CWE-73 文件名或路径的外部可控制

External Control of File Name or Path

结构: Simple

Abstraction: Class

状态: Draft

被利用可能性: High

基本描述

The software allows user input to control or influence paths or file names that are used in filesystem operations.

扩展描述

This could allow an attacker to access or modify system files or other files that are critical to the application.

Path manipulation errors occur when the following two conditions are met:

For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 642 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 610 cwe_View_ID: 1000

  • cwe_Nature: ChildOf cwe_CWE_ID: 20 cwe_View_ID: 700 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 20 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: CanPrecede cwe_CWE_ID: 22 cwe_View_ID: 1000

  • cwe_Nature: CanPrecede cwe_CWE_ID: 41 cwe_View_ID: 1000

  • cwe_Nature: CanPrecede cwe_CWE_ID: 98 cwe_View_ID: 1000

  • cwe_Nature: CanPrecede cwe_CWE_ID: 434 cwe_View_ID: 1000

  • cwe_Nature: CanPrecede cwe_CWE_ID: 59 cwe_View_ID: 1000

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

Operating_System: [{'cwe_Class': 'Unix', 'cwe_Prevalence': 'Often'}, {'cwe_Class': 'Windows', 'cwe_Prevalence': 'Often'}, {'cwe_Class': 'macOS', 'cwe_Prevalence': 'Often'}]

常见的影响

范围 影响 注释
['Integrity', 'Confidentiality'] ['Read Files or Directories', 'Modify Files or Directories'] The application can operate on unexpected files. Confidentiality is violated when the targeted filename is not directly readable by the attacker.
['Integrity', 'Confidentiality', 'Availability'] ['Modify Files or Directories', 'Execute Unauthorized Code or Commands'] The application can operate on unexpected files. This may violate integrity if the filename is written to, or if the filename is for a program or other form of executable code.
Availability ['DoS: Crash, Exit, or Restart', 'DoS: Resource Consumption (Other)'] The application can operate on unexpected files. Availability can be violated if the attacker specifies an unexpected file that the application modifies. Availability can also be affected if the attacker specifies a filename for a large file, or points to a special device or a file that does not have the format that the application expects.

检测方法

Automated Static Analysis

The external control or influence of filenames can often be detected using automated static analysis that models data flow within the software.

Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.

可能的缓解方案

Architecture and Design

策略:

When the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability.

['Architecture and Design', 'Operation']

策略:

Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict all access to files within a particular directory. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Architecture and Design

策略:

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

MIT-5.1 Implementation

策略: Input Validation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When validating filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.

Implementation

策略:

Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59).

['Installation', 'Operation']

策略:

Use OS-level permissions and run as a low-privileged user to limit the scope of any successful attack.

['Operation', 'Implementation']

策略:

If you are using PHP, configure your application so that it does not use register_globals. During implementation, develop your application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

Testing

策略:

Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.

Testing

策略:

Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Testing

策略:

Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.

示例代码

The following code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files (CWE-22).

bad Java

String rName = request.getParameter("reportName");
File rFile = new File("/usr/local/apfr/reports/" + rName);
...
rFile.delete();

The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension .txt.

bad Java

fis = new FileInputStream(cfg.getProperty("sub")+".txt");
amt = fis.read(arr);
out.println(arr);

分析过的案例

标识 说明 链接
CVE-2008-5748 Chain: external control of values for user's desired language and theme enables path traversal. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5748
CVE-2008-5764 Chain: external control of user's target language enables remote file inclusion. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5764

Notes

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
7 Pernicious Kingdoms Path Manipulation
Software Fault Patterns SFP16 Path Traversal

相关攻击模式

  • CAPEC-13
  • CAPEC-267
  • CAPEC-64
  • CAPEC-72
  • CAPEC-76
  • CAPEC-78
  • CAPEC-79
  • CAPEC-80

引用