CWE-158: Improper Neutralization of Null Byte or NUL Character

Structure: Simple

Abstraction: Variant

Status: Incomplete

Likelihood of Exploit: Unknown

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.

Extended Description

As data is parsed, an injected NUL character or null byte may cause the software to believe the input is terminated earlier than it actually is, or otherwise cause the input to be misinterpreted. This could then be used to inject potentially dangerous input that occurs after the null byte or otherwise bypass validation routines and other protection mechanisms.

Relationships

  • ChildOf CWE-138 (View 1000, Ordinal: Primary)

  • ChildOf CWE-138 (View 699, Ordinal: Primary)

Applicable Platforms

Language: Language-Independent (Prevalence: Undetermined)

Common Consequences

Scope      Impact            Notes
Integrity  Unexpected State

Potential Mitigations

Strategy:

Developers should anticipate that null characters or null bytes will be injected, removed, or otherwise manipulated in the input vectors of their software system. Use an appropriate combination of blacklists and whitelists to ensure that only valid, expected, and appropriate input is processed by the system.

MIT-5 Implementation

Strategy: Input Validation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

MIT-20 Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.
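The two mitigations above (accept-known-good validation, and decode once before validating) are illustrated here in Python with an added example that is not part of the CWE entry; the allowlist pattern, the accepted extensions, and the sample file names are assumptions made for the example. It contrasts a suffix-only check with a validator that canonicalizes once and rejects any embedded NUL, and shows what a NUL-terminated consumer would actually see.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Allowlist for this example (an assumption, not from the CWE entry): a short
# base name and one of three expected text extensions. Nothing else is accepted.
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(txt|csv|log)$")


def c_string_view(decoded: str) -> str:
    """What a NUL-terminated (C-style) consumer would actually see: the input
    up to the first NUL byte. This models the early termination the CWE describes."""
    return decoded.split("\x00", 1)[0]


def naive_extension_check(raw: str) -> bool:
    """The weak check: decode, then look only at the suffix. It accepts
    'report.php%00.txt' because the decoded Python string really does end in '.txt',
    while a downstream C API would open 'report.php'."""
    return unquote(raw).endswith(".txt")


def validate_filename(raw: str) -> Optional[str]:
    """Decode exactly once (CWE-180), then validate the canonical form against
    an allowlist. Returns the validated name, or None when the input is rejected."""
    decoded = unquote(raw)
    # Do not decode again (CWE-174): a leftover literal '%00' from a
    # double-encoded input is just an invalid character and fails the allowlist.
    # Reject any embedded NUL outright: downstream C code would stop reading here.
    if "\x00" in decoded:
        return None
    # Accept known good only; no attempt to enumerate bad patterns.
    if not ALLOWED_NAME.fullmatch(decoded):
        return None
    return decoded


if __name__ == "__main__":
    # Constructed sample inputs: a benign name, a NUL-injected name, a double-encoded name.
    for sample in ("report.txt", "report.php%00.txt", "report.php%2500.txt"):
        print(f"{sample!r}: naive={naive_extension_check(sample)} "
              f"c_view={c_string_view(unquote(sample))!r} "
              f"validated={validate_filename(sample)!r}")
```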

Observed Examples

Reference: Description (Link)

CVE-2005-2008: Source code disclosure using trailing null. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2008
CVE-2005-3293: Source code disclosure using trailing null. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3293
CVE-2005-2061: Trailing null allows file include. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2061
CVE-2002-1774: Null character in MIME header allows detection bypass. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1774
CVE-2000-0149: Web server allows remote attackers to view the source code for CGI programs via a null character (%00) at the end of a URL. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0149
CVE-2000-0671: Web server allows remote attackers to bypass access restrictions, list directory contents, and read source code by inserting a null character (%00) in the URL. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0671
CVE-2001-0738: Logging system allows an attacker to cause a denial of service (hang) by causing null bytes to be placed in log messages. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0738
CVE-2001-1140: Web server allows source code for executable programs to be read via a null character (%00) at the end of a request. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1140
CVE-2002-1031: Protection mechanism for limiting file access can be bypassed using a null character (%00) at the end of the directory name. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1031
CVE-2002-1025: Application server allows remote attackers to read JSP source code via an encoded null byte in an HTTP GET request, which causes the server to send the .JSP file unparsed. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1025
CVE-2003-0768: XSS protection mechanism only checks for sequences with an alphabetical character following a "<", so a non-alphabetical or null character (%00) following a "<" may be processed. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0768
CVE-2004-0189: Decoding function in proxy allows regular expression bypass in ACLs via URLs with null characters. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0189
CVE-2005-3153: Null byte bypasses PHP regexp check (interaction error). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3153
CVE-2005-4155: Null byte bypasses PHP regexp check (interaction error). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4155

Notes

Taxonomy Mappings

Mapped Taxonomy Name     Node ID  Fit  Mapped Node Name
PLOVER                                 Null Character / Null Byte
WASC                     28            Null Byte Injection
Software Fault Patterns  SFP24         Tainted input to command

Related Attack Patterns

  • CAPEC-52
  • CAPEC-53

References