Structure: Simple
Abstraction: Variant
Status: Incomplete
Likelihood of Exploit: High
If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.
Nature: ChildOf, CWE ID: 233, View ID: 1000, Ordinal: Primary
Nature: ChildOf, CWE ID: 233, View ID: 699, Ordinal: Primary
Language: Language-Independent (Prevalence: Undetermined)
Scope | Impact | Note |
---|---|---|
Integrity, Confidentiality, Availability, Access Control | Execute Unauthorized Code or Commands; Gain Privileges or Assume Identity | There is the potential for arbitrary code execution with privileges of the vulnerable program if the function parameter list is exhausted. |
Availability | DoS: Crash, Exit, or Restart | Potentially a program could fail if it needs more arguments than are available. |
Strategy:
This issue can be combated simply by using a proper build process.
Strategy:
Forward declare all functions. This is the recommended solution. Proper forward declaration of all used functions will result in a compiler error if too few arguments are sent to a function.
The following example demonstrates the weakness.
bad C
bad C
This can be exploited to disclose information with no work whatsoever. In fact, each time this function is run, it will print out the next 4 bytes on the stack after the two numbers sent to it.
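The forward-declaration mitigation and the variable-argument case described above, as an added C example that is not code from the original entry. The names `foo_funct`, `legacy_funct`, `weak_caller`, `sum_ints`, `SUM_INTS` and `SHOW_WEAKNESS` are hypothetical, and the build flags in the comment assume GCC or Clang.

```c
#include <stddef.h>
#include <stdio.h>

/* Fix 1: a full prototype is in scope before any call, so a call such as
 * foo_funct(buf, sizeof buf, 1, 2) fails to compile ("too few arguments").
 * Assumed GCC/Clang build flags that enforce this project-wide:
 *   -Werror=implicit-function-declaration -Werror=strict-prototypes */
int foo_funct(char *out, size_t len, int one, int two, int three);

#ifdef SHOW_WEAKNESS /* constructed "before" case; off by default (undefined behaviour) */
void legacy_funct();  /* pre-C23: empty parentheses = argument count unchecked */
void weak_caller(void) { legacy_funct(1, 2); } /* compiles, one argument short */
void legacy_funct(int one, int two, int three)
{
    /* 'three' was never passed; it holds whatever occupies that slot. */
    printf("1) %d\n2) %d\n3) %d\n", one, two, three);
}
#endif

int foo_funct(char *out, size_t len, int one, int two, int three)
{
    return snprintf(out, len, "1) %d 2) %d 3) %d", one, two, three);
}

/* Fix 2, for variable-length argument lists: a variadic callee cannot tell how
 * many arguments were really passed, so take an array plus a count instead. */
int sum_ints(size_t n, const int *v)
{
    int total = 0;
    for (size_t i = 0; i < n; i++)
        total += v[i];
    return total;
}

/* The count is computed by the compiler from the call itself (C99 compound
 * literal), so it cannot disagree with the values supplied. */
#define SUM_INTS(...) \
    sum_ints(sizeof((int[]){__VA_ARGS__}) / sizeof(int), (int[]){__VA_ARGS__})

int main(void)
{
    char buf[32];
    foo_funct(buf, sizeof buf, 1, 2, 3);
    printf("%s\nsum=%d\n", buf, SUM_INTS(17, 42));
    return 0;
}
```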
Reference | Description | Link |
---|---|---|
CVE-2004-0276 | Server earlier allows remote attackers to cause a denial of service (crash) via an HTTP request with a sequence of "%" characters and a missing Host field. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0276 |
CVE-2002-1488 | Chat client allows remote malicious IRC servers to cause a denial of service (crash) via a PART message with (1) a missing channel or (2) a channel that the user is not in. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1488 |
CVE-2002-1169 | Proxy allows remote attackers to cause a denial of service (crash) via an HTTP request to helpout.exe with a missing HTTP version number. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1169 |
CVE-2000-0521 | Web server allows disclosure of CGI source code via an HTTP request without the version number. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0521 |
CVE-2001-0590 | Application server allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0590 |
CVE-2003-0239 | Chat software allows remote attackers to cause a denial of service via malformed GIF89a headers that do not contain a GCT (Global Color Table) or an LCT (Local Color Table) after an Image Descriptor. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0239 |
CVE-2002-1023 | Server allows remote attackers to cause a denial of service (crash) via an HTTP GET request without a URI. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1023 |
CVE-2002-1236 | CGI crashes when called without any arguments. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1236 |
CVE-2003-0422 | CGI crashes when called without any arguments. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0422 |
CVE-2002-1531 | Crash in HTTP request without a Content-Length field. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1531 |
CVE-2002-1077 | Crash in HTTP request without a Content-Length field. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1077 |
CVE-2002-1358 | Empty elements/strings in protocol test suite affect many SSH2 servers/clients. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1358 |
CVE-2003-0477 | FTP server crashes in PORT command without an argument. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0477 |
CVE-2002-0107 | Resultant infoleak in web server via GET requests without HTTP/1.0 version string. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0107 |
CVE-2002-0596 | GET request with empty parameter leads to error message infoleak (path disclosure). | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0596 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | | | Missing Parameter Error |
CLASP | | | Missing parameter |