CWE-456: Missing Initialization of a Variable

Structure: Simple

Abstraction: Variant

Status: Draft

Likelihood of Exploit: Unknown

Description

The software does not initialize critical variables, which causes the execution environment to use unexpected values.

Related Weaknesses

  • ChildOf: CWE-909 (View 1000, Primary)

  • ChildOf: CWE-909 (View 699, Primary)

  • CanPrecede: CWE-89 (View 1000)

  • CanPrecede: CWE-120 (View 1000)

  • CanPrecede: CWE-98 (View 1000)

  • CanPrecede: CWE-457 (View 1000)

  • CanPrecede: CWE-457 (View 699)

Applicable Platforms

Language: Language-Independent (Prevalence: Undetermined)

Common Consequences

Scope: Integrity, Other
Impact: Unexpected State, Quality Degradation, Varies by Context
Notes: The uninitialized data may be invalid, causing logic errors within the program. In some cases, this could result in a security problem.

Potential Mitigations

Implementation

Strategy:

Check that critical variables are initialized.

Testing

Strategy:

Use a static analysis tool to spot non-initialized variables.

Demonstrative Examples

Here, an uninitialized field in a Java class is used in a seldom-called method, which would cause a NullPointerException to be thrown.

Bad code (Java):

    private User user;
    public void someMethod() {

        // Do something interesting.
        ...

        // Throws NPE if user hasn't been properly initialized.
        String username = user.getName();
    }

This code first authenticates a user, then allows a delete command if the user is an administrator.

Bad code (PHP):

    if (authenticate($username, $password) && setAdmin($username)){
        $isAdmin = true;
    }
    /.../

    if ($isAdmin){
        deleteUser($userToDelete);
    }

The $isAdmin variable is set to true if the user is an admin, but is uninitialized otherwise. If PHP's register_globals feature is enabled, an attacker can set uninitialized variables like $isAdmin to arbitrary values, in this case gaining administrator privileges by setting $isAdmin to true.

In the following Java code the BankManager class uses the user variable of the class User to allow authorized users to perform bank manager tasks. The user variable is initialized within the method setUser, which retrieves the User from the User database. The user is then authenticated through the method authenticateUser.

Bad code (Java):

    public class BankManager {

        // user allowed to perform bank manager tasks
        private User user = null;
        private boolean isUserAuthentic = false;

        // constructor for BankManager class
        public BankManager() {
            ...
        }

        // retrieve user from database of users
        public User getUserFromUserDatabase(String username){
            ...
        }

        // set user variable using username
        public void setUser(String username) {
            this.user = getUserFromUserDatabase(username);
        }

        // authenticate user
        public boolean authenticateUser(String username, String password) {
            if (username.equals(user.getUsername()) && password.equals(user.getPassword())) {
                isUserAuthentic = true;
            }
            return isUserAuthentic;
        }

        // methods for performing bank manager tasks
        ...
    }

However, if the method setUser is not called before authenticateUser then the user variable will not have been initialized and will result in a NullPointerException. The code should verify that the user variable has been initialized before it is used, as in the following code.

Good code (Java):

    public class BankManager {

        // user allowed to perform bank manager tasks
        private User user = null;
        private boolean isUserAuthentic = false;

        // constructor for BankManager class
        public BankManager(String username) {
            user = getUserFromUserDatabase(username);
        }

        // retrieve user from database of users
        public User getUserFromUserDatabase(String username) {...}

        // authenticate user
        public boolean authenticateUser(String username, String password) {
            if (user == null) {
                System.out.println("Cannot find user " + username);
            }
            else {
                if (password.equals(user.getPassword())) {
                    isUserAuthentic = true;
                }
            }
            return isUserAuthentic;
        }

        // methods for performing bank manager tasks
        ...

    }
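The following is an added, runnable version of the hardened BankManager above (it is not CWE's own code); it also covers the NullPointerException case from the first Java example. A constructed in-memory map stands in for the user database, and a username check is added to authenticateUser so the credentials are compared against the loaded user.

```java
import java.util.HashMap;
import java.util.Map;

public class BankManagerDemo {

    // Minimal User type with the two accessors the CWE example relies on.
    static final class User {
        private final String username, password;
        User(String u, String p) { username = u; password = p; }
        String getUsername() { return username; }
        String getPassword() { return password; }
    }

    // Constructed stand-in for the user database (a real one stores password hashes).
    private static final Map<String, User> USER_DB = new HashMap<>();
    static { USER_DB.put("alice", new User("alice", "s3cret")); }

    static final class BankManager {
        // Every field gets an explicit initial value; authentication defaults to "not authentic".
        private User user = null;
        private boolean isUserAuthentic = false;

        // The constructor initializes user before any method can dereference it.
        BankManager(String username) {
            this.user = getUserFromUserDatabase(username);
        }

        User getUserFromUserDatabase(String username) {
            return USER_DB.get(username); // null when the user does not exist
        }

        // Fails closed: an unset or mismatched user yields false instead of an NPE.
        boolean authenticateUser(String username, String password) {
            if (user == null || !username.equals(user.getUsername())) {
                return false;
            }
            if (password.equals(user.getPassword())) {
                isUserAuthentic = true;
            }
            return isUserAuthentic;
        }
    }

    public static void main(String[] args) {
        System.out.println(new BankManager("alice").authenticateUser("alice", "s3cret"));
        System.out.println(new BankManager("alice").authenticateUser("alice", "wrong"));
        System.out.println(new BankManager("mallory").authenticateUser("mallory", "x"));
    }
}
```

The third call reaches the null-check path: no user was loaded, so the method returns false rather than throwing.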

Observed Examples

Identifier / Description / Link
CVE-2005-2978: Product uses uninitialized variables for size and index, leading to resultant buffer overflow. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2978
CVE-2005-2109: Internal variable in PHP application is not initialized, allowing external modification. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2109
CVE-2005-2193: Array variable not initialized in PHP application, leading to resultant SQL injection. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2193

Notes

Relationship: This weakness is a major factor in a number of resultant weaknesses, especially in web applications that allow global variable initialization (such as PHP) with libraries that can be directly requested.

Research Gap: It is highly likely that a large number of resultant weaknesses have missing initialization as a primary factor, but researcher reports generally do not provide this level of detail.

Taxonomy Mappings

Mapped Taxonomy Name / Node ID / Fit / Mapped Node Name
PLOVER: Missing Initialization
Software Fault Patterns: SFP1, Glitch in computation
CERT C Secure Coding: ERR30-C (CWE More Abstract), Set errno to zero before calling a library function known to set errno, and check errno only after the function returns a value indicating failure
SEI CERT Perl Coding Standard: DCL04-PL (Exact), Always initialize local variables
SEI CERT Perl Coding Standard: DCL33-PL (Imprecise), Declare identifiers before using them
OMG ASCSM: ASCSM-CWE-456
OMG ASCRM: ASCRM-CWE-456
