CWE-116: Improper Encoding or Escaping of Output

Description

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE
Extended Description

Improper encoding or escaping can allow attackers to change the commands that are sent to another component, inserting malicious commands instead.

Most products follow a certain protocol that uses structured messages for communication between components, such as queries or commands. These structured messages can contain raw data interspersed with metadata or control information. For example, "GET /index.html HTTP/1.1" is a structured message containing a command ("GET") with a single argument ("/index.html") and metadata about which protocol version is being used ("HTTP/1.1").

If an application uses attacker-supplied inputs to construct a structured message without properly encoding or escaping, then the attacker could insert special characters that will cause the data to be interpreted as control information or metadata. Consequently, the component that receives the output will perform the wrong operations, or otherwise interpret the data incorrectly.

Example Vulnerable Codes

Example - 1

This code displays an email address that was submitted as part of a form.


<% String email = request.getParameter("email"); %>...Email Address: <%= email %>

The value read from the form parameter is reflected back to the client browser without having been encoded prior to output, allowing various XSS attacks (CWE-79).

Example - 2

Consider a chat application in which a front-end web application communicates with a back-end server. The back-end is legacy code that does not perform authentication or authorization, so the front-end must implement it. The chat protocol supports two commands, SAY and BAN, although only administrators can use the BAN command. Each argument must be separated by a single space. The raw inputs are URL-encoded. The messaging protocol allows multiple commands to be specified on the same line if they are separated by a "|" character.

First let's look at the back end command processor code


// # generate an array of strings separated by the "|" character.// 

// # separate the operator from its arguments based on a single whitespace// 
ExecuteBan($args);
ExecuteSay($args);($operator, $args) = split(/ /, $cmd, 2);$args = UrlDecode($args);if ($operator eq "BAN") {}elsif ($operator eq "SAY") {}$inputString = readLineFromFileHandle($serverFH);@commands = split(/\|/, $inputString);foreach $cmd (@commands) {}

The front end web application receives a command, encodes it for sending to the server, performs the authorization check, and sends the command to the server.


// # removes extra whitespace and also changes CRLF's to spaces// 
die "Error: you are not the admin.\n";
// # communicate with file server using a file handle// 
$inputString = GetUntrustedArgument("command");($cmd, $argstr) = split(/\s+/, $inputString, 2);$argstr =~ s/\s+/ /gs;$argstr = UrlEncode($argstr);if (($cmd eq "BAN") && (! IsAdministrator($username))) {}$fh = GetServerFileHandle("myserver");print $fh "$cmd $argstr\n";

It is clear that, while the protocol and back-end allow multiple commands to be sent in a single request, the front end only intends to send a single command. However, the UrlEncode function could leave the "|" character intact. If an attacker provides:

SAY hello world|BAN user12

then the front end will see this is a "SAY" command, and the $argstr will look like "hello world | BAN user12". Since the command is "SAY", the check for the "BAN" command will fail, and the front end will send the URL-encoded command to the back end:

SAY hello%20world|BAN%20user12

The back end, however, will treat these as two separate commands:


SAY hello worldBAN user12

Notice, however, that if the front end properly encodes the "|" with "%7C", then the back end will only process a single command.

Example - 3

This example takes user input, passes it through an encoding scheme and then creates a directory specified by the user.

return($ARGV[0]);

my($str) = @_;$str =~ s/\&/\&amp;/gs;$str =~ s/\"/\&quot;/gs;$str =~ s/\'/\&apos;/gs;$str =~ s/\</\&lt;/gs;$str =~ s/\>/\&gt;/gs;return($str);

my $uname = encode(GetUntrustedInput("username"));print "<b>Welcome, $uname!</b><p>\n";system("cd /home/$uname; /bin/ls -l");sub GetUntrustedInput {}sub encode {}sub doit {}

The programmer attempts to encode dangerous characters, however the denylist for encoding is incomplete (CWE-184) and an attacker can still pass a semicolon, resulting in a chain with command injection (CWE-77).

Additionally, the encoding routine is used inappropriately with command execution. An attacker doesn't even need to insert their own semicolon. The attacker can instead leverage the encoding routine to provide the semicolon to separate the commands. If an attacker supplies a string of the form:

' pwd

then the program will encode the apostrophe and insert the semicolon, which functions as a command separator when passed to the system function. This allows the attacker to complete the command injection.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.

© cvefeed.io
Latest DB Update: Dec. 18, 2024 18:18