CWE - Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types

CWE List, Individual Dictionary Definition (CWE version 4.10)

CWE-828: Signal Handler with Functionality that is not Asynchronous-Safe

Weakness ID: 828
Abstraction: Base
Structure: Simple
+ Description
The product defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted.
+ Extended Description

This can lead to an unexpected system state with a variety of potential consequences depending on context, including denial of service and code execution.

Signal handlers are typically intended to interrupt normal functionality of a program, or even other signals, in order to notify the process of an event. When a signal handler uses global or static variables, or invokes functions that ultimately depend on such state or its associated metadata, then it could corrupt system state that is being used by normal functionality. This could leave the program in a race condition or other weakness that allows an attacker to cause the program state to be corrupted. While denial of service is frequently the result, in some cases this weakness could be leveraged for code execution.

There are several different scenarios that introduce this issue:

  • Invocation of non-reentrant functions from within the handler. One example is malloc(), which modifies internal global variables as it manages memory. Very few functions are actually reentrant.
  • Code sequences (not necessarily function calls) contain non-atomic use of global variables, or associated metadata or structures, that can be accessed by other functionality of the program, including other signal handlers. Frequently, the same function is registered to handle multiple signals.
  • The signal handler function is intended to run at most one time, but instead it can be invoked multiple times. This could happen by repeated delivery of the same signal, or by delivery of different signals that have the same handler function (CWE-831).

Note that in some environments or contexts, it might be possible for the signal handler to be interrupted itself.

If both a signal handler and the normal behavior of the product have to operate on the same set of state variables, and a signal is received in the middle of the normal execution's modifications of those variables, the variables may be in an incorrect or corrupt state during signal handler execution, and possibly still incorrect or corrupt upon return.

+ Relationships
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.
+ Relevant to the view "Research Concepts" (CWE-1000)
Nature    Type     ID   Name
ChildOf   Base     364  Signal Handler Race Condition
ParentOf  Variant  479  Signal Handler Use of a Non-reentrant Function
(Base: a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Variant: a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.)
+ Relevant to the view "Software Development" (CWE-699)
Nature    Type      ID   Name
MemberOf  Category  387  Signal Errors
(Category: a CWE entry that contains a set of other entries that share a common characteristic.)
+ Common Consequences
This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
Scope: Integrity; Confidentiality; Availability

Technical Impact: DoS: Crash, Exit, or Restart; Execute Unauthorized Code or Commands

The most common consequence will be a corruption of the state of the product, possibly leading to a crash or exit. However, if the signal handler is operating on state variables for security relevant libraries or protection mechanisms, the consequences can be far more severe, including protection mechanism bypass, privilege escalation, or information exposure.
+ Demonstrative Examples

Example 1

This code registers the same signal handler function with two different signals (CWE-831). If those signals are sent to the process, the handler creates a log message (specified in the first argument to the program) and exits.

(bad code)
Example Language: C
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

char *logMessage;

void handler (int sigNum) {
  syslog(LOG_NOTICE, "%s\n", logMessage);
  free(logMessage);
  /* artificially increase the size of the timing window to make demonstration of this weakness easier. */
  sleep(10);
  exit(0);
}

int main (int argc, char* argv[]) {
  logMessage = strdup(argv[1]);
  /* Register signal handlers. */
  signal(SIGHUP, handler);
  signal(SIGTERM, handler);
  /* artificially increase the size of the timing window to make demonstration of this weakness easier. */
  sleep(10);
}

The handler function uses global state (globalVar and logMessage), and it can be invoked by both the SIGHUP and SIGTERM signals. An attack scenario might follow these lines:

  • The program begins execution, initializes logMessage, and registers the signal handler for SIGHUP and SIGTERM.
  • The program begins its "normal" functionality, which is simplified as sleep(), but could be any functionality that consumes some time.
  • The attacker sends SIGHUP, which invokes handler (call this "SIGHUP-handler").
  • SIGHUP-handler begins to execute, calling syslog().
  • syslog() calls malloc(), which is non-reentrant. malloc() begins to modify metadata to manage the heap.
  • The attacker then sends SIGTERM.
  • SIGHUP-handler is interrupted, but syslog's malloc call is still executing and has not finished modifying its metadata.
  • SIGTERM-handler is invoked.
  • SIGTERM-handler records the log message using syslog(), then frees the logMessage variable.

At this point, the state of the heap is uncertain, because malloc is still modifying the metadata for the heap. The metadata might be in an inconsistent state. The SIGTERM-handler call to free() assumes that the metadata is consistent, possibly causing it to write data to the wrong location while managing the heap. The result is memory corruption, which could lead to a crash or even code execution, depending on the circumstances under which the code is running.

Note that this is an adaptation of a classic example as originally presented by Michal Zalewski [REF-360]; the original example was shown to be exploitable for code execution.

Also note that the strdup(argv[1]) call contains a potential buffer over-read (CWE-126) if the program is called without any arguments, because argc would be 0, and argv[1] would point outside the bounds of the array.

Example 2

The following code registers a signal handler with multiple signals in order to log when a specific event occurs and to free associated memory before exiting.

(bad code)
Example Language: C
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

void *global1, *global2;
char *what;

void sh (int dummy) {
  syslog(LOG_NOTICE, "%s\n", what);
  free(global2);
  free(global1);
  /* Sleep statements added to expand timing window for race condition */
  sleep(10);
  exit(0);
}

int main (int argc, char* argv[]) {
  what = argv[1];
  global1 = strdup(argv[2]);
  global2 = malloc(340);
  signal(SIGHUP, sh);
  signal(SIGTERM, sh);
  /* Sleep statements added to expand timing window for race condition */
  sleep(10);
  exit(0);
}

However, the following sequence of events may result in a double free (CWE-415):

  1. a SIGHUP is delivered to the process
  2. sh() is invoked to process the SIGHUP
  3. the first invocation of sh() reaches the point where global1 is freed
  4. at this point, a SIGTERM is sent to the process
  5. the second invocation of sh() might do another free of global1
  6. this results in a double free (CWE-415)

This is just one possible exploitation of the above code. As another example, the syslog call may use malloc calls which are not async-signal-safe. This could cause corruption of the heap management structures. For more details, consult the example within "Delivering Signals for Fun and Profit" [REF-360].

+ Observed Examples
Reference  Description
signal handler uses functions that ultimately call the unsafe syslog/malloc/s*printf, leading to
Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition (CWE-362) that leads to a double free (CWE-415).
unsafe calls to library functions from signal handler
SIGURG can be used to remotely interrupt signal handler; other variants exist.
SIGCHLD signal to FTP server can cause crash under heavy load while executing non-reentrant functions like malloc/free.
SIGCHLD not blocked in a daemon loop while counter is modified, causing the counter to get out of sync.
+ Potential Mitigations

Phases: Implementation; Architecture and Design

Eliminate the usage of non-reentrant functionality inside of signal handlers. This includes replacing all non-reentrant library calls with reentrant calls.

Note: This will not always be possible and may require large portions of the product to be rewritten or even redesigned. Sometimes reentrant-safe library alternatives will not be available. Sometimes non-reentrant interaction between the state of the system and the signal handler will require a design fix.

Effectiveness: High

Phase: Implementation

Where non-reentrant functionality must be leveraged within a signal handler, be sure to block or mask signals appropriately. This includes blocking other signals within the signal handler itself that may also leverage the functionality. It also includes blocking all signals reaching the functionality when accessing or modifying the functionality through the product's normal behavior.
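Both mitigations applied to the handler of Example 1, as an added example that is not part of the CWE entry: the handler only records the signal in a volatile sig_atomic_t, sigaction()'s sa_mask blocks the sibling signal while it runs, and syslog()/free() are moved to normal context under sigprocmask(), where clearing the pointer also rules out the double free of Example 2. The function names (install_handlers, drain_pending, hup_and_term) are this example's own.

```c
#define _POSIX_C_SOURCE 200809L   /* expose sigaction(), sigprocmask(), strdup() under strict -std= */
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

static volatile sig_atomic_t pending_signal = 0;  /* the only state the handler writes */
char *log_message = NULL;                         /* shared state, touched only in normal context */

/* Async-signal-safe handler: record which signal arrived and return; no syslog()/free() here. */
static void handler(int signum) { pending_signal = signum; }

static void hup_and_term(sigset_t *s) { sigemptyset(s); sigaddset(s, SIGHUP); sigaddset(s, SIGTERM); }

/* One handler for both signals; sa_mask blocks the other signal for the handler's duration. */
int install_handlers(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = handler;
    hup_and_term(&sa.sa_mask);
    if (sigaction(SIGHUP, &sa, NULL) != 0) return -1;
    return sigaction(SIGTERM, &sa, NULL);
}

/* Normal-context consumer: SIGHUP/SIGTERM are blocked while log_message is read and freed, and
   the pointer is cleared so a later event cannot free it twice. Returns the signal consumed, or 0. */
int drain_pending(void) {
    sigset_t block, saved;
    hup_and_term(&block);
    sigprocmask(SIG_BLOCK, &block, &saved);
    int sig = pending_signal;
    pending_signal = 0;
    if (sig != 0 && log_message != NULL) {
        syslog(LOG_NOTICE, "%s (signal %d)", log_message, sig);
        free(log_message);
        log_message = NULL;
    }
    sigprocmask(SIG_SETMASK, &saved, NULL);
    return sig;
}

int main(int argc, char *argv[]) {
    sigset_t block, unblocked;
    if (argc < 2 || (log_message = strdup(argv[1])) == NULL || install_handlers() != 0) return 1;
    hup_and_term(&block);
    sigprocmask(SIG_BLOCK, &block, &unblocked);          /* normal path keeps both signals blocked */
    while (pending_signal == 0) sigsuspend(&unblocked);  /* atomically unblock and wait */
    return drain_pending() ? 0 : 1;
}
```

The main() waits with sigsuspend() rather than pause() so that a signal arriving between the flag check and the wait cannot be lost.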
+ Taxonomy Mappings
Mapped Taxonomy Name   Node ID  Fit  Mapped Node Name
CERT C Secure Coding   SIG31-C       Do not access or modify shared objects in signal handlers
+ References
[REF-360] Michal Zalewski. "Delivering Signals for Fun and Profit". <http://lcamtuf.coredump.cx/signals.txt>.
+ Content History
+ Submissions
Submission Date  Submitter         Organization
2010-11-08       CWE Content Team  MITRE
+ Modifications
Modification Date  Modifier          Organization
2011-06-01         CWE Content Team  MITRE
updated Common_Consequences
2012-05-11         CWE Content Team  MITRE
updated Demonstrative_Examples
2014-06-23         CWE Content Team  MITRE
updated Demonstrative_Examples, References
2017-11-08         CWE Content Team  MITRE
updated Observed_Examples
2020-02-24         CWE Content Team  MITRE
updated Relationships
2021-03-15         CWE Content Team  MITRE
updated Demonstrative_Examples
2022-04-28         CWE Content Team  MITRE
updated Observed_Examples
2023-01-31         CWE Content Team  MITRE
updated Common_Consequences, Description, Potential_Mitigations
Page Last Updated: January 31, 2023