CWE-374: Passing Mutable Objects to an Untrusted Method
Learn about CWE-374 (Passing Mutable Objects to an Untrusted Method), its security impact, exploitation methods, and prevention guidelines.
What is Passing Mutable Objects to an Untrusted Method?
• Overview: Passing mutable objects to an untrusted method involves sending data that can be modified to a function or method without first creating a copy. This allows the called method to change the data, potentially violating the assumptions about the data's state in the original context.
• Exploitation Methods:
- Attackers can manipulate the passed data to introduce unexpected behavior or vulnerabilities.
- Common attack patterns include altering state in ways that violate integrity, causing logic errors, or triggering unexpected side effects.
• Security Impact:
- Direct consequences include data corruption, unexpected behavior, or application crashes.
- Potential cascading effects could involve security policy violations or further exploitation of modified data.
- Business impact might involve data breaches, loss of customer trust, or financial loss due to malfunctioning systems.
• Prevention Guidelines:
- Specific code-level fixes include cloning or creating defensive copies of mutable objects before passing them to untrusted methods.
- Security best practices involve validating and sanitizing input, using immutable objects when possible, and clearly documenting method expectations.
- Recommended tools and frameworks include static analysis tools to identify and flag risky data handling patterns and libraries that provide immutable data structures.
Corgea can automatically detect and fix Passing Mutable Objects to an Untrusted Method in your codebase. Try Corgea free today.
Technical Details
Likelihood of Exploit:
Affected Languages: C, C++, Java, C#
Affected Technologies: Not specified
Vulnerable Code Example
#include <stdio.h>
#include <string.h>
// Function that appends a message to a given buffer
// This function is untrusted and may modify the buffer in unexpected ways
void untrusted_append(char *buffer, const char *message) {
strcat(buffer, message); // Potentially unsafe: modifies the input buffer directly
}
int main() {
char user_data[100] = "User data: ";
// Passing the mutable user_data buffer to an untrusted function
untrusted_append(user_data, "Sensitive Info");
printf("%s\n", user_data); // Vulnerable: user_data may have been tampered
return 0;
}
In this vulnerable example, the untrusted_append function directly modifies the user_data buffer, which is passed to it. Since this function is untrusted, it might alter user_data in unexpected ways, potentially leading to security issues such as data corruption or leakage.
How to fix Passing Mutable Objects to an Untrusted Method?
To address this vulnerability, avoid passing mutable objects directly to untrusted functions. Instead, pass a copy of the object to ensure that the original data remains unchanged. This can be achieved by creating a local copy of the data before passing it to the untrusted method. This way, any modifications made by the untrusted function will not affect the original data.
Fixed Code Example
#include <stdio.h>
#include <string.h>
// Function that appends a message to a given buffer
// This function remains unchanged
void untrusted_append(char *buffer, const char *message) {
strcat(buffer, message);
}
int main() {
char user_data[100] = "User data: ";
char safe_copy[100];
// Create a local copy of user_data
strcpy(safe_copy, user_data);
// Pass the safe copy to the untrusted function
untrusted_append(safe_copy, "Sensitive Info");
printf("Original: %s\n", user_data); // Safe: original data is intact
printf("Modified: %s\n", safe_copy); // Modified copy with appended message
return 0;
}
In the fixed code example, the original user_data buffer is protected from any unintended modifications by creating a copy safe_copy. The copy is passed to the untrusted function, preserving the integrity of the original data. This approach ensures that even if the untrusted function modifies the buffer, it doesn't impact the original data, thereby maintaining data integrity and preventing potential security vulnerabilities.