CWE - CWE-441: Unintended Proxy or Intermediary ('Confused Deputy') (2.4)

Unintended Proxy or Intermediary ('Confused Deputy')

Weakness ID: 441 (Weakness Class)

Status: Draft

Description

Description Summary

The software receives a request, message, or directive from an upstream component, but the software does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the software's control sphere. This causes the software to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

Extended Description

If an attacker cannot directly contact a target, but the software has access to the target, then the attacker can send a request to the software and have it be forwarded from the target. The request would appear to be coming from the software's system, not the attacker's system. As a result, the attacker can bypass access controls (such as firewalls) or hide the source of malicious requests, since the requests would not be coming directly from the attacker.

Since proxy functionality and message-forwarding often serve a legitimate purpose, this issue only becomes a vulnerability when:

The software runs with different privileges or on a different system, or otherwise has different levels of access than the upstream component;
The attacker is prevented from making the request directly to the target; and
The attacker can create a request that the proxy does not explicitly intend to be forwarded on the behalf of the requester. Such a request might point to an unexpected hostname, port number, or service. Or, the request might be sent to an allowed service, but the request could contain disallowed directives, commands, or resources.

Alternate Terms

Confused Deputy:	This weakness is sometimes referred to as the "Confused deputy" problem, in which an attacker misused the authority of one victim (the "confused deputy") when targeting another victim.

Time of Introduction

Architecture and Design

Applicable Platforms

Languages

Language-independent

Common Consequences

Scope	Effect
Non-Repudiation Access Control	Technical Impact: Gain privileges / assume identity; Hide activities

Observed Examples

Reference	Description
CVE-1999-0017	FTP bounce attack. The design of the protocol allows an attacker to modify the PORT command to cause the FTP server to connect to other machines besides the attacker's.
CVE-1999-0168	RPC portmapper could redirect service requests from an attacker to another entity, which thinks the requests came from the portmapper.
CVE-2005-0315	FTP server does not ensure that the IP address in a PORT command is the same as the FTP user's session, allowing port scanning by proxy.
CVE-2002-1484	Web server allows attackers to request a URL from another server, including other ports, which allows proxied scanning.
CVE-2004-2061	CGI script accepts and retrieves incoming URLs.
CVE-2001-1484	Bounce attack allows access to TFTP from trusted side.
CVE-2010-1637	Web-based mail program allows internal network scanning using a modified POP3 port number.
CVE-2009-0037	URL-downloading library automatically follows redirects to file:// and scp:// URLs

Potential Mitigations

Phase: Architecture and Design

Enforce the use of strong mutual authentication mechanism between the two parties.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Class	610	Externally Controlled Reference to a Resource in Another Sphere	Research Concepts (primary)1000
ChildOf	Category	902	SFP Cluster: Channel	Software Fault Pattern (SFP) Clusters (primary)888
CanPrecede	Weakness Class	668	Exposure of Resource to Wrong Sphere	Research Concepts1000
RequiredBy	Compound Element: Composite	352	Cross-Site Request Forgery (CSRF)	Research Concepts1000
RequiredBy	Compound Element: Composite	384	Session Fixation	Research Concepts1000
ParentOf	Weakness Base	918	Server-Side Request Forgery (SSRF)	Development Concepts (primary)699 Research Concepts (primary)1000
PeerOf	Weakness Variant	611	Improper Restriction of XML External Entity Reference ('XXE')	Research Concepts1000

Relationship Notes

This weakness has a chaining relationship with CWE-668 (Exposure of Resource to Wrong Sphere) because the proxy effectively provides the attacker with access to the target's resources that the attacker cannot directly obtain.

Theoretical Notes

It could be argued that the "confused deputy" is a fundamental aspect of most vulnerabilities that require an active attacker. Even for common implementation issues such as buffer overflows, SQL injection, OS command injection, and path traversal, the vulnerable program already has the authorization to run code or access files. The vulnerability arises when the attacker causes the program to run unexpected code or access unexpected files.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Mapped Node Name
PLOVER		Unintended proxy/intermediary
PLOVER		Proxied Trusted Channel
WASC	32	Routing Detour

Related Attack Patterns

CAPEC-ID	Attack Pattern Name	(CAPEC Version: 1.7.1)
141	Cache Poisoning
142	DNS Cache Poisoning
219	XML Routing Detour Attacks
465	Socket Capable Browser Plugins Result In Transparent Proxy Abuse

References

Norm Hardy. "The Confused Deputy (or why capabilities might have been invented)". 1988. <http://www.cap-lore.com/CapTheory/ConfusedDeputy.html>.

Maintenance Notes

This could possibly be considered as an emergent resource.

Content History

Submissions
Submission Date	Submitter	Organization	Source
	PLOVER		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Potential_Mitigations, Time_of_Introduction
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings
2008-11-24	CWE Content Team	MITRE	Internal
2008-11-24	updated Maintenance_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
2010-02-16	CWE Content Team	MITRE	Internal
2010-02-16	updated Taxonomy_Mappings
2010-04-05	CWE Content Team	MITRE	Internal
2010-04-05	updated Related_Attack_Patterns
2010-06-21	CWE Content Team	MITRE	Internal
2010-06-21	updated Other_Notes
2011-06-01	CWE Content Team	MITRE	Internal
2011-06-01	updated Common_Consequences
2011-06-27	CWE Content Team	MITRE	Internal
2011-06-27	updated Common_Consequences
2012-05-11	CWE Content Team	MITRE	Internal
2012-05-11	updated Related_Attack_Patterns, Relationships
2012-10-30	CWE Content Team	MITRE	Internal
2012-10-30	updated Potential_Mitigations
2013-02-21	CWE Content Team	MITRE	Internal
2013-02-21	updated Alternate_Terms, Applicable_Platforms, Description, Maintenance_Notes, Name, Observed_Examples, References, Relationship_Notes, Relationships, Theoretical_Notes, Type
Previous Entry Names
Change Date	Previous Entry Name
2013-02-21	Unintended Proxy/Intermediary


	CWE is co-sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2013, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us

Common Weakness Enumeration

CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')