CWE - CWE-95: Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection') (1.6)

Home > CWE List > CWE- Individual Dictionary Definition (1.6)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research
CWE/SANS Top 25
CWSS

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-95: Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection')

Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection')

Weakness ID: 95 (Weakness Base)

Status: Incomplete

Description

Description Summary

The software receives input from an upstream component, but it does not sanitize or incorrectly sanitizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

Extended Description

This may allow an attacker to execute arbitrary code, or at least modify what code can be executed.

Time of Introduction

Architecture and Design
Implementation

Applicable Platforms

Languages

Java

Javascript

Python

Perl

PHP

Ruby

Interpreted Languages

Modes of Introduction

This weakness is prevalent in handler/dispatch procedures that might want to invoke a large number of functions, or set a large number of variables.

Likelihood of Exploit

Medium

Demonstrative Examples

Example 1

edit-config.pl: This CGI script is used to modify settings in a configuration file.

(Bad Code)

Perl

use CGI qw(:standard);

sub config_file_add_key {

my ($fname, $key, $arg) = @_;

# code to add a field/key to a file goes here

}

sub config_file_set_key {

my ($fname, $key, $arg) = @_;

# code to set key to a particular file goes here

}

sub config_file_delete_key {

my ($fname, $key, $arg) = @_;

# code to delete key from a particular file goes here

}

sub handleConfigAction {

my ($fname, $action) = @_;

my $key = param('key');

my $val = param('val');

# this is super-efficient code, especially if you have to invoke

# any one of dozens of different functions!

my $code = "config_file_$action_key(\$fname, \$key, \$val);";

eval($code);

}

$configfile = "/home/cwe/config.txt";

print header;

if (defined(param('action'))) {

handleConfigAction($configfile, param('action'));

}

else {

print "No action specified!\n";

}

The script intends to take the 'action' parameter and invoke one of a variety of functions based on the value of that parameter - config_file_add_key(), config_file_set_key(), or config_file_delete_key(). It could set up a conditional to invoke each function separately, but eval() is a powerful way of doing the same thing in fewer lines of code, especially when a large number of functions or variables are involved. Unfortunately, in this case, the attacker can provide other values in the action parameter, such as: add_key(",","); system("/bin/ls"); This would produce the following string in handleConfigAction(): config_file_add_key(",","); system("/bin/ls"); Any arbitrary Perl code could be added after the attacker has "closed off" the construction of the original function call, in order to prevent parsing errors from causing the malicious eval() to fail before the attacker's payload is activated. This particular manipulation would fail after the system() call, because the "_key(\$fname, \$key, \$val)" portion of the string would cause an error, but this is irrelevant to the attack because the payload has already been activated.

Observed Examples

Reference	Description
CVE-2008-5071	Eval injection in PHP program.
CVE-2002-1750	Eval injection in Perl program.
CVE-2008-5305	Eval injection in Perl program using an ID that should only contain hyphens and numbers.
CVE-2002-1752	Direct code injection into Perl eval function.
CVE-2002-1753	Eval injection in Perl program.
CVE-2005-1527	Direct code injection into Perl eval function.
CVE-2005-2837	Direct code injection into Perl eval function.
CVE-2005-1921	MFV. code injection into PHP eval statement using nested constructs that should not be nested.
CVE-2005-2498	MFV. code injection into PHP eval statement using nested constructs that should not be nested.
CVE-2005-3302	Code injection into Python eval statement from a field in a formatted file.
CVE-2007-1253	Eval injection in Python program.
CVE-2001-1471	chain: Resultant eval injection. An invalid value prevents initialization of variables, which can be modified by attacker and later injected into PHP eval statement.

Potential Mitigations

Phase	Description
	Refactor your code so that it does not need to use eval() at all.
	Assume all input is malicious. Use an appropriate combination of black lists and white lists to ensure only valid and expected input is processed by the system.

Other Notes

Factors: special character errors can play a role in increasing the variety of code that can be injected, although some vulnerabilities do not require special characters at all, e.g. when a single function without arguments can be referenced and a terminator character is not necessary.

Weakness Ordinalities

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Class	94	Failure to Control Generation of Code ('Code Injection')	Development Concepts (primary)699 Research Concepts (primary)1000
ChildOf	Category	714	OWASP Top Ten 2007 Category A3 - Malicious File Execution	Weaknesses in OWASP Top Ten (2007) (primary)629
ChildOf	Category	727	OWASP Top Ten 2004 Category A6 - Injection Flaws	Weaknesses in OWASP Top Ten (2004) (primary)711

Research Gaps

This issue is probably under-reported. Most relevant CVEs have been for Perl and PHP, but eval injection applies to most interpreted languages. Javascript eval injection is likely to be heavily under-reported.

Causal Nature

Explicit

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
PLOVER			Direct Dynamic Code Evaluation ('Eval Injection')
OWASP Top Ten 2007	A3	CWE More Specific	Malicious File Execution
OWASP Top Ten 2004	A6	CWE More Specific	Injection Flaws

References

<http://www.rubycentral.com/book/taint.html>.

Content History

Submissions
Submission Date	Submitter	Organization	Source
	PLOVER		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Time of Introduction
2008-08-15		Veracode	External
2008-08-15	Suggested OWASP Top Ten 2004 mapping
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Applicable Platforms, Description, Modes of Introduction, Relationships, Other Notes, Taxonomy Mappings, Weakness Ordinalities
2009-01-12	CWE Content Team	MITRE	Internal
2009-01-12	updated Description, Observed Examples, Other Notes, Research Gaps
2009-05-27	CWE Content Team	MITRE	Internal
2009-05-27	updated Alternate Terms, Applicable Platforms, Demonstrative Examples, Description, Name, References

Page Last Updated: October 29, 2009


	CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us