50%
99%
48%
A vulnerability in the Policy and Charging Rules Function (PCRF) of the Cisco Policy Suite (CPS) could allow an unauthenticated, remote attacker to access sensitive data. The attacker could use this information to conduct additional reconnaissance attacks. The attacker would also have to have access to the internal VLAN where CPS is deployed. The vulnerability is due to incorrect permissions of certain system files and not sufficiently protecting sensitive data that is at rest. An attacker could exploit the vulnerability by using certain tools available on the internal network interface to request and view system files. An exploit could allow the attacker to find out sensitive information about the application. Cisco Bug IDs: CSCvf77666.
A vulnerability in the Policy and Charging Rules Function (PCRF) of the Cisco Policy Suite (CPS) could allow an unauthenticated, remote attacker to access sensitive data. The attacker could use this information to conduct additional reconnaissance attacks. The attacker would also have to have access to the internal VLAN where CPS is deployed. The vulnerability is due to incorrect permissions of certain system files and not sufficiently protecting sensitive data that is at rest. An attacker could exploit the vulnerability by using certain tools available on the internal network interface to request and view system files. An exploit could allow the attacker to find out sensitive information about the application. Cisco Bug IDs: CSCvf77666.
CVSS 3.0 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVSS 2.0 Base Score 5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N).
The following code sets the umask of the process to 0 before creating a file and writing "Hello world" into the file.
}/* Ignore CWE-59 (link following) for brevity */fclose(out);After running this program on a UNIX system, running the "ls -l" command might return the following output:
-rw-rw-rw- 1 username 13 Nov 24 17:58 hello.outThe "rw-rw-rw-" string indicates that the owner, group, and world (all users) can read the file and write to it.
This code creates a home directory for a new user, and makes that user the owner of the directory. If the new directory cannot be owned by the user, the directory is deleted.
}return true;return false;return false;Because the optional "mode" argument is omitted from the call to mkdir(), the directory is created with the default permissions 0777. Simply setting the new user as the owner of the directory does not explicitly change the permissions of the directory, leaving it with the default. This default allows any user to read and write to the directory, allowing an attack on the user's files. The code also fails to change the owner group of the directory, which may result in access by unexpected groups.
This code may also be vulnerable to Path Traversal (CWE-22) attacks if an attacker supplies a non alphanumeric username.
The following code snippet might be used as a monitor to periodically record whether a web site is alive. To ensure that the file can always be modified, the code uses chmod() to make the file world-writable.
close($outFH);chmod 0777, $fileName;ExitError("Couldn't append to $fileName: $!");The first time the program runs, it might create a new file that inherits the permissions from its environment. A file listing might look like:
-rw-r--r-- 1 username 13 Nov 24 17:58 secretFile.outThis listing might occur when the user has a default umask of 022, which is a common setting. Depending on the nature of the file, the user might not have intended to make it readable by everyone on the system.
The next time the program runs, however - and all subsequent executions - the chmod will set the file's permissions so that the owner, group, and world (all users) can read the file and write to it:
-rw-rw-rw- 1 username 13 Nov 24 17:58 secretFile.outPerhaps the programmer tried to do this because a different process uses different permissions that might prevent the file from being updated.
The following command recursively sets world-readable permissions for a directory and all of its children:
chmod -R ugo+r DIRNAMEIf this command is run from a program, the person calling the program might not expect that all the files under the directory will be world-readable. If the directory is expected to contain private data, this could become a security problem.
The following code excerpt stores a plaintext user account ID in a browser cookie.
response.addCookie( new Cookie("userAccountID", acctID);Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker.
This code writes a user's login information to a cookie so the user does not have to login again later.
}setcookie ("userdata", $data);The code stores the user's username and password in plaintext in a cookie on the user's machine. This exposes the user's login information if their computer is compromised by an attacker. Even if the user's machine is not compromised, this weakness combined with cross-site scripting (CWE-79) could allow an attacker to remotely copy the cookie.
Also note this example code also exhibits Plaintext Storage in a Cookie (CWE-315).
The following code attempts to establish a connection, read in a password, then store it to a buffer.
...While successful, the program does not encrypt the data before writing it to a buffer, possibly exposing it to unauthorized actors.
The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in plaintext.
This Java example shows a properties file with a plaintext username / password pair.
...# Java Web App ResourceBundle properties fileThe following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in plaintext.
...<add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" />Username and password information should not be included in a configuration file or a properties file in plaintext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information and avoid CWE-260 and CWE-13.
ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.
If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.