Unsafe Native Invoke

ABSTRACT

Platform Invocation Service 使用不當會導致受管應用程序很容易受到其他語言的安全漏洞攻擊。

EXPLANATION

當受管應用程序使用 P/Invoke 調用以其他編程語言編寫的本機（非受管）代碼時，會發生 Unsafe Native Invoke 漏洞。



例如：以下 C# 代碼定義了一個名為 Echo 的類。這個類聲明了一個本地方法（下文定義），使用 C 語言將控制臺上輸入的命令回顯給用戶。

class Echo
{
[DllImport("mylib.dll")]
internal static extern void RunEcho();
	
static void main(String[] args)
  {
RunEcho();
  }
}

#include <stdio.h>

void __stdcall RunEcho() 
{
char* buf = (char*) malloc(64 * sizeof(char));
gets(buf);
printf(buf);
}

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A1 Unvalidated Input

[2] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I

[3] Standards Mapping - Security Technical Implementation Guide Version 3.4 - (STIG 3.4) APP3510 CAT I

[4] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 111

[5] How to:Call Native DLLs from Managed Code Using PInvoke

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.1

[8] Standards Mapping - FIPS200 - (FISMA) SI