CWE-242: Use of Inherently Dangerous Function
CWE version: 4.18
Last updated: 2025-09-09
Weakness Description
The product calls a function that can never be guaranteed to work safely.
Extended Description
Certain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account. The gets() function is unsafe because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to gets() and overflow the destination buffer. Similarly, the >> operator is unsafe to use when reading into a statically-allocated character array because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to the >> operator and overflow the destination buffer.
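As an added example (not part of the CWE entry), the bounded replacements for the two cases named above in C++: gets() replaced by istream::getline into a fixed-size array with truncation detected and reported, and operator>> bounded with std::setw. The function names and the sample input are constructed for this illustration.

```cpp
#include <cstddef>
#include <cstring>
#include <iomanip>
#include <iostream>
#include <limits>
#include <sstream>

enum class ReadResult { Ok, Truncated, Eof };

// Bounded replacement for gets(): never writes more than N bytes into buf
// (N-1 characters plus the terminating NUL), whatever the input length.
template <std::size_t N>
ReadResult read_line_bounded(std::istream& is, char (&buf)[N]) {
    static_assert(N > 1, "buffer must hold at least one character plus NUL");
    is.getline(buf, N);  // stops after N-1 characters or at '\n'
    if (is.fail()) {
        if (is.eof()) return ReadResult::Eof;  // nothing was left to read
        // The line did not fit: N-1 characters were stored and failbit set.
        // Recover and discard the rest so the next read starts on a new line.
        is.clear();
        is.ignore(std::numeric_limits<std::streamsize>::max(), '\n');
        return ReadResult::Truncated;
    }
    return ReadResult::Ok;
}

// Bounded operator>> into a static char array: std::setw(N) caps extraction
// at N-1 characters. A bare `is >> buf` through a char* (pre-C++20) has no
// limit at all and writes past the end of the array on long input.
template <std::size_t N>
bool read_word_bounded(std::istream& is, char (&buf)[N]) {
    is >> std::setw(N) >> buf;
    return static_cast<bool>(is);
}

int main() {
    // Constructed input: the first line is longer than the 8-byte buffer.
    std::istringstream lines("0123456789ABCDEF\nshort\n");
    char line[8];
    ReadResult r;
    while ((r = read_line_bounded(lines, line)) != ReadResult::Eof)
        std::cout << (r == ReadResult::Truncated ? "truncated: " : "ok: ")
                  << line << '\n';
    std::istringstream words("supercalifragilistic rest");
    char word[8];
    if (read_word_bounded(words, word)) std::cout << "word: " << word << '\n';
}
```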
Common Consequences
Scope: Other
Technical Impact: Varies by Context
Potential Mitigations
Phases: Implementation, Requirements
Description: Ban the use of dangerous functions. Use their safe equivalent.
Phase: Testing
Description: Use grep or static analysis tools to spot usage of dangerous functions.
Detection Methods
Method: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Effectiveness: High
Observed Examples
Reference: CVE-2007-4004
FTP client uses inherently insecure gets() function and is setuid root on some systems, allowing buffer overflow.
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |
Applicable Platforms
Programming Languages
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name | Mapping Fit |
|---|---|---|---|
| 7 Pernicious Kingdoms | - | Dangerous Functions | - |
| CERT C Secure Coding | POS33-C | Do not use vfork() | CWE More Abstract |
| Software Fault Patterns | SFP3 | Use of an improper API | - |