CWE-344: Use of Invariant Value in Dynamically Changing Context

CWE-344: Use of Invariant Value in Dynamically Changing Context | RadicalNotion.AI

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code is an example of an internal hard-coded password in the back-end:

Vulnerable example

int VerifyAdmin(char *password) {

Vulnerable example

java

int VerifyAdmin(String password) {

Every instance of this program can be placed into diagnostic mode with the same password. Even worse is the fact that if this program is distributed as a binary-only distribution, it is very difficult to change that password or disable this "functionality."

This code assumes a particular function will always be found at a particular address. It assigns a pointer to that address and calls the function.

Vulnerable example

// Here we can inject code to execute.
int (*pt2Function) (float, char, char)=0x08040000;

The same function may not always be found at the same memory address. This could lead to a crash, or an attacker may alter the memory at the expected address, leading to arbitrary code execution.

CWE-344: Use of Invariant Value in Dynamically Changing Context

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-344?

What CVEs are caused by CWE-344?

What are the consequences of CWE-344?

Is CWE-344 actively exploited?

References

Stay ahead of CWE-344

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-344?

What CVEs are caused by CWE-344?

What are the consequences of CWE-344?

Is CWE-344 actively exploited?

References

Stay ahead of CWE-344