Month: June 2019

The Potential of Finding Privilege Escalation Vulnerabilities Through CWE-347

The Potential of Finding Privilege Escalation Vulnerabilities Through CWE-347

Security, Vulnerabilities
I found the concept of privilege escalation attacks quite interesting because in theory, it's easy to understand the goal but it actually requires creativity to execute or even discover. While doing research, I came across CWE-347 that was assigned to "Improper Verification of Cryptographic Signature". Its description follows as "The software does not verify, or incorrectly verifies, the cryptographic signature for data". Having a thought about this, if we talk about verifying cryptographic signature for data, we point out the integrity of the data involved or simply, "is the data tampered or not?" If you've seen the example code given in the CWE-347 page, you'll notice that the verification of the cryptographic signature of data can be in the form of checking if a downloaded file w...