Class · High

CWE-1177: Use of Prohibited Code

The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer.

CWE-1177 · Class Level · 2 CVEs · 1 Mitigation

Description

The developer, or the customer, may wish to restrict or eliminate use of a function, library, or third party component for any number of reasons, including real or suspected vulnerabilities; difficulty of using it securely; export controls or license requirements; obsolete or poorly maintained code; internal code scheduled for deprecation; and so on. To reduce the risk of vulnerabilities, the developer might maintain a list of "banned" functions that programmers must avoid because those functions are difficult or impossible to use securely. Beyond security, this issue can also make the product more costly and difficult to maintain.

Potential Impact

Other

Reduce Maintainability

Demonstrative Examples

The code below calls the gets() function to read in data from the command line.
Bad
    char buf[24];
    printf("Please enter your name and press <Enter>\n");
    gets(buf);   /* no bound: input longer than 23 characters overruns buf */
    ...
    }
However, gets() is inherently unsafe, because it copies all input from STDIN to the buffer without checking size. This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition.
The following code attempts to create a local copy of a buffer to perform some manipulations to the data.
Bad
    void manipulate_string(char * string){
        char buf[24];
        strcpy(buf, string);   /* unbounded copy into a 24-byte local buffer */
        ...
    }
However, the programmer does not ensure that the size of the data pointed to by string will fit in the local buffer and copies the data with the potentially dangerous strcpy() function. This may result in a buffer overflow condition if an attacker can influence the contents of the string parameter.

Mitigations & Prevention

Phases: Build and Compilation; Implementation

Identify a list of prohibited API functions and prohibit developers from using these functions, providing safer alternatives. In some cases, automatic code analysis tools or the compiler can be instructed to spot use of prohibited functions, such as the "banned.h" include file from Microsoft's SDL. [REF-554] [REF-1009] [REF-7]
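As an added illustration of this mitigation (not part of the CWE entry, and not Microsoft's banned.h itself), the following C file combines a project-local poison list that makes the compiler reject the prohibited functions with safe rewrites of the two demonstrative examples above. It assumes GCC or Clang for `#pragma GCC poison`; the function names and the tmpfile-based helper are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Project-local "banned list" in the spirit of Microsoft's banned.h:
 * after this pragma any token use of these names is a compile error
 * in GCC and Clang (assumed compilers), so a review cannot miss them. */
#pragma GCC poison gets strcpy strcat sprintf

/* Replacement for the gets() example: bounded read that strips the
 * newline and reports over-long input instead of silently truncating. */
bool read_name(FILE *in, char *buf, size_t size) {
    if (size == 0 || !fgets(buf, (int)size, in)) return false;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') { buf[len - 1] = '\0'; return true; }
    if (feof(in)) return true;            /* last line without newline */
    int c;                                /* line did not fit: drain it */
    while ((c = fgetc(in)) != EOF && c != '\n') { }
    buf[0] = '\0';
    return false;
}

/* Helper for the self-test: feeds constructed text through read_name. */
bool read_name_from_text(const char *text, char *buf, size_t size) {
    FILE *f = tmpfile();
    if (!f) return false;
    fputs(text, f);
    rewind(f);
    bool ok = read_name(f, buf, size);
    fclose(f);
    return ok;
}

/* Replacement for manipulate_string(): the source length is checked
 * against the destination before any copy, so no overflow is possible. */
bool manipulate_string(const char *string, char *out, size_t out_size) {
    size_t len = strlen(string);
    if (len >= out_size) return false;    /* would not fit: refuse */
    memcpy(out, string, len + 1);
    if (out[0] >= 'a' && out[0] <= 'z') out[0] -= 'a' - 'A'; /* sample edit */
    return true;
}
int main(void) {                          /* the entry's scenario, done safely */
    char buf[24], copy[24];
    printf("Please enter your name and press <Enter>\n");
    if (!read_name(stdin, buf, sizeof buf)) { puts("name too long"); return 1; }
    if (manipulate_string(buf, copy, sizeof copy)) printf("Hello, %s\n", copy);
    return 0;
}
```

Uncommenting a call to gets() or strcpy() anywhere below the pragma fails the build with a "poisoned identifier" error, which is the compile-time check the mitigation describes.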

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE ID          Description
CVE-2007-1470   Library has multiple buffer overflows using sprintf() and strcpy()
CVE-2007-4004   FTP client uses inherently insecure gets() function and is setuid root on some systems, allowing buffer overflow

Frequently Asked Questions

What is CWE-1177?

CWE-1177 (Use of Prohibited Code) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer.

How can CWE-1177 be exploited?

Attackers can exploit CWE-1177 (Use of Prohibited Code) to reduce maintainability. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-1177?

Key mitigations include: Identify a list of prohibited API functions and prohibit developers from using these functions, providing safer alternatives. In some cases, automatic code analysis tools or the compiler can be instru

What is the severity of CWE-1177?

CWE-1177 is classified as a Class-level weakness (High abstraction). It has been observed in 2 real-world CVEs.