Return of Wrong Status Code

Status: Draft
Abstraction: Base
Structure: Simple
Description

A function or operation returns an incorrect return value or status code that does not indicate the true result of execution, causing the product to modify its behavior based on the incorrect result.

Extended Description

This can lead to unpredictable behavior. If the function is used to make security-critical decisions or provide security-critical information, then the wrong status code can cause the product to assume that an action is safe or correct, even when it is not.

Common Consequences

Scope: Integrity, Other

Impact: Unexpected State; Alter Execution Logic

This weakness could place the system in a state that leads to unexpected logic being executed or to other unintended behaviors.

Detection Methods

Fuzzing (Effectiveness: High)
Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
Demonstrative Examples

ID: DX-186

In the following example, an HTTP 404 status code is returned in the event of an IOException encountered in a Java servlet. A 404 code is typically meant to indicate a non-existent resource and would be somewhat misleading in this case.

Code Example (Bad, Java):

```java
try {
    // something that might throw IOException
    ...
} catch (IOException ioe) {
    // Bad: an I/O failure is reported to the client as "resource not found"
    response.sendError(SC_NOT_FOUND);
}
```
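Added example (not code from the CWE entry): the servlet pattern above and its corrected form rewritten in Python, together with the fuzz-style check described under Detection Methods, which flags every input where the reported status disagrees with what actually happened. The resource store, the simulated disk fault on "report.pdf" and the oracle are constructed for this example.

```python
import random
SC_OK, SC_NOT_FOUND, SC_INTERNAL_SERVER_ERROR = 200, 404, 500

# Constructed stand-in for the servlet's backing store. Reading "report.pdf"
# raises IOError to simulate a disk fault on a resource that does exist.
RESOURCES = {"index.html": b"<html/>", "report.pdf": b"%PDF-"}

def read_resource(name: str) -> bytes:
    if name not in RESOURCES:
        raise FileNotFoundError(name)
    if name.endswith(".pdf"):
        raise IOError("simulated disk read failure")
    return RESOURCES[name]

def handle_bad(name: str) -> int:
    """Mirrors the page's Bad servlet: every IOException becomes 404."""
    try:
        read_resource(name)
        return SC_OK
    except IOError:  # FileNotFoundError is a subclass, so it is caught too
        return SC_NOT_FOUND

def handle_fixed(name: str) -> int:
    """Report the true outcome: missing resource -> 404, read failure -> 500."""
    try:
        read_resource(name)
        return SC_OK
    except FileNotFoundError:
        return SC_NOT_FOUND
    except IOError:
        return SC_INTERNAL_SERVER_ERROR

def true_status(name: str) -> int:
    """Oracle: derive the correct status from the store, not from a handler."""
    if name not in RESOURCES:
        return SC_NOT_FOUND
    return SC_INTERNAL_SERVER_ERROR if name.endswith(".pdf") else SC_OK

def fuzz_status_codes(handler, rounds: int = 200, seed: int = 1) -> list:
    """Fuzz-style check: random inputs; collect every (input, reported, true) mismatch."""
    rng = random.Random(seed)
    corpus = list(RESOURCES) + ["missing.txt", ""]  # constructed input corpus
    seen = set()
    for _ in range(rounds):
        name = rng.choice(corpus)
        reported, actual = handler(name), true_status(name)
        if reported != actual:
            seen.add((name, reported, actual))
    return sorted(seen)
```

Running `fuzz_status_codes(handle_bad)` reports the one input where a backend fault is mislabelled as 404; the fixed handler produces no mismatches.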

Observed Examples

  • CVE-2003-1132: DNS server returns wrong response code for non-existent AAAA record, which effectively says that the domain is inaccessible.
  • CVE-2001-1509: Hardware-specific implementation of system call causes incorrect results from geteuid.
  • CVE-2001-1559: Chain: System call returns wrong value (Return of Wrong Status Code), leading to a resultant NULL dereference (NULL Pointer Dereference).
  • CVE-2014-1266: Chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing an Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). Incorrect Control Flow Scoping -> Dead Code -> Improper Certificate Validation -> Return of Wrong Status Code -> Channel Accessible by Non-Endpoint.
Applicable Platforms
Languages:
Not Language-Specific (Prevalence: Undetermined)
Modes of Introduction
Implementation
Taxonomy Mapping
  • PLOVER
  • Software Fault Patterns
Notes
Relationship: This can be primary or resultant, but it is probably most often primary to other issues.