Multiple Binds to the Same Port

Draft Variant

Structure: Simple

Description

When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed.

Extended Description

On most systems, a combination of setting the SO_REUSEADDR socket option, and a call to bind() allows any process to bind to a port to which a previous process has bound with INADDR_ANY. This allows a user to bind to the specific address of a server bound to INADDR_ANY on an unprivileged port, and steal its UDP packets/TCP connection.

Common Consequences 1

Scope: ConfidentialityIntegrity

Impact: Read Application Data

Packets from a variety of network services may be stolen or the services spoofed.

Potential Mitigations 1

Phase: Policy

Restrict server socket address to known local addresses.

Demonstrative Examples 1

ID : DX-184

This code binds a server socket to port 21, allowing the server to listen for traffic on that port.

Code Example:

Bad

/unlink the socket if already bound to avoid an error when bind() is called/*

This code may result in two servers binding a socket to same port, thus receiving each other's traffic. This could be used by an attacker to steal packets meant for another process, such as a secure FTP server.

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Modes of Introduction

Implementation

Operation

Related Weaknesses

ChildOf:

Multiple Operations on Resource in Single-Operation Context (CWE-675)

ChildOf:

Operation on Resource in Wrong Phase of Lifetime (CWE-666)

Taxonomy Mapping

Software Fault Patterns