This attack pattern involves causing a buffer overflow through
manipulation of environment variables. Once the attacker finds that they can
modify an environment variable, they may try to overflow associated buffers.
This attack leverages implicit trust often placed in environment
variables.
Attack Execution Flow
The attacker tries to find an environment variable
which can be overwritten for instance by gathering
information about the target host (error pages,
software's version number, etc.).
The attacker manipulates the environment variable
to contain excessive-length content to cause a
buffer overflow.
The attacker potentially leverages the buffer
overflow to inject maliciously crafted code in an
attempt to execute privileged command on the target
environment.
Attack Prerequisites
The application uses environment variables.
An environment variable exposed to the user is vulnerable to a buffer
overflow.
The vulnerable environment variable uses untrusted data.
Tainted data used in the environment variables is not properly validated.
For instance boundary checking is not done before copying the input data to
a buffer.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Examples-Instances
Description
A buffer overflow in sccw allows local users to gain root access via
the $HOME environmental variable.
Related Vulnerabilities
CVE-1999-0906
Description
A buffer overflow in the rlogin program involves its consumption of
the TERM environmental variable.
Related Vulnerabilities
CVE-1999-0046
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
An attacker can simply overflow a buffer by inserting a long string
into an attacker-modifiable injection vector. The result can be a
DoS.
High : Exploiting a buffer overflow to inject malicious code into the
stack of a software system or even the heap can require a higher skill
level.
Probing Techniques
Description
While interacting with a system an attacker would typically
investigate for environment variables that can be overwritten. The more
a user knows about a system the more likely she will find a vulnerable
environment variable.
Description
On a web environment, the attacker can read the client side code and
search for environment variables that can be overwritten.
Description
There are tools such as Sharefuzz (http://sharefuzz.sourceforge.net/)
which is an environment variable fuzzer for Unix that support loading a
shared library. Attackers can use such tools to uncover a buffer
overflow in an environment variable.
Indicators-Warnings of Attack
Description
If the application does bound checking, it should fail when the data
source is larger than the size of the destination buffer. If the
application's code is well written, that failure should triger an
alert.
Solutions and Mitigations
Do not expose environment variable to the user.
Do not use untrusted data in your environment variables.
Use a language or compiler that performs automatic bounds checking
There are tools such as Sharefuzz (http://sharefuzz.sourceforge.net/)
which is an environment variable fuzzer for Unixes that support loading a
shared library. You can use Sharefuzz to determine if you are exposing an
environment variable vulnerable to buffer overflow.
Attack Motivation-Consequences
Scope
Technical Impact
Note
Availability
DoS: crash / exit /
restart
Confidentiality
Integrity
Availability
Execute unauthorized code or
commands
Confidentiality
Read memory
Integrity
Modify memory
Confidentiality
Access_Control
Authorization
Gain privileges / assume
identity
Injection Vector
The user modifiable environment variable.
Payload
User supplied data potentially containing malicious code.
Activation Zone
When the subroutine which uses the environment variable returns control to the
main program, it jumps to the return address portion of the stack frame.
Unfortunately that return address may have been overwritten by the overflowed
buffer and the address may contain a call to a privileged command or to a
malicious code.
Description
