Home > CAPEC List > CAPEC-10: Buffer Overflow via Environment Variables (Version 2.4)  

CAPEC-10: Buffer Overflow via Environment Variables

 
Buffer Overflow via Environment Variables
Definition in a New Window Definition in a New Window
Attack Pattern ID: 10
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Description

Summary

This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.

Attack Execution Flow

Explore
  1. The attacker tries to find an environment variable which can be overwritten for instance by gathering information about the target host (error pages, software's version number, etc.).

Experiment
  1. The attacker manipulates the environment variable to contain excessive-length content to cause a buffer overflow.

Exploit
  1. The attacker potentially leverages the buffer overflow to inject maliciously crafted code in an attempt to execute privileged command on the target environment.

+ Attack Prerequisites
  • The application uses environment variables.

  • An environment variable exposed to the user is vulnerable to a buffer overflow.

  • The vulnerable environment variable uses untrusted data.

  • Tainted data used in the environment variables is not properly validated. For instance boundary checking is not done before copying the input data to a buffer.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
+ Examples-Instances

Description

A buffer overflow in sccw allows local users to gain root access via the $HOME environmental variable.

Related Vulnerabilities

Description

A buffer overflow in the rlogin program involves its consumption of the TERM environmental variable.

Related Vulnerabilities

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.

Skill or Knowledge Level: High

Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.

+ Probing Techniques

Description

While interacting with a system an attacker would typically investigate for environment variables that can be overwritten. The more a user knows about a system the more likely she will find a vulnerable environment variable.

Description

On a web environment, the attacker can read the client side code and search for environment variables that can be overwritten.

Description

There are tools such as Sharefuzz [R.10.3] which is an environment variable fuzzer for Unix that supports loading a shared library. Attackers can use such tools to uncover a buffer overflow in an environment variable.

+ Indicators-Warnings of Attack

Description

If the application does bound checking, it should fail when the data source is larger than the size of the destination buffer. If the application's code is well written, that failure should trigger an alert.

+ Solutions and Mitigations

Do not expose environment variable to the user.

Do not use untrusted data in your environment variables.

Use a language or compiler that performs automatic bounds checking

There are tools such as Sharefuzz [R.10.3] which is an environment variable fuzzer for Unix that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Availability
DoS: crash / exit / restart
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read memory
Integrity
Modify memory
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
+ Injection Vector

The user modifiable environment variable.

+ Payload

User supplied data potentially containing malicious code.

+ Activation Zone

When the subroutine which uses the environment variable returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to a malicious code.

+ Payload Activation Impact

Description

The most common is remote code execution.

+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ References
[R.10.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
[R.10.2] [REF-3] "Common Weakness Enumeration (CWE)". CWE-119: Buffer Errors. Draft. The MITRE Corporation. 2007. <http://cwe.mitre.org/data/definitions/119.html>.
[R.10.3] "Sharefuzz". <http://sharefuzz.sourceforge.net>.
+ Content History
Submissions
SubmitterOrganizationDate
[R.10.1][REF-2] Cigital, Inc2007-03-01
Modifications
ModifierOrganizationDateCommentsSource
Eric DalciCigital, Inc2007-02-13Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software"
Sean BarnumCigital, Inc2007-03-05Review and revise
Richard StruseVOXEM, Inc2007-03-26Review and feedback leading to changes in Name
Sean BarnumCigital, Inc2007-04-13Modified pattern content according to review and feedback
CAPEC Content TeamThe MITRE Corporation2013-06-21Updated Description, Skill_or_Knowledge_Level, Skill_or_Knowledge_Type, and Solution_or_MitigationInternal
CAPEC Content TeamThe MITRE Corporation2013-12-18Updated Indicators-Warnings_of_AttackInternal
CAPEC Content TeamThe MITRE Corporation2014-02-06Updated Attack_Phases, Probing_Techniques, Solutions_and_MitigationsInternal
CAPEC Content TeamThe MITRE Corporation2014-04-10Updated Solutions_and_MitigationsInternal

Page Last Updated: April 10, 2014