CAPEC

Common Attack Pattern Enumeration and Classification
Common Attack Pattern Enumeration and Classification

A Community Knowledge Resource for Building Secure Software

Home > CAPEC List > Individual CAPEC Dictionary Definition (Release 1.1)   View the CAPEC List

Individual CAPEC Dictionary Definition (Release 1.1)
Individual CAPEC Dictionary Definition (Release 1.1)

Choosing a Message/Channel Identifier on a Public/Multicast Channel
Attack Pattern ID
Pattern Abstraction: Standard

12

Typical Severity

High

Description

Summary

Attackers aware that more data is being fed into a multicast or public information distribution means can 'select' information bound only for another client, even if the distribution means itself forces users to authenticate in order to connect initally.
Doing so allows the attacker to gain access to possibly privileged information, possibly perpetrate other attacks through the distribution means by impersonation.
If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could change its identifier from a less privileged to more so privileged channel or command.

Attack Execution Flow

  1. Determine the nature of messages being transported as well as the identifiers to be used as part of the attack

  2. If required, authenticate to the distribution channel

  3. If any particular client's information is available through the transport means simply by selecting a particular identifier, an attacker can simply provide that particular identifier.

  4. Attackers with client access connecting to output channels could change their channel identifier and see someone else's (perhaps more privileged) data.

Attack Prerequisites

Information and client-sensitive (and client-specific) data must be present through a distribution channel available to all users.

Distribution means must code (through channel, message identifiers, or convention) message destination in a manner visible within the distribution means itself (such as a control channel) or in the messages themselves.

Typical Likelihood of Exploit

Very High

Examples-Instances

Description


A certain B2B interface on a large application codes for messages passed over a MQSeries queue, on a single "Partners" channel. Messages on that channel code for their client destination based on a partner_ID field, held by each message. That field is a simple integer. Attackers having access to that channel, perhaps a particularly nosey partner, can simply choose to store messages of another parnter's ID and read them as they desire. Note that authentication does not prevent a partner from leveraging this attack on other partners. It simply disallows Attackers without partner status from conducting this attack.

Attacker Skill or Knowledge Required

Low: All the attacker needs to discover is the format of the messages on the channel/distribution means and the particular identifier used within the messages.

Resources Required

The Attacker needs the ability to control source code or application configuration responsible for selecting which message/channel id is absorbed from the public distribution means.

Probing Techniques

Assisted protocol analysis: because the protocol under attack is a public channel, or one in which the attacker likely has authorized access to, they need simply to decode the aspect of channel or message interpretation that codes for message identifiers. Probing is as simple as changing this value and watching its effect.

Solutions and Mitigations

Associate some ACL (in the form of a token) with an authenticated user which they provide middleware. The middleware uses this token as part of its channel/message selection for that client, or part of a discerning authorization decision for privileged channels/messages. The purpose is to architect the system in a way that associates proper authentication/authorization with each channel/message.

Rearchitect system input/output channels as appropriate to distribute self-protecting data. That is, encrypt (or otherwise protect) channels/messages so that only authorized readers can see them.

Attack Motivation-Consequences
  • Information Leakage
  • Privilege Escalation
Context Description

This pattern applies in circumstances in which publically accessible distribution means code (through channel, message identifiers, or convention) for client-specific subscription information about messages being distributed. Commonly, this will happen over message-oriented middleware buses, multicast channels, or feeds.

Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
201Information Leak Through Sent DataTargeted
306No Authentication for Critical FunctionSecondary
Related Attack Patterns
IDNameRelationship TypeRelationship Description
21Exploitation of Session Variables, Resource IDs and other Trusted CredentialsSimilar
Related Security Principles
  • Complete Mediation
Related Guidelines
  • Use Authentication Mechanisms, Where Appropriate, Correctly
  • Use Authorization Mechanisms Correctly: this refers to Ambiguity of authentication. Many authorization systems use ambiguous symbols (i.e., principal names) to identify principals allowing circumvention of authorization by using a different, though equivalent, principal name. For example, there are many implementations for restricting remote host access to local services that may allow many proper—but apparently different—names for unique hosts (e.g., fully qualified domain names, shortened names, CNAMEs, IPv4 addresses, IPv6 addresses).
Purpose

Penetration

CIA Impact
Confidentiality ImpactIntegrity ImpactAvailability Impact
MediumLowLow
Technical Context
Architectural ParadigmFrameworkPlatformLanguage
Client-ServerAllAllAll
Source
Submission(s)
SubmitterOrganizationDateComment
John StevenCigital, Inc2007-02-10Initial core pattern content
Modification(s)
ModifierOrganizationDateComment
Chiradeep B. ChhayaCigital, Inc2007-02-23Fleshed out pattern with extra content
Richard StruseVOXEM, Inc2007-03-26Review and feedback leading to changes in Description and Related Attack Patterns
Sean BarnumCigital, Inc2007-04-13Modified pattern content according to review and feedback
Back to top
 

CAPEC is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

Vision and Technical Leadership provided by Cigital, Inc.

This Web site is hosted by The MITRE Corporation.
Copyright 2008, The MITRE Corporation.

Contact capec@mitre.org for more information.
Page Last Updated: April 18, 2008
Privacy policy
Terms of use
Contact us