Attackers aware that more data is being fed into a multicast or public
information distribution means can 'select' information bound only for
another client, even if the distribution means itself forces users to
authenticate in order to connect initally.
Doing so allows the attacker to gain access to possibly privileged
information, possibly perpetrate other attacks through the distribution
means by impersonation.
If the channel/message being manipulated is an input rather than output
mechanism for the system, (such as a command bus), this style of attack
could change its identifier from a less privileged to more so privileged
channel or command.
Attack Execution Flow
Determine the nature of messages being transported
as well as the identifiers to be used as part of the
attack
If required, authenticate to the distribution
channel
If any particular client's information is
available through the transport means simply by
selecting a particular identifier, an attacker can
simply provide that particular identifier.
Attackers with client access connecting to output
channels could change their channel identifier and
see someone else's (perhaps more privileged)
data.
Attack Prerequisites
Information and client-sensitive (and client-specific) data must be
present through a distribution channel available to all users.
Distribution means must code (through channel, message identifiers, or
convention) message destination in a manner visible within the distribution
means itself (such as a control channel) or in the messages
themselves.
Typical Likelihood of Exploit
Likelihood: Very High
Examples-Instances
Description
A certain B2B interface on a large application codes for messages
passed over a MQSeries queue, on a single "Partners" channel. Messages
on that channel code for their client destination based on a partner_ID
field, held by each message. That field is a simple integer. Attackers
having access to that channel, perhaps a particularly nosey partner, can
simply choose to store messages of another parnter's ID and read them as
they desire. Note that authentication does not prevent a partner from
leveraging this attack on other partners. It simply disallows Attackers
without partner status from conducting this attack.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
All the attacker needs to discover is the format of the messages on
the channel/distribution means and the particular identifier used within
the messages.
Resources Required
The Attacker needs the ability to control source code or application
configuration responsible for selecting which message/channel id is absorbed
from the public distribution means.
Probing Techniques
Assisted protocol analysis: because the protocol under attack is a public
channel, or one in which the attacker likely has authorized access to, they
need simply to decode the aspect of channel or message interpretation that
codes for message identifiers.
Probing is as simple as changing this value and watching its
effect.
Solutions and Mitigations
Associate some ACL (in the form of a token) with an authenticated user
which they provide middleware. The middleware uses this token as part of its
channel/message selection for that client, or part of a discerning
authorization decision for privileged channels/messages.
The purpose is to architect the system in a way that associates proper
authentication/authorization with each channel/message.
Rearchitect system input/output channels as appropriate to distribute
self-protecting data. That is, encrypt (or otherwise protect)
channels/messages so that only authorized readers can see them.
Use Authentication Mechanisms, Where Appropriate, Correctly
Use Authorization Mechanisms Correctly: this refers to Ambiguity of
authentication. Many authorization systems use ambiguous symbols (i.e.,
principal names) to identify principals allowing circumvention of
authorization by using a different, though equivalent, principal name. For
example, there are many implementations for restricting remote host access
to local services that may allow many proper—but apparently different—names
for unique hosts (e.g., fully qualified domain names, shortened names,
CNAMEs, IPv4 addresses, IPv6 addresses).
Purposes
Penetration
CIA Impact
Confidentiality Impact: Medium
Integrity Impact: Low
Availability Impact: Low
Technical Context
Architectural Paradigms
Client-Server
n-Tier
SOA
Frameworks
All
Platforms
All
Languages
All
Content History
Submissions
Submitter
Organization
Date
Comments
John Steven
Cigital, Inc
2007-02-10
Initial core pattern content
Modifications
Modifier
Organization
Date
Comments
Chiradeep B. Chhaya
Cigital, Inc
2007-02-23
Fleshed out pattern with extra
content
Richard Struse
VOXEM, Inc
2007-03-26
Review and feedback leading to changes in Description
and Related Attack Patterns
Sean Barnum
Cigital, Inc
2007-04-13
Modified pattern content according to review and
feedback
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2010, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.
Description
