CAPEC - CAPEC-13: Subverting Environment Variable Values (Release 2.0)

Home > CAPEC List > CAPEC-13: Subverting Environment Variable Values (Release 2.0)

CAPEC List
Full CAPEC Dictionary
Methods of Attack View
Reports

About CAPEC
Documents
Resources

Community
Related Activities
Collaboration List
T-Shirt
Contact Us

News & Events
Calendar
Free Newsletter

Compatibility
Program
Requirements
Participants
Make a Declaration

Search the Site

CAPEC-13: Subverting Environment Variable Values

Subverting Environment Variable Values

Attack Pattern ID: 13 (Standard Attack Pattern Completeness: Complete)

Typical Severity: Very High

Status: Draft

Description

Summary

The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.

Attack Execution Flow

The attacker probes the application for information. Which version of the application is running? Are there known environment variables? etc.
The attacker gains control of an environment variable and ties to find out what process(es) the environment variable controls.
The attacker modifies the environment variable to abuse the normal flow of processes or to gain access to privileged ressources.

Attack Prerequisites

An environment variable is accessible to the user.

An environment variable used by the application can be tainted with user supplied data.

Input data used in an environment variable is not validated properly.

The variables encapsulation is not done properly. For instance setting a variable as public in a class makes it visible and an attacker may attemp to manipulate that variable.

Typical Likelihood of Exploit

Likelihood: Very High

Methods of Attack

Injection
Modification of Resources
Protocol Manipulation

Examples-Instances

Description

Environment variables

Changing the LD_LIBRARY_PATH environment variable in TELNET will cause TELNET to use an alternate (possibly Trojan) version of a function library. The Trojan library must be accessible using the target file system and should include Trojan code that will allow the user to log in with a bad password. This requires that the attacker upload the Trojan library to a specific location on the target.

As an alternative to uploading a Trojan file, some file systems support file paths that include remote addresses, such as \\172.16.2.100\shared_files\trojan_dll.dll.

Related Vulnerabilities

Path Manipulation (CVE-1999-0073)

Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

In a web based scenario, the client controls the data that it submitted to the server. So anybody can try to send malicious data and try to bypass the authentication mechanism.

Medium/High: Some more advanced attacks may require knowledge about protocols and probing technique which help controling a variable. The malicious user may try to understand the authentication mechanism in order to defeat it.

Probing Techniques

Description

An attacker can intentionally modify the client side parameter and monitor how the server behaves in response to that modification. For instance an attacker will look at the cookie data, the URL parameters, the hidden variables in forms, variables used in system calls, etc.

Description

If the client uses a program in binary format to connect to the server, disassembler can be used to identify parameter within the binary code, and then the attacker would try to simulate the client application and change some of the parameters sent to the server. For instance the attacker may find that a secret key or a path is hard coded in the binary client application.

Description

Environment variables are frequently stored in cleartext configuration files. If the attacker can modify those configuration files, he can control the environment variables. Even a read access can potentially be dangerous since this may give sensitive information to perform this type of attack. Indeed knowing which environment variables the application uses is a prerequisite to this type of attack.

Obfuscation Techniques

Description

The attacker may try to obfuscate its attempts to subvert the target process (such as authentication) by using valid values for the variable she controls. By using valid values the user tries to understand the authentication mechanism. This would be in preparation to a more serious attack.

Solutions and Mitigations

Protect environment variables against unauthorized read and write access.

Protect the configuration files which contain environment variables against illegitimate read and write access.

Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system.

Apply the least privilege principles. If a process has no legitimate reason to read an environment variable do not give that privilege.

Attack Motivation-Consequences

Scope	Technical Impact	Note
Confidentiality Integrity Availability	Execute unauthorized code or commands
Confidentiality Access_Control Authorization	Bypass protection mechanism
Availability	Unexpected State
Confidentiality	Read application data

Injection Vector

The client controlled parameter

Payload

The new value of the client controlled parameter.

Activation Zone

The activation zone is the server side function where the client controlled parameter is consumed.

Payload Activation Impact

Description

Consuming an attacker contolled parameter can defeat the normal process of the application.

Related Weaknesses

CWE-ID	Weakness Name	Weakness Relationship Type
353	Missing Support for Integrity Check	Targeted
285	Improper Authorization	Secondary
302	Authentication Bypass by Assumed-Immutable Data	Targeted
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	Targeted
15	External Control of System or Configuration Setting	Targeted
73	External Control of File Name or Path	Targeted
20	Improper Input Validation	Secondary
200	Information Exposure	Secondary

Related Vulnerabilities

Vulnerability ID	Relationship Description
CVE-2006-4244	SQL-Ledger 2.4.4 through 2.6.17 authenticates users by verifying that the value of the sql-ledger-[username] cookie matches the value of the sessionid parameter, which allows remote attackers to gain access as any logged-in user by setting the cookie and the parameter to the same value.
CVE-2006-2734	enter.asp in Mini-Nuke 2.3 and earlier makes it easier for remote attackers to conduct password guessing attacks by setting the guvenlik parameter to the same value as the hidden gguvenlik parameter, which bypasses a verification step because the guvenlik parameter is assumed to be immutable by the attacker.
CVE-2006-2527	Admin/admin.php in phpBazar 2.1.0 and earlier allows remote attackers to bypass the authentication process and gain unauthorized access to the administrative section by setting the action parameter to edit_member and the value parameter to 1.
CVE-2006-1505	base_maintenance.php in Basic Analysis and Security Engine (BASE) before 1.2.4 (melissa), when running in standalone mode, allows remote attackers to bypass authentication, possibly by setting the standalone parameter to "yes".

Related Attack Patterns

Nature	Type	ID	Name	View(s) this relationship pertains to
PeerOf	Attack Pattern	10	Buffer Overflow via Environment Variables	Mechanism of Attack1000
CanPrecede	Attack Pattern	14	Client-side Injection-induced Buffer Overflow	Mechanism of Attack1000
ChildOf	Attack Pattern	77	Manipulating User-Controlled Variables	Mechanism of Attack1000
ChildOf	Attack Pattern	264	Environment variable manipulation	Mechanism of Attack (primary)1000
ParentOf	Attack Pattern	38	Leveraging/Manipulating Configuration File Search Paths	Mechanism of Attack1000
ParentOf	Attack Pattern	76	Manipulating Input to File System Calls	Mechanism of Attack1000

Purposes

Penetration

CIA Impact

Confidentiality Impact: Medium

Integrity Impact: High

Availability Impact: Low

Technical Context

Architectural Paradigms	All
Frameworks	All
Platforms	All
Languages	All

References

G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.

CWE - Input Validation

Content History

Submissions
Submitter	Organization	Date
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.	Cigital, Inc	2007-03-01

Modifications
Modifier	Organization	Date	Comments
Eric Dalci	Cigital, Inc	2007-02-13	Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software"
Sean Barnum	Cigital, Inc	2007-03-05	Review and revise
Richard Struse	VOXEM, Inc	2007-03-26	Review and feedback leading to changes in Name, Description and Related Attack Patterns
Sean Barnum	Cigital, Inc	2007-04-13	Modified pattern content according to review and feedback

Page Last Updated: May 18, 2012


	CAPEC is co-sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2007 - 2013, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation. Contact capec@mitre.org for more information.	Privacy policy Terms of use Contact us

Common Attack Pattern Enumeration and Classification

CAPEC-13: Subverting Environment Variable Values