Individual CAPEC Dictionary Definition (Release 1.1)

Subverting Environment Variable Values

| Field | Content |
|---|---|
| Attack Pattern ID | 13 |
| Pattern Abstraction | Standard |
| Typical Severity | Very High |
| Description | Summary: The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker. |
| Attack Execution Flow | |
| Attack Prerequisites | An environment variable is accessible to the user. An environment variable used by the application can be tainted with user-supplied data. Input data used in an environment variable is not validated properly. The variable's encapsulation is not done properly; for instance, declaring a variable public in a class makes it visible, and an attacker may attempt to manipulate that variable. |
| Typical Likelihood of Exploit | Very High |
| Methods of Attack | |
| Examples-Instances | Description: Environment variables. Related Vulnerability: Path Manipulation (CVE-1999-0073). |
| Attacker Skill or Knowledge Required | Low: In a web-based scenario, the client controls the data that it submits to the server, so anybody can try to send malicious data and attempt to bypass the authentication mechanism. Medium/High: Some more advanced attacks may require knowledge about protocols and probing techniques that help in controlling a variable. The malicious user may try to understand the authentication mechanism in order to defeat it. |
| Probing Techniques | An attacker can intentionally modify the client-side parameter and monitor how the server behaves in response to that modification. For instance, an attacker will look at the cookie data, the URL parameters, the hidden variables in forms, variables used in system calls, etc. If the client uses a program in binary format to connect to the server, a disassembler can be used to identify parameters within the binary code, and the attacker would then try to simulate the client application and change some of the parameters sent to the server. For instance, the attacker may find that a secret key or a path is hard-coded in the binary client application. Environment variables are frequently stored in cleartext configuration files. If the attacker can modify those configuration files, he can control the environment variables. Even read access can be dangerous, since it may reveal sensitive information needed to perform this type of attack; indeed, knowing which environment variables the application uses is a prerequisite to this type of attack. |
| Obfuscation Techniques | The attacker may try to obfuscate attempts to subvert the target process (such as authentication) by using valid values for the variable she controls. By using valid values the user tries to understand the authentication mechanism, in preparation for a more serious attack. |
| Solutions and Mitigations | Protect environment variables against unauthorized read and write access. Protect the configuration files which contain environment variables against illegitimate read and write access. Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications; input that does not match the white list should not be permitted to enter the system. Apply the least privilege principle: if a process has no legitimate reason to read an environment variable, do not give it that privilege. |
| Attack Motivation- | |
| Context Description | |
| Injection Vector | The client-controlled parameter. |
| Payload | The new value of the client-controlled parameter. |
| Activation Zone | The activation zone is the server-side function where the client-controlled parameter is consumed. |
| Payload Activation Impact | Consuming an attacker-controlled parameter can defeat the normal process of the application. |
| Related Weaknesses | |
| Related Vulnerabilities | |
| Related Attack Patterns | |
| Related Security Principles | |
| Related Guidelines | |
| Purpose | Penetration |
| CIA Impact | |
| Technical Context | |
| References | G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. CWE: Input Validation. |
| Source | |
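As an added example (not part of the CAPEC entry), the Python below applies the white-list mitigation to environment variables before a child process can consume them: PATH is replaced by a fixed value, which closes the path-manipulation vector cited under Examples-Instances, and every other variable is dropped unless its name is allowlisted and its value passes a validator. The variable names, validation patterns and the sample attacker-influenced environment are constructed assumptions.

```python
import os
import re
import subprocess
import sys
from typing import Dict, Optional

# Constructed allowlist: only the variables this program legitimately needs,
# each paired with a validator for its value. Anything else (LD_PRELOAD, IFS,
# and so on) is dropped before a child process can see it.
SAFE_PATH = "/usr/bin:/bin"
_VALIDATORS = {
    "HOME": re.compile(r"/home/[a-z_][a-z0-9_-]{0,31}").fullmatch,
    "LANG": re.compile(r"(C|POSIX|[A-Za-z]{2,3}(_[A-Z]{2})?(\.[A-Za-z0-9-]+)?)").fullmatch,
    "TZ": re.compile(r"[A-Za-z0-9_+/-]{1,64}").fullmatch,
}

# Constructed sample of an attacker-influenced environment: a poisoned PATH, a
# preload library and a hostile IFS sit alongside legitimate values.
ATTACKER_ENV = {
    "PATH": "/tmp/evil:/usr/bin",
    "LD_PRELOAD": "/tmp/evil.so",
    "IFS": " \t\n",
    "HOME": "/home/alice",
    "LANG": "en_US.UTF-8",
}

def sanitize_environment(raw_env: Dict[str, str]) -> Dict[str, str]:
    """Build a fresh environment from allowlisted, validated values only.

    PATH is never copied from the caller: a fixed value means an unqualified
    command cannot resolve to a look-alike binary in an attacker's directory.
    """
    clean = {"PATH": SAFE_PATH}
    for name, valid in _VALIDATORS.items():
        value = raw_env.get(name)
        if value is not None and valid(value):
            clean[name] = value
    return clean

def run_trusted(cmd: list, raw_env: Dict[str, str]) -> subprocess.CompletedProcess:
    """Run cmd, given by absolute path, under the sanitized environment."""
    if not cmd or not os.path.isabs(cmd[0]):
        raise ValueError("executable must be given by absolute path")
    return subprocess.run(cmd, env=sanitize_environment(raw_env),
                          capture_output=True, text=True, check=False)

def probe_child(raw_env: Dict[str, str], name: str) -> Optional[str]:
    """Report what a child process actually sees for `name` (None if unset)."""
    code = "import os, sys; print(os.environ.get(sys.argv[1], ''))"
    out = run_trusted([sys.executable, "-c", code, name], raw_env).stdout.rstrip("\n")
    return out or None
```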