This type of attack exploits a buffer overflow vulnerability in targeted
client software through injection of malicious content from a custom-built
hostile service.
Attack Execution Flow
1. The attacker creates a custom hostile service.
2. The attacker acquires information about the kind of client attaching to her hostile service to determine if it contains an exploitable buffer overflow vulnerability.
3. The attacker intentionally feeds malicious data to the client to exploit the buffer overflow vulnerability that she has uncovered.
4. The attacker leverages the exploit to execute arbitrary code or to cause a denial of service.
Attack Prerequisites
The targeted client software communicates with an external server.
The targeted client software has a buffer overflow vulnerability.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
API Abuse
Injection
Examples-Instances
Description
Authors often use <EMBED> tags in HTML documents. For
example
If an attacker supplies an overly long path in the SRC= directive, the
mshtml.dll component will suffer a buffer overflow. This is a standard
example of content in a Web page being directed to exploit a faulty
module in the system. There are potentially thousands of different ways
data can propagate into a given system, thus these kinds of attacks will
continue to be found in the wild.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
To achieve a denial of service, an attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector.
Skill or Knowledge Level: High
Exploiting a buffer overflow to inject malicious code into the stack of a software system, or even the heap, requires more in-depth knowledge and a higher skill level.
Probing Techniques
The server may look like a valid server, but in reality it may be a hostile server aimed at fooling the client software. For instance, the server can use honeypots and get the client to download malicious code.
Once engaged with the client, the hostile server may attempt to scan the
client's host for open ports and potential vulnerabilities in the client
software.
The hostile server may also attempt to install and run malicious code on
the client software. That malicious code can be used to scan the client
software for buffer overflow.
Indicators-Warnings of Attack
An example of an indicator is when the client software crashes after executing code downloaded from a hostile server.
Solutions and Mitigations
The client software should not install untrusted code from a non-authenticated server.
The client software should have the latest patches and should be audited
for vulnerabilities before being used to communicate with potentially
hostile servers.
Perform input validation on the length of buffer inputs.
Use a language or compiler that performs automatic bounds checking.
Use an abstraction library to abstract away risky APIs. Not a complete
solution.
Use compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless such a mechanism also provides automatic bounds checking, it is not a complete solution.
Ensure all buffer uses are consistently bounds-checked.
Use OS-level preventative functionality. Not a complete solution.
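As an added illustration of the length-validation and bounds-checking mitigations listed above (example code written for this page, not part of the CAPEC entry or of any product), the following client-side handler accepts a server-supplied EMBED tag into a fixed-size stack buffer only after checking the length of the SRC= value, so an overlong path from a hostile server is rejected instead of overrunning the buffer. PATH_BUF_SIZE, the function names and the constructed sample tags are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF_SIZE 64   /* assumed client path buffer, like the one the EMBED/SRC= example overruns */

/* Copy the value of SRC="..." from a server-supplied EMBED tag into out.
 * Returns the value length, -1 if the attribute is missing or unterminated,
 * -2 if it would not fit: the length is checked before any byte is copied,
 * so an overlong value from a hostile server is rejected, not written. */
int extract_embed_src(const char *tag, char *out, size_t out_size)
{
    const char *p = strstr(tag, "SRC=\"");
    if (p == NULL || out_size == 0)
        return -1;
    p += strlen("SRC=\"");
    const char *end = strchr(p, '"');
    if (end == NULL)
        return -1;
    size_t len = (size_t)(end - p);
    if (len >= out_size)        /* keep room for the terminator */
        return -2;
    memcpy(out, p, len);
    out[len] = '\0';
    return (int)len;
}

/* Client handler: the only write into the fixed stack buffer goes through
 * the bounds-checked extractor; an unchecked strcpy() here is the bug. */
int load_embed(const char *tag)
{
    char path[PATH_BUF_SIZE];
    int rc = extract_embed_src(tag, path, sizeof path);
    if (rc < 0)
        return rc;              /* refuse malformed or oversized content */
    printf("loading %s\n", path);
    return 0;
}

/* Constructed hostile tag: a SRC= value of path_len 'A's (capped at 400),
 * longer than the client's buffer, as a malicious page would carry. */
int load_embed_overlong(size_t path_len)
{
    char tag[512];
    if (path_len > 400) path_len = 400;
    int n = snprintf(tag, sizeof tag, "<EMBED SRC=\"");
    memset(tag + n, 'A', path_len);
    strcpy(tag + n + path_len, "\">");
    return load_embed(tag);     /* -2 for any value of 64 or more: rejected before any overflow */
}
```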
Attack Motivation-Consequences
Denial of Service
Run Arbitrary Code
Payload
Attacker-supplied data potentially containing malicious code.
Activation Zone
When the function returns control to the main program, it jumps to the return
address portion of the stack frame. Unfortunately that return address may have
been overwritten by the overflowed buffer and the address may contain a call to
a privileged command or to malicious code.
Payload Activation Impact
The most common are remote code execution or denial of service.
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.