CAPEC-141: Cache Poisoning (CAPEC Version 2.10)

 
Attack Pattern ID: 141
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Summary

An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attacker's objectives. This covers any attack in which an attacker places incorrect or harmful material in a cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache entry expires or is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits, including redirecting web browsers to sites that install malware and repeated incorrect computations based on the poisoned value.

+ Attack Execution Flow
Explore
  1. Identify and explore caches:

    Use tools to sniff traffic and scan the network in order to locate an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache) that may be vulnerable. Look for a poisoning point among the cache table entries: an entry the target has not yet cached, so that the attacker's answer can be the first one stored.

    Attack Step Techniques
      1. Run tools that check the available entries in the cache. [env-All]

    Indicators
      1. Positive: The target entry does not exist in the cache. [env-All]
      2. Positive: Applications or servers are not updated to new versions. [env-All]
      3. Negative: The target entry already exists in the cache. [env-Web]

    Outcomes
      1. Success: A list of the server's information; no target entry found in the cache.
      2. Success: A list of the browser's information; no target entry found in the cache.
      3. Failure: The results show the target entries already in the cache.

    Security Controls
      1. Detective: Monitor for network scans and examine system logs. The scans may come from an unknown local IP or MAC address.
Experiment
  1. Cause specific data to be cached:

    An attacker triggers a lookup for the target entry and then floods the cache with forged responses so that it stores the attacker's answer, which is a wrong answer to the query, before the legitimate answer arrives.

    Attack Step Techniques
      1. Intercept or modify a query, or send a bogus query and forge responses that carry the identifiers the cache uses to match a response to its query (such as the DNS transaction ID). [env-Web]

    Indicators
      1. Positive: A request the attacker intercepts includes the transaction ID. [env-All]
      2. Positive: The attacker's response arrives before the authoritative server's response. [env-All]
      3. Inconclusive: The transaction ID has been randomized. [env-Web, env-CommProtocol, env-ClientServer]
      4. Inconclusive: The application or server cache already holds the correct table entry. In this case the attacker needs to find a way to overwrite the existing entry to succeed. [env-All]
      5. Inconclusive: The attacker fails to deliver responses before the authoritative responses. In this case the attacker needs to find a way to overwrite the table entry to succeed. [env-All]

    Outcomes
      1. Success: Any request of the targeted form results in the seeded response.
      2. Failure: Any request of the targeted form results in the correct response and not the seeded response.

    Security Controls
      1. Detective: Monitor log files for a large number of responses sent from the same host in a short period; that host may be controlled by the attacker.
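The detective control above (a large number of responses from the same host) can be checked mechanically. The following is an added example, not part of the CAPEC entry: it parses constructed resolver-style log lines in an assumed format (timestamp, source address, query name, transaction ID, answer) and flags any source that sends an unusual burst of responses for one query name inside a short window. The log format, the hosts, the timestamps and the threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical resolver log format (an assumption for this example):
#   <ISO timestamp> RESPONSE src=<ip>:<port> qname=<name> txid=<hex> answer=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) RESPONSE src=(?P<ip>[\d.]+):\d+ qname=(?P<qname>\S+) "
    r"txid=(?P<txid>0x[0-9a-fA-F]+) answer=(?P<answer>\S+)$"
)


def build_sample_log():
    """Constructed log: one clean lookup, then a 50-response flood from 192.0.2.66
    guessing transaction IDs for www.example.com, then the genuine answer."""
    lines = ["2017-05-01T10:00:00 RESPONSE src=203.0.113.53:53 "
             "qname=mail.example.net. txid=0x1a2b answer=198.51.100.10"]
    for guess in range(1, 51):
        lines.append(f"2017-05-01T10:00:01 RESPONSE src=192.0.2.66:53 "
                     f"qname=www.example.com. txid={guess:#06x} answer=2.4.6.8")
    lines.append("2017-05-01T10:00:02 RESPONSE src=203.0.113.53:53 "
                 "qname=www.example.com. txid=0x7c3e answer=1.3.5.7")
    return "\n".join(lines)


def parse_log(text):
    """Parse matching lines into dicts; lines in other formats are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
                       "qname": m["qname"], "txid": int(m["txid"], 16),
                       "answer": m["answer"]})
    return events


def find_response_floods(events, window=timedelta(seconds=2), threshold=20):
    """Flag (source, qname) pairs with >= threshold responses inside any `window`.

    Many distinct transaction IDs for one name from one source is the signature
    of an attacker guessing the ID of an outstanding query.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["ip"], e["qname"])].append(e)
    alerts = []
    for (ip, qname), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = [], 0
        for end in range(len(evs)):               # sliding window over time
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        if len(best) >= threshold:
            alerts.append({"src": ip, "qname": qname, "responses": len(best),
                           "distinct_txids": len({e["txid"] for e in best}),
                           "answers": sorted({e["answer"] for e in best})})
    return alerts


if __name__ == "__main__":
    for alert in find_response_floods(parse_log(build_sample_log())):
        print(alert)
```

The single legitimate response for www.example.com from the authoritative server is not flagged because the grouping key includes the source address; only the 50 guesses from 192.0.2.66 exceed the threshold, and the count of distinct transaction IDs in the alert is what distinguishes guessing from a retransmission storm.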
Exploit
  1. Redirect users to malicious website:

    Once the cache has been poisoned, the attacker is able to interpose malicious response data for the targeted victims' queries, for example redirecting them to a malicious website.

    Attack Step Techniques
      1. Intercept or modify a query, or send a bogus query and forge responses that carry the identifiers the cache uses to match a response to its query (such as the DNS transaction ID). [env-Web]
      2. Man-in-the-Middle: intercept the communication between the two parties and supply the poisoned data in place of the genuine response. [env-Web]

    Outcomes
      1. Success: Any request of the targeted form results in the seeded response.
      2. Failure: Any request of the targeted form results in the correct response and not the seeded response.

    Security Controls
      1. Preventative: Consumers of the cache should be less trusting of information passed to them by other parties and ignore any records returned that are not directly relevant to the query (for DNS, records outside the bailiwick of the server that was asked).
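The preventative control above says to ignore records that are not directly relevant to the query. As an added example (not code from the CAPEC entry or from any resolver), the function below applies that rule to a DNS-style response represented as plain Python tuples: records whose owner name lies outside the zone the queried server is authoritative for (its bailiwick) are dropped, as are answer records whose owner name does not match the query. The response contents, zone name and record layout are constructed for the example; a real resolver would also have to follow CNAME chains, which this example does not.

```python
def normalize(name):
    """Lower-case a DNS name and make it fully qualified (trailing dot)."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies beneath it."""
    name, zone = normalize(name), normalize(zone)
    if zone == ".":            # the root is an ancestor of every name
        return True
    return name == zone or name.endswith("." + zone)


def sanitize_response(response, zone):
    """Drop records a resolver should not trust from a response sent by `zone`'s server.

    Returns (clean_response, dropped) where dropped lists each discarded record
    with the reason. Records are (owner_name, type, rdata) tuples.
    """
    qname = normalize(response["qname"])
    clean = {"qname": qname, "answer": [], "authority": [], "additional": []}
    dropped = []
    for section in ("answer", "authority", "additional"):
        for rec in response.get(section, []):
            owner, rtype, rdata = rec
            if not in_bailiwick(owner, zone):
                dropped.append((section, rec, "owner outside the server's bailiwick"))
            elif section == "answer" and normalize(owner) != qname:
                # Simplification: a real resolver would also follow CNAME chains here.
                dropped.append((section, rec, "answer owner does not match the query"))
            else:
                clean[section].append((normalize(owner), rtype, rdata))
    return clean, dropped


# Constructed response to a query for www.example.com, as an attacker able to
# forge traffic from example.com's name server might craft it.
CRAFTED_RESPONSE = {
    "qname": "www.example.com",
    "answer": [
        ("www.example.com", "A", "1.3.5.7"),
        ("login.example.com", "A", "2.4.6.8"),   # in bailiwick, but not what was asked
    ],
    "authority": [("example.com", "NS", "ns1.example.com")],
    "additional": [
        ("ns1.example.com", "A", "192.0.2.1"),   # legitimate glue, kept
        ("www.bank.example", "A", "2.4.6.8"),    # unrelated zone, dropped
        ("mail.example.net", "A", "2.4.6.8"),    # unrelated zone, dropped
    ],
}

if __name__ == "__main__":
    clean, dropped = sanitize_response(CRAFTED_RESPONSE, "example.com")
    for section, rec, reason in dropped:
        print(f"dropped from {section}: {rec} ({reason})")
    print("cacheable:", clean)
```

Without this filter, a single forged reply to a query the attacker themselves triggered would let them seed cache entries for names they never queried, which is exactly the "seeded response" outcome described in the Exploit step.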
+ Attack Prerequisites
  • The attacker must be able to modify the value stored in a cache to match a desired value.

  • The targeted application must not be able to detect the illicit modification of the cache and must trust the cache value in its calculations.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
+ Examples-Instances

Description

In this example, an attacker sends a request to a local DNS server to look up www.example.com. The IP address actually associated with www.example.com is 1.3.5.7.

A local DNS server usually caches IP addresses and does not go to a remote DNS server for every lookup. Since no local record is found, the DNS server queries a remote DNS server. However, before the remote server returns the right IP address 1.3.5.7, the attacker floods the local DNS server with crafted responses carrying the IP address 2.4.6.8. The result is that 2.4.6.8 is stored in the DNS cache. Meanwhile, 2.4.6.8 is the address of a malicious website, www.maliciousexample.com.

When users later connect to www.example.com, the local DNS server directs them to 2.4.6.8, i.e. to www.maliciousexample.com. This works as part of a Pharming attack.
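The race described in the Experiment step and in the example above, as an added simulation that is not part of the CAPEC entry. A toy resolver accepts the first response whose transaction ID matches the outstanding query; the attacker triggers a lookup and floods forged responses before the legitimate one arrives. With a predictable (sequential) transaction ID the attacker, having observed one ID by making the resolver query a name server under their control, guesses the next one and the address 2.4.6.8 is cached in place of 1.3.5.7. With a random 16-bit ID, a flood of 64 guesses succeeds in only about 64/65536 of attempts. The resolver model, the counter start value, the RNG seeds and the attacker-owned name are assumptions.

```python
import random

LEGIT_ANSWER = "1.3.5.7"    # genuine address of www.example.com in the page's example
SPOOFED_ANSWER = "2.4.6.8"  # address the attacker wants cached
TARGET = "www.example.com."


class ToyResolver:
    """Minimal caching resolver model (an assumption for this example).

    A response is accepted only if its transaction ID matches the one sent
    with the outstanding query for that name; the first match wins and the
    result stays cached until explicitly refreshed.
    """

    def __init__(self, rng, random_txid):
        self.rng = rng
        self.random_txid = random_txid
        self.next_txid = 0x1000   # sequential counter used when random_txid is False
        self.cache = {}           # qname -> answer
        self.pending = {}         # qname -> txid of the outstanding query

    def send_query(self, qname):
        if self.random_txid:
            txid = self.rng.randrange(1 << 16)
        else:
            txid = self.next_txid
            self.next_txid = (self.next_txid + 1) & 0xFFFF
        self.pending[qname] = txid
        return txid

    def receive(self, qname, txid, answer):
        """Accept the first response whose txid matches; ignore everything else."""
        if self.pending.get(qname) == txid:
            self.cache[qname] = answer
            del self.pending[qname]
            return True
        return False


def race(resolver, qname, guesses):
    """Attacker triggers a lookup, floods forged responses, then the real one arrives."""
    real_txid = resolver.send_query(qname)
    for guess in guesses:
        resolver.receive(qname, guess, SPOOFED_ANSWER)
    resolver.receive(qname, real_txid, LEGIT_ANSWER)  # too late if a guess already matched
    return resolver.cache[qname]


def attack_predictable():
    """Sequential txid: observe one, predict the next, win the race with a single guess."""
    resolver = ToyResolver(random.Random(1), random_txid=False)
    # The attacker asks the resolver for a name whose authoritative server they run
    # ("attacker-owned.test." is a constructed name) and reads the txid off that query.
    observed = resolver.send_query("attacker-owned.test.")
    resolver.receive("attacker-owned.test.", observed, "192.0.2.9")
    return race(resolver, TARGET, [(observed + 1) & 0xFFFF])


def attack_randomized(trials=200, guesses_per_trial=64, seed=7):
    """Random 16-bit txid: count how many of `trials` floods poison the cache."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        resolver = ToyResolver(rng, random_txid=True)
        guesses = rng.sample(range(1 << 16), guesses_per_trial)
        if race(resolver, TARGET, guesses) == SPOOFED_ANSWER:
            wins += 1
    return wins


def spoof_probability(guesses, entropy_bits=16):
    """Chance that a flood of distinct guesses hits the real identifier."""
    return min(1.0, guesses / (1 << entropy_bits))


if __name__ == "__main__":
    print("predictable txid ->", attack_predictable())
    print("random txid, wins out of 200 floods ->", attack_randomized())
    print("per-attempt odds, txid only / txid+port ->",
          spoof_probability(64), spoof_probability(64, 32))
```

Once a forged response is accepted, the genuine one that arrives afterwards is ignored, which is why the Summary says the corrupted value is treated as valid until the cache is refreshed. The `spoof_probability` helper also shows why resolvers randomize the UDP source port in addition to the transaction ID: roughly 32 bits of entropy instead of 16 cuts the per-attempt odds by a factor of 65536.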

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

Ability to overwrite or modify the targeted cache entry.

+ Solutions and Mitigations

Configuration: Disable client-side caching.

Implementation: Deploy a monitor that listens for query replies on the network and sends a notification via email when a cached entry changes.

+ Purposes
  • Penetration
  • Exploitation
+ CIA Impact
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ References
[R.141.1] [REF-6] Wikipedia, "DNS Cache Poisoning". The Wikimedia Foundation, Inc., 2011-07-10. <http://en.wikipedia.org/wiki/DNS_cache_poisoning>.
[R.141.2] [REF-7] DNSSEC, "DNS Threats and DNS Weaknesses". DNS Threats & Weaknesses of the Domain Name System. <http://www.dnssec.net/dns-threats.php>.
[R.141.3] [REF-6] Wikipedia, "ARP Spoofing". The Wikimedia Foundation, Inc., 2011-07-17. <http://en.wikipedia.org/wiki/ARP_spoofing>.
+ Content History
Submissions
  Submitter: CAPEC Content Team, The MITRE Corporation; Date: 2014-06-23; Source: Internal_CAPEC_Team
Modifications
  Modifier: CAPEC Content Team, The MITRE Corporation; Date: 2015-12-07; Comments: Updated Related_Attack_Patterns; Source: Internal
  Modifier: CAPEC Content Team, The MITRE Corporation; Date: 2017-01-09; Comments: Updated Related_Attack_Patterns; Source: Internal
Page Last Updated or Reviewed: May 01, 2017