Individual CAPEC Dictionary Definition (Release 1.1)
Attack Pattern ID: 15

Pattern Abstraction: Standard

Typical Severity: High

Description

Summary: An attack of this type exploits a program's vulnerabilities that allow an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. A system that uses a filter or blacklist for input validation, as opposed to whitelist validation, is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
Attack Execution Flow

Explore

1. Assess Target Runtime Environment: In situations where the runtime environment is not implicitly known, the attacker makes connections to the target system and tries to determine the system's runtime environment. Knowing the environment is vital to choosing the correct delimiters.

Attack Step Techniques

| Description | Environments |
|---|---|
| Port mapping using network connection-based software (e.g., nmap, nessus, etc.) | env-ClientServer env-Embedded env-CommProtocol env-Peer2Peer env-Web |
| Port mapping by exploring the operating system (netstat, sockstat, etc.) | env-Local |
| TCP/IP Fingerprinting | env-All |
| Induce errors to find informative error messages | env-All |

Indicator of Susceptibility

| ID | Type | Description | Environments |
|---|---|---|---|
| c15s1i1 | Positive | The target software accepts connections via the network. | env-Web env-CommProtocol env-Peer2Peer env-Embedded |

Outcomes

| ID | Type | Description |
|---|---|---|
| c15s1o1 | Success | Operating environment (operating system, language, and/or middleware) is correctly identified. |
| c15s1o2 | Inconclusive | Multiple candidate operating environments are suggested. |

Security Controls

| ID | Type | Description |
|---|---|---|
| c15s1s1 | Preventative | Provide misleading information on TCP/IP fingerprints (some operating systems can be configured to send signatures that match other operating systems). |
| c15s1s2 | Preventative | Provide misleading information at the server level (e.g., Apache, IIS, WebLogic, etc.) to announce a different server software. |
| c15s1s3 | Detective | Some fingerprinting techniques can be detected by operating systems or by network IDS systems because they leave the network connection half-open, or they do not belong to a valid, open connection. |
2. Survey the Application: The attacker surveys the target application, possibly as a valid and authenticated user.

Attack Step Techniques

| Description | Environments |
|---|---|
| Spidering web sites for all available links | env-Web |
| Inventory all application inputs | env-All |

Indicator of Susceptibility

| ID | Type | Description | Environments |
|---|---|---|---|
| c15s2i1 | Positive | Attacker develops a list of valid inputs | env-Web env-ClientServer |

Outcome

| ID | Type | Description |
|---|---|---|
| c15s2o1 | Success | The attacker develops a list of likely command delimiters. |

Security Controls

| ID | Type | Description |
|---|---|---|
| c151s2s1 | Detective | Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). |
| c151s2s2 | Detective | Create links on some pages that are visually hidden from web browsers. Using IFRAMEs, images, or other HTML techniques, the links can be hidden from web-browsing humans but visible to spiders and programs. A request for such a page then becomes a good predictor of an automated tool probing the application. |
| c151s2s3 | Preventative | Actively monitor the application and either deny or redirect requests from origins that appear to be automated. |
| c151s2s4 | Detective | Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). |
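As an added example that is not part of the CAPEC entry, the velocity check described in control c151s2s1 run over a constructed access log: one client fetches pages every 0.8 seconds like a spider, the other at irregular human pace. The log format, client addresses and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic): "ISO-timestamp client method path".
# 203.0.113.7 fetches a page every 0.8 s like a tool; 198.51.100.9 browses like a person.
SAMPLE_LOG = """\
2024-03-10T12:00:00.000 203.0.113.7 GET /
2024-03-10T12:00:00.800 203.0.113.7 GET /about
2024-03-10T12:00:01.600 203.0.113.7 GET /login
2024-03-10T12:00:02.400 203.0.113.7 GET /search
2024-03-10T12:00:03.200 203.0.113.7 GET /contact
2024-03-10T12:00:04.000 203.0.113.7 GET /help
2024-03-10T12:00:05.000 198.51.100.9 GET /
2024-03-10T12:00:09.100 198.51.100.9 GET /about
2024-03-10T12:00:18.800 198.51.100.9 GET /login
2024-03-10T12:00:22.000 198.51.100.9 GET /search
2024-03-10T12:00:37.000 198.51.100.9 GET /contact
"""

def parse_log(text):
    """Group request timestamps by client address."""
    by_client = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, _path = line.split(maxsplit=3)
        by_client[client].append(datetime.fromisoformat(ts))
    return by_client

def intervals(timestamps):
    """Seconds between consecutive requests, in time order."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]

def is_automated(timestamps, min_requests=5, max_mean_gap=2.0, max_cv=0.25):
    """Flag a client whose requests are both fast (mean gap <= max_mean_gap)
    and regular (coefficient of variation of the gaps <= max_cv).
    The thresholds are illustrative assumptions, not values from the CAPEC entry."""
    if len(timestamps) < min_requests:
        return False
    gaps = intervals(timestamps)
    avg = mean(gaps)
    if avg == 0:  # every request in the same instant: certainly a tool
        return True
    return avg <= max_mean_gap and pstdev(gaps) / avg <= max_cv

def flag_clients(text):
    """Client addresses whose fetch pattern in the log looks automated."""
    return sorted(c for c, ts in parse_log(text).items() if is_automated(ts))
```

The regularity test matters as much as the speed test: a person clicking quickly still produces jittery gaps, while a spider's gaps cluster tightly around one value.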
Experiment

3. Attempt delimiters in inputs: The attacker systematically attempts variations of delimiters on known inputs, observing the application's response each time.

Attack Step Techniques

| Description | Environments |
|---|---|
| Inject command delimiters using network packet injection tools (netcat, nemesis, etc.) | env-CommProtocol env-Web env-Peer2Peer env-ClientServer |
| Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.) | env-Web |
| Enter command delimiters directly in input fields. | env-Embedded env-Local env-ClientServer |

Indicator of Susceptibility

| ID | Type | Description | Environments |
|---|---|---|---|
| c15s3i1 | Positive | Attack step 2 is successful. | env-All |

Outcome

| ID | Type | Description |
|---|---|---|
| c15s3o1 | Success | One or more command delimiters for the platform provoke an unexpected response from the software, which can be varied by the attacker based on the input. |
Exploit

4. Use malicious command delimiters: The attacker uses combinations of payload and carefully placed command delimiters to attack the software.

Outcome

| ID | Type | Description |
|---|---|---|
| c15s4o1 | Success | The software performs as expected by the attacker. |

Security Control

| ID | Type | Description |
|---|---|---|
| c15s4s1 | Detective | |
Attack Prerequisites

The software's input validation or filtering must not detect and block the presence of the additional malicious command.

Typical Likelihood of Exploit: High

Methods of Attack

Examples-Instances

Description: By appending special characters, such as a semicolon, or other commands that are executed by the target process, the attacker is able to execute a wide variety of malicious commands in the target process space, utilizing the target's inherited permissions, against any resource the host has access to. The possibilities are vast, including injection attacks against RDBMS (SQL Injection), directory servers (LDAP Injection), XML documents (XPath and XQuery Injection), and command line shells. In many injection attacks, the results are converted back to strings and displayed to the client process, such as a web browser, without tripping any security alarms, so the network firewall does not log any out-of-the-ordinary behavior. LDAP servers house critical identity assets such as user, profile, password, and group information that is used to authenticate and authorize users. An attacker that can query the directory at will and execute custom commands against the directory server is literally working with the keys to the kingdom in many enterprises. When users, organizational units, and other directory objects are queried by building the query string directly from user input with no validation or other conversion, the attacker has the ability to use any LDAP commands to query, filter, list, and crawl the LDAP server directly, in the same manner as SQL injection gives the attacker the ability to run SQL commands on the database.

Attacker Skill or Knowledge Required

Medium: The attacker has to identify the injection vector, identify the specific commands, and optionally collect the output, i.e. from an interactive session.

Resources Required

Ability to communicate synchronously or asynchronously with the server. Optionally, ability to capture output directly through synchronous communication or another method such as FTP.

Solutions and Mitigations

- Design: Perform whitelist validation against a positive specification for command length, type, and parameters.
- Design: Limit program privileges, so that if commands circumvent program input validation or filter routines, the commands do not run under a privileged account.
- Implementation: Perform input validation for all remote content.
- Implementation: Use type conversions such as JDBC prepared statements.
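An added example, not code from the CAPEC entry or from Hoglund and McGraw, showing the whitelist-validation and type-conversion mitigations above applied to the two cases from the Examples-Instances section: an LDAP query built from user input and an OS command built from user input. The account-name policy, the `getent` command and the function names are assumptions for illustration.

```python
import re

# Positive specification (whitelist) for one input, an account name. The policy
# is an assumption for this example: 1-32 characters drawn from letters, digits,
# dot, dash and underscore. Every delimiter (';', '|', '&', '(', ')', '*', newline,
# ...) lies outside that set, so nothing has to be enumerated in a blacklist.
ACCOUNT_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")

def is_valid_account(name):
    return isinstance(name, str) and ACCOUNT_RE.fullmatch(name) is not None

def validate_account(name):
    """Whitelist validation against the positive spec; refuse anything else."""
    if not is_valid_account(name):
        raise ValueError("input rejected by positive specification")
    return name

# Defence in depth behind the whitelist: RFC 4515 escaping for a value placed in
# an LDAP search filter, so a delimiter that ever reached this point is data, not
# filter syntax.
_LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_ldap_filter_value(value):
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)

def vulnerable_user_filter(name):
    """The pattern the entry warns about: raw input concatenated into the query,
    so ')' and '(' in the input change the structure of the filter."""
    return "(uid=" + name + ")"

def hardened_user_filter(name):
    """Validated, then escaped: the value cannot close or extend the filter."""
    return "(uid=" + escape_ldap_filter_value(validate_account(name)) + ")"

def hardened_lookup_argv(name):
    """Type conversion for the OS-command case: the input becomes one element of
    an argv list handed to the OS without a shell (e.g. subprocess.run(argv)),
    so ';' or '&&' inside it is never parsed as a command delimiter. 'getent' is
    just an example program assumed here."""
    return ["getent", "passwd", validate_account(name)]
```

The whitelist is the primary control; the escaping and the argv list are the safety net for the day someone widens the policy to allow a character they did not think of as a delimiter.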
Attack Motivation-Consequences

- Run Arbitrary Code
- Information Leakage

Context Description

Attack Pattern: Command Delimiters. "Using the semicolon or other off-nominal characters, multiple commands can be strung together. Unsuspecting target programs will execute all the commands." [Hoglund and McGraw 04]

Injection Vector

Malicious input delivered through appending delimiters to standard input

Payload

Command(s) appended to valid parameters to enable the attacker to execute commands on the host

Activation Zone

Client machine and client network

Payload Activation Impact

Enables the attacker to execute server-side code with any commands that the program owner has privileges to.
Related Weaknesses

| CWE-ID | Weakness Name | Weakness Relationship Type |
|---|---|---|
| 146 | Failure to Sanitize Expression/Command Delimiters | Targeted |
| 77 | Failure to Sanitize Data into a Control Plane (aka 'Command Injection') | Targeted |
| 184 | Incomplete Blacklist | Targeted |
| 78 | Failure to Sanitize Data into an OS Command (aka 'OS Command Injection') | Targeted |
| 185 | Regular Expression Error | Targeted |
| 93 | Failure to Sanitize CRLF Sequences (aka 'CRLF Injection') | Targeted |
| 140 | Failure to Sanitize Delimiters | Targeted |
| 157 | Failure to Sanitize Paired Delimiters | Targeted |
| 138 | Failure to Sanitize Special Elements | Targeted |
| 154 | Failure to Sanitize Variable Name Delimiter | Targeted |

Related Attack Patterns

| ID | Name | Relationship Type | Relationship Description |
|---|---|---|---|
| 6 | Argument Injection | More Detailed | |

Purpose: Penetration

CIA Impact

| Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|
| High | High | High |

Technical Context

| Architectural Paradigm | Framework | Platform | Language |
|---|---|---|---|
| All | All | All | All |

References

G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.

Source

Submission(s)

| Submitter | Organization | Date | Comment |
|---|---|---|---|
| G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-01-01 | |

Modification(s)

| Modifier | Organization | Date | Comment |
|---|---|---|---|
| Gunnar Peterson | Cigital, Inc | 2007-02-28 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" |
| Sean Barnum | Cigital, Inc | 2007-03-09 | Review and revise |
| Paco Hope | Cigital, Inc. | 2007-10-20 | Added extended Attack Execution Flow |