Home > CAPEC List > CAPEC-166: Force the System to Reset Values (Version 2.10)  

CAPEC-166: Force the System to Reset Values

 
Force the System to Reset Values
Definition in a New Window Definition in a New Window
Attack Pattern ID: 166
Abstraction: Detailed
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or state-dependent factors. Even in cases where an attacker may not be able to directly control the configuration of the targeted application, they may be able to reset the configuration to a prior state since many applications implement reset functions. Since these functions are usually intended as emergency features to return an application to a stable configuration if the current configuration degrades functionality, they may not be as strongly secured as other configuration options. The resetting of values is dangerous as it may enable undesired functionality, disable services, or modify access controls. At the very least this is a nuisance attack since the administrator will need to re-apply their configuration. At worst, this attack can open avenues for powerful attacks against the application, and, if it isn't obvious that the configuration has been reset, these vulnerabilities may be present a long time before they are notices.

+ Attack Prerequisites
  • The targeted application must have a reset function that returns the configuration of the application to an earlier state.

  • The reset functionality must be inadequately protected against use.

+ Typical Severity

Medium

+ Resources Required

No special resources are required for execution of this attack. In some cases, the attacker may need special client applications or a given level of access to the application in order to execute the reset functionality.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
Modifications
ModifierOrganizationDateCommentsSource
CAPEC Content TeamThe MITRE Corporation2017-01-09Updated Related_Attack_PatternsInternal
More information is available — Please select a different filter.
Page Last Updated or Reviewed: May 01, 2017