Attackers can capture application code bound for an authorized client
during patching and can use it, as-is or through reverse-engineering, to
glean sensitive information or exploit the trust relationship between the
client and server.
Attack Execution Flow
Explore
Set up a sniffer: The attacker sets up a sniffer in the path between the
server and the client and watches the traffic.
Attack Step Techniques
1. The attacker sets up a sniffer in the path between the server and the
client. [Environments: env-ClientServer]
Outcomes
1. Success: The attacker successfully sets up a sniffer in the path between
the server and client.
2. Failure: The attacker could not set up a sniffer in the path between the
server and client.
Security Controls
1. Detective: Check the network interface (e.g., ifconfig/ipconfig) to see
whether the network adapter is running in promiscuous mode.
2. Preventative: Encrypt all communications between the server and client.
Exploit
Capturing Application Code Bound During Patching: The attacker receives
notification that the computer/OS/application has an available update for
patching, loads the sniffer set up during the Explore phase, and extracts the
patching code from the subsequent communication. The attacker then proceeds
to reverse engineer the captured code.
Attack Step Techniques
1. The attacker loads the sniffer to capture the application code bound
during patching. [Environments: env-Web]
2. The attacker proceeds to reverse engineer the captured code.
[Environments: env-All]
Indicators
1. Positive: The attacker can capture the application code bound for the
target. [Environments: env-Web]
2. Inconclusive: The communication between the server and client is
encrypted. The attacker may still be able to lift key material from the
client. [Environments: env-Web]
Outcomes
1. Success: The attacker captures the application code bound for the target
and reverse engineers the captured code.
Security Controls
1. Detective: Check the network interface (e.g., ifconfig) to detect the
sniffer.
2. Preventative: Encrypt all communications between the server and client.
Attack Prerequisites
The attacker must be able to employ a sniffer in the path between the
server and client without being detected. The targeted application must
receive some patches from the server.
Typical Likelihood of Exploit
Likelihood: Low
Methods of Attack
API Abuse
Protocol Manipulation
Examples-Instances
Description
In the following example, the attacker sets up a sniffer between a
victim client and the server www.server.com. The attacker sniffs the
traffic and captures the jar file during patching. The attacker reverse
engineers it to gain sensitive information, such as encryption keys,
validation algorithms and such.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
The attacker needs to set up a sniffer for a sufficient period of time
so as to capture meaningful quantities of code. The presence of the
sniffer should not be detected on the network.
Skill or Knowledge Level: High
The attacker needs to reverse engineer the binary code if need be.
Resources Required
The attacker needs the ability to capture communications between the client
and server during patching. In the case that encryption obscures client/server
communication, the attacker needs to lift key material from the client.
Solutions and Mitigations
Design: Encrypt all communication between the client and server.
Implementation: Use SSL, SSH, SCP.
Operation: Use “ifconfig/ipconfig” or other tools to detect the sniffer
installed in the network.
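As an added example (not part of the CAPEC entry), the operational control above can be scripted: the Python below flags interfaces in promiscuous mode by parsing ifconfig-style output and, on Linux, by reading the IFF_PROMISC bit from sysfs. The ifconfig sample is constructed; this check only sees sniffers on hosts you can inspect, not a passive tap or a capture running on another machine.

```python
import re
from pathlib import Path

# IFF_PROMISC bit as exposed in /sys/class/net/<iface>/flags (Linux, net/if.h)
IFF_PROMISC = 0x100

# Constructed sample of "ifconfig -a" output mixing the newer "flags=<...>"
# style and the older "UP BROADCAST RUNNING" style; eth0 is in PROMISC mode.
SAMPLE_IFCONFIG = """\
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.0  broadcast 192.0.2.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
eth1      Link encap:Ethernet  HWaddr 02:00:00:00:00:02
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""


def promisc_from_ifconfig(output: str) -> list[str]:
    """Return the names of interfaces whose ifconfig block shows PROMISC."""
    names = []
    # Each interface block starts at column 0; continuation lines are indented.
    for block in re.split(r"\n(?=\S)", output.strip()):
        head = re.match(r"([^\s:]+)", block)
        if head and re.search(r"\bPROMISC\b", block):
            names.append(head.group(1))
    return names


def promisc_from_flags(flags: dict[str, int]) -> list[str]:
    """Given {iface: flags word}, return the names that have IFF_PROMISC set."""
    return [name for name, word in flags.items() if word & IFF_PROMISC]


def read_sysfs_flags(base: str = "/sys/class/net") -> dict[str, int]:
    """Read every interface's flags word from sysfs (Linux; no root needed)."""
    flags = {}
    for path in Path(base).glob("*/flags"):
        try:
            flags[path.parent.name] = int(path.read_text().strip(), 16)
        except (OSError, ValueError):
            continue
    return flags


if __name__ == "__main__":
    # Live check of this host via sysfs, plus the parser on the constructed sample.
    print("sysfs PROMISC:", promisc_from_flags(read_sysfs_flags()) or "none")
    print("sample PROMISC:", promisc_from_ifconfig(SAMPLE_IFCONFIG))
```

On non-Linux hosts the sysfs path does not exist and `read_sysfs_flags` returns an empty dict, so feed the output of `ifconfig -a` to `promisc_from_ifconfig` there.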