CAPEC

Common Attack Pattern Enumeration and Classification
Common Attack Pattern Enumeration and Classification

A Community Knowledge Resource for Building Secure Software

Home > CAPEC List > Individual CAPEC Dictionary Definition (Release 1.1)   View the CAPEC List

Individual CAPEC Dictionary Definition (Release 1.1)
Individual CAPEC Dictionary Definition (Release 1.1)

Leverage Executable Code in Nonexecutable Files
Attack Pattern ID
Pattern Abstraction: Standard

35

Typical Severity

Very High

Description

Summary


An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/)

http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here

The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process.

The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality.
< security-constraint>
          <description>
             Security processing rules for admin screens</description>
           <url-pattern>/admin/*</url-pattern>
        <http-method>POST</http-method>
           <http-method>GET</http-method>
     <auth-constraint>
       <role-name>administrator</role-name>
           <role-name>public</role-name>
     </auth-constraint>
</security-constraint>

The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.

Attack Prerequisites

The attacker must have the ability to modify nonexecutable files consumed by the target software.

Typical Likelihood of Exploit

High

Methods of Attack
  • Injection
  • API Abuse
  • Modification of Resources
Examples-Instances

Description


Virtually any system that relies on configuration files for runtime behavior is open to this attack vector. The configuration files are frequently stored in predictable locations, so an attacker that can fingerpint a server process such as a web server or database server can quickly identify the likely locale where the configuration is stored. And this is of course not limited to server processes. Unix shells rely on profile files to store environment variables, search paths for programs and so on. If the aliases are changed, then a standard Unix "cp" command can be rerouted to "rm" or other standard command so the user's intention is subverted.

Attacker Skill or Knowledge Required

Low → to identify and execute against an overprivileged system interface

Resources Required

Ability to communicate synchronously or asynchronously with server that publishes an overprivileged directory, program, or itnerface. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.

Solutions and Mitigations

Design: Enforce principle of least privilege

Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.

Implementation: Perform testing such as pentesting and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.

Implementation: Implement host integrity monitoring to detect any unwanted altering of configuration files.

Implementation: Ensure that files that are not required to execute, such as configuration files, are not over-privileged, i.e. not allowed to execute.

Attack Motivation-Consequences
  • Run Arbitrary Code
  • Data Modification
  • Privilege Escalation
Context Description


“Attack Pattern: Leverage Executable Code in Nonexecutable Files
Attackers usually need to upload or otherwise inject hostile code into a target processing environment. In some cases, this code does not have to be inside an executable binary. A resource file, for example, may be loaded into a target process space. This resource file may contain graphics or other data and may not have been intended to be executed at all. But, if the attacker can insert some additional code sections into the resource, the process that does the loading may be none the wiser and may just load the new version. An attack can then occur."
[Hoglund and McGraw 04]

Injection Vector

Nonexecutable files

Payload

Executable code

Activation Zone

Client machine and client network

Payload Activation Impact

Enables attacker to execute server side code with any commands that the program owner has privileges to.

Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
94Code InjectionTargeted
96Insufficient Control of Directives in Statically Saved Code (Static Code Injection)Targeted
95Insufficient Control of Directives in Dynamically Evaluated Code (aka 'Eval Injection')Targeted
97Failure to Sanitize Server-Side Includes (SSI) Within a Web PageTargeted
272Least Privilege ViolationSecondary
59Failure to Resolve Links Before File Access (aka 'Link Following')Secondary
282Improper Ownership ManagementSecondary
275Permission IssuesSecondary
264Permissions, Privileges, and Access ControlsSecondary
270Privilege Context Switching ErrorSecondary
Related Vulnerabilities
Vulnerability-IDVulnerability Description
Microsoft Security Bulletin MS04-028 Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution
Related Attack Patterns
IDNameRelationship TypeRelationship Description
23File System Function Injection, Content BasedSimilar
75Manipulating Writeable Configuration FilesSimilar
Purpose

Exploitation

CIA Impact
Confidentiality ImpactIntegrity ImpactAvailability Impact
MediumHighLow
Technical Context
Architectural ParadigmFrameworkPlatformLanguage
AllAllAllAll
References

G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.

Source
Submission(s)
SubmitterOrganizationDateComment
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.Cigital, Inc2007-01-01
Modification(s)
ModifierOrganizationDateComment
Gunnar PetersonCigital, Inc2007-02-28Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software"
Sean BarnumCigital, Inc2007-03-09Review and revise
Richard StruseVOXEM, Inc2007-03-26Review and feedback leading to changes in Related Attack Patterns
Sean BarnumCigital, Inc2007-04-13Modified pattern content according to review and feedback
 
Page Last Updated: April 18, 2008