CAPEC - CAPEC-4: Using Alternative IP Address Encodings (Release 1.7.1)

Home > CAPEC List > CAPEC-4: Using Alternative IP Address Encodings (Release 1.7.1)

CAPEC List
Full CAPEC Dictionary
Methods of Attack View
Reports

About CAPEC
Documents
Resources

Community
Related Activities
Collaboration List
T-Shirt

News & Events
Calendar
Free Newsletter

Compatibility
Program
Requirements
Make a Declaration
Contact Us
Search the Site

CAPEC-4: Transmission Control Protocol

Using Alternative IP Address Encodings

Attack Pattern ID: 4 (Detailed Attack Pattern Completeness: Complete)

Typical Severity: High

Status: Draft

Description

Summary

This attack relies on the attacker using unexpected formats for representing IP addresses. Networked applications may expect network location information in a specific format, such as fully qualified domains names, URL, IP address, or IP Address ranges. The issue that the attacker can exploit is that these design assumptions may not be validated against a variety of different possible encodings and network address location formats. Applications that use naming for creating policy namespaces for managing access control may be susceptible to queryin directly by IP addresses, which is ultimately a more generally authoritative way of communicating on a network.

Alternative IP addresses can be used by the attacker to bypass application access control in order to gain access to data that is only protected by obscuring its location.

In addition this type of attack can be used as a reconnaissance mechansim to provide entry point information that the attacker gathers to penetrate deeper into the system.

Attack Prerequisites

The target software must fail to anticipate all of the possible valid encodings of an IP/web address.

Typical Likelihood of Exploit

Likelihood: Medium

Methods of Attack

Injection
Protocol Manipulation
API Abuse

Examples-Instances

Description

An attacker identifies an application server that applies a security policy based on the domain and application name, so the access control policy covers authentication and authorization for anyone accessing http://example.domain:8080/application. However, by putting in the IP address of the host the application authentication and authorization controls may be bypassed http://192.168.0.1:8080/application. The attacker relies on the victim applying policy to the namespace abstraction and not having a default deny policy in place to manage exceptions.

Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

The attacker has only to try IP address combinations.

Resources Required

Ability to communicate with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.

Solutions and Mitigations

Design: Default deny access control policies

Design: Input validation routines should check and enforce both input data types and content against a positive specification. In regards to IP addresses, this should include the authorized manner for the application to represent IP addresses and not accept user specified IP addresses and IP address formats (such as ranges)

Implementation: Perform input validation for all remote content.

Attack Motivation-Consequences

Scope	Technical Impact	Note
Confidentiality Access_Control Authorization	Gain privileges / assume identity

Injection Vector

Malicious input delivered through standard input

Payload

Varies with instantiation of attack pattern. Malicious payload may be passed directly from appliation client, such as the web browser.

Activation Zone

Client machine and client network

Payload Activation Impact

Description

Enables attacker to view and access unexpected network services.

Related Weaknesses

CWE-ID	Weakness Name	Weakness Relationship Type
291	Trusting Self-reported IP Address	Targeted
180	Incorrect Behavior Order: Validate Before Canonicalize	Targeted
41	Improper Resolution of Path Equivalence	Targeted
345	Insufficient Verification of Data Authenticity	Targeted
697	Insufficient Comparison	Targeted
707	Improper Enforcement of Message or Data Structure	Targeted

Purposes

Penetration

CIA Impact

Confidentiality Impact: Medium

Integrity Impact: Medium

Availability Impact: High

Technical Context

Architectural Paradigms	All
Frameworks	All
Platforms	All
Languages	All

References

G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.

Content History

Submissions
Submitter	Organization	Date
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.	Cigital, Inc	2007-01-01

Modifications
Modifier	Organization	Date	Comments
Gunnar Peterson	Cigital, Inc	2007-02-28	Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software"
Sean Barnum	Cigital, Inc	2007-03-09	Review and revise
Richard Struse	VOXEM, Inc	2007-03-26	Review and feedback leading to changes in Name, Attack Prerequisites,Resources Required and Method of Attack
Sean Barnum	Cigital, Inc	2007-04-13	Modified pattern content according to review and feedback

Page Last Updated: May 04, 2012


	CAPEC is co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2009 - 2012, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation. Contact capec@mitre.org for more information.	Privacy policy Terms of use Contact us