CAPEC

Common Attack Pattern Enumeration and Classification
Common Attack Pattern Enumeration and Classification

A Community Knowledge Resource for Building Secure Software

Home > CAPEC List > Individual CAPEC Dictionary Definition (Release 1.1)   View the CAPEC List

Individual CAPEC Dictionary Definition (Release 1.1)
Individual CAPEC Dictionary Definition (Release 1.1)

Overflow Binary Resource File
Attack Pattern ID
Pattern Abstraction: Detailed

44

Typical Severity

Very High

Description

Summary


An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may includes music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.

Attack Prerequisites

Target software processes binary resource files.

Target software contains a buffer overflow vulnerability reachable through input from a user-controllable binary resource file.

Typical Likelihood of Exploit

High

Methods of Attack
  • Modification of Resources
Examples-Instances

Description


Binary files like music and video files are appended with additional data to cause buffer overflow on target systems. Because these files may be filled with otherwise popular content, the attacker has an excellent vector for wide distribution. There have been numerous cases, for example of malicious screen savers for sports teams that are distributed on the event of the team winning a championship.

Attacker Skill or Knowledge Required

Medium → to modify file, deceive client into downloading, locate and exploit remote stack or heap vulnerability

Solutions and Mitigations

Perform appropriate bounds checking on all buffers.

Design: Enforce principle of least privilege

Design: Static code analysis

Implementation: Execute program in less trusted process space environment, do not allow lower integrity processes to write to higher integrity processes

Implementation: Keep software patched to ensure that known vulnerabilities are not available for attackers to target on host.

Attack Motivation-Consequences
  • Denial of Service
  • Run Arbitrary Code
Context Description


“Attack Pattern: Overflow Binary Resource File
The attacker modifies a resource file, such as sound, video, graphic, or font file. Sometimes simply editing the target resource file in a hex editor is possible. The attacker modifies headers and structure data that indicate the length of strings, and so forth."

[Hoglund and McGraw 04]

Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
119Failure to Constrain Operations within the Bounds of an Allocated Memory BufferTargeted
Related Attack Patterns
IDNameRelationship TypeRelationship Description
23File System Function Injection, Content BasedSimilar
35Leverage Executable Code in Nonexecutable FilesSimilar
Purpose

Penetration

Exploitation

CIA Impact
Confidentiality ImpactIntegrity ImpactAvailability Impact
HighHighHigh
Technical Context
Architectural ParadigmFrameworkPlatformLanguage
AllAllAllAll
References

G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.

Source
Submission(s)
SubmitterOrganizationDateComment
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.Cigital, Inc2007-01-01
Modification(s)
ModifierOrganizationDateComment
Gunnar PetersonCigital, Inc2007-02-28Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software"
Sean BarnumCigital, Inc2007-03-09Review and revise
Richard StruseVOXEM, Inc2007-03-26Review and feedback leading to changes in Related Attack Patterns
Sean BarnumCigital, Inc2007-04-13Modified pattern content according to review and feedback
 
Page Last Updated: April 18, 2008