
CAPEC-46: Overflow Variables and Tags

 
Attack Pattern ID: 46
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Summary

This type of attack leverages tags or variables in formatted configuration data to cause a buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.

+ Attack Execution Flow
Experiment
  1. The attacker modifies a tag or variable in formatted configuration data, for instance by changing it to an oversized string.

Exploit
  1. The target program consumes the data modified by the attacker without prior boundary checking. As a consequence, a buffer overflow occurs and at worst remote code execution may follow.

+ Attack Prerequisites
  • The target program consumes user-controllable data in the form of tags or variables.

  • The target program does not perform sufficient boundary checking.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
+ Examples-Instances

Description

A buffer overflow vulnerability exists in the Yamaha MidiPlug that can be accessed via a Text variable found in an EMBED tag.

Related Vulnerabilities

Description

A buffer overflow in Exim allows local users to gain root privileges by providing a long :include: option in a .forward file.

Related Vulnerabilities

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.

Skill or Knowledge Level: High

Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.

+ Probing Techniques

An attacker can modify the variables and tags exposed by the target program.

An attacker can automate the probing by input injection with scripts or automated tools.

+ Solutions and Mitigations

Use a language or compiler that performs automatic bounds checking.

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Use compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.

Use OS-level preventative functionality. Not a complete solution.

Do not trust input data from the user. Validate all user input.
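The boundary check that the prerequisites describe as missing, shown as an added example (not part of the original CAPEC entry): a parser for one "name=value" item that checks both lengths before copying and rejects oversized fields instead of truncating them. The function name, result codes and size limits are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define SETTING_NAME_MAX  32   /* assumed limits, not from any real product */
#define SETTING_VALUE_MAX 64

struct setting {
    char name[SETTING_NAME_MAX + 1];
    char value[SETTING_VALUE_MAX + 1];
};

enum parse_result { PARSE_OK, PARSE_MALFORMED, PARSE_TOO_LONG };

/* Parse one untrusted "name=value" item of known length. Every length is
 * checked against the destination size before any byte is copied; an
 * unbounded strcpy() into value[] is the flaw this attack pattern relies on. */
enum parse_result parse_setting(const char *line, size_t line_len,
                                struct setting *out)
{
    /* An embedded NUL would make later strlen() calls disagree with line_len. */
    if (memchr(line, '\0', line_len) != NULL)
        return PARSE_MALFORMED;
    const char *eq = memchr(line, '=', line_len);
    if (eq == NULL || eq == line)
        return PARSE_MALFORMED;

    size_t name_len = (size_t)(eq - line);
    size_t value_len = line_len - name_len - 1;
    if (name_len > SETTING_NAME_MAX || value_len > SETTING_VALUE_MAX)
        return PARSE_TOO_LONG;   /* reject, do not silently truncate */

    memcpy(out->name, line, name_len);
    out->name[name_len] = '\0';
    memcpy(out->value, eq + 1, value_len);
    out->value[value_len] = '\0';
    return PARSE_OK;
}

int main(void)
{
    /* Constructed input: a value far larger than the destination buffer. */
    char big[5 + 500];
    memcpy(big, "Text=", 5);
    memset(big + 5, 'A', 500);
    struct setting s;
    printf("normal: %d\n", parse_setting("Text=hello", 10, &s));
    printf("oversized: %d\n", parse_setting(big, sizeof big, &s));
    return 0;
}
```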

+ Attack Motivation-Consequences
Scope | Technical Impact | Note
Availability | DoS: crash / exit / restart |
Confidentiality, Integrity, Availability | Execute unauthorized code or commands | Run Arbitrary Code
Confidentiality | Read memory |
Integrity | Modify memory |
+ Injection Vector

The variable or tag exposed to the user.

+ Payload

The new value of the variable or tag (could be an oversized string).

+ Activation Zone

When the function returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately, that return address may have been overwritten by the overflowed buffer, and the address may contain a call to a privileged command or to malicious code.

+ Payload Activation Impact

The most common impact is remote code execution.

+ Purposes
  • Penetration
  • Exploitation
+ CIA Impact
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
+ Technical Context
Architectural Paradigms: All
Frameworks: All
Platforms: All
Languages: All, C, C++
+ References
[R.46.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
[R.46.2] [REF-3] "Common Weakness Enumeration (CWE)". CWE-119: Buffer Errors. Draft. The MITRE Corporation. 2007. <http://cwe.mitre.org/data/definitions/119.html>.
+ Content History
Submissions
Submitter | Organization | Date | Source
CAPEC Content Team | The MITRE Corporation | 2014-06-23 | Internal_CAPEC_Team

Page Last Updated: December 04, 2014