CAPEC

Common Attack Pattern Enumeration and Classification

A Community Knowledge Resource for Building Secure Software

Individual CAPEC Dictionary Definition (Release 1.1)

Overflow Variables and Tags

Attack Pattern ID

46

Pattern Abstraction

Detailed

Typical Severity

High

Description

Summary

This type of attack leverages tags or variables taken from formatted configuration data to cause a buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.

Attack Execution Flow

  1. The attacker modifies a tag or variable in formatted configuration data, for instance by changing it to an oversized string.

  2. The target program consumes the data modified by the attacker without prior boundary checking. As a consequence, a buffer overflow occurs and, at worst, remote code execution may follow.

Attack Prerequisites

The target program consumes user-controllable data in the form of tags or variables.

The target program does not perform sufficient boundary checking.

Typical Likelihood of Exploit

High

Methods of Attack

  • Injection

Examples-Instances

Description

Attack Example: Overflow Variables and Tags in MidiPlug

A buffer overflow vulnerability exists in the Yamaha MidiPlug that can be accessed via a Text variable found in an EMBED tag.

Related Vulnerability

CVE-1999-0946

Description

Attack Example: Overflow Variables and Tags in Exim

A buffer overflow in Exim allows local users to gain root privileges by providing a long :include: option in a .forward file.

Related Vulnerability

CVE-1999-0971

Attacker Skill or Knowledge Required

Low: An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.

High: Exploiting a buffer overflow to inject malicious code into the stack of a software system, or even the heap, can require a higher skill level.

Probing Techniques

An attacker can modify the variables and tags exposed by the target program.

An attacker can automate the probing by input injection with script or automated tools.

Solutions and Mitigations

Use a language or compiler that performs automatic bounds checking.

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Use compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless the compiler also provides automatic bounds checking, this is not a complete solution.

Use OS-level preventative functionality. Not a complete solution.

Do not trust input data from the user. Validate all user input.
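As an added example (not part of the CAPEC entry and not code from any product it cites), the C program below puts the execution flow above beside the boundary-checking mitigation. A "tag=value" line from configuration data is copied into a fixed-size buffer twice: once with no length check (the vulnerable shape, shown for contrast and only ever called on a short value here), and once with the value length checked against the destination before anything is copied, so an oversized value is rejected rather than written. The names copy_tag_value_unchecked, read_tag_value and VALUE_MAX, and the sample lines, are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Capacity of the fixed destination buffer (constructed value for the example). */
#define VALUE_MAX 32

/*
 * Vulnerable shape (shown for contrast; only ever called on a short value
 * here): the text after "tag=" is copied with strcpy, which stops at the
 * NUL of the source, not at the end of `out`. An oversized value from an
 * attacker-modified file therefore runs past the buffer (CWE-120).
 */
static void copy_tag_value_unchecked(const char *line, char *out)
{
    const char *eq = strchr(line, '=');
    strcpy(out, eq ? eq + 1 : line);  /* no bound on the source length */
}

/*
 * Hardened form: extract the value of `tag` from one "tag=value" line into
 * `out` (capacity `outsz`), copying only if the value fits with its NUL.
 * Returns the value length on success, -1 if the line is not for `tag`,
 * and -2 if the value is too long. Oversized input is rejected outright
 * rather than truncated, so the caller can log and discard the file.
 */
static int read_tag_value(const char *line, const char *tag,
                          char *out, size_t outsz)
{
    size_t taglen = strlen(tag);

    if (outsz == 0)
        return -2;
    if (strncmp(line, tag, taglen) != 0 || line[taglen] != '=')
        return -1;

    const char *value = line + taglen + 1;
    size_t vlen = strcspn(value, "\r\n");  /* value ends at end of line */

    if (vlen >= outsz)                     /* must leave room for the NUL */
        return -2;

    memcpy(out, value, vlen);
    out[vlen] = '\0';
    return (int)vlen;
}

int main(void)
{
    char buf[VALUE_MAX];
    char oversized[128];

    /* Constructed sample lines: a benign value and an oversized one of the
     * shape the pattern describes (same tag, value longer than the buffer). */
    const char *benign = "Text=hello";
    memset(oversized, 'A', sizeof oversized);
    memcpy(oversized, "Text=", 5);
    oversized[sizeof oversized - 1] = '\0';

    copy_tag_value_unchecked(benign, buf);   /* works, which is why the bug hides */
    printf("unchecked copy of benign value: \"%s\"\n", buf);

    int rc = read_tag_value(benign, "Text", buf, sizeof buf);
    printf("checked copy of benign value: rc=%d value=\"%s\"\n", rc, buf);

    rc = read_tag_value(oversized, "Text", buf, sizeof buf);
    printf("checked copy of oversized value: rc=%d (rejected, %zu bytes offered)\n",
           rc, strlen(oversized + 5));
    return 0;
}
```

The check is deliberately `vlen >= outsz` rather than `>`: the terminating NUL needs its own byte, and an off-by-one here is the same class of defect the pattern describes, just one byte wide. Rejecting instead of silently truncating also gives the program a clear event to log when a configuration file carries a value no legitimate writer would produce.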

Attack Motivation-Consequences

  • Denial of Service
  • Run Arbitrary Code
  • Information Leakage
  • Data Modification

Context Description

Content-Based Buffer Overflow

Data files are ubiquitous. They are used to store everything from documents to content media and critical computer settings. Every file has an inherent format that often encompasses special information such as file length, media type, and which fonts are boldface, all encoded directly in the data file. The attack vector against data files like these is simple: Mess up the data file and wait for some unsuspecting user to open it.

Some kinds of files are strikingly simple and others have complex binary structures and numerical data embedded in them. Sometimes the simple act of opening a complex file in a hex editor and tweaking a few bytes is enough to cause the (unsuspecting) program that consumes the file to crash and burn.

What’s really interesting from an attacker’s point of view is formatting data file-embedded poison pills in such a way that virus code is activated. A great example of this involved the Winamp program in which an overly long IDv3 tag would cause a buffer overflow. In the header of an MP3 file, there is a location where a normal text string can be placed. This is called the IDv3 tag, and if an overly long tag were to be supplied, Winamp would suffer a buffer overflow. This could be used by an attacker to construct malicious music files that attack the computer once they are opened in Winamp.

Injection Vector

The variable or tag exposed to the user.

Payload

The new value of the variable or tag (could be an oversized string).

Activation Zone

When the function returns control to the main program, it jumps to the return address stored in the stack frame. Unfortunately, that return address may have been overwritten by the overflowed buffer, and the new address may point to a call to a privileged command or to malicious code.

Payload Activation Impact

The most common impact is remote code execution.

Related Weaknesses

CWE-ID   Weakness Name                                                                      Weakness Relationship Type
120      Unbounded Transfer ('Classic Buffer Overflow')                                     Targeted
118      Range Errors                                                                       Targeted
119      Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer    Targeted
74       Failure to Sanitize Data into a Different Plane (aka 'Injection')                  Targeted
20       Insufficient Input Validation                                                      Targeted

Related Attack Patterns

ID    Name                                        Relationship Type   Relationship Description
100   Overflow Buffers                            More Detailed
8     Buffer Overflow in an API Call              Similar
10    Buffer Overflow via Environment Variables   Similar

Related Security Principles

  • Reluctance to trust

Purpose

Penetration

Exploitation

CIA Impact

Confidentiality Impact   Integrity Impact   Availability Impact
High                     High               High

Technical Context

Architectural Paradigm   Framework   Platform   Language
All                      All         All        All

References

G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.

CWE – Buffer Errors

Source

Submission(s)

Submitter                                                                                          Organization   Date         Comment
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.   Cigital, Inc   2007-03-01

Modification(s)

Modifier         Organization   Date         Comment
Eric Dalci       Cigital, Inc   2007-02-13   Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software"
Sean Barnum      Cigital, Inc   2007-03-05   Review and revise
Richard Struse   VOXEM, Inc     2007-03-26   Review and feedback leading to changes in Related Attack Patterns
Sean Barnum      Cigital, Inc   2007-04-13   Modified pattern content according to review and feedback

Page Last Updated: April 18, 2008