Home > CAPEC List > CAPEC-52: Embedding NULL Bytes (Version 3.0)  

CAPEC-52: Embedding NULL Bytes

Attack Pattern ID: 52
Abstraction: Detailed
Status: Draft
Presentation Filter:
+ Description
An attacker embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. The goal is for certain components of the target software to stop processing the input when it encounters the null byte(s).
+ Likelihood Of Attack


+ Typical Severity


+ Relationships

The table(s) below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

+ Relevant to the view "Mechanisms of Attack" (CAPEC-1000)
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.267Leverage Alternate Encoding
+ Execution Flow
  1. Identify a place in the program where user input may be used to escalate privileges by for instance accessing unauthorized file system resources through directory browsing.

  2. An attacker realizes that there is a postfix data that gets in the way of getting to the desired resources

  1. An attacker then ads a postfix NULL terminator to the supplied input in order to "swallow" the postfixed data when the insertion is taking place. With the postfix data that got in the way of the attack gone, the doors are opened for accessing the desired resources.

+ Prerequisites
The program does not properly handle postfix NULL terminators
+ Skills Required
[Level: Medium]
Directory traversal
[Level: High]
Execution of arbitrary code
+ Consequences

The table below specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Modify Data
Read Data
Access Control
Gain Privileges
Execute Unauthorized Commands
+ Mitigations
Properly handle the NULL characters supplied as part of user input prior to doing anything with the data.
+ Example Instances

Directory Browsing

Assume a Web application allows a user to access a set of reports. The path to the reports directory may be something like web/username/reports. If the username is supplied via a hidden field, an attacker could insert a bogus username such as ../../../../../WINDOWS. If the attacker needs to remove the trailing string /reports, then he can simply insert enough characters so the string is truncated. Alternatively the attacker might apply the postfix NULL character (%00) to determine whether this terminates the string.

Different forms of NULL to think about include

PATH%00 PATH[0x00] PATH[alternate representation of NULL character] <script></script>%00

Exploitation of a buffer overflow vulnerability in the ActiveX component packaged with Adobe Systems Inc.'s Acrobat/Acrobat Reader allows remote attackers to execute arbitrary code.

The problem specifically exists upon retrieving a link of the following form:

GET /any_existing_dir/any_existing_pdf.pdf%00[long string] HTTP/1.1

Where [long string] is a malicious crafted long string containing acceptable URI characters. The request must be made to a web server that truncates the request at the null byte (%00), otherwise an invalid file name is specified and a "file not found" page will be returned. Example web servers that truncate the requested URI include Microsoft IIS and Netscape Enterprise. Though the requested URI is truncated for the purposes of locating the file the long string is still passed to the Adobe ActiveX component responsible for rendering the page. This in turn triggers a buffer overflow within RTLHeapFree() allowing for an attacker to overwrite an arbitrary word in memory. The responsible instructions from RTLHeapFree() are shown here:

0x77F83AE5 MOV EAX,[EDI+8] 0x77F83AE8 MOV ECX,[EDI+C] ... 0x77F83AED MOV [ECX],EAX

The register EDI contains a pointer to a user-supplied string. The attacker therefore has control over both the ECX and EAX registers used in the shown MOV instruction.

Successful exploitation allows remote attackers to utilize the arbitrary word overwrite to redirect the flow of control and eventually take control of the affected system. Code execution will occur under the context of the user that instantiated the vulnerable version of Adobe Acrobat.

An attacker does not need to establish a malicious web site as exploitation can occur by adding malicious content to the end of any embedded link and referencing any Microsoft IIS or Netscape Enterprise web server. Clicking on a direct malicious link is also not required as it may be embedded within an IMAGE tag, an IFRAME or an auto-loading script.

Successful exploitation requires that a payload be written such that certain areas of the input are URI acceptable. This includes initial injected instructions as well as certain overwritten addresses. This increases the complexity of successful exploitation. While not trivial, exploitation is definitely plausible [R.52.2].

See also: CVE-2004-0629

Consider the following PHP script:

$whatever = addslashes($_REQUEST['whatever']); include("/path/to/program/" . $whatever . "/header.htm");

A malicious attacker might open the following URL, disclosing the boot.ini file:

+ Memberships
This MemberOf Relationships table shows additional CAPEC Categories and Views that reference this attack pattern as a member. This information is often useful in understanding where a attack pattern fits within the context of external information sources.
MemberOfCategoryCategory - A category in CAPEC is a collection of attack patterns based on some common characteristic. More specifically, it is an aggregation of attack patterns based on effect/intent (as opposed to actions or mechanisms, such an aggregation would be a meta attack pattern). An aggregation based on effect/intent is not an actionable attack and as such is not a pattern of attack behavior. Rather, it is a grouping of patterns based on some common criteria.361WASC-28 - Null Byte Injection
+ References
[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.
[REF-445] "Adobe Acrobat/Acrobat Reader ActiveX Control Buffer Overflow Vulnerability". iDefense Labs Public Advisory. Verisign, Inc.. 2004-08-13. <http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=126>.
[REF-446] "PHP Input Validation Vulnerabilities". Bugtraq mailing list archive. <http://msgs.securepoint.com/bugtraq/>.
+ Content History
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation
Modification DateModifierOrganization
2018-07-31CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018