|
|
| Home > CAPEC List > Individual CAPEC Dictionary Definition (Release 1.1) | View the CAPEC List |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Individual CAPEC Dictionary Definition (Release 1.1)
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Argument Injection | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Attack Pattern ID | Pattern Abstraction: Standard 6 | ||||||||||||||||||||||||||||||||||||
| Typical Severity | High | ||||||||||||||||||||||||||||||||||||
| Description | Summary
| ||||||||||||||||||||||||||||||||||||
| Attack Prerequisites | Target software fails to strip all user-supplied input of any content that could cause the shell to perform unexpected actions. Software must allow for unvalidated or unfiltered input to be executed on operating system shell, and, optionally, the system configuration must allow for output to be sent back to client. | ||||||||||||||||||||||||||||||||||||
| Typical Likelihood of Exploit | High | ||||||||||||||||||||||||||||||||||||
| Methods of Attack |
| ||||||||||||||||||||||||||||||||||||
| Examples-Instances | Description A recent example instance of argument injection occurred against Java Web Start technology, which eases the client side deployment for Java programs. The JNLP files that are used to describe the properties for the program. The client side Java runtime used the arguments in the property setting to define execution parameters, but if the attacker appends commands to an otherwise legitimate property file, then these commands are sent to the client command shell. | ||||||||||||||||||||||||||||||||||||
| Attacker Skill or Knowledge Required | Medium → The attacker has to identify injection vector, identify the operating system-specific commands, and optionally collect the output. | ||||||||||||||||||||||||||||||||||||
| Resources Required | Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP. | ||||||||||||||||||||||||||||||||||||
| Solutions and Mitigations | Design: Do not program input values directly on command shell, instead treat user input as guilty until proven innocent. Build a function that takes user input and converts it to applications specific types and values, stripping or filtering out all unauthorized commands and characters in the process. Design: Limit program privileges, so if metacharcters or other methods circumvent program input validation routines and shell access is attained then it is not running under a privileged account. chroot jails create a sandbox for the application to execute in, making it more difficult for an attacker to elevate privilege even in the case that a compromise has occurred. Implementation: Implement an audit log that is written to a separate host, in the event of a compromise the audit log may be able to provide evidence and details of the compromise. | ||||||||||||||||||||||||||||||||||||
| Attack Motivation- |
| ||||||||||||||||||||||||||||||||||||
| Context Description |
| ||||||||||||||||||||||||||||||||||||
| Injection Vector | Malicious input delivered through standard input, the attacker inserts additional arguments on the application's standard interface | ||||||||||||||||||||||||||||||||||||
| Payload | Varies with instantiation of attack pattern. Malicious payload either pass commands through valid paramters or supply metacharacters that cause unexpected termination that redirects to shell | ||||||||||||||||||||||||||||||||||||
| Activation Zone | Client machine and client network (e..g Intranet) | ||||||||||||||||||||||||||||||||||||
| Payload Activation Impact | Enables attacker to execute server side code with any commands that the program owner has privileges to, this is particularly problematic when the sprogram is run as a system or privileged account. | ||||||||||||||||||||||||||||||||||||
| Related Weaknesses |
| ||||||||||||||||||||||||||||||||||||
| Related Guidelines |
| ||||||||||||||||||||||||||||||||||||
| Purpose | Penetration | ||||||||||||||||||||||||||||||||||||
| CIA Impact |
| ||||||||||||||||||||||||||||||||||||
| Technical Context |
| ||||||||||||||||||||||||||||||||||||
| References | G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | ||||||||||||||||||||||||||||||||||||
| Source |
| ||||||||||||||||||||||||||||||||||||