CAPEC - CAPEC-75: Manipulating Writeable Configuration Files (Release 1.4)

Home > CAPEC List > CAPEC-75: Manipulating Writeable Configuration Files (Release 1.4)

CAPEC List
Full CAPEC Dictionary
Methods of Attack View

About CAPEC
Documents
Resources

Community
Related Activities
Collaboration List

News & Events
Calendar
Free Newsletter

Contact Us
Search the Site

CAPEC-75: Manipulating Writeable Configuration Files

Manipulating Writeable Configuration Files

Attack Pattern ID: 75 (Standard Attack Pattern Completeness: Complete)

Typical Severity: Very High

Status: Draft

Description

Summary

Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attacker's behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.

Attack Prerequisites

Configuration files must be modifiable by the attacker

Typical Likelihood of Exploit

Likelihood: High

Methods of Attack

Modification of Resources

Examples-Instances

Description

The BEA Weblogic server uses a config.xml file to store configuration data. If this file is not properly protected by the system access control, an attacker can write configuration information to redirect server output through system logs, database connections, malicious URLs and so on. Access to the Weblogic server may be from a so-called Custom realm which manages authentication and authorization privileges on behalf of user principals. Given write access, the attacker can insert a pointer to a custom realm jar file in the config.xml

< CustomRealm

ConfigurationData="java.util.Properties"

Name="CustomRealm"

RealmClassName="Maliciousrealm.jar"

The main issue with configuration files is that the attacker can leverage all the same functionality the server has, but for malicious means. Given the complexity of server configuration, these changes may be very hard for administrators to detect.

Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

To identify vulnerable configuration files, and understand how to manipulate servers and erase forensic evidence

Solutions and Mitigations

Design: Enforce principle of least privilege

Design: Backup copies of all configuration files

Implementation: Integrity monitoring for configuration files

Implementation: Enforce audit logging on code and configuration promotion procedures.

Implementation: Load configuration from separate process and memory space, for example a separate physical device like a CD

Attack Motivation-Consequences

Privilege Escalation

Injection Vector

Configuration files

Payload

Commands or configuration settings

Activation Zone

Configuration file processing routines

Payload Activation Impact

Enables attacker to execute server side code with any commands that the program owner has privileges to.

Related Weaknesses

CWE-ID	Weakness Name	Weakness Relationship Type
349	Acceptance of Extraneous Untrusted Data With Trusted Data	Targeted
99	Insufficient Control of Resource Identifiers (aka 'Resource Injection')	Targeted
77	Failure to Sanitize Data into a Control Plane (aka 'Command Injection')	Targeted
346	Origin Validation Error	Targeted
353	Failure to Add Integrity Check Value	Secondary
354	Failure to Check Integrity Check Value	Secondary
713	OWASP Top Ten 2007 Category A2 - Injection Flaws	Targeted

Related Attack Patterns

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Category	233	Privilege Escalation	Mechanism of Attack (primary)1000
ChildOf	Attack Pattern	176	Configuration/Environment manipulation	Mechanism of Attack (primary)1000
PeerOf	Attack Pattern	35	Leverage Executable Code in Nonexecutable Files	Mechanism of Attack1000

Purposes

Exploitation

CIA Impact

Confidentiality Impact: High

Integrity Impact: High

Availability Impact: Medium

Technical Context

Architectural Paradigms	All
Frameworks	All
Platforms	All
Languages	All

References

G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.

Content History

Submissions
Submitter	Organization	Date
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.	Cigital, Inc	2007-01-01

Modifications
Modifier	Organization	Date	Comments
Gunnar Peterson	Cigital, Inc	2007-02-28	Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software"
Sean Barnum	Cigital, Inc	2007-03-09	Review and revise
Richard Struse	VOXEM, Inc	2007-03-26	Review and feedback leading to changes in Name and Description
Sean Barnum	Cigital, Inc	2007-04-16	Modified pattern content according to review and feedback

Page Last Updated: September 23, 2009


	CAPEC is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. Vision and Technical Leadership provided by Cigital, Inc. This Web site is hosted by The MITRE Corporation. Copyright 2010, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation. Contact capec@mitre.org for more information.	Privacy policy Terms of use Contact us