An attacker manipulates inputs to the target software which the target
software passes to file system calls in the OS. The goal is to gain access
to, and perhaps modify, areas of the file system that the target software
did not intend to be accessible.
Attack Execution Flow
Explore
Fingerprinting of the operating system:
In order to create a valid file injection, the attacker needs to know what the underlying OS is.
Attack Step Techniques
1. Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
   TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, he attempts to guess the actual operating system.
Outcomes
1. Success: Operating environment (operating system, language, and/or middleware) is correctly identified.
2. Inconclusive: Multiple candidate operating environments are suggested.
Security Controls
1. Preventative: Provide misleading information on TCP/IP fingerprints (some operating systems can be configured to send signatures that match other operating systems).
2. Preventative: Provide misleading information at the server level (e.g., Apache, IIS, WebLogic, etc.) to announce a different server software.
3. Detective: Some fingerprinting techniques can be detected by operating systems or by network IDS systems because they leave the network connection half-open, or they do not belong to a valid, open connection.
Survey the Application to Identify User-controllable Inputs:
The attacker surveys the target application to identify all user-controllable inputs, possibly as a valid and authenticated user.
Attack Step Techniques
1. Spider web sites for all available links, entry points to the web site. (Environments: env-Web)
2. Manually explore application and inventory all application inputs. (Environments: env-All)
Outcomes
1. Success: The attacker develops a list of likely interesting paths (application or OS related).
Security Controls
1. Detective: Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
2. Detective: Create links on some pages that are visually hidden from web browsers. Using IFRAMES, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
3. Preventative: Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
4. Detective: Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
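The first and fourth detective controls above both come down to the same measurement: how fast and how regular a client's requests are. The following is an added example, not part of the CAPEC entry, that runs that check over a few constructed log lines in an assumed simplified format ("<unix_time> <client_ip> <method> <path> <status>"; real server logs would need their own parser). A client is flagged only when its median inter-request gap is small AND the gaps are regular (low coefficient of variation), which is what separates a tool's steady cadence from a human's bursty clicking. The IP addresses, thresholds and timestamps are constructed for the demonstration.

```python
import statistics
from collections import defaultdict

# Constructed sample log (assumed format, not real server output):
# "<unix_time> <client_ip> <method> <path> <status>".
# 203.0.113.5 requests a new page every 0.8 s with almost no jitter (tool-like);
# 198.51.100.7 requests pages at irregular multi-second gaps (human-like).
SAMPLE_LOG = """\
1255183000.00 203.0.113.5 GET / 200
1255183000.80 203.0.113.5 GET /about 200
1255183001.60 203.0.113.5 GET /products 200
1255183002.40 203.0.113.5 GET /contact 200
1255183003.20 203.0.113.5 GET /login 200
1255183004.00 203.0.113.5 GET /search 200
1255183000.00 198.51.100.7 GET / 200
1255183004.70 198.51.100.7 GET /products 200
1255183017.30 198.51.100.7 GET /products/42 200
1255183019.10 198.51.100.7 GET /cart 200
1255183041.90 198.51.100.7 GET /checkout 200
1255183062.00 198.51.100.7 GET /login 200
"""


def parse_log(text):
    """Group request timestamps by client IP from the constructed log format."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, _method, _path, _status = line.split()
        by_ip[ip].append(float(ts))
    return by_ip


def request_cadence(timestamps):
    """Median gap between consecutive requests plus the coefficient of
    variation (stdev / mean) of those gaps; None if too few requests."""
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean_gap = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
    return {"requests": len(ts), "median_gap": statistics.median(gaps), "cv": cv}


def flag_automated_clients(text, min_requests=5, max_median_gap=2.0, max_cv=0.25):
    """Return per-client cadence statistics with an 'automated' verdict.

    A client is flagged when it has made at least min_requests requests,
    its median gap is at most max_median_gap seconds (fast), and the gaps
    vary by at most max_cv relative to their mean (regular). The thresholds
    are constructed defaults; tune them against real traffic.
    """
    results = {}
    for ip, stamps in parse_log(text).items():
        stats = request_cadence(stamps)
        if stats is None or stats["requests"] < min_requests:
            continue
        stats["automated"] = (
            stats["median_gap"] <= max_median_gap and stats["cv"] <= max_cv
        )
        results[ip] = stats
    return results


if __name__ == "__main__":
    for ip, stats in flag_automated_clients(SAMPLE_LOG).items():
        verdict = "AUTOMATED" if stats["automated"] else "human-like"
        print(f"{ip}: {stats['requests']} requests, median gap "
              f"{stats['median_gap']:.2f}s, cv {stats['cv']:.2f} -> {verdict}")
```

Requiring both speed and regularity matters: a human hammering the reload button is fast but irregular, while a polite crawler with a one-second delay is slow but perfectly regular; only the combination is a strong predictor, and the preventative control that denies or redirects such origins should key off the same verdict rather than off raw request counts.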
Experiment
Vary inputs, looking for malicious results:
Depending on whether the application being exploited is a remote or local one, the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application.
Outcome: One or more injections that are appropriate to the platform provoke an unexpected response from the software, which can be varied by the attacker based on the input.
Exploit
Manipulate files accessible by the application:
The attacker may steal information or directly manipulate files (delete, copy, flush, etc.).
Attack Step Techniques
1. The attacker injects a context-appropriate malicious file path to access the content of the targeted file. (Environments: env-All)
2. The attacker injects context-appropriate malicious file system control syntax to access the content of the targeted file. (Environments: env-All)
3. The attacker injects a context-appropriate malicious file path to cause the application to create or delete a targeted file. (Environments: env-All)
4. The attacker injects context-appropriate malicious file system control syntax to cause the application to create or delete a targeted file. (Environments: env-All)
5. The attacker injects a context-appropriate malicious file path in order to manipulate the meta-data of the targeted file. (Environments: env-All)
6. The attacker injects context-appropriate malicious file system control syntax in order to manipulate the meta-data of the targeted file. (Environments: env-All)
Outcomes
1. Success: The software performs an action the attacker desires. This might be displaying information, storing information in a file, deleting a file, or some other malicious activity.
Security Controls
1. Detective: Use a system that logs file modification and/or access.
2. Preventative: Make the application run in a low-privileged mode to prevent such an attack from accessing important files.
Attack Prerequisites
Program must allow for user-controlled variables to be applied directly to the filesystem.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
API Abuse
Modification of Resources
Examples-Instances
Description
An example of using path traversal to attack some set of resources on a web server is to use a standard HTTP request
http://example/../../../../../etc/passwd
From an attacker's point of view, this may be sufficient to gain access to the password file on a poorly protected system. If the attacker can list directories of critical resources, then read-only access is not sufficient to protect the system.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
To identify file system entry points and execute against an overprivileged system interface.
Solutions and Mitigations
Design: Enforce principle of least privilege.
Design: Ensure all input is validated, and does not contain file system commands.
Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if the attacker gains some limited access to commands.
Design: For interactive user applications, consider if a direct file system interface is necessary; instead consider having the application proxy communication.
Implementation: Perform testing such as pentesting and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.
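The "ensure all input is validated" mitigation is easy to get wrong by blacklisting the literal string "..": the request in the example above may arrive URL-encoded, double-encoded, or as an absolute path, and os.path.join silently discards the document root when the user-supplied part is absolute. The following added example (not code from the CAPEC entry) shows a vulnerable resolver beside a hardened one that decodes, normalizes, and then proves the result is still inside the assumed document root /srv/www/public. The root, file names and request strings are constructed for the demonstration; the hardened resolver works on path strings only, so in production it should additionally resolve symlinks on the real filesystem (os.path.realpath) before the containment check.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the demonstration (constructed, not from the page).
DOC_ROOT = "/srv/www/public"


def resolve_unsafe(doc_root, requested):
    """Vulnerable: joins the user-supplied path straight onto the document root.
    '..' segments walk out of doc_root, and an absolute request path makes
    posixpath.join discard doc_root entirely."""
    return posixpath.normpath(posixpath.join(doc_root, requested))


def resolve_safe(doc_root, requested):
    """Hardened: decode, reject NUL bytes, drop the leading '/', normalize,
    then require the result to still lie under doc_root.
    Returns the resolved path, or None when the request escapes the root."""
    # Decode twice so a double-encoded "%252e%252e" is seen as "..".
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        return None  # NUL bytes truncate paths in C-based file APIs
    relative = decoded.lstrip("/")  # treat every request as root-relative
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # Containment check: the common prefix must be the root itself.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def classify_requests(doc_root, requests):
    """Run both resolvers over a list of request paths; handy for comparing
    what the vulnerable code would have opened against what the hardened
    code allows."""
    return [
        {
            "request": req,
            "unsafe": resolve_unsafe(doc_root, req),
            "safe": resolve_safe(doc_root, req),
        }
        for req in requests
    ]


if __name__ == "__main__":
    # Constructed sample requests, including the page's own traversal example.
    sample = [
        "images/logo.png",
        "../../../../../etc/passwd",
        "/etc/passwd",
        "%2e%2e/%2e%2e/etc/passwd",
        "docs/../../secret.txt",
    ]
    for row in classify_requests(DOC_ROOT, sample):
        print(f"{row['request']!r:32} unsafe -> {row['unsafe']!r:40} "
              f"safe -> {row['safe']!r}")
```

The containment test uses commonpath rather than a string prefix check so that a sibling directory such as /srv/www/public2 is not mistaken for being inside /srv/www/public. Note that a request for "/etc/passwd" is not rejected but re-rooted to /srv/www/public/etc/passwd, which is the intended behaviour for a web document root; combined with the least-privilege and chroot mitigations above, even a bypass of the string check leaves the process unable to reach files outside its directory.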
Attack Motivation-Consequences
Privilege Escalation
Data Modification
Injection Vector
Payload delivered through standard communication protocols and inputs.
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.