Home > CAPEC List > CAPEC-76: Manipulating Web Input to File System Calls (Version 2.11)  

CAPEC-76: Manipulating Web Input to File System Calls

 
Manipulating Web Input to File System Calls
Definition in a New Window Definition in a New Window
Attack Pattern ID: 76
Abstraction: Detailed
Status: Draft
Completeness: Complete
Presentation Filter:
+ Summary

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

+ Attack Steps
Explore
  1. Fingerprinting of the operating system: In order to create a valid file injection, the attacker needs to know what the underlying OS is.

    Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.

    TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, he attempts to guess the actual operating system.

    Induce errors to find informative error messages

  2. Survey the Application to Identify User-controllable Inputs: The attacker surveys the target application to identify all user-controllable inputs, possibly as a valid and authenticated user

    Spider web sites for all available links, entry points to the web site.

    Manually explore application and inventory all application inputs

Experiment
  1. Vary inputs, looking for malicious results: Depending on whether the application being exploited is a remote or local one the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application

    Inject context-appropriate malicious file path using network packet injection tools (netcat, nemesis, etc.)

    Inject context-appropriate malicious file path using web test frameworks (proxies, TamperData, custom programs, etc.) or simple HTTP requests

    Inject context-appropriate malicious file system control syntax

Exploit
  1. Manipulate files accessible by the application: The attacker may steal information or directly manipulate files (delete, copy, flush, etc.)

    The attacker injects context-appropriate malicious file path to access the content of the targeted file.

    The attacker injects context-appropriate malicious file system control syntax to access the content of the targeted file.

    The attacker injects context-appropriate malicious file path to cause the application to create, delete a targeted file.

    The attacker injects context-appropriate malicious file system control syntax to cause the application to create, delete a targeted file.

    The attacker injects context-appropriate malicious file path in order to manipulate the meta-data of the targeted file.

    The attacker injects context-appropriate malicious file system control syntax in order to manipulate the meta-data of the targeted file.

+ Attack Prerequisites
  • Program must allow for user controlled variables to be applied directly to the filesystem

+ Typical Severity

Very High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
  • API Abuse
  • Modification of Resources
+ Examples-Instances

Description

The attacker uses relative path traversal to access files in the application. This is an example of accessing user's password file.

(Attack)
 
http://www.example.com/getProfile.jsp?filename=../../../../etc/passwd

However, the target application employs regular expressions to make sure no relative path sequences are being passed through the application to the web page. The application would replace all matches from this regex with the empty string.

Then an attacker creates special payloads to bypass this filter:

(Attack)
 
http://www.example.com/getProfile.jsp?filename=%2e%2e/%2e%2e/%2e%2e/%2e%2e /etc/passwd

When the application gets this input string, it will be the desired vector by the attacker.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

To identify file system entry point and execute against an over-privileged system interface

+ Solutions and Mitigations

Design: Enforce principle of least privilege.

Design: Ensure all input is validated, and does not contain file system commands

Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.

Design: For interactive user applications, consider if direct file system interface is necessary, instead consider having the application proxy communication.

Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Integrity
Modify application data
+ Injection Vector

Payload delivered through standard communication protocols and inputs.

+ Payload

File system commands and specifiers

+ Activation Zone

File system

+ Payload Activation Impact

File access or modification.

+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: Medium
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ References
[R.76.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
Modifications
ModifierOrganizationDateCommentsSource
CAPEC Content TeamThe MITRE Corporation2017-01-09Updated Examples-Instances, Related_Attack_PatternsInternal
Previous Entry Names
DatePrevious Entry Name
2017-01-09Manipulating Input to File System Calls

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2017