CAPEC - CAPEC-76: Manipulating Web Input to File System Calls (Version 3.9)


Common Attack Pattern Enumeration and Classification A Community Resource for Identifying and Understanding Attacks

Home > CAPEC List > CAPEC-76: Manipulating Web Input to File System Calls (Version 3.9)

CAPEC-76: Manipulating Web Input to File System Calls

Attack Pattern ID: 76

Abstraction: Detailed

View customized information:

Description

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

This table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	126	Path Traversal

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate Data Structures

Execution Flow

Explore

Fingerprinting of the operating system: In order to create a valid file injection, the attacker needs to know what the underlying OS is so that the proper file seperator is used.

Techniques
Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
Induce errors to find informative error messages

Survey the Application to Identify User-controllable Inputs: The attacker surveys the target application to identify all user-controllable inputs, possibly as a valid and authenticated user
Techniques
Spider web sites for all available links, entry points to the web site.
Manually explore application and inventory all application inputs

Experiment

Vary inputs, looking for malicious results: Depending on whether the application being exploited is a remote or local one, the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application

Techniques
Inject context-appropriate malicious file path using network packet injection tools (netcat, nemesis, etc.)
Inject context-appropriate malicious file path using web test frameworks (proxies, TamperData, custom programs, etc.) or simple HTTP requests
Inject context-appropriate malicious file system control syntax

Exploit

Manipulate files accessible by the application: The attacker may steal information or directly manipulate files (delete, copy, flush, etc.)

Techniques
The attacker injects context-appropriate malicious file path to access the content of the targeted file.
The attacker injects context-appropriate malicious file system control syntax to access the content of the targeted file.
The attacker injects context-appropriate malicious file path to cause the application to create, delete a targeted file.
The attacker injects context-appropriate malicious file system control syntax to cause the application to create, delete a targeted file.
The attacker injects context-appropriate malicious file path in order to manipulate the meta-data of the targeted file.
The attacker injects context-appropriate malicious file system control syntax in order to manipulate the meta-data of the targeted file.

Prerequisites

Program must allow for user controlled variables to be applied directly to the filesystem

Skills Required

[Level: Low]

To identify file system entry point and execute against an over-privileged system interface

Consequences

This table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges
Integrity	Modify Data

Mitigations

Design: Enforce principle of least privilege.

Design: Ensure all input is validated, and does not contain file system commands

Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.

Design: For interactive user applications, consider if direct file system interface is necessary, instead consider having the application proxy communication.

Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.

Example Instances

The attacker uses relative path traversal to access files in the application. This is an example of accessing user's password file.

http://www.example.com/getProfile.jsp?filename=../../../../etc/passwd

However, the target application employs regular expressions to make sure no relative path sequences are being passed through the application to the web page. The application would replace all matches from this regex with the empty string.

Then an attacker creates special payloads to bypass this filter:

http://www.example.com/getProfile.jsp?filename=%2e%2e/%2e%2e/%2e%2e/%2e%2e /etc/passwd

When the application gets this input string, it will be the desired vector by the attacker.

Related Weaknesses

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful. If multiple weaknesses are associated with the attack pattern, then any of the weaknesses (but not necessarily all) may be present for the attack to be successful. Each related weakness is identified by a CWE identifier.

CWE-ID	Weakness Name
23	Relative Path Traversal
22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
73	External Control of File Name or Path
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
346	Origin Validation Error
348	Use of Less Trusted Source
285	Improper Authorization
272	Least Privilege Violation
59	Improper Link Resolution Before File Access ('Link Following')
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
15	External Control of System or Configuration Setting

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Examples-Instances, Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Execution_Flow
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Weaknesses
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Example_Instances
Previous Entry Names
Change Date	Previous Entry Name
2017-01-09 (Version 2.9)	Manipulating Input to File System Calls

More information is available — Please select a different filter.

Page Last Updated or Reviewed: July 31, 2018


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Attack Pattern Enumeration and Classification (CAPEC), and the associated references from this website are subject to the Terms of Use. CAPEC is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2007–2024, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.

Common Attack Pattern Enumeration and Classification

CAPEC-76: Manipulating Web Input to File System Calls