Home > CAPEC List > CAPEC-77: Manipulating User-Controlled Variables (Version 2.5)  

CAPEC-77: Manipulating User-Controlled Variables

 
Manipulating User-Controlled Variables
Definition in a New Window Definition in a New Window
Attack Pattern ID: 77
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Description

Summary

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Attack Execution Flow

Explore
  1. The attacker communicates with the application server using a thin client (browser) or thick client.

Experiment
  1. While communicating with the server, the attacker finds that she can control and override a variable consumed by the application server.

Exploit
  1. The attacker overrides the variable and influences the normal behavior of the application server.

+ Attack Prerequisites
  • A variable consumed by the application server is exposed to the client.

  • A variable consumed by the application server can be overwritten by the user.

  • The application server trusts user supplied data to compute business logic.

  • The application server does not perform proper input validation.

+ Typical Severity

Very High

+ Typical Likelihood of Exploit

Likelihood: Very High

+ Methods of Attack
  • Injection
+ Examples-Instances

Description

PHP is a study in bad security. The main idea pervading PHP is "ease of use," and the mantra "don't make the developer go to any extra work to get stuff done" applies in all cases. This is accomplished in PHP by removing formalism from the language, allowing declaration of variables on first use, initializing everything with preset values, and taking every meaningful variable from a transaction and making it available. In cases of collision with something more technical, the simple almost always dominates in PHP.

One consequence of all this is that PHP allows users of a Web application to override environment variables with user-supplied, untrusted query variables. Thus, critical values such as the CWD and the search path can be overwritten and directly controlled by a remote anonymous user.

Another similar consequence is that variables can be directly controlled and assigned from the user-controlled values supplied in GET and POST request fields. So seemingly normal code like this, does bizarre things:

while($count < 10){
// Do something
$count++;
}

Normally, this loop will execute its body ten times. The first iteration will be an undefined zero, and further trips though the loop will result in an increment of the variable $count. The problem is that the coder does not initialize the variable to zero before entering the loop. This is fine because PHP initializes the variable on declaration. The result is code that seems to function, regardless of badness. The problem is that a user of the Web application can supply a request such as

GET /login.php?count=9

and cause $count to start out at the value 9, resulting in only one trip through the loop. Yerg.

Depending on the configuration, PHP may accept user-supplied variables in place of environment variables. PHP initializes global variables for all process environment variables, such as $PATH and $HOSTNAME. These variables are of critical importance because they may be used in file or network operations. If an attacker can supply a new $PATH variable (such as PATH='/var'), the program may be exploitable.

PHP may also take field tags supplied in GET/POST requests and transform them into global variables. This is the case with the $count variable we explored in our previous example.

Consider another example of this problem in which a program defines a variable called $tempfile. An attacker can supply a new temp file such as $tempfile = "/etc/passwd". Then the temp file may get erased later via a call to unlink($tempfile);. Now the passwd file has been erased--a bad thing indeed on most OSs.

Also consider that the use of include() and require() first search $PATH, and that using calls to the shell may execute crucial programs such as ls. In this way, ls may be "Trojaned" (the attacker can modify $PATH to cause a Trojan copy of ls to be loaded). This type of attack could also apply to loadable libraries if $LD_LIBRARY_PATH is modified.

Finally, some versions of PHP may pass user data to syslog as a format string, thus exposing the application to a format string buffer overflow.

Related Vulnerabilities

File upload allows arbitrary file read by setting hidden form variables to match internal variable names (CVE-2000-0860)

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

The malicious user can easily try some well-known global variables and find one which matches.

Skill or Knowledge Level: Medium

The attacker can use automated tools to probe for variables that she can control.

+ Probing Techniques

Description

The attacker can try to change the value of the variables that are exposed on the webpage's source code and send them back to the application server. Depending on what program is running on the application server, the attacker may know which variables should be targeted.

Description

The malicious user may try to guess a global variable just by black box testing at the request level. For instance it is possible to create a variable and assign it a value, then pass it along to the request made to the server.

Description

Web penetration tool can be used to automate the discovery of client controlled global variables.

+ Indicators-Warnings of Attack

Description

A web penetration tool probing a web server may generate abnormal activities recorded on log files. Abnormal traffic such as a high number of request coming from the same client may also rise the warnings from a monitoring system or an intrusion detection tool.

+ Solutions and Mitigations

Do not allow override of global variables and do Not Trust Global Variables.

If the register_globals option is enabled, PHP will create global variables for each GET, POST, and cookie variable included in the HTTP request. This means that a malicious user may be able to set variables unexpectedly. For instance make sure that the server setting for PHP does not expose global variables.

A software system should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking is performed when relying on input from outside a trust boundary.

Separate the presentation layer and the business logic layer. Variables at the business logic layer should not be exposed at the presentation layer. This is to prevent computation of business logic from user controlled input data.

Use encapsulation when declaring your variables. This is to lower the exposure of your variables.

Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should be rejected by the program.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Integrity
Modify application data
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
+ Injection Vector

The user controlled variable.

+ Payload

The new value of the user controlled variable.

+ Activation Zone

The command or request interpreter on the server side is responsible for interpreting the global variables. Sometime the global variables are controlled by a setting. For instance in PHP, the Boolean setting "register_globals" defines whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables. As of PHP 4.2.0, this settings defaults to off. This directive was removed in PHP 6.0.0.

+ Payload Activation Impact

Description

Changing the value of a server side variable may have many outcomes. In the case of a DEBUG related variable, there will be an information leak problem. Some other impacts can be privilege escalation, data modification, etc. It really depends on what the variable controls. If a global variable is used for authentication, there may be a vulnerability of privilege escalation. Another common variation of this last problem is to implement a "Remember My Login" feature by storing a user identifier in a cookie, allowing users to change their cookie value to login as whomever they want.

+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: Medium
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ References
[R.77.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
[R.77.2] Artur Maj. "Securing PHP: Step-by-Step". Security Focus. June 22, 2003. <http://www.securityfocus.com/infocus/1706>.
[R.77.3] Clancy Malcolm. "Ten Security Checks for PHP, Part 1". 2003-03-20.
[R.77.4] "PHP Manual". Chapter 29. Using Register Globals. The PHP Group. <http://www.php.net/manual/en/security.globals.php>.
+ Content History
Submissions
SubmitterOrganizationDate
[R.77.1][REF-2] Cigital, Inc2007-03-01
Modifications
ModifierOrganizationDateCommentsSource
Eric DalciCigital, Inc2007-02-13Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software"
Sean BarnumCigital, Inc2007-03-07Review and revise
Richard StruseVOXEM, Inc2007-03-26Review and feedback leading to changes in Name, Description and Related Attack Patterns
Sean BarnumCigital, Inc2007-04-16Modified pattern content according to review and feedback
CAPEC Content TeamThe MITRE Corporation2014-02-06Updated Activation_Zone, Attack_Phases, Attacker_Skills_or_Knowledge_Required, Examples-Instances, Related_GuidelinesInternal

Page Last Updated: May 07, 2014