CAPEC

Common Attack Pattern Enumeration and Classification
Common Attack Pattern Enumeration and Classification

A Community Knowledge Resource for Building Secure Software

Home > CAPEC List > Individual CAPEC Dictionary Definition (Release 1.1)   View the CAPEC List

Individual CAPEC Dictionary Definition (Release 1.1)
Individual CAPEC Dictionary Definition (Release 1.1)

Man in the Middle Attack
Attack Pattern ID
Pattern Abstraction: Standard

94

Typical Severity

Very High

Description

Summary

This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakeage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identify between two components.

Attack Execution Flow

  1. The attacker probes to determine the nature and mechanism of communication between two components looking for opportunities to exploit.

  2. The attacker inserts himself into the communication channel initially acting as a routing proxy between the two targeted components. The attacker may or may not have to use cryptography.

  3. The attacker observes, filters or alters passed data of its choosing to gain access to sensitive information or to manipulate the actions of the two target components for his own purposes.

Attack Prerequisites

There are two components communicating with each other.

An attacker is able to identify the nature and mechanism of communication between the two target components.

An attacker can eavesdrop on the communication between the target components.

Strong mutual authentication is not used between the two target components yielding opportunity for attacker interposition.

The communication occurs in clear (not encrypted) or with insufficient and spoofable encryption.

Typical Likelihood of Exploit

Very High

Methods of Attack
  • Spoofing
  • Analysis
  • Modification of Resources
Examples-Instances

Description

Symantec Scan Engine 5.0.0.24, and possibly other versions before 5.1.0.7, uses the same private DSA key for each installation, which allows remote attackers to conduct man-in-the-middle attacks and decrypt communications.

Related Vulnerability

CVE-2006-0231

Attacker Skill or Knowledge Required

Medium/High: This attack can get sophisticated since the attack may use cryptography.

Probing Techniques

The attacker can try to get the public-keys of the victims.

There are free software tool to perform man in the middle attack (packet anlaysis, etc.)

Solutions and Mitigations

Get your Public Key signed by a Certificate Authority

Encrypt your communication using cryptography (SSL,...)

Use Strong mutual authentication to always fully authenticate both ends of any communications channel.

Exchange public keys using a secure channel

Attack Motivation-Consequences
  • Data Modification
  • Privilege Escalation
  • Information Leakage
Context Description

A certificate binds an identity to a cryptographic key to authenticate a communicating party. Often, the certificate takes the encrypted form of the hash of the identity of the subject, the public key, and information such as time of issue or expiration using the issuer's private key. The certificate can be validated by deciphering the certificate with the issuer's public key. See also X.509 certificate signature chains and the PGP certification structure.

Injection Vector

The captured or modified data in transit

Payload

The new value of the data or the replay of the same data (e.g. credential)

Activation Zone

The messages exchanged between the two target hosts.

Payload Activation Impact

Privilege escalation. modification of resource, information leakage, etc.

Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
300Channel Accessible by Non-Endpoint (aka 'Man-in-the-Middle')Targeted
290Authentication Bypass by SpoofingSecondary
593Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are CreatedSecondary
287Insufficient AuthenticationTargeted
294Authentication Bypass by Capture-replaySecondary
Related Security Principles
  • Complete Mediation
Purpose

Exploitation

CIA Impact
Confidentiality ImpactIntegrity ImpactAvailability Impact
HighHighHigh
Technical Context
Architectural ParadigmFrameworkPlatformLanguage
AllAllAllAll
References

CWE – Man-in-the-middle (MITM)

M. Bishop. Computer Security: Art and Science. Addison-Wesley, 2003.

Source
Submission(s)
SubmitterOrganizationDateComment
Sean BarnumCigital, Inc.2007-03-25Identified priority for pattern creation
Modification(s)
ModifierOrganizationDateComment
Eric DalciCigital, Inc.2007-03-25Fleshed out content for pattern
Sean BarnumCigital, Inc2007-04-16Review and revise
 
Page Last Updated: April 18, 2008