Home > CAPEC List > VIEW SLICE: CAPEC-2000: Comprehensive CAPEC Dictionary (Version 2.6)  

CAPEC-2000: Comprehensive CAPEC Dictionary

 
Comprehensive CAPEC Dictionary
Definition in a New Window Definition in a New Window
View ID: 2000
Structure: Implicit Slice
Status: Draft
+ Objective

This view (slice) covers all the elements in CAPEC.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team

Filter Used: true()

CAPECs in this viewTotal CAPECs
Total544out of544
Views8out of8
Categories73out of73
Attack Patterns463out of463
View Components
View Components
A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z
 
Abuse of Communication Channels
Definition in a New Window Definition in a New Window
Attack Pattern ID: 216
Abstraction: Meta
Status: Draft
Completeness: Hook
+ Description

Summary

An attacker may take advantage of a setting in communications protocols where security settings or other choices involving the various parameters can be influenced or manipulated to cause compromise to the communications. This can be disclosure of information, insertion or removal of information from the communications stream, and even include remote system compromise.

+ Attack Prerequisites
  • Access to the client/server stream.

+ Resources Required

The attacker needs the ability to sniff traffic, and optionally be able to route said traffic to a system where the sniffing of traffic can take place, and act upon the recovered traffic in real time.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Abuse of Functionality
Definition in a New Window Definition in a New Window
Category ID: 210
 
Status: Draft
+ Description

Summary

An attacker manipulates one or more functions of an application in order to perform an attack. This is a broad class of attacks wherein the attacker is able to alter the intended result or purpose of the functionality and thereby affect application behavior or information integrity. Outcomes can range from vandalism and reduction in service to the execution of arbitrary code on the target machine.
+ Attack Prerequisites
  • All applications are potentially vulnerable to this class of attack as all applications have by nature, intended functionality.

+ Resources Required

Attacker requirements will vary depending on the nature of the functionality to be manipulated.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
HasMemberAttack PatternAttack Pattern212Functionality Misuse
Mechanisms of Attack (primary)1000
HasMemberCategoryCategory375WASC-42 - Abuse of Functionality
WASC Threat Classification 2.0333
ParentOfAttack PatternAttack Pattern48Passing Local Filenames to Functions That Expect a URL
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern87Forceful Browsing
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern95WSDL Scanning
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern113API Abuse/Misuse
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern133Try All Common Application Switches and Options
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern141Cache Poisoning
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern184Software Integrity Attacks
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern213Directory Traversal
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern216Abuse of Communication Channels
Mechanisms of Attack1000
ParentOfAttack PatternAttack Pattern465Socket Capable Browser Plugins Result In Transparent Proxy Abuse
Mechanisms of Attack (primary)1000
MemberOfViewView1000Mechanisms of Attack
Mechanisms of Attack1000
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Abuse of Transaction Data Structure
Definition in a New Window Definition in a New Window
Attack Pattern ID: 257
Abstraction: Meta
Status: Draft
Completeness: Hook
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Accessing Functionality Not Properly Constrained by ACLs
Definition in a New Window Definition in a New Window
Attack Pattern ID: 1
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Description

Summary

In applications, particularly web applications, access to functionality is mitigated by the authorization framework, whose job it is to map ACLs to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application or can run queries for data that he is otherwise not supposed to.

Attack Execution Flow

Explore
  1. Survey:

    The attacker surveys the target application, possibly as a valid and authenticated user

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Spidering web sites for all available links

    env-Web
    2

    Brute force guessing of resource names

    env-All
    3

    Brute force guessing of user names / credentials

    env-All
    4

    Brute force guessing of function names / actions

    env-All

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    ACLs or other access control mechanisms are present in the software

    env-Web env-ClientServer
    2Positive

    User IDs or other credentials are present in the software

    env-Web env-ClientServer
    3Positive

    Operating modes with different privileges are present in the software

    env-ClientServer env-Local env-Embedded
  2. Identify Functionality:

    At each step, the attacker notes the resource or functionality access mechanism invoked upon performing specific actions

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Use the web inventory of all forms and inputs and apply attack data to those inputs.

    env-Web
    2

    Use a packet sniffer to capture and record network traffic

    env-CommProtocol
    3

    Execute the software in a debugger and record API calls into the operating system or important libraries. This might occur in an environment other than a production environment, in order to find weaknesses that can be exploited in a production environment.

    env-Local env-Embedded

    Outcomes

    IDTypeOutcome Description
    1Success
    The attacker produces a list of functionality or data that can be accessed through the system.
Experiment
  1. Iterate over access capabilities:

    Possibly as a valid user, the attacker then tries to access each of the noted access mechanisms directly in order to perform functions not constrained by the ACLs.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Fuzzing of API parameters (URL parameters, OS API parameters, protocol parameters)

    env-Web env-Local env-Embedded env-ClientServer

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Negative

    Attempts to create a catalog of access mechanisms and data have failed.

    env-All

    Outcomes

    IDTypeOutcome Description
    1Success
    Functionality is accessible to unauthorized users.
+ Attack Prerequisites
  • The application must be navigable in a manner that associates elements (subsections) of the application with ACLs.

  • The various resources, or individual URLs, must be somehow discoverable by the attacker

  • The administrator must have forgotten to associate an ACL or has associated an inappropriately permissive ACL with a particular navigable resource.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: Very High

+ Methods of Attack
  • Analysis
  • Brute Force
+ Examples-Instances

Description

Implementing the Model-View-Controller (MVC) within Java EE's Servlet paradigm using a "Single front controller" pattern that demands that brokered HTTP requests be authenticated before hand-offs to other Action Servlets.

If no security-constraint is placed on those Action Servlets, such that positively no one can access them, the front controller can be subverted.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

In order to discover unrestricted resources, the attacker does not need special tools or skills. He only has to observe the resources or access mechanisms invoked as each action is performed and then try and access those access mechanisms directly.

+ Resources Required

No special resources are required for the exploit of this pattern.

+ Probing Techniques

Description

In the case of web applications, use of a spider or other crawling software can allow an attacker to search for accessible pages not beholden to a security constraint.

Description

More generally, noting the target resource accessed upon performing specific actions drives an understanding of the resources accessible from the current context.

+ Solutions and Mitigations

In a J2EE setting, administrators can associate a role that is impossible for the authenticator to grant users, such as "NoAccess", with all Servlets to which access is guarded by a limited number of servlets visible to, and accessible by, the user.

Having done so, any direct access to those protected Servlets will be prohibited by the web container.

In a more general setting, the administrator must mark every resource besides the ones supposed to be exposed to the user as accessible by a role impossible for the user to assume. The default security setting must be to deny access and then grant access only to those resources intended by business logic.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
+ Relevant Security Requirements

All resources must be constrained to be inaccessible by default followed by selectively allowing access to resources as dictated by application and business logic

In addition to a central controller, every resource must also restrict, wherever possible, incoming accesses as dictated by the relevant ACL.

+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: MediumAvailability Impact: Low
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Accessing, Modifying or Executing Executable Files
Definition in a New Window Definition in a New Window
Attack Pattern ID: 17
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Description

Summary

An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

+ Attack Prerequisites
  • System's configuration must allow an attacker to directly access executable files or upload files to execute. This means that any access control system that is supposed to mediate communications between the subject and the object is set incorrectly or assumes a benign environment.

+ Typical Severity

Very High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Modification of Resources
  • API Abuse
+ Examples-Instances

Description

Consider a directory on a web server with the following permissions

drwxrwxrwx 5 admin public 170 Nov 17 01:08 webroot

This could allow an attacker to both execute and upload and execute programs' on the web server. This one vulnerability can be exploited by a threat to probe the system and identify additional vulnerabilities to exploit.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

To identify and execute against an over-privileged system interface

+ Resources Required

Ability to communicate synchronously or asynchronously with server that publishes an over-privileged directory, program, or interface. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.

+ Solutions and Mitigations

Design: Enforce principle of least privilege

Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.

Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Integrity
Modify application data
Confidentiality
Read application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
+ Injection Vector

Payload delivered through standard communication protocols.

+ Payload

Command(s) executed directly on host

+ Activation Zone

Client machine and client network

+ Payload Activation Impact

Description

Enables attacker to execute server side code with any commands that the program owner has privileges to.

+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: MediumAvailability Impact: Low
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ References
[R.17.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Accessing/Intercepting/Modifying HTTP Cookies
Definition in a New Window Definition in a New Window
Attack Pattern ID: 31
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Description

Summary

This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems.

The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein.

The second form of this attack involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the attacker to impersonate the remote user/session.

The third form is when the cookie's content is modified by the attacker before it is sent back to the server. Here the attacker seeks to convince the target server to operate on this falsified information.

Attack Execution Flow

Explore
  1. Obtain copy of cookie:

    The attacker first needs to obtain a copy of the cookie. The attacker may be a legitimate end user wanting to escalate privilege, or could be somebody sniffing on a network to get a copy of HTTP cookies.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Obtain cookie from local filesystem (e.g. C:\Documents and Settings\*\Cookies and C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\cookies.txt in Windows)

    env-Web
    2

    Sniff cookie using a network sniffer such as Wireshark

    env-Web
    3

    Obtain cookie from local memory or filesystem using a utility such as the Firefox Cookie Manager or AnEC Cookie Editor.

    env-Web
    4

    Steal cookie via a cross-site scripting attack.

    env-Web
    5

    Guess cookie contents if it contains predictable information.

    env-Web

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    Cookies used in web application.

    env-Web
    2Negative

    Cookies not used in web application.

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    Cookie captured by attacker.
    2Failure
    Cookie cannot be captured by attacker.

    Security Controls

    IDTypeSecurity Control Description
    1Preventative
    To prevent network sniffing, cookies should be transmitted over HTTPS and not plain HTTP. To enforce this on the client side, the "secure" flag should be set on cookies (javax.servlet.http.Cookie.setSecure() in Java, secure flag in setcookie() function in php, etc.).
Experiment
  1. Obtain sensitive information from cookie:

    The attacker may be able to get sensitive information from the cookie. The web application developers may have assumed that cookies are not accessible by end users, and thus, may have put potentially sensitive information in them.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    If cookie shows any signs of being encoded using a standard scheme such as base64, decode it.

    env-Web
    2

    Analyze the cookie's contents to determine whether it contains any sensitive information.

    env-Web

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Negative

    Cookie only contains a random session ID (e.g. ASPSESSIONID, JSESSIONID, etc.)

    env-Web
    2Positive

    Cookie contains sensitive information (e.g. "ACCTNO=0234234", or "DBIP=0xaf112a22" -- database server's IP address).

    env-Web
    3Inconclusive

    Cookie's contents cannot be deciphered.

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    Cookie contains sensitive information that developer did not intent the end user to see.
    2Failure
    Cookie does not contain any sensitive information.

    Security Controls

    IDTypeSecurity Control Description
    3Preventative
    Do not store sensitive information in cookies unless they are encrypted such that only the server can decrypt them.
  2. Modify cookie to subvert security controls.:

    The attacker may be able to modify or replace cookies to bypass security controls in the application.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Modify logical parts of cookie and send it back to server to observe the effects.

    env-Web
    2

    Modify numeric parts of cookie arithmetically and send it back to server to observe the effects.

    env-Web
    3

    Modify cookie bitwise and send it back to server to observe the effects.

    env-Web
    4

    Replace cookie with an older legitimate cookie and send it back to server to observe the effects. This technique would be helpful in cases where the cookie contains a "points balance" for a given user where the points have some value. The user may spend his points and then replace his cookie with an older one to restore his balance.

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    Subversion of security controls on server
    2Failure
    Cookie reset by server

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Web server logs contain many messages indicating that invalid cookies were received from client.
    2Preventative
    Cookies should not contain any information that the user is not allowed to modify, unless that information is never expected to change. In the latter case, the integrity of the cookie should be protected using a digital signature or a message authentication code.
+ Attack Prerequisites
  • Target server software must be a HTTP daemon that relies on cookies.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Modification of Resources
  • API Abuse
  • Protocol Manipulation
  • Time and State
+ Examples-Instances

Description

There are two main attack vectors for exploiting poorly protected session variables like cookies. One is the local machine itself which can be exploited directly at the physical level or indirectly through XSS and phishing. In addition, the man in the middle attack relies on a network sniffer, proxy, or other intermediary to intercept the subject's credentials and use them to impersonate the digital subject on the host. The issue is that once the credentials are intercepted, impersonation is trivial for the attacker to accomplish if no other protection mechanisms are in place.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

To overwrite session cookie data, and submit targeted attacks via HTTP

Skill or Knowledge Level: High

Exploiting a remote buffer overflow generated by attack

+ Resources Required

Ability to send HTTP request containing cookie to server

+ Solutions and Mitigations

Design: Use input validation for cookies

Design: Generate and validate MAC for cookies

Implementation: Use SSL/TLS to protect cookie in transit

Implementation: Ensure the web server implements all relevant security patches, many exploitable buffer overflows are fixed in patches issued for the software.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Read application data
Integrity
Modify application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
+ Injection Vector

HTTP cookie

+ Payload

Malicious input delivered through cookie in HTTP Request.

+ Activation Zone

Client software, such as a browser and its component libraries, or an intermediary

+ Payload Activation Impact

Description

  1. Enables attacker to leverage state stored in cookie
  2. Enables attacker a vector to attack web server and platform
+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: Low
+ Technical Context
Architectural Paradigms
Client-Server
n-Tier
Frameworks
All
Platforms
All
Languages
All
+ References
[R.31.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Action Spoofing
Definition in a New Window Definition in a New Window
Attack Pattern ID: 173
Abstraction: Meta
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker is able to disguise one action for another and therefore trick a user into initiating one type of action when they intend to initiate a different action. For example, a user might be led to believe that clicking a button will submit a query, but in fact it downloads software. Attackers may perform this attack through social means, such as by simply convincing a victim to perform the action or relying on a user's natural inclination to do so, or through technical means, such as a clickjacking attack where a user sees one interface but is actually interacting with a second, invisible, interface.

+ Attack Prerequisites
  • The victim must be convinced into performing the decoy action.

+ Typical Severity

Very High

+ Resources Required

The attacker must have enough control over a user's interface to present them with a decoy action as well as the actual malicious action. Simple versions of this attack can be performed using web pages requiring only that the attacker be able to host (or control) content that the user visits.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Active OS Fingerprinting
Definition in a New Window Definition in a New Window
Attack Pattern ID: 312
Abstraction: Standard
Status: Draft
+ Description

Summary

An attacker engages in activity to detect the operating system or firmware version of a remote target by interrogating a device, server, or platform with a probe designed to solicit behavior that will reveal information about the operating systems or firmware in the environment. Operating System detection is possible because implementations of common protocols (Such as IP or TCP) differ in distinct ways. While the implementation differences are not sufficient to 'break' compatibility with the protocol the differences are detectable because the target will respond in unique ways to specific probing activity that breaks the semantic or logical rules of packet construction for a protocol. Different operating systems will have a unique response to the anomalous input, providing the basis to fingerprint the OS behavior. This type of OS fingerprinting can distinguish between operating system types and versions.

+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Network Layer

Target Attack Surface Localities

Server-side

Target Attack Surface Types: Host

Target Functional Services

Target Functional Service 1: None
Protocol 1: Any
Related Protocol: Internet Protocol
Relationship Type
Uses Protocol
Related Protocol: User Datagram Protocol
Relationship Type
Uses Protocol
Related Protocol: Internet Control Messaging Protocol
Relationship Type
Uses Protocol
Related Protocol: Transmission Control Protocol
Relationship Type
Uses Protocol
+ Attack Prerequisites
  • The ability to send and receive packets from a remote target, or the ability to passively monitor network communications.

+ Typical Severity

Low

+ Resources Required

Any type of active probing that involves non-standard packet headers requires the use of raw sockets, which is not available on particular operating systems (Microsoft Windows XP SP 2, for example). Raw socket manipulation on Unix/Linux requires root privileges. Installing a listener on the network requires access to at least one host, and the privileges to interface with the network interface card.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
+ References
[R.312.1] [REF-20] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.
[R.312.2] [REF-21] Defense Advanced Research Projects Agency Information Processing Techniques Office and Information Sciences Institute University of Southern California. "RFC793 - Transmission Control Protocol". Defense Advanced Research Projects Agency (DARPA). September 1981. <http://www.faqs.org/rfcs/rfc793.html>.
[R.312.3] [REF-22] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Chapter 8. Remote OS Detection. 3rd "Zero Day" Edition,. Insecure.com LLC. 2008.
[R.312.4] [REF-10] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://www.phrack.org/issues.html?issue=51&id=11#article>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Activity Hijack
Definition in a New Window Definition in a New Window
Attack Pattern ID: 501
Abstraction: Detailed
Status: Draft
Completeness: Stub
+ Description

Summary

An adversary, through a previously installed malicious application, intercepts an implicit intent sent to launch a trusted activity and instead launches a counterfeit activity in its place. The malicious activity is then used to mimic the trusted activity's user interface and convince the user to enter sensitive data as if they were interacting with the trusted activity.

+ Solutions and Mitigations

To mitigate this type of an attack, explicit intents should be used whenever sensitive data is being sent. An explicit intent is delivered to a specific application as declared within the intent, whereas the Android operating system determines who receives an implicit intent which could potentially be a malicious application. If an implicit intent must be used, then it should be assumed that the intent will be received by an unknown application and any response should be treated accordingly. Implicit intents should never be used for inter-application communication.

+ References
[REF-51] Erika Chin, Adrienne Porter Felt, Kate Greenwood and David Wagner. "Analyzing Inter-Application Communication in Android". 3.1.2 Activity Hijacking. International Conference on Mobile Systems, Applications, and Services (MobiSys). 2011. <http://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
AJAX Fingerprinting
Definition in a New Window Definition in a New Window
Attack Pattern ID: 85
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Description

Summary

This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. In many XSS attacks the attacker must get a "hole in one" and successfully exploit the vulnerability on the victim side the first time, once the client is redirected the attacker has many chances to engage in follow on probes, but there is only one first chance. In a widely used web application this is not a major problem because 1 in a 1,000 is good enough in a widely used application.

A common first step for an attacker is to footprint the environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on.

+ Attack Prerequisites
  • The user must allow JavaScript to execute in their browser

+ Typical Severity

Very High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Protocol Manipulation
  • Injection
  • Brute Force
+ Examples-Instances

Description

Footprinting can be executed over almost any protocol including HTTP, TCP, UDP, and ICMP, with the general goal of gaining further information about a host environment to launch further attacks. By appending a malicious script to an otherwise normal looking URL, the attacker can probe the system for banners, vulnerabilities, filenames, available services, and in short anything the host process has access to. The results of the probe are either used to execute additional javascript (for example, if the attackers' footprint script identifies a vulnerability in a firewall permission, then the client side script executes a javascript to change client firewall settings, or an attacker may simply echo the results of the scan back out to a remote host for targeting future attacks).

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

To land and launch a script on victim's machine with appropriate footprinting logic for enumerating services and vulnerabilities in JavaScript

+ Solutions and Mitigations

Design: Use browser technologies that do not allow client side scripting.

Design: Utilize strict type, character, and encoding enforcement

Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.

Implementation: Perform input validation for all remote content.

Implementation: Perform output validation for all remote content.

Implementation: Disable scripting languages such as JavaScript in browser

Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Read application data
+ Injection Vector

Payload delivered through standard communication protocols, such as Ajax application.

+ Payload

Command(s) executed directly on host

+ Activation Zone

Client machine and client network

+ Payload Activation Impact

Description

Enables attacker to execute probes against client system.

+ Purposes
  • Reconnaissance
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: LowAvailability Impact: Low
+ Technical Context
Architectural Paradigms
Client-Server
SOA
Frameworks
All
Platforms
All
Languages
AJAX
+ References
[R.85.1] Shreeraj Shah. "Ajax fingerprinting for Web 2.0 Applications". Help Net Security. <http://www.net-security.org/dl/articles/Ajax_fingerprinting.pdf>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Alter System Components
Definition in a New Window Definition in a New Window
Category ID: 526
 
Status: Draft
+ Description

Summary

Attack patterns within this category focus on alteration or manipulation of the components in a system in an attempt to achieve a desired negative technical impact.
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
HasMemberAttack PatternAttack Pattern401Hacking Hardware Devices or Components
Mechanisms of Attack (primary)1000
HasMemberAttack PatternAttack Pattern547Physical Destruction of Device or Component
Mechanisms of Attack (primary)1000
MemberOfViewView1000Mechanisms of Attack
Mechanisms of Attack1000
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Altered BIOS Installed After Installation
Definition in a New Window Definition in a New Window
Attack Pattern ID: 532
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker with access to download and update system software sends a maliciously altered BIOS to the victim or victim supplier/integrator, which when installed allows for future exploitation.

+ Attack Prerequisites
  • Advanced knowledge about the installed target system design.

  • Advanced knowledge about the download and update installation processes.

  • Access to the download and update system(s) used to deliver BIOS images.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: Low

The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.

+ Examples-Instances

Description

An attacker compromises the download and update portion of a manufacturer's web presence, and develops a malicious BIOS that in addition to the normal functionality will also at a specific time of day disable the remote access subsystem's security checks. The malicious BIOS is put in place on the manufacturer's website, the victim location is sent an official-looking email informing the victim of the availability of a new BIOS with bug fixes and enhanced performance capabilities to entice the victim to install the new BIOS quickly. The malicious BIOS is downloaded and installed on the victim's system, which allows for additional compromise by the attacker.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: High

Able to develop a malicious BIOS image with the original functionality as a normal BIOS image, but with added functionality that allows for later compromise and/or disruption.

+ References
[R.532.1] [REF-50] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Amplification
Definition in a New Window Definition in a New Window
Attack Pattern ID: 490
Abstraction: Meta
Status: Draft
Completeness: Stub
+ Description

Summary

An adversary may execute an amplification where the size of a response is far greater than that of the request that generates it. The goal of this attack is to use a relatively few resources to create a large amount of traffic against a target server. To execute this attack, an adversary send a request to a 3rd party service, spoofing the source address to be that of the target server. The larger response that is generated by the 3rd party service is then sent to the target server. By sending a large number of initial requests, the adversary can generate a tremendous amount of traffic directed at the target. The greater the discrepancy in size between the initial request and the final payload delivered to the target increased the effectiveness of this attack.

+ Attack Prerequisites
  • This type of an attack requires the existence of a 3rd party service that generates a response that is significantly larger than the request that triggers it.

+ Solutions and Mitigations

To mitigate this type of an attack, an organization can attempt to identify the 3rd party services being used in an active attack and blocking them until the attack ends. This can be accomplished by filtering traffic for suspicious message patterns such as a spike in traffic where each response contains the same large block of data. Care should be taken to prevent false positive rates so legitimate traffic isn't blocked.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Analyze Target
Definition in a New Window Definition in a New Window
Category ID: 281
 
Status: Draft
+ Description

Summary

Attack patterns within this category focus on the analysis of a target system, protocol, message, or application in order to overcome protections on the target or as a precursor to other attacks. Analysis can involve dissection of an application, analysis of message patterns, formal analysis of protocols, or other methods. The outcome of these attacks can be disclosure of sensitive information, or disclosure of security configuration that leads to further attacks targeted to discovered weaknesses.
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ParentOfAttack PatternAttack Pattern97Cryptanalysis
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern188Reverse Engineering
Mechanisms of Attack (primary)1000
MemberOfViewView1000Mechanisms of Attack
Mechanisms of Attack1000
+ Other Notes

Any entity that can be observed by an attacker could potentially be used in an analysis based attack.

Most analysis attacks require tools in order to collect information about the target. For example, scanning suites and packet sniffers might be used to analyze a web service or protocol. Moreover, following collection of information, some attacks require additional tools in order to process the discovered data. Cryptanalysis applications are one example of such tools. Finally, some of these attacks require a high level of sophistication on the part of an attacker in order to extract useful results from collected information.

When possible, minimize the information a system displays about itself, including minimizing unnecessary information in error messages and other descriptive messages.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
API Abuse/Misuse
Definition in a New Window Definition in a New Window
Attack Pattern ID: 113
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker manipulates the processing of Application Programming Interface (API) resulting in the API's function having an adverse impact upon the security of the system or application implementing the API. This can allow the attacker to execute functionality not intended by the API implementation, possibly compromising the system or application which integrates the API. API Abuse can take on a number of forms. For example, the API may trust that the calling function properly validates its data and thus it may be manipulated by supplying metacharacters or alternate encodings as input, resulting in any number of injection flaws, including SQL injection, cross-site scripting, or command execution. Another example could be API methods that should be disabled in a production application but were not, thus exposing dangerous functionality within a production environment.

+ Attack Prerequisites
  • The target system must expose API functionality in a manner that can be discovered and manipulated by an attacker. This may require reverse engineering the API syntax or decrypting/de-obfuscating client-server exchanges.

+ Typical Severity

Medium

+ Resources Required

The requirements vary depending upon the nature of the API. For application-layer APIs related to the processing of the HTTP protocol, one or more of the following may be needed: a MITM (Man-In-The-Middle) proxy, a web browser, or a programming/scripting language.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Application API Button Hijacking
Definition in a New Window Definition in a New Window
Attack Pattern ID: 388
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination. For example, an in-game event occurs and the attacker traps the result, which turns out to be a form that will be populated to their primary profile. The attacker, using a MITM proxy, observes the following data:

[Button][Claim_Item]Sourdough_Cookie[URL_IMG]foo[/URL_IMG][Claim_Link]bar[/Claim_Link]

By altering the destination of "Claim_Link" to point to the attackers' server an unwitting victim can be enticed to click the link. Another example would be for the attacker to rewrite the button destinations for an event so that clicking "Yes" or "No" causes the user to load the attackers' code.

+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Application Layer

Target Attack Surface Localities

Server-side

Target Attack Surface Types: Host

Target Functional Services

Target Functional Service 1: None
Protocol 1: HTTP
Related Protocol: Internet Protocol
Relationship Type
Uses Protocol
Related Protocol: Transmission Control Protocol
Relationship Type
Uses Protocol
+ Attack Prerequisites
  • Targeted software is utilizing application framework APIs

+ Typical Severity

Medium

+ Resources Required

A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy.

+ References
[R.388.1] [REF-25] Tom Stracener and Sean Barnum. "So Many Ways [...]: Exploiting Facebook and YoVille". Defcon 18. 2010.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Application API Message Manipulation via Man-in-the-Middle
Definition in a New Window Definition in a New Window
Attack Pattern ID: 384
Abstraction: Meta
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack can allow the attacker to gain unauthorized privileges within the application, or conduct attacks such as phishing, deceptive strategies to spread malware, or traditional web-application attacks. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system. Despite the use of MITM software, the attack is actually directed at the server, as the client is one node in a series of content brokers that pass information along to the application framework. Additionally, it is not true "Man-in-the-Middle" attack at the network layer, but an application-layer attack the root cause of which is the master applications trust in the integrity of code supplied by the client.

+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Application Layer

Target Attack Surface Localities

Server-side

Target Attack Surface Types: Host

Target Functional Services

Target Functional Service 1: None
Protocol 1: HTTP
Related Protocol: Internet Protocol
Relationship Type
Uses Protocol
Related Protocol: Transmission Control Protocol
Relationship Type
Uses Protocol
+ Attack Prerequisites
  • Targeted software is utilizing application framework APIs

+ Typical Severity

Low

+ Resources Required

A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy.

+ References
[R.384.1] [REF-25] Tom Stracener and Sean Barnum. "So Many Ways [...]: Exploiting Facebook and YoVille". Defcon 18. 2010.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Application API Navigation Remapping
Definition in a New Window Definition in a New Window
Attack Pattern ID: 386
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of links/buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains links/buttons that point to an attacker controlled destination. Some applications make navigation remapping more difficult to detect because the actual HREF values of images, profile elements, and links/buttons are masked. One example would be to place an image in a user's photo gallery that when clicked upon redirected the user to an off-site location. Also, traditional web vulnerabilities (such as CSRF) can be constructed with remapped buttons or links. In some cases navigation remapping can be used for Phishing attacks or even means to artificially boost the page view, user site reputation, or click-fraud.

+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Transport Layer

Target Attack Surface Localities

Server-side

Target Attack Surface Types: Host

Target Functional Services

Target Functional Service 1: None
Protocol 1: HTTP
Related Protocol: Internet Protocol
Relationship Type
Uses Protocol
Related Protocol: Transmission Control Protocol
Relationship Type
Uses Protocol
+ Attack Prerequisites
  • Targeted software is utilizing application framework APIs

+ Typical Severity

Medium

+ Resources Required

A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy.

+ References
[R.386.1] [REF-25] Tom Stracener and Sean Barnum. "So Many Ways [...]: Exploiting Facebook and YoVille". Defcon 18. 2010.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Application Fingerprinting
Definition in a New Window Definition in a New Window
Attack Pattern ID: 541
Abstraction: Standard
Status: Draft
+ Description

Summary

An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.

+ Attack Prerequisites
  • None

+ Typical Severity

Low

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Argument Injection
Definition in a New Window Definition in a New Window
Attack Pattern ID: 6
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Description

Summary

An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.

Attack Execution Flow

Explore
  1. Discovery of potential injection vectors:

    Using an automated tool or manual discovery, the attacker identifies services or methods with arguments that could potentially be used as injection vectors (OS, API, SQL procedures, etc.).

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Manually cover the application and record the possible places where arguments could be passed into external systems.

    env-All
    2

    Use a spider, for web applications, to create a list of URLs and associated inputs.

    env-All

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    Arguments are used by the application in exposed services or methods

    env-All
    2Inconclusive

    No parameters appear to be used.

    env-All
    3Negative

    Application does not use any inputs.

    env-All

    Outcomes

    IDTypeOutcome Description
    1Success
    A list of parameters, arguments to modify is identified.
    2Success
    A list of URLs, with their corresponding parameters (POST, GET, COOKIE, etc.) is created by the attacker.

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
    2Detective
    Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
    3Preventative
    Use CAPTCHA to prevent the use of the application by an automated tool.
    4Preventative
    Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Experiment
  1. 1. Attempt variations on argument content:

    Possibly using an automated tool, the attacker will perform injection variations of the arguments.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Use a very large list of probe strings in order to detect if there is a positive result, and, what type of system has been targeted (if obscure).

    env-All
    2

    Use a proxy tool to record results, error messages and/or log if accessible.

    env-All

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    The application behaves like the injection has been a success.

    env-All
    2Inconclusive

    No result appears.

    env-All

    Outcomes

    IDTypeOutcome Description
    1Failure
    It is possible to monitor the application and to see that the argument has been validated.

    Security Controls

    IDTypeSecurity Control Description
    1Preventative
    Actively monitor malicious inputs.
    2Detective
    Monitor the services and/or methods uses of the arguments.
Exploit
  1. Abuse of the application:

    The attacker injects specific syntax into a particular argument in order to generate a specific malicious effect in the targeted application.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Manually inject specific payload into targeted argument.

    env-All

    Outcomes

    IDTypeOutcome Description
    1Success
    The attacker observes desired effect.

    Security Controls

    IDTypeSecurity Control Description
    2Preventative
    Actively monitor malicious inputs.
    3Detective
    Monitor the services and/or methods uses of the arguments.
+ Attack Prerequisites
  • Target software fails to strip all user-supplied input of any content that could cause the shell to perform unexpected actions.

  • Software must allow for unvalidated or unfiltered input to be executed on operating system shell, and, optionally, the system configuration must allow for output to be sent back to client.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
+ Examples-Instances

Description

A recent example instance of argument injection occurred against Java Web Start technology, which eases the client side deployment for Java programs. The JNLP files that are used to describe the properties for the program. The client side Java runtime used the arguments in the property setting to define execution parameters, but if the attacker appends commands to an otherwise legitimate property file, then these commands are sent to the client command shell. [R.6.2]

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

The attacker has to identify injection vector, identify the operating system-specific commands, and optionally collect the output.

+ Resources Required

Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.

+ Solutions and Mitigations

Design: Do not program input values directly on command shell, instead treat user input as guilty until proven innocent. Build a function that takes user input and converts it to applications specific types and values, stripping or filtering out all unauthorized commands and characters in the process.

Design: Limit program privileges, so if metacharacters or other methods circumvent program input validation routines and shell access is attained then it is not running under a privileged account. chroot jails create a sandbox for the application to execute in, making it more difficult for an attacker to elevate privilege even in the case that a compromise has occurred.

Implementation: Implement an audit log that is written to a separate host, in the event of a compromise the audit log may be able to provide evidence and details of the compromise.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Integrity
Modify application data
Confidentiality
Read application data
+ Injection Vector

Malicious input delivered through standard input, the attacker inserts additional arguments on the application's standard interface

+ Payload

Varies with instantiation of attack pattern. Malicious payload either pass commands through valid parameters or supply metacharacters that cause unexpected termination that redirects to shell

+ Activation Zone

Client machine and client network (e.g. Intranet)

+ Payload Activation Impact

Description

Enables attacker to execute server side code with any commands that the program owner has privileges to, this is particularly problematic when the program is run as a system or privileged account.

+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: LowIntegrity Impact: HighAvailability Impact: Low
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ References
[R.6.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
[R.6.2] Jouko Pynnonen. "Java Web Start argument injection vulnerability". <http://www.securityfocus.com/archive/1/393696>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
ASIC With Malicious Functionality
Definition in a New Window Definition in a New Window
Attack Pattern ID: 539
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker with access to the development environment process of an application-specific integrated circuit (ASIC) for a victim system being developed or maintained after initial deployment can insert malicious functionality into the system for the purpose of disruption or further compromise.

+ Attack Prerequisites
  • The attacker must have working knowledge of some if not all of the components involved in the target system as well as the infrastructure and development environment of the manufacturer.

  • Advanced knowledge about the ASIC installed within the target system.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: Low

The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.

+ Examples-Instances

Description

A hardware manufacturer periodically updates its ASIC with new features. The attacker, knowing the manufacturer runs email on a system adjacent to the hardware development systems used for ASIC design, sends a phishing email with a malicious attachment to the manufacturer. When viewed, the malicious attachment installs a backdoor that allows the attacker to remotely compromise the adjacent ASIC development system. The attacker is then able to exfiltrate and alter sensitive data on the ASIC system, allowing for future compromise once a new AISC is deployed at the victim location.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: High

Able to develop and manufacture malicious subroutines for an ASIC environment without degradation of existing functions and processes.

+ References
[R.539.1] [REF-50] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Attack through Shared Data
Definition in a New Window Definition in a New Window
Attack Pattern ID: 124
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker exploits a data structure shared between multiple applications or an application pool to affect application behavior. Data may be shared between multiple applications or between multiple threads of a single application. Data sharing is usually accomplished through mutual access to a single memory location. If an attacker can manipulate this shared data (usually by co-opting one of the applications or threads) the other applications or threads using the shared data will often continue to trust the validity of the compromised shared data and use it in their calculations. This can result in invalid trust assumptions, corruption of additional data through the normal operations of the other users of the shared data, or even cause a crash or compromise of the sharing applications.

+ Attack Prerequisites
  • The target applications (or target application threads) must share data between themselves.

  • The attacker must be able to manipulate some piece of the shared data either directly or indirectly and the other users of the data must accept the changed data as valid.

+ Typical Severity

Medium

+ Resources Required

The attacker must be able to change the shared data. Usually this requires that the attacker be able to compromise one of the sharing applications or threads in order to manipulated the shared data.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Audit Log Manipulation
Definition in a New Window Definition in a New Window
Attack Pattern ID: 268
Abstraction: Meta
Status: Draft
Completeness: Hook
+ Description

Summary

The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack. Due to either insufficient access controls of the log files or the logging mechanism, the attacker is able to perform such actions.

+ Attack Prerequisites
  • The target host is logging the action and data of the user.

  • The target host insufficiently protects access to the logs or logging mechanisms.

+ Resources Required

The attacker must understand how the logging mechanism works.

Optionally, the attacker must know the location and the format of individual entries of the log files.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Authentication Abuse
Definition in a New Window Definition in a New Window
Attack Pattern ID: 114
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.

+ Attack Prerequisites
  • An authentication mechanism or subsystem implementing some form of authentication such as passwords, digest authentication, security certificates, etc. which is flawed in some way.

+ Typical Severity

Medium

+ Resources Required

A client application, command-line access to a binary, or scripting language capable of interacting with the authentication mechanism.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Authentication Bypass
Definition in a New Window Definition in a New Window
Attack Pattern ID: 115
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place. This refers to an attacker gaining access equivalent to an authenticated user without ever going through an authentication procedure. This is usually the result of the attacker using an unexpected access procedure that does not go through the proper checkpoints where authentication should occur. For example, a web site might assume that all users will click through a given link in order to get to secure material and simply authenticate everyone that clicks the link. However, an attacker might be able to reach secured web content by explicitly entering the path to the content rather than clicking through the authentication link, thereby avoiding the check entirely. This attack pattern differs from other authentication attacks in that attacks of this pattern avoid authentication entirely, rather than faking authentication by exploiting flaws or by stealing credentials from legitimate users.

+ Attack Prerequisites
  • An authentication mechanism or subsystem implementing some form of authentication such as passwords, digest authentication, security certificates, etc.

+ Typical Severity

Medium

+ Resources Required

A client application, such as a web browser, or a scripting language capable of interacting with the target.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Blind SQL Injection
Definition in a New Window Definition in a New Window
Attack Pattern ID: 7
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Description

Summary

Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the attacker constructs input strings that probe the target through simple Boolean SQL expressions. The attacker can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the attacker determines how and where the target is vulnerable to SQL Injection.

For example, an attacker may try entering something like "username' AND 1=1; --" in an input field. If the result is the same as when the attacker entered "username" in the field, then the attacker knows that the application is vulnerable to SQL Injection. The attacker can then ask yes/no questions from the database server to extract information from it. For example, the attacker can extract table names from a database using the following types of queries:

"username' AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 108".

If the above query executes properly, then the attacker knows that the first character in a table name in the database is a letter between m and z. If it doesn't, then the attacker knows that the character must be between a and l (assuming of course that table names only contain alphabetic characters). By performing a binary search on all character positions, the attacker can determine all table names in the database. Subsequently, the attacker may execute an actual attack and send something like:

"username'; DROP TABLE trades; --

Attack Execution Flow

Explore
  1. Hypothesize SQL queries in application:

    Generated hypotheses regarding the SQL queries in an application. For example, the attacker may hypothesize that his input is passed directly into a query that looks like:

    "SELECT * FROM orders WHERE ordernum = _____"
    or
    "SELECT * FROM orders WHERE ordernum IN (_____)"
    or
    "SELECT * FROM orders WHERE ordernum in (_____) ORDER BY _____"

    Of course, there are many other possibilities.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Research types of SQL queries and determine which ones could be used at various places in an application.

    env-All
  2. Determine how to inject information into the queries:

    Determine how to inject information into the queries from the previous step such that the injection does not impact their logic. For example, the following are possible injections for those queries:

    "5' OR 1=1; --"
    and
    "5) OR 1=1; --"
    and
    "ordernum DESC; --"

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Add clauses to the SQL queries such that the query logic does not change.

    env-All
    2

    Add delays to the SQL queries in case server does not provide clear error messages (e.g. WAITFOR DELAY '0:0:10' in SQL Server or BENCHMARK(1000000000,MD5(1) in MySQL). If these can be injected into the queries, then the length of time that the server takes to respond reveals whether the query is injectable or not.

    env-All

    Outcomes

    IDTypeOutcome Description
    1Success
    At least one way to complete a hypothesized SQL query that would violate the application developer's assumptions.
Experiment
  1. Determine user-controllable input susceptible to injection:

    Determine the user-controllable input susceptible to injection. For each user-controllable input that the attacker suspects is vulnerable to SQL injection, attempt to inject the values determined in the previous step. If an error does not occur, then the attacker knows that the SQL injection was successful.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Use web browser to inject input through text fields or through HTTP GET parameters.

    env-Web
    2

    Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.

    env-Web
    3

    Use network-level packet injection tools such as netcat to inject input

    env-Web env-ClientServer env-Peer2Peer env-CommProtocol
    4

    Use modified client (modified by reverse engineering) to inject input.

    env-ClientServer env-Peer2Peer env-CommProtocol

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    Attacker receives normal response from server.

    env-Web env-ClientServer env-Peer2Peer env-CommProtocol
    2Positive

    Response takes expected amount of time after delay is injected.

    env-Web env-ClientServer env-Peer2Peer env-CommProtocol
    3Negative

    Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException)

    env-Web env-ClientServer env-Peer2Peer env-CommProtocol

    Outcomes

    IDTypeOutcome Description
    1Success
    At least one user-controllable input susceptible to injection found.
    2Failure
    No user-controllable input susceptible to injection found.

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Unusual queries such as the ones described in the previous step, in application logs. Log files may contain unusual messages such as "User bob' OR 1=1; -- logged in". Operators should be alerted when such SQL commands appear in the logs.
    2Preventative
    Input validation of user-controlled data before including it in a SQL query
    3Preventative
    Use APIs that help mitigate SQL injection (such as PreparedStatement in Java)
  2. Determine database type:

    Determines the type of the database, such as MS SQL Server or Oracle or MySQL, using logical conditions as part of the injected queries

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Try injecting a string containing char(0x31)=char(0x31) (this evaluates to 1=1 in SQL Server only)

    env-Web env-ClientServer env-Peer2Peer env-CommProtocol
    2

    Try injecting a string containing 0x313D31 (this evaluates to 1=1 in MySQL only)

    env-Web env-ClientServer env-Peer2Peer env-CommProtocol
    3

    Inject other database-specific commands into input fields susceptible to SQL Injection. The attacker can determine the type of database that is running by checking whether the query executed successfully or not (i.e. whether the attacker received a normal response from the server or not).

    env-Web env-ClientServer env-Peer2Peer env-CommProtocol

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    Success outcome in previous step

    env-Web env-ClientServer env-Peer2Peer env-CommProtocol
    2Negative

    Failure outcome in previous step

    env-Web env-ClientServer env-Peer2Peer env-CommProtocol

    Outcomes

    IDTypeOutcome Description
    1Success
    Database platform in use discovered.
    2Failure
    Database platform in use not discovered.
Exploit
  1. Extract information about database schema:

    Extract information about database schema by getting the database to answer yes/no questions about the schema.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Automatically extract database schema using a tool such as Absinthe.

    env-Web
    2

    Manually perform the blind SQL Injection to extract desired information about the database schema.

    env-Web env-ClientServer env-Peer2Peer env-CommProtocol

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    Success outcome in previous step.

    env-Web env-ClientServer env-Peer2Peer env-CommProtocol
    2Negative

    Failure outcome in previous step.

    env-Web env-ClientServer env-Peer2Peer env-CommProtocol

    Outcomes

    IDTypeOutcome Description
    1Success
    Desired information about database schema extracted.
    2Failure
    Desired information about database schema could not be extracted.

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Large number of unusual queries in database logs.
  2. Exploit SQL Injection vulnerability:

    Use the information obtained in the previous steps to successfully inject the database in order to bypass checks or modify, add, retrieve or delete data from the database

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Use information about how to inject commands into SQL queries as well as information about the database schema to execute attacks such as dropping tables, inserting records, etc.

    env-Web env-ClientServer env-Peer2Peer env-CommProtocol

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    Success outcome in previous step.

    env-Web env-ClientServer env-Peer2Peer env-CommProtocol
    2Negative

    Failure outcome in previous step.

    env-Web env-ClientServer env-Peer2Peer env-CommProtocol

    Outcomes

    IDTypeOutcome Description
    1Success
    Attacker achieves goal of unauthorized system access, denial of service, etc.
    2Failure
    Attacker cannot exploit the information gathered by blind SQL Injection
+ Attack Prerequisites
  • SQL queries used by the application to store, retrieve or modify data.

  • User-controllable input that is not properly validated by the application as part of SQL queries.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
  • Analysis
+ Examples-Instances

Description

In the PHP application TimeSheet 1.1, an attacker can successfully retrieve username and password hashes from the database using Blind SQL Injection. If the attacker is aware of the local path structure, the attacker can also remotely execute arbitrary code and write the output of the injected queries to the local path. Blind SQL Injection is possible since the application does not properly sanitize the $_POST['username'] variable in the login.php file.

Related Vulnerabilities

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

Determining the database type and version, as well as the right number and type of parameters to the query being injected in the absence of error messages requires greater skill than reverse-engineering database error messages.

+ Resources Required

None

+ Probing Techniques

Description

In order to determine the right syntax for the query to inject, the attacker tries to determine the right number of parameters to the query and their types. This is achieved by formulating conditions that result in a true/false answer from the database. If the logical condition is true, the database will execute the rest of the query. If not, a custom error page or a default page is returned. Another approach is to ask such true/false questions of the database and note the response times to a query with a logically true condition and one with a false condition.

+ Indicators-Warnings of Attack

Description

The only indicators of successful Blind SQL Injection are the application or database logs that show similar queries with slightly differing logical conditions that increase in complexity over time. However, this requires extensive logging as well as knowledge of the queries that can be used to perform such injection and return meaningful information from the database.

+ Solutions and Mitigations

Security by Obscurity is not a solution to preventing SQL Injection. Rather than suppress error messages and exceptions, the application must handle them gracefully, returning either a custom error page or redirecting the user to a default page, without revealing any information about the database or the application internals.

Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as SQL content. Keywords such as UNION, SELECT or INSERT must be filtered in addition to characters such as a single-quote(') or SQL-comments (--) based on the context in which they appear.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Integrity
Modify application data
Confidentiality
Read application data
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
+ Injection Vector

User-controllable input to the application

+ Payload

SQL statements intended to bypass checks or retrieve information about the database

+ Activation Zone

Back-end database

+ Payload Activation Impact

Description

The injected SQL statements are such that they result in a true/false query to the database. If the database evaluates a statement to be logically true, it responds with the requested data. If the condition is evaluated to be logically false, an error is returned. The attacker modifies the Boolean condition each time to gain information from the database.

+ Relevant Security Requirements

Custom error pages must be used to handle exceptions such that they do not reveal any information about the architecture of the application or the database.

Special characters in user-controllable input must be escaped before use by the application.

Employ application-level safeguards to filter data and handle exceptions gracefully.

+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ References
[R.7.1] [REF-3] "Common Weakness Enumeration (CWE)". CWE-20 - Input Validation. Draft. The MITRE Corporation. 2007. <http://cwe.mitre.org/data/definitions/20.html>.
[R.7.2] [REF-3] "Common Weakness Enumeration (CWE)". CWE-390 - Improper Error Handling. Draft. The MITRE Corporation. 2007. <http://cwe.mitre.org/data/definitions/390.html>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Block Access to Libraries
Definition in a New Window Definition in a New Window
Attack Pattern ID: 96
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Description

Summary

An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. It is possible that the application does not handle situations properly where access to these libraries has been blocked. Depending on the error handling within the application, blocked access to libraries may leave the system in an insecure state that could be leveraged by an attacker.

Attack Execution Flow

Explore
  1. Determine what external libraries the application accesses.

Experiment
  1. Block access to the external libraries accessed by the application.

  2. Monitor the behavior of the system to see if it goes into an insecure/inconsistent state.

  3. If the system does go into an insecure/inconsistent state, leverage that to obtain information about the system functionality or data, elevate access control, etc. The rest of this attack will depend on the context and the desired goal.

+ Attack Prerequisites
  • An application requires access to external libraries.

  • An attacker has the privileges to block application access to external libraries.

+ Typical Severity

Medium

+ Typical Likelihood of Exploit

Likelihood: Medium

+ Methods of Attack
  • API Abuse
  • Modification of Resources
+ Examples-Instances

Description

A web-based system uses a third party cryptographic random number generation library that derives entropy from machine's hardware. This library is used in generation of user session ids used by the application. If the library is inaccessible, the application instead uses a software based weak pseudo random number generation library. An attacker of the system blocks access of the application to the third party cryptographic random number generation library (by renaming it). The application in turn uses the weak pseudo random number generation library to generate session ids that are predictable. An attacker then leverages this weakness to guess a session id of another user to perform a horizontal elevation of privilege escalation and gain access to another user's account.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

+ Solutions and Mitigations

Ensure that application handles situations where access to APIs in external libraries is not available securely. If the application cannot continue its execution safely it should fail in a consistent and secure fashion.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Availability
Alter execution logic
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: LowIntegrity Impact: LowAvailability Impact: High
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Blue Boxing
Definition in a New Window Definition in a New Window
Attack Pattern ID: 5
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Description

Summary

This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.

+ Attack Prerequisites
  • System must use weak authentication mechanisms for administrative functions.

+ Typical Severity

Very High

+ Typical Likelihood of Exploit

Likelihood: Medium

+ Methods of Attack
  • Injection
  • Protocol Manipulation
+ Examples-Instances

Description

An adversary identifies a vulnerable CCITT-5 phone line, and sends a combination tone to the switch in order to request administrative access. Based on tone and timing parameters the request is verified for access to the switch. Once the adversary has gained control of the switch launching calls, routing calls, and a whole host of opportunities are available.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

Given a vulnerable phone system, the attackers' technical vector relies on attacks that are well documented in cracker 'zines and have been around for decades.

+ Resources Required

CCITT-5 or other vulnerable lines, with the ability to send tones such as combined 2,400 Hz and 2,600 Hz tones to the switch

+ Solutions and Mitigations

Implementation: Upgrade phone lines. Note this may be prohibitively expensive

Use strong access control such as two factor access control for administrative access to the switch

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Availability
DoS: resource consumption (other)
Denial of Service
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
+ Injection Vector

Payload delivered through standard communication protocols.

+ Payload

Command(s) executed directly on host

+ Activation Zone

Client machine and client network

+ Payload Activation Impact

Description

Enables calls to be rerouted.

+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: LowIntegrity Impact: MediumAvailability Impact: Medium
+ Technical Context
Architectural Paradigms
Other
Frameworks
Other
Platforms
Other
Languages
All
+ References
[R.5.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Browser Fingerprinting
Definition in a New Window Definition in a New Window
Attack Pattern ID: 472
Abstraction: Detailed
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.

+ Attack Prerequisites
  • Victim's browser visits a website that contains attacker's Java Script

    Java Script is not disabled in the victim's browser

+ Typical Severity

Low

+ Examples-Instances

Description

The following code snippets can be used to detect various browsers:

Example Language: Javascript 

Firefox 2/3

FF=/a/[-1]=='a'

Firefox 3

FF3=(function x(){})[-5]=='x'

Firefox 2

FF2=(function x(){})[-6]=='x'

IE

IE='\v'=='v'

Safari

Saf=/a/.__proto__=='//'

Chrome

Chr=/source/.test((/a/.toString+''))

Opera

Op=/^function \(/.test([].sort)
+ Solutions and Mitigations

Configuration: Disable Java Script in the browser

+ References
[R.472.1] Gareth Heyes. "Detecting browsers javascript hacks". The Spanner. January 29, 2009. <http://www.thespanner.co.uk/2009/01/29/detecting-browsers-javascript-hacks/>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Brute Force
Definition in a New Window Definition in a New Window
Attack Pattern ID: 112
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Description

Summary

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset. Examples of secrets can include, but are not limited to, passwords, encryption keys, database lookup keys, and initial values to one-way functions.

The key factor in this attack is the attackers' ability to explore the possible secret space rapidly. This, in turn, is a function of the size of the secret space and the computational power the attacker is able to bring to bear on the problem. If the attacker has modest resources and the secret space is large, the challenge facing the attacker is intractable. While the defender cannot control the resources available to an attacker, they can control the size of the secret space. Creating a large secret space involves selecting one's secret from as large a field of equally likely alternative secrets as possible and ensuring that an attacker is unable to reduce the size of this field using available clues or cryptanalysis. Doing this is more difficult than it sounds since elimination of patterns (which, in turn, would provide an attacker clues that would help them reduce the space of potential secrets) is difficult to do using deterministic machines, such as computers. Assuming a finite secret space, a brute force attack will eventually succeed. The defender must rely on making sure that the time and resources necessary to do so will exceed the value of the information. For example, a secret space that will likely take hundreds of years to explore is likely safe from raw-brute force attacks.

Attack Execution Flow

Explore
  1. Determine secret testing procedure:

    Determine how a potential guess of the secret may be tested. This may be accomplished by comparing some manipulation of the secret to a known value, use of the secret to manipulate some known set of data and determining if the result displays specific characteristics (for example, turning cryptotext into plaintext), or by submitting the secret to some external authority and having the external authority respond as to whether the value was the correct secret. Ideally, the attacker will want to determine the correctness of their guess independently since involvement of an external authority is usually slower and can provide an indication to the defender that a brute-force attack is being attempted.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Determine if there is a way to parallelize the attack. Most brute force attacks can take advantage of parallel techniques by dividing the search space among available resources, thus dividing the average time to success by the number of resources available. If there is a single choke point, such as a need to check answers with an external authority, the attackers' position is significantly degraded.

    env-All
  2. Reduce search space:

    Find ways to reduce the secret space. The smaller the attacker can make the space they need to search for the secret value, the greater their chances for success. There are a great many ways in which the search space may be reduced.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    If possible, determine how the secret was selected. If the secret was determined algorithmically (such as by a random number generator) the algorithm may have patterns or dependencies that reduce the size of the secret space. If the secret was created by a human, behavioral factors may, if not completely reduce the space, make some types of secrets more likely than others. (For example, humans may use the same secrets in multiple places or use secrets that look or sound familiar for ease of recall.)

    env-All
    2

    If the secret was chosen algorithmically, cryptanalysis can be applied to the algorithm to discover patterns in this algorithm. (This is true even if the secret is not used in cryptography.) Periodicity, the need for seed values, or weaknesses in the generator all can result in a significantly smaller secret space.

    env-All
    3

    If the secret was chosen by a person, social engineering and simple espionage can indicate patterns in their secret selection. If old secrets can be learned (and a target may feel they have little need to protect a secret that has been replaced) hints as to their selection preferences can be gleaned. These can include character substitutions a target employs, patterns in sources (dates, famous phrases, music lyrics, family members, etc.). Once these patterns have been determined, the initial efforts of a brute-force attack can focus on these areas.

    env-All
    4

    Some algorithmic techniques for secret selection may leave indicators that can be tested for relatively easily and which could then be used to eliminate large areas of the search space for consideration. For example, it may be possible to determine that a secret does or does not start with a given character after a relatively small number of tests. Alternatively, it might be possible to discover the length of the secret relatively easily. These discoveries would significantly reduce the search space, thus increasing speed with which the attacker discovers the secret.

    env-All
  3. Expand victory conditions:

    It is sometimes possible to expand victory conditions. For example, the attacker might not need to know the exact secret but simply needs a value that produces the same result using a one-way function. While doing this does not reduce the size of the search space, the presence of multiple victory conditions does reduce the likely amount of time that the attacker will need to explore the space before finding a workable value.

Exploit
  1. Gather information so attack can be performed independently.:

    If possible, gather the necessary information so a successful search can be determined without consultation of an external authority. This can be accomplished by capturing cryptotext (if the goal is decoding the text) or the encrypted password dictionary (if the goal is learning passwords).

+ Attack Prerequisites
  • The attacker must be able to determine when they have successfully guessed the secret. As such, one-time pads are immune to this type of attack since there is no way to determine when a guess is correct.

+ Typical Severity

High

+ Methods of Attack
  • Brute Force
+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

The attack simply requires basic scripting ability to automate the exploration of the search space. More sophisticated attackers may be able to use more advanced methods to reduce the search space and increase the speed with which the secret is located.

+ Resources Required

Ultimately, the speed with which an attacker discovers a secret is directly proportional to the computational resources the attacker has at their disposal. This attack method is resource expensive: having large amounts of computational power do not guarantee timely success, but having only minimal resources makes the problem intractable against all but the weakest secret selection procedures.

+ Indicators-Warnings of Attack

Description

Repeated submissions of incorrect secret values may indicate a brute force attack. For example, repeated bad passwords when accessing user accounts or repeated queries to databases using non-existent keys.

Description

Attempts to download files protected by secrets (usually using encryption) may be a precursor to an offline attack to break the file's encryption and read its contents. This is especially significant if the file itself contains other secret values, such as password files.

Description

If the attacker is able to perform the checking offline then there will likely be no indication that an attack is ongoing.

+ Obfuscation Techniques

Description

The attack is impossible to detect if the attacker can test for successful discovery of the secret value independently, without needing to consult an external authority.

Description

If an external authority must be consulted, the attacker can attempt to space out their guesses to avoid a large number of failed guesses in a short period of time, but doing so slows the attack to the point of making it unworkable against all but the most trivial secret spaces. As such, if an external authority must be consulted the attacked is unlikely to be able to keep the attack secret.

+ Solutions and Mitigations

Select a provably large secret space for selection of the secret. Provably large means that the procedure by which the secret is selected does not have artifacts that significantly reduce the size of the total secret space.

Do not provide the means for an attacker to determine success independently. This forces the attacker to check their guesses against an external authority, which can slow the attack and warn the defender. This mitigation may not be possible if testing material must appear externally, such as with a transmitted cryptotext.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Read application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
+ Relevant Security Requirements

Protect sensitive data, even when the data is encrypted. If an attacker can gain access to encrypted data, they can mount a brute-force attack independently. The defender will not be aware of this attack or be able to do anything about it and at that point it is purely a function of the attackers' available resources as to how long it takes them to learn the secret.

Monitor activity logs for suspicious activity. An attacker that must use an external authority to check their brute-force guesses is easy to detect, but only if that external authority is monitoring activity and detects the abnormally large number of failed guesses.

+ Purposes
  • Penetration
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Buffer Manipulation
Definition in a New Window Definition in a New Window
Attack Pattern ID: 123
Abstraction: Meta
Status: Draft
Completeness: Stub
+ Description

Summary

An adversary manipulates an application's interaction with a buffer in an attempt to read or modify data they shouldn't have access to. Buffer attacks are distinguished in that it is the buffer space itself that is the target of the attack rather than any code responsible for interpreting the content of the buffer. In virtually all buffer attacks the content that is placed in the buffer is immaterial. Instead, most buffer attacks involve retrieving or providing more input than can be stored in the allocated buffer, resulting in the reading or overwriting of other unintended program memory.

+ Attack Prerequisites
  • The adversary must identify a programmatic means for interacting with a buffer, such as vulnerable C code, and be able to provide input to this interaction.

+ Typical Severity

Very High

+ Typical Likelihood of Exploit

Likelihood: High

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Buffer Overflow in an API Call
Definition in a New Window Definition in a New Window
Attack Pattern ID: 8
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Description

Summary

This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.

Attack Execution Flow

Experiment
  1. An attacker can call an API exposed by the target host.

  2. On the probing stage, the attacker injects malicious code using the API call and observes the results. The attacker's goal is to uncover a buffer overflow vulnerability.

Exploit
  1. The attacker finds a buffer overflow vulnerability, crafts malicious code and injects it through an API call. The attacker can at worst execute remote code on the target host.

+ Attack Prerequisites
  • The target host exposes an API to the user.

  • One or more API functions exposed by the target host has a buffer overflow vulnerability.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • API Abuse
  • Injection
+ Examples-Instances

Description

A buffer overflow in the FreeBSD utility setlocale (found in the libc module) puts many programs at risk all at once.

Description

A buffer overflow in the Xt library of the X windowing system allows local users to execute commands with root privileges.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.

Skill or Knowledge Level: High

Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.

+ Solutions and Mitigations

Use a language or compiler that performs automatic bounds checking.

Use secure functions not vulnerable to buffer overflow.

If you have to use dangerous functions, make sure that you do boundary checking.

Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.

Use OS-level preventative functionality. Not a complete solution.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Availability
DoS: crash / exit / restart
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read memory
Integrity
Modify memory
+ Injection Vector

The user supplied data.

+ Payload

The buffer overrun by the attacker.

+ Activation Zone

When the function returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to a malicious code.

+ Payload Activation Impact

Description

The most common is remote code execution.

+ Relevant Security Requirements

Bound checking should be performed when copying data to a buffer.

+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ References
[R.8.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
[R.8.2] [REF-3] "Common Weakness Enumeration (CWE)". CWE-119: Buffer Errors. Draft. The MITRE Corporation. 2007. <http://cwe.mitre.org/data/definitions/119.html>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Buffer Overflow in Local Command-Line Utilities
Definition in a New Window Definition in a New Window
Attack Pattern ID: 9
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Description

Summary

This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.

Attack Execution Flow

Explore
  1. Attacker identifies command utilities exposed by the target host.

Experiment
  1. On the probing stage, the attacker interacts with the command utility and observes the results of its input. The attacker's goal is to uncover a buffer overflow in the command utility. For instance the attacker may find that input data are not properly validated.

Exploit
  1. The attacker finds a buffer overflow vulnerability in the command utility and tries to exploit it. He crafts malicious code and injects it using the command utility. The attacker can at worst execute remote code on the target host.

+ Attack Prerequisites
  • The target host exposes a command-line utility to the user.

  • The command-line utility exposed by the target host has a buffer overflow vulnerability that can be exploited.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
  • API Abuse
+ Examples-Instances

Description

Attack Example: HPUX passwd

A buffer overflow in the HPUX passwd command allows local users to gain root privileges via a command-line option.

Attack Example: Solaris getopt

A buffer overflow in Solaris's getopt command (found in libc) allows local users to gain root privileges via a long argv[0].

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.

Skill or Knowledge Level: High

Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.

+ Probing Techniques

Description

The attacker can probe for services available on the target host. Many services may expose a command utility. For instance Telnet is a service which can be invoked through a command shell.

+ Solutions and Mitigations

Carefully review the service's implementation before making it available to user. For instance you can use manual or automated code review to uncover vulnerabilities such as buffer overflow.

Use a language or compiler that performs automatic bounds checking.

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.

Operational: Use OS-level preventative functionality. Not a complete solution.

Apply the latest patches to your user exposed services. This may not be a complete solution, especially against a zero day attack.

Do not unnecessarily expose services.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Integrity
Modify memory
Availability
DoS: crash / exit / restart
Confidentiality
Read memory
+ Injection Vector

The user supplied data.

+ Payload

The buffer overrun by the attacker.

+ Activation Zone

When the function returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to a malicious code.

+ Payload Activation Impact

Description

The most common is remote code execution.

+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ References
[R.9.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
[R.9.2] [REF-3] "Common Weakness Enumeration (CWE)". CWE-119: Buffer Errors. Draft. The MITRE Corporation. 2007. <http://cwe.mitre.org/data/definitions/119.html>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Buffer Overflow via Environment Variables
Definition in a New Window Definition in a New Window
Attack Pattern ID: 10
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Description

Summary

This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.

Attack Execution Flow

Explore
  1. The attacker tries to find an environment variable which can be overwritten for instance by gathering information about the target host (error pages, software's version number, etc.).

Experiment
  1. The attacker manipulates the environment variable to contain excessive-length content to cause a buffer overflow.

Exploit
  1. The attacker potentially leverages the buffer overflow to inject maliciously crafted code in an attempt to execute privileged command on the target environment.

+ Attack Prerequisites
  • The application uses environment variables.

  • An environment variable exposed to the user is vulnerable to a buffer overflow.

  • The vulnerable environment variable uses untrusted data.

  • Tainted data used in the environment variables is not properly validated. For instance boundary checking is not done before copying the input data to a buffer.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
+ Examples-Instances

Description

A buffer overflow in sccw allows local users to gain root access via the $HOME environmental variable.

Related Vulnerabilities

Description

A buffer overflow in the rlogin program involves its consumption of the TERM environmental variable.

Related Vulnerabilities

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.

Skill or Knowledge Level: High

Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.

+ Probing Techniques

Description

While interacting with a system an attacker would typically investigate for environment variables that can be overwritten. The more a user knows about a system the more likely she will find a vulnerable environment variable.

Description

On a web environment, the attacker can read the client side code and search for environment variables that can be overwritten.

Description

There are tools such as Sharefuzz [R.10.3] which is an environment variable fuzzer for Unix that supports loading a shared library. Attackers can use such tools to uncover a buffer overflow in an environment variable.

+ Indicators-Warnings of Attack

Description

If the application does bound checking, it should fail when the data source is larger than the size of the destination buffer. If the application's code is well written, that failure should trigger an alert.

+ Solutions and Mitigations

Do not expose environment variable to the user.

Do not use untrusted data in your environment variables.

Use a language or compiler that performs automatic bounds checking

There are tools such as Sharefuzz [R.10.3] which is an environment variable fuzzer for Unix that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Availability
DoS: crash / exit / restart
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read memory
Integrity
Modify memory
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
+ Injection Vector

The user modifiable environment variable.

+ Payload

User supplied data potentially containing malicious code.

+ Activation Zone

When the subroutine which uses the environment variable returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to a malicious code.

+ Payload Activation Impact

Description

The most common is remote code execution.

+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ References
[R.10.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
[R.10.2] [REF-3] "Common Weakness Enumeration (CWE)". CWE-119: Buffer Errors. Draft. The MITRE Corporation. 2007. <http://cwe.mitre.org/data/definitions/119.html>.
[R.10.3] "Sharefuzz". <http://sharefuzz.sourceforge.net>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Buffer Overflow via Parameter Expansion
Definition in a New Window Definition in a New Window
Attack Pattern ID: 47
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Description

Summary

In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.

Attack Execution Flow

Explore
  1. Consider parts of the program where user supplied data may be expanded by the program. Use a disassembler and other reverse engineering tools to guide the search.

Experiment
  1. Find a place where a buffer overflow occurs due to the fact that the new expanded size of the string is not correctly accounted for by the program. This may happen perhaps when the string is copied to another buffer that is big enough to hold the original, but not the expanded string. This may create an opportunity for planting the payload and redirecting program execution to the shell code.

Exploit
  1. Write the buffer overflow exploit. To be exploitable, the "spill over" amount (e.g. the difference between the expanded string length and the original string length before it was expanded) needs to be sufficient to allow the overflow of the stack return pointer (in the case of a stack overflow), without causing a stack corruption that would crash the program before it gets to execute the shell code. Heap overflow will be more difficult and will require the attacker to get more lucky, by perhaps getting a chance to overwrite some of the accounting information stored as part of using malloc().

+ Attack Prerequisites
  • The program expands one of the parameters passed to a function with input controlled by the user, but a later function making use of the expanded parameter erroneously considers the original, not the expanded size of the parameter.

  • The expanded parameter is used in the context where buffer overflow may become possible due to the incorrect understanding of the parameter size (i.e. thinking that it is smaller than it really is).

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: Medium

+ Methods of Attack
  • Injection
+ Examples-Instances

Description

Attack Example: FTP glob()

The glob() function in FTP servers has been susceptible to attack as a result of incorrect resizing. This is an ftpd glob() Expansion LIST Heap Overflow Vulnerability. ftp daemon contains a heap-based buffer overflow condition. The overflow occurs when the LIST command is issued with an argument that expands into an oversized string after being processed by glob().

This buffer overflow occurs in memory that is dynamically allocated. It may be possible for attackers to exploit this vulnerability and execute arbitrary code on the affected host.

To exploit this, the attacker must be able to create directories on the target host.

The glob() function is used to expand short-hand notation into complete file names. By sending to the FTP server a request containing a tilde (~) and other wildcard characters in the pathname string, a remote attacker can overflow a buffer and execute arbitrary code on the FTP server to gain root privileges. Once the request is processed, the glob() function expands the user input, which could exceed the expected length. In order to exploit this vulnerability, the attacker must be able to create directories on the FTP server.

[R.47.1][REF-2]

Related Vulnerabilities

Description

Buffer overflow in the glob implementation in libc in NetBSD-current before 20050914, and NetBSD 2.* and 3.* before 20061203, as used by the FTP daemon, allows remote authenticated users to execute arbitrary code via a long pathname that results from path expansion.

The limit computation of an internal buffer was done incorrectly. The size of the buffer in byte was used as element count, even though the elements of the buffer are 2 bytes long. Long expanded path names would therefore overflow the buffer.

Related Vulnerabilities

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: High

Finding this particular buffer overflow may not be trivial. Also, stack and especially heap based buffer overflows require a lot of knowledge if the intended goal is arbitrary code execution. Not only that the attacker needs to write the shell code to accomplish his or her goals, but the attacker also needs to find a way to get the program execution to jump to the planted shell code. There also needs to be sufficient room for the payload. So not every buffer overflow will be exploitable, even by a skilled attacker.

+ Resources Required

Access to the program source or binary. If the program is only available in binary then a disassembler and other reverse engineering tools will be helpful.

+ Solutions and Mitigations

Ensure that when parameter expansion happens in the code that the assumptions used to determine the resulting size of the parameter are accurate and that the new size of the parameter is visible to the whole system

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Availability
DoS: crash / exit / restart
Integrity
Modify memory
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read memory
+ Purposes
  • Penetration
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
C
C++
+ References
[R.47.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Buffer Overflow via Symbolic Links
Definition in a New Window Definition in a New Window
Attack Pattern ID: 45
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Description

Summary

This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.

Attack Execution Flow

Exploit
  1. The attacker creates or modifies a symbolic link pointing to a resources (e.g., file, directory). The content of the symbolic link file includes out-of-bounds (e.g. excessive length) data.

  2. The target host consumes the data pointed to by the symbolic link file. The target host may either intentionally expect to read a symbolic link or it may be fooled by the replacement of the original resource and read the attackers' symbolic link.

  3. While consuming the data, the target host does not check for buffer boundary which can lead to a buffer overflow. If the content of the data is controlled by the attacker, this is an avenue for remote code execution.

+ Attack Prerequisites
  • The attacker can create symbolic link on the target host.

  • The target host does not perform correct boundary checking while consuming data from a resources.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
  • Modification of Resources
+ Examples-Instances

Description

The EFTP server has a buffer overflow that can be exploited if an attacker uploads a .lnk (link) file that contains more than 1,744 bytes. This is a classic example of an indirect buffer overflow. First the attacker uploads some content (the link file) and then the attacker causes the client consuming the data to be exploited. In this example, the ls command is exploited to compromise the server software.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.

Skill or Knowledge Level: High

Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.

+ Probing Techniques

Description

The attacker will look for temporary files in the world readable directories. Those temporary files are often created and read by the system.

Description

The attacker will look for Symbolic link or link target file that she can override.

+ Indicators-Warnings of Attack

Description

An attacker creating or modifying Symbolic links is a potential signal of attack in progress.

Description

An attacker deleting temporary files can also be a sign that the attacker is trying to replace legitimate resources with malicious ones.

+ Solutions and Mitigations

Pay attention to the fact that the resource you read from can be a replaced by a Symbolic link. You can do a Symlink check before reading the file and decide that this is not a legitimate way of accessing the resource.

Because Symlink can be modified by an attacker, make sure that the ones you read are located in protected directories.

Pay attention to the resource pointed to by your symlink links (See attack pattern named "Forced Symlink race"), they can be replaced by malicious resources.

Always check the size of the input data before copying to a buffer.

Use a language or compiler that performs automatic bounds checking.

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.

Use OS-level preventative functionality. Not a complete solution.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Availability
DoS: crash / exit / restart
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read memory
Integrity
Modify memory
+ Injection Vector

The resource pointed to by the Symbolic link (e.g., file, directory, etc.)

+ Payload

The buffer overrun by the attacker.

+ Activation Zone

When the function returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to a malicious code.

+ Payload Activation Impact

Description

The most common is remote code execution.

+ Purposes
  • Penetration
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
C
C++
+ References
[R.45.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
[R.45.2] [REF-3] "Common Weakness Enumeration (CWE)". CWE-119: Buffer Errors. Draft. The MITRE Corporation. 2007. <http://cwe.mitre.org/data/definitions/119.html>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Bypassing ATA Password Security
Definition in a New Window Definition in a New Window
Attack Pattern ID: 402
Abstraction: Detailed
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker exploits a weakness in ATA security on a drive to gain access to the information the drive contains without supplying the proper credentials. ATA Security is often employed to protect hard disk information from unauthorized access. The mechanism requires the user to type in a password before the BIOS is allowed access to drive contents. Some implementations of ATA security will accept the ATA command to update the password without the user having authenticated with the BIOS. This occurs because the security mechanism assumes the user has first authenticated via the BIOS prior to sending commands to the drive. Various methods exist for exploiting this flaw, the most common being installing the ATA protected drive into a system lacking ATA security features (a.k.a. hot swapping). Once the drive is installed into the new system the BIOS can be used to reset the drive password.

+ Attack Prerequisites
  • Access to the system containing the ATA Drive so that the drive can be physically removed from the system.

+ References
[R.402.1] [REF-20] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 9: Hacking Hardware. 6th Edition. McGraw Hill. 2009.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Bypassing Card or Badge-Based Systems
Definition in a New Window Definition in a New Window
Attack Pattern ID: 396
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker bypasses the security of a card-based system by using techniques such as cloning access cards or using brute-force techniques. Card-based systems are widespread throughout business, government, and supply-chain management. Attacks against card-based systems vary widely based on the attackers' goals, but commonly include unauthorized reproduction of cards, brute-force creation of valid card-values, and attacks against systems which read or process card data. Due to the inherent weaknesses of card and badge security, high security environments will rarely rely upon the card or badge alone as a security mechanism. Common card based systems are used for financial transactions, user identification, and access control. Cloning attacks involve making an unauthorized copy of a user's card while brute-force attacks involve creating new cards with valid values. Denial of service attacks against card-based systems involve rendering the reader, or the card itself, to become disabled. Such attacks may be useful in a fail-closed system for keeping authorized users out of a location while a crime is in progress, whereas fail-open systems may grant access, or an alarm my fail to trigger, if an attacker disables or damages the card authentication device.

+ References
[R.396.1] [REF-20] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 9: Hacking Hardware. 6th Edition. McGraw Hill. 2009.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Bypassing Electronic Locks and Access Controls
Definition in a New Window Definition in a New Window
Attack Pattern ID: 395
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker exploits security assumptions to bypass electronic locks or other forms of access controls. Most attacks against electronic access controls follow similar methods but utilize different tools. Some electronic locks utilize magnetic strip cards, others employ RFID tags embedded within a card or badge, or may involve more sophisticated protections such as voice-print, thumb-print, or retinal biometrics. Magnetic Strip and RFID technologies are the most widespread because they are cost effective to deploy and more easily integrated with other electronic security measures. These technologies share common weaknesses that an attacker can exploit to gain access to a facility protected by the mechanisms via copying legitimate cards or badges, or generating new cards using reverse-engineered algorithms.

+ References
[R.395.1] [REF-20] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 9: Hacking Hardware. 6th Edition. McGraw Hill. 2009.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Bypassing of Intermediate Forms in Multiple-Form Sets
Definition in a New Window Definition in a New Window
Attack Pattern ID: 140
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Description

Summary

Some web applications require users to submit information through an ordered sequence of web forms. This is often done if there is a very large amount of information being collected or if information on earlier forms is used to pre-populate fields or determine which additional information the application needs to collect. An attacker who knows the names of the various forms in the sequence may be able to explicitly type in the name of a later form and navigate to it without first going through the previous forms. This can result in incomplete collection of information, incorrect assumptions about the information submitted by the attacker, or other problems that can impair the functioning of the application.

+ Attack Prerequisites
  • The target must collect information from the user in a series of forms where each form has its own URL that the attacker can anticipate and the application must fail to detect attempts to access intermediate forms without first filling out the previous forms.

+ Typical Severity

Medium

+ Resources Required

No special resources are required for this attack.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Bypassing Physical Locks
Definition in a New Window Definition in a New Window
Attack Pattern ID: 391
Abstraction: Meta
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker uses techniques and methods to bypass physical security measures of a building or facility. Physical locks may range from traditional lock and key mechanisms, cable locks used to secure laptops or servers, locks on server cases, or other such devices. Techniques such as lock bumping, lock forcing via snap guns, or lock picking can be employed to bypass those locks and gain access to the facilities or devices they protect, although stealth, evidence of tampering, and the integrity of the lock following an attack, are considerations that may determine the method employed. Physical locks are limited by the complexity of the locking mechanism. While some locks may offer protections such as shock resistant foam to prevent bumping or lock forcing methods, many commonly employed locks offer no such countermeasures.

+ References
[R.391.1] [REF-20] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 9: Hacking Hardware. 6th Edition. McGraw Hill. 2009.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Bypassing Physical Security
Definition in a New Window Definition in a New Window
Attack Pattern ID: 390
Abstraction: Meta
Status: Draft
Completeness: Stub
+ Description

Summary

Facilities often used layered models for physical security such as traditional locks, Electronic-based card entry systems, coupled with physical alarms. Hardware security mechanisms range from the use of computer case and cable locks as well as RFID tags for tracking computer assets. This layered approach makes it difficult for random physical security breaches to go unnoticed, but is less effective at stopping deliberate and carefully planned break-ins. Avoiding detection begins with evading building security and surveillance and methods for bypassing the electronic or physical locks which secure entry points.

+ References
[R.390.1] [REF-20] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 9: Hacking Hardware. 6th Edition. McGraw Hill. 2009.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Cache Poisoning
Definition in a New Window Definition in a New Window
Attack Pattern ID: 141
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Description

Summary

An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.

Attack Execution Flow

Explore
  1. Identify and explore caches:

    Use tools to sniff traffic and scan a network in order to locate application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache) that may have vulnerabilities. Look for poisoning point in cache table entries.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Run tools that check available entries in the cache.

    env-All

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    Entries do not exist in the cache.

    env-All
    2Positive

    Applications or servers are not updated to new versions.

    env-All
    3Negative

    Entries exist in the cache.

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    A list of server's information. No target entry found in the cache.
    2Success
    A list of browser's information. No target entry found in the cache.
    3Failure
    The results show target entries in the cache.

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor network scans and examine system logs. The scans may be from unknown local IP or MAC address.
Experiment
  1. Cause specific data to be cached:

    An attacker sends bogus request to the target, and then floods responses that trick a cache to remember malicious responses, which are wrong answers of queries.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID).

    env-Web

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    Request that the attacker intercepts includes transaction ID.

    env-All
    2Positive

    The attacker successfully sends response before authorized server.

    env-All
    3Inconclusive

    Transaction ID has been randomized.

    env-Web env-CommProtocol env-ClientServer
    4Inconclusive

    The application or server cache has recorded correct table entry. In this case, the attacker needs to figure out a way to overwrite table entries to succeed

    env-All
    5Inconclusive

    The attacker fails to send responses before authorized responses. In this case, the attacker needs to figure out a way to overwrite table entries to succeed

    env-All

    Outcomes

    IDTypeOutcome Description
    1Success
    Any request of the targeted form results in the seeded response.
    2Failure
    Any request of the targeted form results in the correct response and not the seeded response.

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor log file and see a large number of responses sent from the same host. This host may be manipulated by attacker.
Exploit
  1. Redirect users to malicious website:

    As the attacker succeeds in exploiting the vulnerability, he is able to manipulate and interpose malicious response data to targeted victim queries.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID).

    env-Web
    2

    Man-in-the-Middle intercepts secure communication between two parties.

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    Any request of the targeted form results in the seeded response.
    2Failure
    Any request of the targeted form results in the correct response and not the seeded response.

    Security Controls

    IDTypeSecurity Control Description
    1Preventative
    Be less trusting of the information passed to them by other parties, and ignoring any records passed back which are not directly relevant to the query.
+ Attack Prerequisites
  • The attacker must be able to modify the value stored in a cache to match a desired value.

  • The targeted application must not be able to detect the illicit modification of the cache and must trust the cache value in its calculations.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
+ Examples-Instances

Description

In this example, an attacker sends request to a local DNS server to look up www.example .com. The associated IP address of www.example.com is 1.3.5.7.

Local DNS usually caches IP addresses and do not go to remote DNS every time. Since the local record is not found, DNS server tries to connect to remote DNS for queries. However, before the remote DNS returns the right IP address 1.3.5.7, the attacker floods local DNS with crafted responses with IP address 2.4.6.8. The result is that 2.4.6.8 is stored in DNS cache. Meanwhile, 2.4.6.8 is associated with a malicious website www.maliciousexampsle.com

When users connect to www.example.com, the local DNS will direct it to www.maliciousexample.com, this works as part of a Pharming attack.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

To overwrite/modify targeted cache

+ Solutions and Mitigations

Configuration: Disable client side caching.

Implementation: Listens for query replies on a network, and sends a notification via email when an entry changes.

+ Purposes
  • Penetration
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ References
[R.141.1] [REF-6] "Wikipedia". DNS Cache Poisoning. The Wikimedia Foundation, Inc. 2011-07-10. <http://en.wikipedia.org/wiki/DNS_cache_poisoning>.
[R.141.2] [REF-7] "DNS Threats and DNS Weaknesses". DNS Threats & Weaknesses of the Domain Name System. DNSSEC. <http://www.dnssec.net/dns-threats.php>.
[R.141.3] [REF-6] "Wikipedia". Arp Spoofing. The Wikimedia Foundation, Inc. 2011-07-17. <http://en.wikipedia.org/wiki/ARP_spoofing>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Calling Signed Code From Another Language Within A Sandbox Allow This
Definition in a New Window Definition in a New Window
Attack Pattern ID: 237
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Description

Summary

The attacker may submit a malicious signed code from another language to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox. For instance, Java code cannot perform unsafe operations, such as modifying arbitrary memory locations, due to restrictions placed on it by the Byte code Verifier and the JVM. If allowed, Java code can call directly into native C code, which may perform unsafe operations, such as call system calls and modify arbitrary memory locations on their behave. To provide isolation, Java does not grant untrusted code with unmediated access to native C code. Instead, the sandboxed code is typically allowed to call some subset of the pre-existing native code that is part of standard libraries.

Attack Execution Flow

Explore
  1. Probing:

    The attacker probes the target application to see whether calling signed code from another language is allowed within a sandbox.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    The attacker probes the target application to see whether calling signed code from another language is allowed within a sandbox.

    env-All

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    The target application allows calling signed code from another language within a sandbox.

    env-All

    Outcomes

    IDTypeOutcome Description
    1Success
    The attacker knows that the target application is calling signed code from another language within a sandbox.
  2. Analysis:

    The attacker analyzes the target application to get a list of cross code weaknesses in the standard libraries of the sandbox.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    The attacker analyzes the target application to get a list of cross code weaknesses in the standard libraries of the sandbox.

    env-All

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    The standard library of the sandbox has some cross code security weaknesses.

    env-All

    Outcomes

    IDTypeOutcome Description
    1Success
    The attacker gets a list of cross code security weaknesses in the standard libraries.

    Security Controls

    IDTypeSecurity Control Description
    1Preventative
    Sanitize the code of the standard libraries to make sure there is no security weaknesses in them.
    2Preventative
    If possible, use obfuscation and other techniques to prevent reverse engineering the libraries.
Experiment
  1. Verify the exploitable security weaknesses:

    The attacker tries to craft malicious signed code from another language allowed by the sandbox to verify the security weaknesses of the standard libraries found in the Explore phase.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    The attacker tries to explore the security weaknesses by calling malicious signed code from another language allowed by the sandbox.

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    The attacker identifies a list exploitable security weaknesses in the standard libraries.

    Security Controls

    IDTypeSecurity Control Description
    1Preventative
    Sanitize the code of the standard libraries to make sure there are no security weaknesses in them.
Exploit
  1. Exploit the security weaknesses in the standard libraries:

    The attacker calls signed malicious code from another language to exploit the security weaknesses in the standard libraries verified in the Experiment phase. The attacker will be able to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    The attacker calls signed malicious code from another language to exploit the security weaknesses in the standard libraries.

    env-All

    Outcomes

    IDTypeOutcome Description
    1Success
    The attacker escapes the sandbox to obtain access to privileges that were not intentionally exposed by the sandbox.

    Security Controls

    IDTypeSecurity Control Description
    1Preventative
    Sanitize the code of the standard libraries to make sure there is no security weaknesses in them.
+ Attack Prerequisites
  • A framework-based language that supports code signing and sandbox (such as Java, .Net, JavaScript, and Flash) Deployed code that has been signed by its authoring vendor, or a partner

+ Typical Severity

Very High

+ Typical Likelihood of Exploit

Likelihood: Low

+ Methods of Attack
  • Analysis
  • API Abuse
+ Examples-Instances

Description

Exploit: Java/ByteVerify.C is a detection of malicious code that attempts to exploit a vulnerability in the Microsoft Virtual Machine (VM). The VM enables Java programs to run on Windows platforms. The Microsoft Java VM is included in most versions of Windows and Internet Explorer. In some versions of the Microsoft VM, a vulnerability exists because of a flaw in the way the ByteCode Verifier checks code when it is initially being loaded by the Microsoft VM. The ByteCode Verifier is a low level process in the Microsoft VM that is responsible for checking the validity of code - or byte code - as it is initially being loaded into the Microsoft VM. Exploit:Java/ByteVerify.C attempts to download a file named "msits.exe", located in the same virtual directory as the Java applet, into the Windows system folder, and with a random file name. It then tries to execute this specific file. This flaw enables attackers to execute arbitrary code on a user's machine such as writing, downloading and executing additional malware. This vulnerability is addressed by update MS03-011, released in 2003.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: High

The attacker must have a good knowledge of the platform specific mechanisms of signing and verifying code. Most code signing and verification schemes are based on use of cryptography, the attacker needs to have an understand of these cryptographic operations in good detail.

+ Resources Required

No special resource is required.

+ Solutions and Mitigations

Assurance: Sanitize the code of the standard libraries to make sure there is no security weaknesses in them.

Design: Use obfuscation and other techniques to prevent reverse engineering the standard libraries.

Assurance: Use static analysis tool to do code review and dynamic tool to do penetration test on the standard library.

Configuration: Get latest updates for the computer.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Access_Control
Authorization
Bypass protection mechanism
Authorization
Execute unauthorized code or commands
Run Arbitrary Code
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
Java
ASP.NET
C#
JSP
Other
+ References
[R.237.1] J. Cappos, J. Rasley, J. Samuel, I. Beschastnikh, C. Barsan, A. Krishnamurthy and T. Anderson. "Retaining Sandbox Containment Despite Bugs in Privileged Memory-Safe Code". The 17th ACM Conference on Computer and Communications Security (CCS '10). 2010.
[R.237.2] "Malware Protection Center: Threat Research and Response". Exploit: Java/ByteVerify.C. Microsoft Corporation. 2007. <http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit%3AJava%2FByteVerify.C>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Catching exception throw/signal from privileged block
Definition in a New Window Definition in a New Window
Attack Pattern ID: 236
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Description

Summary

Attackers can sometimes hijack a privileged thread from the underlying system through synchronous (calling a privileged function that returns incorrectly) or asynchronous (callbacks, signal handlers, and similar) means.

Having done so, the Attacker may not only likely access functionality the system's designer didn't intend for them, but they may also go undetected or deny other users essential service in a catastrophic (or insidiously subtle) way.

Attack Execution Flow

Explore
  1. Attacker determines the underlying system thread that is subject to user-control

Experiment
  1. Attacker then provides input, perhaps by way of environment variables for the process in question, that affect the executing thread

Exploit
  1. Upon successful hijacking, the attacker enjoys elevated privileges, and can possibly have the hijacked thread do his bidding

+ Attack Prerequisites
  • The application in question employs a threaded model of execution with the threads operating at, or having the ability to switch to, a higher privilege level than normal users

  • In order to feasibly execute this class of attacks, the attacker must have the ability to hijack a privileged thread.

  • This ability includes, but is not limited to, modifying environment variables that affect the process the thread belongs to, or providing malformed user-controllable input that causes the executing thread to fault and return to a higher privilege level or such.

  • This does not preclude network-based attacks, but makes them conceptually more difficult to identify and execute.

+ Typical Severity

Very High

+ Typical Likelihood of Exploit

Likelihood: Low

+ Methods of Attack
  • Analysis
  • Modification of Resources
  • API Abuse
+ Examples-Instances

Description

Attacker targets an application written using Java's AWT, with the 1.2.2 era event model. In this circumstance, any AWTEvent originating in the underlying OS (such as a mouse click) would return a privileged thread. The Attacker could choose to not return the AWT-generated thread upon consuming the event, but instead leveraging its privilege to conduct privileged operations.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: High

Hijacking a thread involves knowledge of how processes and threads function on the target platform, the design of the target application as well as the ability to identify the primitives to be used or manipulated to hijack the thread.

+ Resources Required

The attacker needs to be able to latch onto a privileged thread. No special hardware or software tool-based resources are required.

The Attacker does, however, need to be able to program, compile, and link to the victim binaries being executed so that it will turn control of a privileged thread over to the Attacker's malicious code. This is the case even if the attacker conducts the attack remotely.

+ Probing Techniques

Description

The attacker may attach a debugger to the executing process and observe the spawning and cleanup of threads, as well as the switches in privilege levels.

Description

The attacker can also observe the environment variables, if any, that affect executing threads and modify them in order to observe their effect on the execution.

+ Solutions and Mitigations

Application Architects must be careful to design callback, signal, and similar asynchronous constructs such that they shed excess privilege prior to handing control to user-written (thus untrusted) code.

Application Architects must be careful to design privileged code blocks such that upon return (successful, failed, or unpredicted) that privilege is shed prior to leaving the block/scope.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
+ Relevant Security Requirements

Only those constructs within the application that cannot execute without elevated privileges must be granted additional privileges. Often times, the entire function or the entire process is granted privileges that are usually not necessary.

The callee must ensure that additional privileges are shed before returning to the caller. This avoids pinning the responsibility on an inadvertent caller who may not have a clue about the innards of the callee.

+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: Low
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Cause Web Server Misclassification
Definition in a New Window Definition in a New Window
Attack Pattern ID: 11
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Description

Summary

An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence. This may cause the server to exhaust resources, supply debug or system data to the attacker, or bind an attacker to a remote process.

This type of vulnerability has been found in many widely used servers including IIS, Lotus Domino, and Orion. The attacker's job in this case is straightforward, standard communication protocols and methods are used and are generally appended with malicious information at the tail end of an otherwise legitimate request. The attack payload varies, but it could be special characters like a period or simply appending a tag that has a special meaning for operations on the server side like .jsp for a java application server. The essence of this attack is that the attacker deceives the server into executing functionality based on the name of the request, i.e. login.jsp, not the contents.

Attack Execution Flow

Explore
  1. Footprint file input vectors:

    Manually or using an automated tool, an attacker searches for all input locations where a user has control over the filenames or MIME types of files submitted to the web server.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Attacker manually crawls application to identify file inputs

    env-Web
    2

    Attacker uses an automated tool to crawl application identify file inputs

    env-Web
    3

    Attacker manually assesses strength of access control protecting native application files from user control

    env-Web
    4

    Attacker explores potential for submitting files directly to the web server via independently constructed HTTP Requests

    env-Web

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    Application submits files under user control to the web server

    env-Web
    2Negative

    Application does not submit files under user control to the web server

    env-Web
    3Negative

    Application strictly protects all native application files from user control

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    User-controllable files are identified
Experiment
  1. File misclassification shotgunning:

    An attacker makes changes to file extensions and MIME types typically processed by web servers and looks for abnormal behavior.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Attacker submits files with switched extensions (e.g. .php on a .jsp file) to web server.

    env-Web
    2

    Attacker adds extra characters (e.g. adding an extra . after the file extension) to filenames of files submitted to web server.

    env-Web

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    The web server uses the wrong handler to execute the file, as expected by the attacker.

    env-Web
    2Inconclusive

    No result from the web server.

    env-Web
    3Negative

    The web server ignore the manipulation and process the request has it should have been.

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    Web server exhibits unexpected behavior.

    Security Controls

    IDTypeSecurity Control Description
    2Detective
    Monitor web server logs for excessive file processing errors
    3Preventative
    Always validate that file content structure matches implicitly or explicitly declared file type as first step of processing.
  2. File misclassification sniping:

    Understanding how certain file types are processed by web servers, an attacker crafts varying file payloads and modifies their file extension or MIME type to be that of the targeted type to see if the web server is vulnerable to misclassification of that type.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Craft a malicious file payload, modify file extension to the targeted file type and submit it to the web server.

    env-Web
    2

    Craft a malicious file payload, modify its associated MIME type to the targeted file type and submit it to the web server.

    env-Web

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    The web server uses the wrong handler to execute the file, as expected by the attacker.

    env-Web
    2Inconclusive

    No result from the web server.

    env-Web
    3Negative

    The web server ignore the manipulation and process the request has it should have been.

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    Attacker's payload is acted on by web server.
    2Failure
    The attacker cannot get the web server to misclassify a file.

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor web server logs for excessive file processing errors
    2Preventative
    Always validate that file content structure matches implicitly or explicitly declared file type as first step of processing.
Exploit
  1. Disclose information:

    The attacker, by manipulating a file extension or MIME type is able to make the web server return raw information (not executed).

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Manipulate the file names that are explicitly sent to the server.

    env-Web
    2

    Manipulate the MIME sent in order to confuse the web server.

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    The attacker gets the information from the server

    Security Controls

    IDTypeSecurity Control Description
    1Preventative
    Always validate that file content structure matches implicitly or explicitly declared file type as first step of processing.
+ Attack Prerequisites
  • Web server software must rely on file name or file extension for processing.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: Medium

+ Methods of Attack
  • Injection
  • Modification of Resources
+ Examples-Instances

Description

J2EE application servers are supposed to execute Java Server Pages (JSP). There have been disclosure issues relating to Orion Application Server, where an attacker that appends either a period (.) or space characters to the end of a legitimate Http request, then the server displays the full source code in the attackers' web browser.

(Attack)
 
http://victim.site/login.jsp.

Since remote data and directory access may be accessed directly from the JSP, this is a potentially very serious issue.

[R.11.2]

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

To modify file name or file extension

Skill or Knowledge Level: Medium

To use misclassification to force the Web server to disclose configuration information, source, or binary data

+ Resources Required

Ability to execute HTTP request to Web server

+ Solutions and Mitigations

Implementation: Server routines should be determined by content not determined by filename or file extension.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Read memory
Read application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
+ Injection Vector

Malicious input delivered through standard Web application calls, e.g. HTTP Request.

+ Payload

Varies with instantiation of attack pattern. Malicious payload may alter or append filename or extension to communicate with processes in unexpected order.

+ Activation Zone

Client machine and client network

+ Payload Activation Impact

Description

Enables attacker to force web server to disclose configuration, source, and data

+ Purposes
  • Reconnaissance
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: LowAvailability Impact: Low
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ References
[R.11.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
[R.11.2] "Orion Application Server JSP Source Disclosure Vulnerability (Bugtraq ID: 17204)". SecurityFocus. Mar 23 2006. <http://www.securityfocus.com/bid/17204/info>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Checksum Spoofing
Definition in a New Window Definition in a New Window
Attack Pattern ID: 145
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker spoofs a checksum message for the purpose of making a payload appear to have a valid corresponding checksum. Checksums are used to verify message integrity. They consist of some value based on the value of the message they are protecting. Hash codes are a common checksum mechanism. Both the sender and recipient are able to compute the checksum based on the contents of the message. If the message contents change between the sender and recipient, the sender and recipient will compute different checksum values. Since the sender's checksum value is transmitted with the message, the recipient would know that a modification occurred. In checksum spoofing an attacker modifies the message body and then modifies the corresponding checksum so that the recipient's checksum calculation will match the checksum (created by the attacker) in the message. This would prevent the recipient from realizing that a change occurred.

+ Attack Prerequisites
  • The attacker must be able to intercept a message from the sender (keeping the recipient from getting it), modify it, and send the modified message to the recipient.

  • The sender and recipient must use a checksum to protect the integrity of their message and transmit this checksum in a manner where the attacker can intercept and modify it.

  • The checksum value must be computable using information known to the attacker. A cryptographic checksum, which uses a key known only to the sender and recipient, would thwart this attack.

+ Typical Severity

Medium

+ Resources Required

The attacker must be able to intercept and modify messages between the sender and recipient.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Choosing a Message/Channel Identifier on a Public/Multicast Channel
Definition in a New Window Definition in a New Window
Attack Pattern ID: 12
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Description

Summary

Attackers aware that more data is being fed into a multicast or public information distribution means can 'select' information bound only for another client, even if the distribution means itself forces users to authenticate in order to connect initially.

Doing so allows the attacker to gain access to possibly privileged information, possibly perpetrate other attacks through the distribution means by impersonation.

If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could change its identifier from a less privileged to more so privileged channel or command.

Attack Execution Flow

Explore
  1. Determine the nature of messages being transported as well as the identifiers to be used as part of the attack

Experiment
  1. If required, authenticate to the distribution channel

  2. If any particular client's information is available through the transport means simply by selecting a particular identifier, an attacker can simply provide that particular identifier.

  3. Attackers with client access connecting to output channels could change their channel identifier and see someone else's (perhaps more privileged) data.

+ Attack Prerequisites
  • Information and client-sensitive (and client-specific) data must be present through a distribution channel available to all users.

  • Distribution means must code (through channel, message identifiers, or convention) message destination in a manner visible within the distribution means itself (such as a control channel) or in the messages themselves.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: Very High

+ Examples-Instances

Description

A certain B2B interface on a large application codes for messages passed over an MQSeries queue, on a single "Partners" channel. Messages on that channel code for their client destination based on a partner_ID field, held by each message. That field is a simple integer. Attackers having access to that channel, perhaps a particularly nosey partner, can simply choose to store messages of another partner's ID and read them as they desire. Note that authentication does not prevent a partner from leveraging this attack on other partners. It simply disallows Attackers without partner status from conducting this attack.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

All the attacker needs to discover is the format of the messages on the channel/distribution means and the particular identifier used within the messages.

+ Resources Required

The Attacker needs the ability to control source code or application configuration responsible for selecting which message/channel id is absorbed from the public distribution means.

+ Probing Techniques

Description

Assisted protocol analysis: because the protocol under attack is a public channel, or one in which the attacker likely has authorized access to, they need simply to decode the aspect of channel or message interpretation that codes for message identifiers.

Probing is as simple as changing this value and watching its effect.

+ Solutions and Mitigations

Associate some ACL (in the form of a token) with an authenticated user which they provide middleware. The middleware uses this token as part of its channel/message selection for that client, or part of a discerning authorization decision for privileged channels/messages.

The purpose is to architect the system in a way that associates proper authentication/authorization with each channel/message.

Re-architect system input/output channels as appropriate to distribute self-protecting data. That is, encrypt (or otherwise protect) channels/messages so that only authorized readers can see them.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Read application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: MediumIntegrity Impact: LowAvailability Impact: Low
+ Technical Context
Architectural Paradigms
Client-Server
n-Tier
SOA
Frameworks
All
Platforms
All
Languages
All
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Clickjacking
Definition in a New Window Definition in a New Window
Attack Pattern ID: 103
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Description

Summary

In a clickjacking attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system. While being logged in to some target system, the victim visits the attackers' malicious site which displays a UI that the victim wishes to interact with. In reality, the clickjacked page has a transparent layer above the visible UI with action controls that the attacker wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the attacker may have just tricked the victim into executing some potentially privileged (and most certainly undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks he's clicking on versus what he or she is actually clicking on.

Attack Execution Flow

Experiment
  1. Craft a clickjacking page:

    The attacker utilizes web page layering techniques to try to craft a malicious clickjacking page

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    The attacker leveraged iframe overlay capabilities to craft a malicious clickjacking page

    env-Web
    2

    The attacker leveraged Flash file overlay capabilities to craft a malicious clickjacking page

    env-Web
    3

    The attacker leveraged Silverlight overlay capabilities to craft a malicious clickjacking page

    env-Web
    4

    The attacker leveraged cross-frame scripting to craft a malicious clickjacking page

    env-Web

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    Overlay capabilities are enabled in the browser

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    A page is created that performs unseen actions when the user interacts with the visible UI

    Security Controls

    IDTypeSecurity Control Description
    1Preventative
    Disable overlay functionality in the browser. This can have obvious impact on the utility of the browser with some sites and web applications.
Exploit
  1. Attacker lures victim to clickjacking page:

    Attacker utilizes some form of temptation, misdirection or coercion to lure the victim to loading and interacting with the clickjacking page in a way that increases the chances that the victim will click in the right areas.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Lure the victim to the malicious site by sending the victim an e-mail with a URL to the site.

    env-Web
    2

    Lure the victim to the malicious site by manipulating URLs on a site trusted by the victim.

    env-Web
    3

    Lure the victim to the malicious site through a cross-site scripting attack.

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    The victim loads the clickjacking page.
  2. Trick victim into interacting with the clickjacking page in the desired manner:

    The attacker tricks the victim into clicking on the areas of the UI which contain the hidden action controls and thereby interacts with the target system maliciously with the victim's level of privilege.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Hide action controls over very commonly used functionality.

    env-Web
    2

    Hide action controls over very psychologically tempting content.

    env-Web
+ Attack Prerequisites
  • The victim is communicating with the target application via a web based UI and not a thick client

  • The victim's browser security policies allow at least one of the following JavaScript, Flash, iFrames, ActiveX, or CSS.

  • The victim uses a modern browser that supports UI elements like clickable buttons (i.e. not using an old text only browser)

  • The victim has an active session with the target system.

  • The target system's interaction window is open in the victim's browser and supports the ability for initiating sensitive actions on behalf of the user in the target system

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: Medium

+ Methods of Attack
  • Spoofing
  • Social Engineering
+ Examples-Instances

Description

A victim has an authenticated session with a site that provides an electronic payment service to transfer funds between subscribing members. At the same time, the victim receives an e-mail that appears to come from an online publication to which he or she subscribes with links to today's news articles. The victim clicks on one of these links and is taken to a page with the news story. There is a screen with an advertisement that appears on top of the news article with the 'skip this ad' button. Eager to read the news article, the user clicks on this button. Nothing happens. The user clicks on the button one more time and still nothing happens.

In reality, the victim activated a hidden action control located in a transparent layer above the 'skip this ad' button. The ad screen blocking the news article made it likely that the victim would click on the 'skip this ad' button. Clicking on the button, actually initiated the transfer of $1000 from the victim's account with an electronic payment service to an attacker's account. Clicking on the 'skip this ad' button the second time (after nothing seemingly happened the first time) confirmed the transfer of funds to the electronic payment service.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: High

Crafting the proper malicious site and luring the victim to this site are not trivial tasks.

+ Resources Required

Low: A computer connected to the internet.

+ Solutions and Mitigations

If using the Firefox browser, use the NoScript plug-in that will help forbid iFrames.

Turn off JavaScript, Flash and disable CSS.

When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. Finish working with the target system and logout first before proceeding to other tasks.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Integrity
Modify application data
Modify files or directories
Modify memory
Confidentiality
Read application data
Read memory
Read files or directories
Availability
DoS: crash / exit / restart
DoS: instability
+ Relevant Security Requirements

Enforce maximum security restrictions in the browser: JavaScript disabled, Flash disabled, CSS disabled, iFrames forbidden

+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: Low
+ Technical Context
Architectural Paradigms
Client-Server
Frameworks
All
Platforms
All
Languages
All
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Client-Server Protocol Manipulation
Definition in a New Window Definition in a New Window
Attack Pattern ID: 220
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Description

Summary

An adversary takes advantage of weaknesses in the protocol by which a client and server are communicating to perform unexpected actions. Communication protocols are necessary to transfer messages between client and server applications. Moreover, different protocols may be used for different types of interactions. For example, an authentication protocol might be used to establish the identities of the server and client while a separate messaging protocol might be used to exchange data. If there is a weakness in a protocol used by the client and server, an attacker might take advantage of this to perform various types of attacks. For example, if the attacker is able to manipulate an authentication protocol, the attacker may be able spoof other clients or servers. If the attacker is able to manipulate a messaging protocol, the may be able to read sensitive information or modify message contents. This attack is often made easier by the fact that many clients and servers support multiple protocols to perform similar roles. For example, a server might support several different authentication protocols in order to support a wide range of clients, including legacy clients. Some of the older protocols may have vulnerabilities that allow an attacker to manipulate client-server interactions.

+ Attack Prerequisites
  • The client and/or server must utilize a protocol that has a weakness allowing manipulation of the interaction.

+ Typical Severity

Medium

+ Resources Required

The adversary must be able to identify the weakness in the utilized protocol and exploit it. This may require a sniffing tool as well as packet creation abilities. The adversary will be aided if they can force the client and/or server to utilize a specific protocol known to contain exploitable weaknesses.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Client-side Injection-induced Buffer Overflow
Definition in a New Window Definition in a New Window
Attack Pattern ID: 14
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Description

Summary

This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.

Attack Execution Flow

Explore
  1. The attacker creates a custom hostile service

  2. The attacker acquires information about the kind of client attaching to her hostile service to determine if it contains an exploitable buffer overflow vulnerability.

Exploit
  1. The attacker intentionally feeds malicious data to the client to exploit the buffer overflow vulnerability that she has uncovered.

  2. The attacker leverages the exploit to execute arbitrary code or to cause a denial of service.

+ Attack Prerequisites
  • The targeted client software communicates with an external server.

  • The targeted client software has a buffer overflow vulnerability.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: Medium

+ Methods of Attack
  • API Abuse
  • Injection
+ Examples-Instances

Description

Authors often use <EMBED> tags in HTML documents. For example

<EMBED TYPE="audio/midi" SRC="/path/file.mid" AUTOSTART="true">

If an attacker supplies an overly long path in the SRC= directive, the mshtml.dll component will suffer a buffer overflow. This is a standard example of content in a Web page being directed to exploit a faulty module in the system. There are potentially thousands of different ways data can propagate into a given system, thus these kinds of attacks will continue to be found in the wild.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

To achieve a denial of service, an attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector.

Skill or Knowledge Level: High

Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap requires a more in-depth knowledge and higher skill level.

+ Probing Techniques

Description

The server may look like a valid server, but in reality it may be a hostile server aimed at fooling the client software. For instance the server can use honey pots and get the client to download malicious code.

Description

Once engaged with the client, the hostile server may attempt to scan the client's host for open ports and potential vulnerabilities in the client software.

Description

The hostile server may also attempt to install and run malicious code on the client software. That malicious code can be used to scan the client software for buffer overflow.

+ Indicators-Warnings of Attack

Description

An example of indicator is when the client software crashes after executing code downloaded from a hostile server.

+ Solutions and Mitigations

The client software should not install untrusted code from a non-authenticated server.

The client software should have the latest patches and should be audited for vulnerabilities before being used to communicate with potentially hostile servers.

Perform input validation for length of buffer inputs.

Use a language or compiler that performs automatic bounds checking.

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.

Ensure all buffer uses are consistently bounds-checked.

Use OS-level preventative functionality. Not a complete solution.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Read memory
Integrity
Modify memory
Availability
DoS: resource consumption (memory)
Denial of Service
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
+ Payload

Attacker-supplied data potentially containing malicious code.

+ Activation Zone

When the function returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to malicious code.

+ Payload Activation Impact

Description

The most common are remote code execution or denial of service.

+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
Client-Server
Other
Frameworks
All
Platforms
All
Languages
All
+ References
[R.14.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
[R.14.2] [REF-3] "Common Weakness Enumeration (CWE)". CWE-119: Buffer Errors. Draft. The MITRE Corporation. 2007. <http://cwe.mitre.org/data/definitions/119.html>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Cloning Magnetic Strip Cards
Definition in a New Window Definition in a New Window
Attack Pattern ID: 397
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker duplicates the data on a Magnetic strip card (i.e. 'swipe card' or 'magstripe') to gain unauthorized access to a physical location or a person's private information. Magstripe cards encode data on a band of iron-based magnetic particles arrayed in a stripe along a rectangular card. Most magstripe card data formats conform to ISO standards 7810, 7811, 7813, 8583, and 4909. The primary advantage of magstripe technology is ease of encoding and portability, but this also renders magnetic strip cards susceptible to unauthorized duplication. If magstripe cards are used for access control, all an attacker need do is obtain a valid card long enough to make a copy of the card and then return the card to its location (i.e. a co-worker's desk). Magstripe reader/writers are widely available as well as software for analyzing data encoded on the cards. By swiping a valid card, it becomes trivial to make any number of duplicates that function as the original.

+ References
[R.397.1] [REF-20] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 9: Hacking Hardware. 6th Edition. McGraw Hill. 2009.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Cloning RFID Cards or Chips
Definition in a New Window Definition in a New Window
Attack Pattern ID: 399
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker analyzes data returned by an RFID chip and uses this information to duplicate a RFID signal that responds identically to the target chip. In some cases RFID chips are used for building access control, employee identification, or as markers on products being delivered along a supply chain. Some organizations also embed RFID tags inside computer assets to trigger alarms if they are removed from particular rooms, zones, or buildings. Similar to Magnetic strip cards, RFID cards are susceptible to duplication (cloning) and reuse. RFID (Radio Frequency Identification) are passive devices which consist of an integrated circuit for processing RF signals and an antenna. RFID devices are passive in that they lack an on on-board power source. The majority of RFID chips operate on either the 13.56 MHz or 135 KHz frequency. The chip is powered when a signal is received by the antenna on the chip, powering the chip long enough to send a reply message. An attacker is able to capture and analyze RFID data by either stimulating the chip to respond or being proximate to the chip when it sends a response to a remote transmitter. This allows the attacker to duplicate the signal and conduct attacks such as gaining unauthorized access to a building or impersonating a user's identification.

+ References
[R.399.1] [REF-20] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 9: Hacking Hardware. 6th Edition. McGraw Hill. 2009.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Code Inclusion
Definition in a New Window Definition in a New Window
Attack Pattern ID: 175
Abstraction: Meta
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker exploits a weakness in input validation on the target to force arbitrary code to be retrieved from a remote location and executed. This differs from code injection in that code injection involves the direct inclusion of code while code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application. One example of this sort of attack is PHP file include attacks where the parameter of an include() function is set by a variable that an attacker is able to control. The result is that arbitrary code could be loaded into the PHP application and executed.

+ Attack Prerequisites
  • The target application must include external code/libraries that are executed when the application runs and the attacker must be able to influence the specific files that get included.

  • The victim must run the targeted application, possibly using the crafted parameters that the attacker uses to identify the code to include.

+ Typical Severity

Very High

+ Resources Required

The attacker may need to be able to host code modules if they wish their own code files to be included.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Code Injection
Definition in a New Window Definition in a New Window
Attack Pattern ID: 241
Abstraction: Meta
Status: Draft
Completeness: Hook
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Code Injection
Definition in a New Window Definition in a New Window
Attack Pattern ID: 242
Abstraction: Meta
Status: Draft
Completeness: Stub
+ Description

Summary

An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Command Delimiters
Definition in a New Window Definition in a New Window
Attack Pattern ID: 15
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Description

Summary

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

Attack Execution Flow

Explore
  1. Assess Target Runtime Environment:

    In situations where the runtime environment is not implicitly known, the attacker makes connections to the target system and tries to determine the system's runtime environment. Knowing the environment is vital to choosing the correct delimiters.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Port mapping using network connection-based software (e.g., nmap, nessus, etc.)

    env-ClientServer env-Embedded env-CommProtocol env-Peer2Peer env-Web
    2

    Port mapping by exploring the operating system (netstat, sockstat, etc.)

    env-Local
    3

    TCP/IP Fingerprinting

    env-All
    4

    Induce errors to find informative error messages

    env-All

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    The target software accepts connections via the network.

    env-Web env-CommProtocol env-Peer2Peer env-Embedded

    Outcomes

    IDTypeOutcome Description
    1Success
    Operating environment (operating system, language, and/or middleware) is correctly identified.
    2Inconclusive
    Multiple candidate operating environments are suggested.

    Security Controls

    IDTypeSecurity Control Description
    1Preventative
    Provide misleading information on TCIP/IP fingerprints (some operating systems can be configured to send signatures that match other operating systems).
    2Preventative
    Provide misleading information at the server level (e.g., Apache, IIS, WebLogic, etc.) to announce a different server software.
    3Detective
    Some fingerprinting techniques can be detected by operating systems or by network IDS systems because they leave the network connection half-open, or they do not belong to a valid, open connection.
  2. Survey the Application:

    The attacker surveys the target application, possibly as a valid and authenticated user

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Spidering web sites for all available links

    env-Web
    2

    Inventory all application inputs

    env-All

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    Attacker develops a list of valid inputs

    env-Web env-ClientServer

    Outcomes

    IDTypeOutcome Description
    1Success
    The attacker develops a list of likely command delimiters.

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
    2Detective
    Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
    3Preventative
    Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
    4Detective
    Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Experiment
  1. Attempt delimiters in inputs:

    The attacker systematically attempts variations of delimiters on known inputs, observing the application's response each time.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)

    env-CommProtocol env-Web env-Peer2Peer env-ClientServer
    2

    Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)

    env-Web
    3

    Enter command delimiters directly in input fields.

    env-Embedded env-Local env-ClientServer

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    Attack step 2 is successful.

    env-All

    Outcomes

    IDTypeOutcome Description
    1Success
    One or more command delimiters for the platform provokes an unexpected response from the software, which can be varied by the attacker based on the input.
Exploit
  1. Use malicious command delimiters:

    The attacker uses combinations of payload and carefully placed command delimiters to attack the software.

    Outcomes

    IDTypeOutcome Description
    1Success
    The software performs as expected by the attacker.

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor user input to the software.
    2Preventative
    Apply appropriate input validation to filter all user-controlled input to the software.
    3Preventative
    Actively monitor the application and either deny or redirect requests from origins that appear to be attacking the software.
+ Attack Prerequisites
  • Software's input validation or filtering must not detect and block presence of additional malicious command.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
+ Examples-Instances

Description

By appending special characters, such as a semicolon or other commands that are executed by the target process, the attacker is able to execute a wide variety of malicious commands in the target process space, utilizing the target's inherited permissions, against any resource the host has access to. The possibilities are vast including injection attacks against RDBMS (SQL Injection), directory servers (LDAP Injection), XML documents (XPath and XQuery Injection), and command line shells. In many injection attacks, the results are converted back to strings and displayed to the client process such as a web browser without tripping any security alarms, so the network firewall does not log any out of the ordinary behavior.

LDAP servers house critical identity assets such as user, profile, password, and group information that is used to authenticate and authorize users. An attacker that can query the directory at will and execute custom commands against the directory server is literally working with the keys to the kingdom in many enterprises. When user, organizational units, and other directory objects are queried by building the query string directly from user input with no validation, or other conversion, then the attacker has the ability to use any LDAP commands to query, filter, list, and crawl against the LDAP server directly in the same manner as SQL injection gives the ability to the attacker to run SQL commands on the database.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

The attacker has to identify injection vector, identify the specific commands, and optionally collect the output, i.e. from an interactive session.

+ Resources Required

Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.

+ Solutions and Mitigations

Design: Perform whitelist validation against a positive specification for command length, type, and parameters.

Design: Limit program privileges, so if commands circumvent program input validation or filter routines then commands do not running under a privileged account

Implementation: Perform input validation for all remote content.

Implementation: Use type conversions such as JDBC prepared statements.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read application data
+ Injection Vector

Malicious input delivered through appending delimiters to standard input

+ Payload

Command(s) appended to valid parameters to enable attacker to execute commands on host

+ Activation Zone

Client machine and client network

+ Payload Activation Impact

Description

Enables attacker to execute server side code with any commands that the program owner has privileges to.

+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ References
[R.15.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Command Injection
Definition in a New Window Definition in a New Window
Attack Pattern ID: 248
Abstraction: Meta
Status: Draft
Completeness: Hook
+ Attack Prerequisites
  • The target application must accept input from the user. In virtually all cases, this must be string input.

  • The target application must fail to adequately filter the user input against the insertion of instructions.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Command Line Execution through SQL Injection
Definition in a New Window Definition in a New Window
Attack Pattern ID: 108
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Description

Summary

An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

Attack Execution Flow

Explore
  1. Probe for SQL Injection vulnerability:

    The attacker injects SQL syntax into user-controllable data inputs to search unfiltered execution of the SQL syntax in a query.

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Negative

    Attacker receives normal response from server.

    env-Web env-ClientServer env-Peer2Peer env-CommProtocol
    2Positive

    Attacker receives an error message from server indicating that there was a problem with the SQL query.

    env-Web env-ClientServer env-Peer2Peer env-CommProtocol
    3Negative

    Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException)

    env-Web env-ClientServer env-Peer2Peer env-CommProtocol

    Outcomes

    IDTypeOutcome Description
    1Success
    At least one user-controllable input susceptible to injection found.
    2Failure
    No user-controllable input susceptible to injection found.

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Search for and alert on unexpected SQL keywords in application logs (e.g. SELECT, DROP, etc.).
    2Preventative
    Input validation of user-controlled data before including it in a SQL query
    3Preventative
    Use parameterized queries (e.g. PreparedStatement in Java, and Command.Parameters.Add() to set query parameters in .NET)
Exploit
  1. Achieve arbitrary command execution through SQL Injection with the MSSQL_xp_cmdshell directive:

    The attacker leverages a SQL Injection attack to inject shell code to be executed by leveraging the xp_cmdshell directive.

    Outcomes

    IDTypeOutcome Description
    1Success
    Attacker's injected code is executed.

    Security Controls

    IDTypeSecurity Control Description
    1Preventative
    Disable xp_cmdshell stored procedure on the database.
    2Detective
    Search for and alert on unexpected SQL keywords in application logs (e.g. SELECT, DROP, etc.).
    3Preventative
    Input validation of user-controlled data before including it in a SQL query
    4Preventative
    Use parameterized queries (e.g. PreparedStatement in Java, and Command.Parameters.Add() to set query parameters in .NET)
  2. Inject malicious data in the database:

    Leverage SQL injection to inject data in the database that could later be used to achieve command injection if ever used as a command line argument

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Search for and alert on unexpected SQL keywords in application logs (e.g. SELECT, DROP, etc.).
    2Preventative
    Input validation of user-controlled data before including it in a SQL query
    3Preventative
    Use parameterized queries (e.g. PreparedStatement in Java, and Command.Parameters.Add() to set query parameters in .NET)
  3. Trigger command line execution with injected arguments:

    The attacker causes execution of command line functionality which leverages previously injected database content as arguments.

    Outcomes

    IDTypeOutcome Description
    1Success
    Attacker's injected code is executed.
+ Attack Prerequisites
  • The application does not properly validate data before storing in the database

  • Backend application implicitly trusts the data stored in the database

  • Malicious data is used on the backend as a command line argument

+ Typical Severity

Very High

+ Typical Likelihood of Exploit

Likelihood: Low

+ Methods of Attack
  • Analysis
  • Injection
+ Examples-Instances

Description

SQL injection vulnerability in Cacti 0.8.6i and earlier, when register_argc_argv is enabled, allows remote attackers to execute arbitrary SQL commands via the (1) second or (2) third arguments to cmd.php. NOTE: this issue can be leveraged to execute arbitrary commands since the SQL query results are later used in the polling_items array and popen function (CVE-2006-6799).

Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6799

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: High

The attacker most likely has to be familiar with the internal functionality of the system to launch this attack. Without that knowledge, there are not many feedback mechanisms to give an attacker the indication of how to perform command injection or whether the attack is succeeding.

+ Resources Required

No specialized resources are required

+ Solutions and Mitigations

Disable MSSQL xp_cmdshell directive on the database

Properly validate the data (syntactically and semantically) before writing it to the database.

Do not implicitly trust the data stored in the database. Re-validate it prior to usage to make sure that it is safe to use in a given context (e.g. as a command line argument).

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Integrity
Modify application data
Confidentiality
Read memory
Read application data
Availability
DoS: crash / exit / restart
DoS: instability
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
+ Relevant Security Requirements

Validate all data syntactically and semantically before writing it to the database

Do not implicitly trust database data and validate it to ensure that it is safe in the context in which it is being used

+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Common Resource Location Exploration
Definition in a New Window Definition in a New Window
Attack Pattern ID: 150
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most, systems, files and resources are organized in the same tree structure. This can be useful for attackers because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may know be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Attackers can take advantage of this to commit other types of attacks.

+ Attack Prerequisites
  • The targeted applications must either expect files to be located at a specific location or, if the location of the files can be configured by the user, the user either failed to move the files from the default location or placed them in a conventional location for files of the given type.

+ Typical Severity

Medium

+ Resources Required

No special resources are required for most variants of this attack. In some cases, the attacker need not even have direct access to the locations on the target computer where the targeted resources reside.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Communications
Definition in a New Window Definition in a New Window
Category ID: 512
 
Status: Draft
+ Description

Summary

Attack patterns within this category focus on the exploitation of communications and related protocols. The techniques defined by each pattern are used by an adversary to block, manipulate, and steal communications in an attempt to achieve a desired negative technical impact.
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
HasMemberAttack PatternAttack Pattern117Interception
Domains of Attack (primary)3000
HasMemberAttack PatternAttack Pattern272Protocol Manipulation
Domains of Attack (primary)3000
MemberOfViewView3000Domains of Attack
Domains of Attack3000
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Comprehensive CAPEC Dictionary
Definition in a New Window Definition in a New Window
View ID: 2000
Structure: Implicit Slice
Status: Draft
+ Objective

This view (slice) covers all the elements in CAPEC.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team

Filter Used: true()

CAPECs in this viewTotal CAPECs
Total544out of544
Views8out of8
Categories73out of73
Attack Patterns463out of463
 
Configuration/Environment manipulation
Definition in a New Window Definition in a New Window
Attack Pattern ID: 176
Abstraction: Meta
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker manipulates files or settings external to a target application which affect the behavior of that application. For example, many applications use external configuration files and libraries - modification of these entities or otherwise affecting the application's ability to use them would constitute a configuration/environment manipulation attack.

+ Attack Prerequisites
  • The target application must consult external files or configuration controls to control its execution. All but the very simplest applications meet this requirement.

+ Typical Severity

Medium

+ Resources Required

The attacker must have the access necessary to affect the files or other environment items the targeted application uses for its operations.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Contaminate Resource
Definition in a New Window Definition in a New Window
Attack Pattern ID: 548
Abstraction: Meta
Status: Draft
Completeness: Stub
+ Description

Summary

An adversary contaminates organizational information systems (including devices and networks) by causing them to handle information of a classification/sensitivity for which they have not been authorized. The information is exposed to individuals who are not authorized access to such information, and the information system, device, or network is unavailable while the spill is investigated and mitigated.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Content Spoofing
Definition in a New Window Definition in a New Window
Attack Pattern ID: 148
Abstraction: Meta
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the attackers' content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the attacker will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud if the content governs financial transactions, privacy violations, and other results.

+ Attack Prerequisites
  • The target must provide content but fail to adequately protect it against modification.

+ Typical Severity

Medium

+ Resources Required

No special resources are required by the client for most forms of the attack. If the content is to be modified in transit, the attacker must be able to intercept the targeted messages. In some variants, the targeted content is altered so that all or some of it is redirected towards content published by the attacker (for example, images and frames in the target's web site might be modified to be loaded from a source controlled by the attacker). In these cases, the attacker must be able to host the replacement content.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Content Spoofing Via Application API Manipulation
Definition in a New Window Definition in a New Window
Attack Pattern ID: 389
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the attackers' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the attackers' intent. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system.

+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Application Layer

Target Attack Surface Localities

Client-side

Target Attack Surface Types: Host

Target Functional Services

Target Functional Service 1: Any
Protocol 1: HTTP
Related Protocol: Internet Protocol
Relationship Type
Uses Protocol
Related Protocol: Transmission Control Protocol
Relationship Type
Uses Protocol
+ Attack Prerequisites
  • Targeted software is utilizing application framework APIs

+ Typical Severity

Low

+ Resources Required

A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy.

+ References
[R.389.1] [REF-25] Tom Stracener and Sean Barnum. "So Many Ways [...]: Exploiting Facebook and YoVille". Defcon 18. 2010.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Counterfeit Component Supplied
Definition in a New Window Definition in a New Window
Attack Pattern ID: 530
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker provides a counterfeit component during the procurement process of a lower-tier component supplier to a sub-system developer or integrator, which is then built into the system being upgraded or repaired by the victim, allowing the attacker to cause disruption or additional compromise.

+ Attack Prerequisites
  • Advanced knowledge about the target system and sub-components.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: Low

The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.

+ Examples-Instances

Description

The attacker, aware that the victim has contracted with an integrator for system maintenance and that the integrator uses commercial-off-the-shelf network hubs, develops their own network hubs with a built-in malicious capability for remote access, the malicious network hubs appear to be a well-known brand of network hub but are not. The attacker then advertises to the sub-system integrator that they are a legit supplier of network hubs, and offers them at a reduced price to entice the integrator to purchase these network hubs. The integrator then installs the attacker's hubs at the victim's location, allowing the attacker to remotely compromise the victim's network.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: High

Able to develop and manufacture malicious system components that resemble legitimate name-brand components.

+ References
[R.530.1] [REF-50] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Counterfeit Hardware Component Inserted During Product Assembly
Definition in a New Window Definition in a New Window
Attack Pattern ID: 520
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker with either direct access to the product assembly process or to the supply of subcomponents used in the product assembly process introduces counterfeit hardware components into product assembly. The assembly containing the counterfeit components results in a system specifically designed for malicious purposes.

+ Attack Prerequisites
  • The attacker will need either physical access or be able to supply malicious hardware components to the product development facility.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: Low

The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.

+ Examples-Instances

Description

A manufacturer of a firewall system requires a hardware card which functions as a multi-jack ethernet card with four ethernet ports. The attacker constructs a counterfeit card that functions normally except that packets from the attacker's network are allowed to bypass firewall processing completely. Once deployed at a victim location, this allows the attacker to bypass the firewall unrestricted.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: High

Resources to maliciously construct components used by the manufacturer.

Skill or Knowledge Level: High

Resources to physically infiltrate manufacturer or manufacturer's supplier.

+ References
[R.520.1] [REF-50] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Counterfeit Organizations
Definition in a New Window Definition in a New Window
Attack Pattern ID: 544
Abstraction: Detailed
Status: Draft
Completeness: Stub
+ Description

Summary

An adversary creates a false front organizations with the appearance of a legitimate supplier in the critical life cycle path that then injects corrupted/malicious information system components into the organizational supply chain.

+ Attack Prerequisites
  • None

+ Typical Severity

High

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Counterfeit Websites
Definition in a New Window Definition in a New Window
Attack Pattern ID: 543
Abstraction: Detailed
Status: Draft
Completeness: Stub
+ Description

Summary

Adversary creates duplicates of legitimate websites. When users visit a counterfeit site, the site can gather information or upload malware.

+ Attack Prerequisites
  • None

+ Typical Severity

High

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Create files with the same name as files protected with a higher classification
Definition in a New Window Definition in a New Window
Attack Pattern ID: 177
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker exploits file location algorithms in an operating system or application by creating a file with the same name as a protected or privileged file. The attacker could manipulate the system if the attacker-created file is trusted by the operating system or an application component that attempts to load the original file. Applications often load or include external files, such as libraries or configuration files. These files should be protected against malicious manipulation. However, if the application only uses the name of the file when locating it, an attacker may be able to create a file with the same name and place it in a directory that the application will search before the directory with the legitimate file is searched. Because the attackers' file is discovered first, it would be used by the target application. This attack can be extremely destructive if the referenced file is executable and/or is granted special privileges based solely on having a particular name.

+ Attack Prerequisites
  • The target application must exclude external files. Most non-trivial applications meet this criterion.

  • The target application does not verify that a located file is the one it was looking for through means other than the name. Many applications fail to perform checks of this type.

  • The directories the target application searches to find the included file include directories writable by the attacker which are searched before the protected directory containing the actual files. It is much less common for applications to meet this criterion, but if an attacker can manipulate the application's search path (possibly by controlling environmental variables) then they can force this criterion to be met.

+ Typical Severity

Very High

+ Resources Required

The attacker must have sufficient access to place an arbitrarily named file somewhere early in the application's search path.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
 
Create Malicious Client
Definition in a New Window Definition in a New Window
Attack Pattern ID: 202
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Description

Summary

An adversary creates a client application to interface with a target service where the client violates assumptions the service makes about clients. Services that have designated client applications (as opposed to services that use general client applications, such as IMAP or POP mail servers which can interact with any IMAP or POP client) may assume that the client will follow specific procedures. For example, servers may assume that clients will accurately compute values (such as prices), will send correctly structured messages, and will attempt to ensure efficient interactions with the server. By reverse-engineering a client and creating their own version, an adversary can take advantage of these assumptions to abuse service functionality. For example, a purchasing service might send a unit price to its client and expect the client to correctly compute the total cost of a purchase. If the adversary uses a malicious client, however, the adversary could ignore the server input and declare any total price. Likewise, an adversary could configure the client to retain network or other server resources for longer than legitimately necessary in order to degrade server performance.

Even services with general clients can be susceptible to this attack if they assume certain client behaviors. However, such services generally can make fewer assumptions about the behavior of their clients in the first place and, as such, are less likely to make assumptions that an adversary can exploit.

+ Attack Prerequisites
  • The targeted service must make assumptions about the behavior of the client application that interacts with it, which can be abused by an adversary.

+ Typical Severity

Medium

+ Resources Required