Common Attack Pattern Enumeration and Classification

Common Attack Pattern Enumeration and Classification

1

High

The application must be navigable in a manner that associates elements (subsections) of the application with ACLs.

The various resources, or individual URLs, must be somehow discoverable by the attacker

The deployer must have forgotten to associate an ACL or has associated an inappropriately permissive ACL with a particular navigable resource.

Very High

• Analysis
• Brute Force

Low: In order to discover unrestricted resources, the attacker does not need special tools or skills. He only has to observe the resources or access mechanisms invoked as each action is performed and then try and access those access mechanisms directly.

No special resources are required for the exploit of this pattern.

In the case of web applications, use of a spider or other crawling software can allow an attacker to search for accessible pages not beholden to a security constraint.

More generally, noting the target resource accessed upon performing specific actions drives an understanding of the resources accessible from the current context.

In a J2EE setting, deployers can associate a role that is impossible for the authenticator to grant users, such as "NoAccess", with all Servlets to which access is guarded by a limited number of servlets visible to, and accessible by, the user.. Having done so, any direct access to those protected Servlets will be prohibited by the web container. In a more general setting, the deployer must mark every resource besides the ones supposed to be exposed to the user as accessible by a role impossible for the user to assume. The default security setting must be to deny access and then grant access only to those resources intended by business logic.

• Privilege Escalation

The context of this pattern's applicability is most likely a web-based application, subject to an authorization framework.

All resources must be constrained to be inaccessible by default followed by selectively allowing access to resources as dictated by application and business logic

In addition to a central controller, every resource must also restrict, wherever possible, incoming accesses as dictated by the relevant ACL.

• Failing Securely
• Least Privilege
• Reluctance To Trust
• Complete Mediation

• Use Authorization Mechanisms Correctly
• Design Configuration Subsystems Correctly and Distribute Safe Default Configurations

Penetration

2

Medium

The system has a lockout mechanism.

An attacker must be able to reproduce behavior that would result in an account being locked.

High

• API Abuse
• Flooding
• Brute Force

Low

Computer with access to the login portion of the target system

Implement intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name.

When implementing security features, consider how they can be misused and made to turn on themselves.

• Denial of Service

6

High

Target software fails to strip all user-supplied input of any content that could cause the shell to perform unexpected actions.

Software must allow for unvalidated or unfiltered input to be executed on operating system shell, and, optionally, the system configuration must allow for output to be sent back to client.

High

• Injection

Medium → The attacker has to identify injection vector, identify the operating system-specific commands, and optionally collect the output.

Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.

Design: Do not program input values directly on command shell, instead treat user input as guilty until proven innocent. Build a function that takes user input and converts it to applications specific types and values, stripping or filtering out all unauthorized commands and characters in the process.

Design: Limit program privileges, so if metacharcters or other methods circumvent program input validation routines and shell access is attained then it is not running under a privileged account. chroot jails create a sandbox for the application to execute in, making it more difficult for an attacker to elevate privilege even in the case that a compromise has occurred.

Implementation: Implement an audit log that is written to a separate host, in the event of a compromise the audit log may be able to provide evidence and details of the compromise.

• Privilege Escalation
• Data Modification
• Information Leakage

“Attack Pattern: Argument Injection
"User input is directly pasted into the argument of a shell command. A number of third-party programs allow passthrough to a shell with little or no filtering."
[Hoglund and McGraw 04]

Malicious input delivered through standard input, the attacker inserts additional arguments on the application's standard interface

Varies with instantiation of attack pattern. Malicious payload either pass commands through valid paramters or supply metacharacters that cause unexpected termination that redirects to shell

Client machine and client network (e..g Intranet)

Enables attacker to execute server side code with any commands that the program owner has privileges to, this is particularly problematic when the sprogram is run as a system or privileged account.

• Never Use Input as Part of a Directive to any Internal Component

Penetration

G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.

96

Medium

An application requires access to external libraries.

An attacker has the priviliges to block application access to external libraries.

Medium

• API Abuse
• Modification of Resources

Low

Ensure that application handles situations where access to APIs in external libraries is not available securely. If the application cannot continue its execution safely it should fail in a consistent and secure fashion.

• Denial of Service
• Information Leakage
• Privilege Escalation

• Failing Securely

Exploitation

11

High

Web server software must rely on file name or file extension for processing.

Medium

• Injection
• Modification of Resources

Low → To modify file name or file extension Medium → To use misclassification to force the Web server to disclose configuration information, source, or binary data

Ability to execute HTTP request to Web server

Implementation: Server routines should be determined by content not determined by filename or file extension.

• Information Leakage
• Privilege Escalation

“Attack Pattern: Cause Web Server Misclassification
A very famous set of classification problems occurs when a Web server examines the last few characters of a filename to determine what kind of file it is. There are many ways to take advantage of these kinds of problems-appending certain strings to filenames, adding dots, and so forth."
[Hoglund and McGraw 04]

Malicious input delivered through standard Web application calls, e.g. HTTP Request.

Varies with instantiation of attack pattern. Malicious payload may alter or append filename or extension to communicate with processes in unexpected order.

Client machine and client network

Enables attacker to force web server to disclose configuration, source, and data

Reconnaissance

G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.

12

High

Information and client-sensitive (and client-specific) data must be present through a distribution channel available to all users.

Distribution means must code (through channel, message identifiers, or convention) message destination in a manner visible within the distribution means itself (such as a control channel) or in the messages themselves.

Very High

Low: All the attacker needs to discover is the format of the messages on the channel/distribution means and the particular identifier used within the messages.

The Attacker needs the ability to control source code or application configuration responsible for selecting which message/channel id is absorbed from the public distribution means.

Assisted protocol analysis: because the protocol under attack is a public channel, or one in which the attacker likely has authorized access to, they need simply to decode the aspect of channel or message interpretation that codes for message identifiers. Probing is as simple as changing this value and watching its effect.

Associate some ACL (in the form of a token) with an authenticated user which they provide middleware. The middleware uses this token as part of its channel/message selection for that client, or part of a discerning authorization decision for privileged channels/messages. The purpose is to architect the system in a way that associates proper authentication/authorization with each channel/message.

Rearchitect system input/output channels as appropriate to distribute self-protecting data. That is, encrypt (or otherwise protect) channels/messages so that only authorized readers can see them.

• Information Leakage
• Privilege Escalation

This pattern applies in circumstances in which publically accessible distribution means code (through channel, message identifiers, or convention) for client-specific subscription information about messages being distributed. Commonly, this will happen over message-oriented middleware buses, multicast channels, or feeds.

• Complete Mediation

• Use Authentication Mechanisms, Where Appropriate, Correctly
• Use Authorization Mechanisms Correctly: this refers to Ambiguity of authentication. Many authorization systems use ambiguous symbols (i.e., principal names) to identify principals allowing circumvention of authorization by using a different, though equivalent, principal name. For example, there are many implementations for restricting remote host access to local services that may allow many proper—but apparently different—names for unique hosts (e.g., fully qualified domain names, shortened names, CNAMEs, IPv4 addresses, IPv6 addresses).

Penetration

13

Very High

An environment variable is accessible to the user.

An environment variable used by the application can be tainted with user supplied data.

Input data used in an environment variable is not validated properly.

The variables encapsulation is not done properly. For instance setting a variable as public in a class makes it visible and an attacker may attemp to manipulate that variable.

Very High

• Injection
• Modification of Resources
• Protocol Manipulation

Low: In a web based scenario, the client controls the data that it submitted to the server. So anybody can try to send malicious data and try to bypass the authentication mechanism. Medium/High: Some more advanced attacks may require knowledge about protocols and probing technique which help controling a variable. The malicious user may try to understand the authentication mechanism in order to defeat it.

An attacker can intentionally modify the client side parameter and monitor how the server behaves in response to that modification. For instance an attacker will look at the cookie data, the URL parameters, the hidden variables in forms, variables used in system calls, etc.

If the client uses a program in binary format to connect to the server, disassembler can be used to identify parameter within the binary code, and then the attacker would try to simulate the client application and change some of the parameters sent to the server. For instance the attacker may find that a secret key or a path is hard coded in the binary client application.

Environment variables are frequently stored in cleartext configuration files. If the attacker can modify those configuration files, he can control the environment variables. Even a read access can potentially be dangerous since this may give sensitive information to perform this type of attack. Indeed knowing which environment variables the application uses is a prerequisite to this type of attack.

The attacker may try to obfuscate its attempts to subvert the target process (such as authentication) by using valid values for the variable she controls. By using valid values the user tries to understand the authentication mechanism. This would be in preparation to a more serious attack.

Protect environment variables against unauthorized read and write access.

Protect the configuration files which contain environment variables against illegitimate read and write access.

Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system.

Apply the least privilege principles. If a process has no legitimate reason to read an environment variable do not give that privilege.

• Run Arbitrary Code
• Privilege Escalation
• Denial of Service
• Information Leakage

The client controlled parameter

The new value of the client controlled parameter.

The activation zone is the server side function where the client controlled parameter is consumed.

Consuming an attacker contolled parameter can defeat the normal process of the application.

• Reluctance to trust

• Always perform wise data validation. Do not accept tainted data without validation. Do not simply base authentication on the client controlled parameter.
• Avoid relying on client side validation only.

Penetration

G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.

CWE – Input Validation

15

High

Software's input validation or filtering must not detect and block presence of additional malicious command.

High

• Injection

Medium → The attacker has to identify injection vector, identify the specific commands, and optionally collect the output, i.e. from an interactive session.

Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.

Design: Perform whitelist validation against a positive specification for command length, type, and parameters.

Design: Limit program privileges, so if commands circumvent program input validation or filter routines then commands do not running under a privileged account

Implementation: Perform input validation for all remote content.

Implementation: Use type conversions such as JDBC prepared statements.

• Run Arbitrary Code
• Information Leakage

“Attack Pattern: Command Delimiters
"Using the semicolon or other off-nominal characters, multiple commands can be strung together. Unsuspecting target programs will execute all the commands."
[Hoglund and McGraw 04]

Malicious input delivered through appending delimiters to standard input

Command(s) appended to valid parameters to enable attacker to execute commands on host

Client machine and client network

Enables attacker to execute server side code with any commands that the program owner has privileges to.

Penetration

G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.

97

Very High

The target software utilizes some sort fo cryptographic algorithm.

An underlying weaknesses exists either in the cryptographic algorithm used or in the way that it was applied to a particular chunk of plaintext.

The encryption algorithm is known to the attacker.

An attacker has access to the ciphertext.

Very Low

• Analysis
• Brute Force

High - Cryptanalysis generally requires a very significant level of understanding of mathematics and computation.

Computing resource requirements will vary based on the complexity of a given cryptanalysis technique. Access to the encryption/decryption routines of the algorithm is also required.

Use proven cryptographic algorithms with recommended key sizes.

Ensure that the algorithms are used properly. That means: 1. Not rolling out your own crypto; Use proven algorithms and implementations. 2. Choosing initialization vectors with sufficiently random numbers 3. Generating key material using good sources of randomness and avoiding known weak keys 4. Using proven protocols and their implementations. 5. Picking the most appropriate cryptographic algorithm for your usage context and data

• Information Leakage
• Data Modification
• Privilege Escalation

Reconnaissance

Wikipedia (Cryptanalysis): www.wikipedia.org

17

Very High

System's configuration must allow an attacker to directly access executable files or upload files to execute. This means that any access control system that is supposed to mediate communications between the subkect and the object is set incorrectly or assumes a benign environment.

High

• Modification of Resources
• API Abuse

Low → to identify and execute against an overprivileged system interface

Ability to communicate synchronously or asynchronously with server that publishes an overprivileged directory, program, or interface. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.

Design: Enforce principle of least privilege

Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.

Implementation: Perform testing such as pentesting and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.

• Run Arbitrary Code
• Data Modification
• Information Leakage
• Privilege Escalation

“Attack Pattern: Direct Access to Executable Files
A privileged program is directly accessible. The program performs operations on behalf of the attacker that allow privilege escalation or shell access. For Web servers, this is often a fatal issue. If a server runs external executables provided by a user (or even simply named by a user), the user can cause the system to behave in  unanticipated ways.  This may be accomplished by passing in command-line options or by spinning an interactive session. A problem like this is almost always as bad as giving complete shell access to an attacker.

The most common targets for this kind of attack are Web servers. The attack is so easy that attackers have been known to use Internet search engines to find potential targets. The Altavista search engine is a great resource for attackers looking for such targets. Google works too."
[Hoglund and McGraw 04]

Payload delivered through standard communication protocols.

Command(s) executed directly on host

Client machine and client network

Enables attacker to execute server side code with any commands that the program owner has privileges to.