New to CAPEC? Start Here
Home > CAPEC List > CAPEC-14: Client-side Injection-induced Buffer Overflow (Version 3.9)  

CAPEC-14: Client-side Injection-induced Buffer Overflow

Attack Pattern ID: 14
Abstraction: Detailed
View customized information:
+ Description
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service. This hostile service is created to deliver the correct content to the client software. For example, if the client-side application is a browser, the service will host a webpage that the browser loads.
+ Likelihood Of Attack

Medium

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.100Overflow Buffers
CanFollowDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.13Subverting Environment Variable Values
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
Explore
  1. Identify target client-side application: The adversary identifies a target client-side application to perform the buffer overflow on. The most common are browsers. If there is a known browser vulnerability an adversary could target that.

Experiment
  1. Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

    Techniques
    Many times client side applications will be open source, so an adversary can examine the source code to identify possible injection vectors.
    Examine APIs of the client-side application and look for areas where a buffer overflow might be possible.
  2. Create hostile service: The adversary creates a hostile service that will deliver content to the client-side application. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.

    Techniques
    If the client-side application is a browser, the adversary will create a service that delivers a malicious webpage to the browser.
    Create malicious shellcode that will execute when the program execution is returned to it.
    Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs
Exploit
  1. Overflow the buffer: Using the injection vector, the adversary delivers the content to the client-side application using the hostile service and overflows the buffer.

    Techniques
    If the adversary is targeting a local client-side application, they just need to use the service themselves.
    If the adversary is attempting to cause an overflow on an external user's client-side application, they must get the user to attach to their service by some other means. This could be getting a user to visit their hostile webpage to target a user's browser.
+ Prerequisites
The targeted client software communicates with an external server.
The targeted client software has a buffer overflow vulnerability.
+ Skills Required
[Level: Low]
To achieve a denial of service, an attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector.
[Level: High]
Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap requires a more in-depth knowledge and higher skill level.
+ Indicators
An example of indicator is when the client software crashes after executing code downloaded from a hostile server.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Confidentiality
Read Data
Integrity
Modify Data
Availability
Resource Consumption
Confidentiality
Integrity
Availability
Execute Unauthorized Commands
+ Mitigations
The client software should not install untrusted code from a non-authenticated server.
The client software should have the latest patches and should be audited for vulnerabilities before being used to communicate with potentially hostile servers.
Perform input validation for length of buffer inputs.
Use a language or compiler that performs automatic bounds checking.
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.
Ensure all buffer uses are consistently bounds-checked.
Use OS-level preventative functionality. Not a complete solution.
+ Example Instances

Authors often use <EMBED> tags in HTML documents. For example

<EMBED TYPE="audio/midi" SRC="/path/file.mid" AUTOSTART="true">

In Internet Explorer 4.0 an adversary attacker supplies an overly long path in the SRC= directive, the mshtml.dll component will suffer a buffer overflow. This is a standard example of content in a Web page being directed to exploit a faulty module in the system. There are potentially thousands of different ways data can propagate into a given system, thus these kinds of attacks will continue to be found in the wild.

+ References
[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2017-01-09
(Version 2.9)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2018-07-31
(Version 2.12)
CAPEC Content TeamThe MITRE Corporation
Updated References
2020-07-30
(Version 3.3)
CAPEC Content TeamThe MITRE Corporation
Updated Execution_Flow
2021-06-24
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Weaknesses
2021-10-21
(Version 3.6)
CAPEC Content TeamThe MITRE Corporation
Updated Description, Execution_Flow
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Example_Instances
More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018