Leveraging/Manipulating Configuration File Search Paths |
Attack Pattern ID: 38 (Standard Attack Pattern Completeness: Complete) | Typical Severity: Very High | Status: Draft |
Summary
This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program like a path variable or classpath. J2EE applications and other component based applications that are built from mutliple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.
A standard UNIX path looks similar to this
If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attacker's behalf:
This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution.
Description
This attack can be accomplished in two ways. An attacker can insert a malicious program into the path or classpath so that when a known command is executed then the system instead executes the trojans. Another method is to redirect commands by aliasing one legitimate command to another to create unexpected results. the Unix command "rm" could be aliased to "mv" and move all files the victim thinks they are deleting to a directory the attacker controls. In a Unix shell .profile setting
In this case the attacker retains a copy of all the files the victim attempts to remove.
Skill or Knowledge Level: Low
To identify and execute against an overprivileged system interface
Design: Enforce principle of least privilege
Design: Ensure that the program's compound parts, including all system dependencies, classpath, path, and so on, are secured to the same or higher level assurance as the program
Implementation: Host integrity monitoring
Nature | Type | ID | Name | Description | View(s) this relationship pertains to |
---|---|---|---|---|---|
ChildOf | Attack Pattern | 13 | Subverting Environment Variable Values | Mechanism of Attack1000 | |
ChildOf | Attack Pattern | 148 | Content Spoofing | Mechanism of Attack (primary)1000 | |
ChildOf | Attack Pattern | 154 | Resource Location Attacks | Mechanism of Attack (primary)1000 |
Submissions | ||||
---|---|---|---|---|
Submitter | Organization | Date | ||
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-01-01 |
Modifications | |||||
---|---|---|---|---|---|
Modifier | Organization | Date | Comments | ||
Gunnar Peterson | Cigital, Inc | 2007-02-28 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" | ||
Sean Barnum | Cigital, Inc | 2007-03-09 | Review and revise | ||
Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Name and Related Attack Patterns | ||
Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback |