Manipulating Writeable Configuration Files
Attack Pattern ID: 75 (Standard Attack Pattern Completeness: Complete)Typical Severity: Very HighStatus: Draft
+ Description

Summary

Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attacker's behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.

+ Attack Prerequisites

Configuration files must be modifiable by the attacker

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Modification of Resources
+ Examples-Instances

Description

The BEA Weblogic server uses a config.xml file to store configuration data. If this file is not properly protected by the system access control, an attacker can write configuration information to redirect server output through system logs, database connections, malicious URLs and so on. Access to the Weblogic server may be from a so-called Custom realm which manages authentication and authorization privileges on behalf of user principals. Given write access, the attacker can insert a pointer to a custom realm jar file in the config.xml

< CustomRealm
ConfigurationData="java.util.Properties"
Name="CustomRealm"
RealmClassName="Maliciousrealm.jar"
/>

The main issue with configuration files is that the attacker can leverage all the same functionality the server has, but for malicious means. Given the complexity of server configuration, these changes may be very hard for administrators to detect.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

To identify vulnerable configuration files, and understand how to manipulate servers and erase forensic evidence

+ Solutions and Mitigations

Design: Enforce principle of least privilege

Design: Backup copies of all configuration files

Implementation: Integrity monitoring for configuration files

Implementation: Enforce audit logging on code and configuration promotion procedures.

Implementation: Load configuration from separate process and memory space, for example a separate physical device like a CD

+ Attack Motivation-Consequences
  • Privilege Escalation
+ Injection Vector

Configuration files

+ Payload

Commands or configuration settings

+ Activation Zone

Configuration file processing routines

+ Payload Activation Impact

Enables attacker to execute server side code with any commands that the program owner has privileges to.

+ Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
349Acceptance of Extraneous Untrusted Data With Trusted DataTargeted
99Improper Control of Resource Identifiers ('Resource Injection')Targeted
77Improper Sanitization of Special Elements used in a Command ('Command Injection')Targeted
346Origin Validation ErrorTargeted
353Failure to Add Integrity Check ValueSecondary
354Improper Validation of Integrity Check ValueSecondary
713OWASP Top Ten 2007 Category A2 - Injection FlawsTargeted
+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfAttack PatternAttack Pattern176Configuration/Environment manipulation 
Mechanism of Attack (primary)1000
ChildOfCategoryCategory233Privilege Escalation 
Mechanism of Attack (primary)1000
PeerOfAttack PatternAttack Pattern35Leverage Executable Code in Nonexecutable Files 
Mechanism of Attack1000
+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: Medium
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ References
G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
+ Content History
Submissions
SubmitterOrganizationDate
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.Cigital, Inc2007-01-01
Modifications
ModifierOrganizationDateComments
Gunnar PetersonCigital, Inc2007-02-28Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software"
Sean BarnumCigital, Inc2007-03-09Review and revise
Richard StruseVOXEM, Inc2007-03-26Review and feedback leading to changes in Name and Description
Sean BarnumCigital, Inc2007-04-16Modified pattern content according to review and feedback