Manipulating Input to File System Calls
Attack Pattern ID: 76 (Standard Attack Pattern Completeness: Complete) | Typical Severity: Very High | Status: Draft
Summary
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
Attack Execution Flow
Fingerprinting of the operating system:
In order to create a valid file injection, the attacker needs to know what the underlying OS is.
Attack Step Techniques
ID | Attack Step Technique Description | Environments
---|---|---
1 | Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports. | env-Local, env-CommProtocol, env-Peer2Peer, env-ClientServer
2 | TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, he attempts to guess the actual operating system. | env-Embedded, env-CommProtocol, env-Peer2Peer, env-ClientServer, env-Web
3 | Induce errors to find informative error messages. | env-All
Indicators
ID | Type | Indicator Description | Environments
---|---|---|---
1 | Positive | The target software accepts connections via the network. | env-Embedded, env-CommProtocol, env-Peer2Peer, env-ClientServer, env-Web
Outcomes
ID | Type | Outcome Description
---|---|---
1 | Success | Operating environment (operating system, language, and/or middleware) is correctly identified.
2 | Inconclusive | Multiple candidate operating environments are suggested.
Security Controls
ID | Type | Security Control Description
---|---|---
1 | Preventative | Provide misleading information on TCP/IP fingerprints (some operating systems can be configured to send signatures that match other operating systems).
2 | Preventative | Provide misleading information at the server level (e.g., Apache, IIS, WebLogic, etc.) to announce a different server software.
3 | Detective | Some fingerprinting techniques can be detected by operating systems or by network IDS systems because they leave the network connection half-open, or they do not belong to a valid, open connection.
Survey the Application to Identify User-controllable Inputs:
The attacker surveys the target application to identify all user-controllable inputs, possibly as a valid and authenticated user.
Attack Step Techniques
ID | Attack Step Technique Description | Environments
---|---|---
1 | Spider web sites for all available links, entry points to the web site. | env-Web
2 | Manually explore the application and inventory all application inputs. | env-All
Outcomes
ID | Type | Outcome Description
---|---|---
1 | Success | The attacker develops a list of likely interesting paths (application or OS related).
Security Controls
ID | Type | Security Control Description
---|---|---
1 | Detective | Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
2 | Detective | Create links on some pages that are visually hidden from web browsers. Using IFRAMES, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
3 | Preventative | Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
4 | Detective | Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
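As an added illustration of detective controls 1 and 2 above (this is example code, not part of the CAPEC entry), a small Python log analyser that flags a client whose request spacing is both fast and regular, or that fetched a link hidden from human visitors. The log format, the addresses and the trap path are constructed for this example.

```python
import re
import statistics
from datetime import datetime

# Constructed sample log, not from the page: "<timestamp> <client_ip> <method> <path>".
SAMPLE_LOG = """\
2023-10-10T13:55:36.000 203.0.113.5 GET /
2023-10-10T13:55:36.800 203.0.113.5 GET /about
2023-10-10T13:55:37.600 203.0.113.5 GET /products
2023-10-10T13:55:38.400 203.0.113.5 GET /contact
2023-10-10T13:55:39.200 203.0.113.5 GET /.hidden-trap
2023-10-10T13:55:30.000 198.51.100.7 GET /
2023-10-10T13:55:52.000 198.51.100.7 GET /about
2023-10-10T13:56:31.000 198.51.100.7 GET /products
2023-10-10T13:57:05.000 198.51.100.7 GET /contact
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Paths of links hidden from human visitors (hypothetical; control 2 above).
TRAP_PATHS = {"/.hidden-trap"}

def parse_log(text):
    """Group (timestamp, path) pairs by client address."""
    per_client = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, _method, path = m.groups()
            per_client.setdefault(ip, []).append((datetime.fromisoformat(ts), path))
    return per_client

def classify_client(events, max_mean_gap=2.0, max_cv=0.25, min_requests=4):
    """Return the reasons a client looks automated (empty set if it looks human)."""
    reasons = set()
    if any(path in TRAP_PATHS for _, path in events):
        reasons.add("hidden-link")
    times = sorted(t for t, _ in events)
    if len(times) >= min_requests:
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: tools space requests almost identically, humans do not.
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        if mean <= max_mean_gap and cv <= max_cv:
            reasons.add("regular-fast-fetching")
    return reasons

def find_automated_clients(text):
    """Map each suspicious client address to its reasons (control 1 above)."""
    flagged = {ip: classify_client(ev) for ip, ev in parse_log(text).items()}
    return {ip: r for ip, r in flagged.items() if r}
```

The thresholds are starting points; tune them against your own traffic before acting on a flag.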
Vary inputs, looking for malicious results:
Depending on whether the application being exploited is remote or local, the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application.
Attack Step Techniques
ID | Attack Step Technique Description | Environments
---|---|---
1 | Inject context-appropriate malicious file path using network packet injection tools (netcat, nemesis, etc.). | env-CommProtocol, env-Web, env-Peer2Peer, env-ClientServer
2 | Inject context-appropriate malicious file path using web test frameworks (proxies, TamperData, custom programs, etc.) or simple HTTP requests. | env-Web
3 | Inject context-appropriate malicious file system control syntax. | env-CommProtocol, env-Web, env-Peer2Peer, env-ClientServer
Indicators
ID | Type | Indicator Description | Environments
---|---|---|---
1 | Positive | Inventorying in the prior step is successful. | env-All
Outcomes
ID | Type | Outcome Description
---|---|---
1 | Success | One or more injections that are appropriate to the platform provoke an unexpected response from the software, which can be varied by the attacker based on the input.
Manipulate files accessible by the application:
The attacker may steal information or directly manipulate files (delete, copy, flush, etc.).
Attack Step Techniques
ID | Attack Step Technique Description | Environments
---|---|---
1 | The attacker injects a context-appropriate malicious file path to access the content of the targeted file. | env-All
2 | The attacker injects context-appropriate malicious file system control syntax to access the content of the targeted file. | env-All
3 | The attacker injects a context-appropriate malicious file path to cause the application to create or delete a targeted file. | env-All
4 | The attacker injects context-appropriate malicious file system control syntax to cause the application to create or delete a targeted file. | env-All
5 | The attacker injects a context-appropriate malicious file path in order to manipulate the metadata of the targeted file. | env-All
6 | The attacker injects context-appropriate malicious file system control syntax in order to manipulate the metadata of the targeted file. | env-All
Outcomes
ID | Type | Outcome Description
---|---|---
1 | Success | The software performs an action the attacker desires. This might be displaying information, storing information in a file, deleting a file, or some other malicious activity.
Security Controls
ID | Type | Security Control Description
---|---|---
1 | Detective | Use a system that logs file modification and/or access.
2 | Preventative | Run the application in a low-privileged mode so that such an attack cannot reach important files.
The program must allow user-controlled variables to be applied directly to the filesystem.
Description
An example of using path traversal to attack some set of resources on a web server is to use a standard HTTP request such as:
http://example/../../../../../etc/passwd
From an attacker's point of view, this may be sufficient to gain access to the password file on a poorly protected system. If the attacker can list directories of critical resources, then read-only access is not sufficient to protect the system.
Skill or Knowledge Level: Low
To identify a file system entry point and execute against an overprivileged system interface.
Design: Enforce principle of least privilege.
Design: Ensure all input is validated and does not contain file system commands.
Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if the attacker gains some limited access to commands.
Design: For interactive user applications, consider whether a direct file system interface is necessary; instead, consider having the application proxy the communication.
Implementation: Perform testing such as pentesting and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.
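To make the "validate all input" mitigation concrete for the request shown in the Description, here is an added Python example (not code from the CAPEC entry or any named project) that places the weak document-root join beside a hardened resolver. The hardened form goes a little beyond the page: it also decodes percent-encoded dot segments and canonicalises symlinks so a link pointing outside the root (CWE-59) is refused. The function names, the temporary document root and the request strings are all constructed for this example.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote

def _inside(root: Path, candidate: Path) -> bool:
    """Containment by path components, not string prefix, so that
    /var/www-private is not mistaken for a child of /var/www."""
    return candidate == root or root in candidate.parents

def vulnerable_resolve(base_dir: str, user_path: str) -> str:
    """The weak form this pattern targets: the request path is glued onto the
    document root, so '../' segments walk straight out of it (CWE-22/23)."""
    return os.path.join(base_dir, unquote(user_path).lstrip("/"))

def safe_resolve(base_dir: str, user_path: str) -> str:
    """Hardened form: decode once, canonicalise (following symlinks, CWE-59),
    then refuse anything that no longer sits under the document root."""
    root = Path(base_dir).resolve()
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise ValueError("embedded NUL byte")
    candidate = (root / decoded.lstrip("/")).resolve()
    if not _inside(root, candidate):
        raise ValueError(f"path escapes document root: {user_path!r}")
    return str(candidate)

def demo() -> dict:
    """Build a throwaway document root and send the page's request to both forms."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "www")
        root.mkdir()
        (root / "index.html").write_text("<h1>hi</h1>")
        secret = Path(tmp, "secret.txt")  # lives outside the document root
        secret.write_text("not for you")
        (root / "escape").symlink_to(secret)  # link pointing out of the root
        results = {}
        for req in ("index.html", "../../../../../etc/passwd",
                    "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "escape"):
            try:
                results[req] = Path(safe_resolve(str(root), req)).name
            except ValueError:
                results[req] = "rejected"
        naive = Path(os.path.normpath(vulnerable_resolve(str(root), "../../../../../etc/passwd")))
        results["naive_escapes"] = not _inside(root.resolve(), naive)
        results["prefix_trap"] = _inside(Path("/var/www"), Path("/var/www-private"))
        return results
```

Calling demo() shows the naive join landing outside the root while the hardened resolver rejects every traversal form and the symlink, and serves only index.html.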
CWE-ID | Weakness Name | Weakness Relationship Type |
---|---|---|
23 | Relative Path Traversal | Targeted |
22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Targeted |
73 | External Control of File Name or Path | Targeted |
77 | Improper Sanitization of Special Elements used in a Command ('Command Injection') | Targeted |
346 | Origin Validation Error | Targeted |
348 | Use of Less Trusted Source | Targeted |
285 | Improper Access Control (Authorization) | Secondary |
264 | Permissions, Privileges, and Access Controls | Secondary |
272 | Least Privilege Violation | Targeted |
59 | Improper Link Resolution Before File Access ('Link Following') | Targeted |
74 | Failure to Sanitize Data into a Different Plane ('Injection') | Targeted |
15 | External Control of System or Configuration Setting | Targeted |
715 | OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference | Targeted |
Nature | Type | ID | Name | Description | View(s) this relationship pertains to
---|---|---|---|---|---
ChildOf | Attack Pattern | 13 | Subverting Environment Variable Values | | Mechanism of Attack (1000)
ChildOf | Attack Pattern | 137 | Parameter Injection | | Mechanism of Attack (primary) (1000)
ChildOf | Attack Pattern | 171 | Variable Manipulation | | Mechanism of Attack (primary) (1000)
Submissions
Submitter | Organization | Date
---|---|---
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-01-01
Modifications
Modifier | Organization | Date | Comments
---|---|---|---
Gunnar Peterson | Cigital, Inc | 2007-02-28 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software"
Sean Barnum | Cigital, Inc | 2007-03-09 | Review and revise
Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Name and Description
Sean Barnum | Cigital, Inc | 2007-04-16 | Modified pattern content according to review and feedback
Romain Gaucher | Cigital, Inc | 2009-02-10 | Created draft content for detailed description
Sean Barnum | Cigital Federal, Inc | 2009-04-13 | Reviewed and revised content for detailed description