CAPEC-36

Using Unpublished Interfaces or Functionality
Medium
High
Draft
2014-06-23
00h00 +00:00
2022-09-29
00h00 +00:00
CAPEC Mitre.org
Alerte pour un CAPEC
Stay informed of any changes for a specific CAPEC.
Notifications manage

Descriptions CAPEC

An adversary searches for and invokes interfaces or functionality that the target system designers did not intend to be publicly available. If interfaces fail to authenticate requests, the attacker may be able to invoke functionality they are not authorized for.

Informations CAPEC

Execution Flow

1) Explore

[Identify services] Discover a service of interest by exploring service registry listings or by connecting on a known port or some similar means.

Technique
  • Search via internet for known, published services.
  • Use automated tools to scan known ports to identify internet-enabled services.
  • Dump the code from the chip and then perform reverse engineering to analyze the code.
2) Explore

[Authenticate to service] Authenticate to the service, if required, in order to explore it.

Technique
  • Use published credentials to access system.
  • Find unpublished credentials to access service.
  • Use other attack pattern or weakness to bypass authentication.
3) Explore

[Identify all interfaces] Determine the exposed interfaces by querying the registry as well as probably sniffing to expose interfaces that are not explicitly listed.

Technique
  • For any published services, determine exposed interfaces via the documentation provided.
  • For any services found, use error messages from poorly formed service calls to determine valid interfaces. In some cases, services will respond to poorly formed calls with valid ones.
4) Experiment

[Attempt to discover unpublished functions] Using manual or automated means, discover unpublished or undocumented functions exposed by the service.

Technique
  • Manually attempt calls to the service using an educated guess approach, including the use of terms like' 'test', 'debug', 'delete', etc.
  • Use automated tools to scan the service to attempt to reverse engineer exposed, but undocumented, features.
5) Exploit

[Exploit unpublished functions] Using information determined via experimentation, exploit the unpublished features of the service.

Technique
  • Execute features that are not intended to be used by general system users.
  • Craft malicious calls to features not intended to be used by general system users that take advantage of security flaws found in the functions.

Prerequisites

The architecture under attack must publish or otherwise make available services that clients can attach to, either in an unauthenticated fashion, or having obtained an authentication token elsewhere. The service need not be 'discoverable', but in the event it isn't it must have some way of being discovered by an attacker. This might include listening on a well-known port. Ultimately, the likelihood of exploit depends on discoverability of the vulnerable service.

Skills Required

A number of web service digging tools are available for free that help discover exposed web services and their interfaces. In the event that a web service is not listed, the attacker does not need to know much more in addition to the format of web service messages that they can sniff/monitor for.

Resources Required

None: No specialized resources are required to execute this type of attack. Web service digging tools may be helpful.

Mitigations

Authenticating both services and their discovery, and protecting that authentication mechanism simply fixes the bulk of this problem. Protecting the authentication involves the standard means, including: 1) protecting the channel over which authentication occurs, 2) preventing the theft, forgery, or prediction of authentication credentials or the resultant tokens, or 3) subversion of password reset and the like.

Related Weaknesses

CWE-ID Weakness Name

CWE-306

 Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

CWE-693

 Protection Mechanism Failure
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

CWE-695

 Use of Low-Level Functionality
The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate.

CWE-1242

 Inclusion of Undocumented Features or Chicken Bits
The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.

Submission

Name Organization Date Date release
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Name Organization Date Comment
CAPEC Content Team The MITRE Corporation 2015-12-07 +00:00 Updated Attack_Phases, Attack_Prerequisites, Description Summary
CAPEC Content Team The MITRE Corporation 2017-08-04 +00:00 Updated Attack_Phases, Resources_Required
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated @Name, Description, Execution_Flow, Related_Attack_Patterns, Related_Weaknesses, Skills_Required
CAPEC Content Team The MITRE Corporation 2022-09-29 +00:00 Updated @Name, Description, Execution_Flow, Extended_Description, Related_Attack_Patterns
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.