CAPEC-76

Manipulating Web Input to File System Calls
HIGH
Draft
2014-06-23 00:00 +00:00
2022-09-29 00:00 +00:00

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.
Alert management

Description

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

Informations

Execution Flow

1) Explore

[Fingerprinting of the operating system] In order to create a valid file injection, the attacker needs to know what the underlying OS is so that the proper file seperator is used.

Technique
  • Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
  • TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
  • Induce errors to find informative error messages

2) Explore

[Survey the Application to Identify User-controllable Inputs] The attacker surveys the target application to identify all user-controllable inputs, possibly as a valid and authenticated user

Technique
  • Spider web sites for all available links, entry points to the web site.
  • Manually explore application and inventory all application inputs

3) Experiment

[Vary inputs, looking for malicious results] Depending on whether the application being exploited is a remote or local one, the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application

Technique
  • Inject context-appropriate malicious file path using network packet injection tools (netcat, nemesis, etc.)
  • Inject context-appropriate malicious file path using web test frameworks (proxies, TamperData, custom programs, etc.) or simple HTTP requests
  • Inject context-appropriate malicious file system control syntax

4) Exploit

[Manipulate files accessible by the application] The attacker may steal information or directly manipulate files (delete, copy, flush, etc.)

Technique
  • The attacker injects context-appropriate malicious file path to access the content of the targeted file.
  • The attacker injects context-appropriate malicious file system control syntax to access the content of the targeted file.
  • The attacker injects context-appropriate malicious file path to cause the application to create, delete a targeted file.
  • The attacker injects context-appropriate malicious file system control syntax to cause the application to create, delete a targeted file.
  • The attacker injects context-appropriate malicious file path in order to manipulate the meta-data of the targeted file.
  • The attacker injects context-appropriate malicious file system control syntax in order to manipulate the meta-data of the targeted file.

Prerequisites

Program must allow for user controlled variables to be applied directly to the filesystem

Skills Required

To identify file system entry point and execute against an over-privileged system interface

Mitigations

Design: Enforce principle of least privilege.
Design: Ensure all input is validated, and does not contain file system commands
Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.
Design: For interactive user applications, consider if direct file system interface is necessary, instead consider having the application proxy communication.
Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.

Related Weaknesses

CWE-ID Weakness Name
CWE-23 Relative Path Traversal
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-73 External Control of File Name or Path
The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-346 Origin Validation Error
The product does not properly verify that the source of data or communication is valid.
CWE-348 Use of Less Trusted Source
The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
CWE-285 Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-272 Least Privilege Violation
The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.
CWE-59 Improper Link Resolution Before File Access ('Link Following')
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-15 External Control of System or Configuration Setting
One or more system settings or configuration elements can be externally controlled by a user.

References

REF-1

Exploiting Software: How to Break Code
G. Hoglund, G. McGraw.

Submission

Name Organization Date Date Release
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Name Organization Date Comment
CAPEC Content Team The MITRE Corporation 2017-01-09 +00:00 Updated Examples-Instances, Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated Execution_Flow
CAPEC Content Team The MITRE Corporation 2021-06-24 +00:00 Updated Related_Weaknesses
CAPEC Content Team The MITRE Corporation 2021-10-21 +00:00 Updated Execution_Flow
CAPEC Content Team The MITRE Corporation 2022-09-29 +00:00 Updated Example_Instances
Click on the button to the left (OFF), to authorize the inscription of cookie improving the functionalities of the site. Click on the button to the left (Accept all), to unauthorize the inscription of cookie improving the functionalities of the site.