CAPEC-93

Log Injection-Tampering-Forging
Likelihood of Attack: High
Typical Severity: High
Status: Draft
Submitted: 2014-06-23 +00:00
Last modified: 2022-09-29 +00:00

CAPEC Description

This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover the traces of an attack, or perform other malicious actions. The target host does not properly control access to the logs. As a result, tainted data ends up in the log files, leading to a failure of accountability, non-repudiation and incident forensics capability.

CAPEC Information

Execution Flow

1) Explore

[Determine Application's Log File Format] The first step is exploratory: the attacker observes the system, looking for actions and data that are likely to be logged. The attacker may already be familiar with the log format of the system.

Technique
  • Determine logging utility being used by application (e.g. log4j)
  • Gain access to application's source code to determine log file formats.
  • Install or obtain access to instance of application and observe its log file format.
2) Exploit

[Manipulate Log Files] The attacker alters the log contents either directly, through manipulation or forging of the log file, or indirectly, through injection of specially crafted input that the target software writes to the logs. This type of attack typically follows another attack and is used to cover the traces of the previous one.

Technique

Prerequisites

The target host logs the actions and data of the user.
    The target host insufficiently protects access to the logs or logging mechanisms.

Skills Required

    This attack can be as simple as adding extra characters to the logged data (e.g. username). Adding entries is typically easier than removing entries.
    A more sophisticated attack can try to defeat the input validation mechanism.

Mitigations

    Carefully control access to physical log files.
    Do not allow tainted data to be written in the log file without prior input validation. An allowlist may be used to properly validate the data.
    Use synchronization to control the flow of execution.
    Use static analysis tools to identify log forging vulnerabilities.
    Avoid viewing logs with tools that may interpret control characters in the file, such as command-line shells.
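The following is an added example, not part of the CAPEC entry or of any real product, illustrating both the indirect injection technique of the Exploit step and the input-validation and output-neutralization mitigations listed above. It uses Python's standard logging module; the log format, the username allowlist, the FORGED_USERNAME sample and the audit routine are constructed for the demonstration. A constructed username carrying an embedded LF and an ANSI escape sequence is logged once through a plain formatter (the naive audit then sees two events, one of them a forged "admin login succeeded") and once through a formatter that neutralizes control characters (the audit sees exactly one event, with the payload visible but inert):

```python
import io
import logging
import re

# Constructed sample input: the attacker submits this string as a username.
# The embedded LF terminates the real entry and starts a forged one that mimics
# a successful admin login; the trailing ESC sequence (clear screen) would be
# acted on by a terminal that renders the file, which is why the mitigation
# above warns against viewing logs with tools that interpret control characters.
FORGED_USERNAME = "mallory\nINFO login succeeded user=admin\x1b[2J"

# Constructed log format: the level is the first token of every line, so a
# forged line only has to start with a plausible level to pass a naive audit.
LOG_FORMAT = "%(levelname)s %(message)s"

# Allowlist mitigation (assumed policy): usernames are a small, explicit
# character set. Anything else is rejected before it is used, let alone logged.
_USERNAME_ALLOWLIST = re.compile(r"[A-Za-z0-9_.-]{1,32}")

# Output-neutralization mitigation: C0 control characters (including CR, LF
# and ESC), DEL, and backslash. Backslash is included so an attacker cannot
# write a literal "\x0a" that an auditor would mistake for an escaped newline.
_NEUTRALIZE = re.compile(r"[\x00-\x1f\x7f\\]")


def username_is_allowed(username: str) -> bool:
    """Input-validation layer: accept only allowlisted usernames."""
    return _USERNAME_ALLOWLIST.fullmatch(username) is not None


class NeutralizingFormatter(logging.Formatter):
    """Hardened formatter: render the record normally, then rewrite every
    control character and backslash as a visible \\xNN escape, so one record
    is always exactly one line and no terminal escape sequence survives.
    Exception tracebacks attached to a record are flattened as well; that is
    deliberate for a line-oriented audit log."""

    def format(self, record: logging.LogRecord) -> str:
        rendered = super().format(record)
        return _NEUTRALIZE.sub(lambda m: "\\x%02x" % ord(m.group()), rendered)


def emit_failed_login(username: str, formatter: logging.Formatter) -> str:
    """Log one failed-login event through the given formatter and return the
    raw text that reached the log sink (an in-memory buffer standing in for
    the log file)."""
    sink = io.StringIO()
    handler = logging.StreamHandler(sink)
    handler.setFormatter(formatter)
    logger = logging.getLogger("capec93.%d" % id(formatter))
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    # Parameterised logging alone does NOT help: the username is still copied
    # verbatim into the rendered line by a plain Formatter.
    logger.warning("login failed user=%s", username)
    handler.flush()
    return sink.getvalue()


def audit(log_text: str) -> list:
    """Naive line-oriented audit (the consumer the forgery targets): one line
    is one event, and the first token is the level."""
    events = []
    for line in log_text.splitlines():
        level, _, message = line.partition(" ")
        events.append((level, message))
    return events


def vulnerable_audit() -> list:
    """Events an auditor sees when the tainted username reaches a plain formatter."""
    return audit(emit_failed_login(FORGED_USERNAME, logging.Formatter(LOG_FORMAT)))


def hardened_audit() -> list:
    """Events an auditor sees when the same input goes through NeutralizingFormatter."""
    return audit(emit_failed_login(FORGED_USERNAME, NeutralizingFormatter(LOG_FORMAT)))


if __name__ == "__main__":
    print("allowlist accepts forged username:", username_is_allowed(FORGED_USERNAME))
    print("vulnerable audit:", vulnerable_audit())
    print("hardened audit:  ", hardened_audit())
```

The allowlist check is the right place to stop username-shaped values; the formatter is the last line of defence for fields that legitimately carry free text (headers, comments, error strings) and so cannot be allowlisted. Escaping to `\xNN` rather than silently deleting the characters keeps the attacker's payload visible to the auditor, which is itself evidence of an attempted log forgery.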

    Related Weaknesses

    CWE-117 - Improper Output Neutralization for Logs
    The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.

    CWE-75 - Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
    The product does not adequately filter user-controlled input for special elements with control implications.

    CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences
    The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

    References

    REF-131: J. Viega, G. McGraw. Building Secure Software.

    REF-550: A. Muffet. The night the log was forged. http://doc.novsu.ac.ru/oreilly/tcpip/puis/ch10_05.htm

    REF-551: The OWASP Application Security Desk Reference. https://www.owasp.org/index.php/Log_Injection

    REF-552: Fortify Software. SAMATE - Software Assurance Metrics And Tool Evaluation. https://samate.nist.gov/SRD/view_testcase.php?tID=1579

    Submission

    Name | Organization | Date | Release Date
    CAPEC Content Team | The MITRE Corporation | 2014-06-23 +00:00

    Modifications

    Name | Organization | Date | Comment
    CAPEC Content Team | The MITRE Corporation | 2015-11-09 +00:00 | Updated References
    CAPEC Content Team | The MITRE Corporation | 2017-05-01 +00:00 | Updated Related_Attack_Patterns, Related_Weaknesses
    CAPEC Content Team | The MITRE Corporation | 2018-07-31 +00:00 | Updated Examples-Instances, References
    CAPEC Content Team | The MITRE Corporation | 2020-07-30 +00:00 | Updated Description, Mitigations, Related_Attack_Patterns
    CAPEC Content Team | The MITRE Corporation | 2021-06-24 +00:00 | Updated Related_Weaknesses
    CAPEC Content Team | The MITRE Corporation | 2022-09-29 +00:00 | Updated Example_Instances, Execution_Flow, Taxonomy_Mappings