CAPEC-10 - Buffer Overflow via Environment Variables

This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Attack Methods 1
  • Injection
  • Purposes 1
  • Penetration
  • Sec Principles 1
  • Reluctance to trust
  • Scopes 5
  • DoS: crash / exit / restart
  • Availability
  • Execute unauthorized code or commands
  • Availability
  • Integrity
  • Confidentiality
  • Read memory
  • Confidentiality
  • Modify memory
  • Integrity
  • Gain privileges / assume identity
  • Authorization
  • Access_Control
  • Confidentiality

Low level: An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.

High level: Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.

The application uses environment variables.

An environment variable exposed to the user is vulnerable to a buffer overflow.

The vulnerable environment variable uses untrusted data.

Tainted data used in the environment variables is not properly validated. For instance boundary checking is not done before copying the input data to a buffer.

While interacting with a system an attacker would typically investigate for environment variables that can be overwritten. The more a user knows about a system the more likely she will find a vulnerable environment variable.

On a web environment, the attacker can read the client side code and search for environment variables that can be overwritten.

There are tools such as Sharefuzz [R.10.3] which is an environment variable fuzzer for Unix that supports loading a shared library. Attackers can use such tools to uncover a buffer overflow in an environment variable.

Bound checking should be performed when copying data to a buffer.

Step 1 -

The attacker tries to find an environment variable which can be overwritten for instance by gathering information about the target host (error pages, software's version number, etc.)..


Step 1 -

The attacker manipulates the environment variable to contain excessive-length content to cause a buffer overflow..


Step 1 -

The attacker potentially leverages the buffer overflow to inject maliciously crafted code in an attempt to execute privileged command on the target environment..


Do not expose environment variable to the user.

Do not use untrusted data in your environment variables.

Use a language or compiler that performs automatic bounds checking

There are tools such as Sharefuzz [R.10.3] which is an environment variable fuzzer for Unix that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow.