CAPEC-65 - Passively Sniff and Capture Application Code Bound for Authorized Client

Attackers can capture application code bound for the client and can use it, as-is or through reverse-engineering, to glean sensitive information or exploit the trust relationship between the client and server.

Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server.

  • Purposes: Reconnaissance; Exploitation
  • Security principles: Never Assuming that Your Secrets Are Safe; Securing the Weakest Link
  • Scopes: Read application data (Confidentiality); Gain privileges / assume identity (Authorization, Access Control, Confidentiality)

Medium level: The attacker needs to set up a sniffer for a sufficient period of time to capture meaningful quantities of code. The presence of the sniffer must not be detected on the network. If the attacker also plans to employ a man-in-the-middle attack, neither the client nor the server must notice it. Finally, the attacker needs to regenerate source code from binary code if need be.

The attacker must have the ability to place himself in the communication path between the client and server.

The targeted application must receive some application code from the server; for example, dynamic updates, patches, applets or scripts.

The attacker must be able to employ a sniffer on the network without being detected.

The attacker needs the ability to capture communications between the client being updated and the server providing the update.

Use Well-Known Cryptography Appropriately and Correctly

Use Authentication Mechanisms, Where Appropriate, Correctly

Step 1 -

The attacker sets up a sniffer in the path between the server and the client and watches the traffic.

Technique ID: 1 - Environment(s) env-ClientServer

The attacker sets up a sniffer in the path between the server and the client.

Security Control ID: 1

Type: Detective

Check the network interface (e.g., ifconfig/ipconfig) to see whether the network adapter is running in promiscuous mode.

Security Control ID: 2

Type: Preventative

Encrypt all communications between the server and client.


Outcome ID: 1

Type: Success

The attacker successfully sets up a sniffer in the path between the server and client.

Outcome ID: 2

Type: Failure

The attacker could not set up a sniffer in the path between the server and client.



Step 1 -

The attacker knows that the computer/OS/application can request new applications to install, or that it periodically checks for an available update. The attacker loads the sniffer set up during the Explore phase and extracts the application code from subsequent communication. The attacker then proceeds to reverse engineer the captured code.

Technique ID: 1 - Environment(s) env-Web

Attacker loads the sniffer to capture the application code bound during a dynamic update.

Technique ID: 2 - Environment(s) env-All

The attacker proceeds to reverse engineer the captured code.

Indicator ID: 1 - Environment(s) env-Web

Type: Positive

The attacker can capture the application code bound for the target.

Indicator ID: 2 - Environment(s) env-Web

Type: Inconclusive

The communication between the server and client is encrypted. The attacker may still be able to lift key material from the client.


Security Control ID: 1

Type: Detective

Check the network interface (e.g., ifconfig) to detect the sniffer.

Security Control ID: 2

Type: Preventative

Encrypt all communications between the server and client.


Outcome ID: 1

Type: Success

The attacker captures the application code bound for the target and reverse engineers the captured code.



Do not store secrets in client code

All potentially sensitive data, including code, transmitted to the client must be encrypted

Design: Encrypt all communication between the client and server.

Implementation: Use SSL, SSH, SCP.

Operation: Use "ifconfig/ipconfig" or other tools to detect the sniffer installed in the network.
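The detective control named above (checking whether a network adapter is in promiscuous mode) can be scripted so it runs as a periodic check rather than a manual `ifconfig` inspection. The following is an added example, not part of the CAPEC entry. It assumes a Linux host: it parses the output of `ip -o link show` for the `PROMISC` flag, and it reads the kernel's per-interface flags word from `/sys/class/net/<interface>/flags` and tests the `IFF_PROMISC` bit (0x100, from `<linux/if.h>`). The sample `ip` output embedded below is constructed for the stand-alone run, not captured from a real host.

```python
from __future__ import annotations

import re
from pathlib import Path

# IFF_PROMISC from <linux/if.h>: bit 8 of the interface flags word.
IFF_PROMISC = 0x100

# Matches the start of one `ip -o link show` line, e.g.
#   "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
# The optional "@ifN" suffix appears on veth/VLAN interfaces and is dropped from the name.
_LINK_LINE = re.compile(r"^\d+:\s+(?P<name>[^:@]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")


def promiscuous_from_ip_link(output: str) -> list[str]:
    """Return the names of interfaces whose flag set in `ip -o link show` output contains PROMISC."""
    found = []
    for line in output.splitlines():
        m = _LINK_LINE.match(line.strip())
        if not m:
            continue
        flags = {f.strip() for f in m.group("flags").split(",") if f.strip()}
        if "PROMISC" in flags:
            found.append(m.group("name"))
    return found


def is_promiscuous_flags(flags_word: int) -> bool:
    """True if the IFF_PROMISC bit is set in a kernel interface flags word."""
    return bool(flags_word & IFF_PROMISC)


def promiscuous_from_sysfs(sysfs_net: str = "/sys/class/net") -> list[str]:
    """Read /sys/class/net/<if>/flags (hex) and report interfaces with IFF_PROMISC set.

    Returns an empty list when the sysfs tree is absent (non-Linux host, container without sysfs).
    """
    found = []
    root = Path(sysfs_net)
    if not root.is_dir():
        return found
    for iface in sorted(root.iterdir()):
        try:
            word = int((iface / "flags").read_text().strip(), 16)
        except (OSError, ValueError):
            continue  # not a network interface directory, or unreadable
        if is_promiscuous_flags(word):
            found.append(iface.name)
    return found


# Constructed sample of `ip -o link show` output (not from a real host): eth0 is promiscuous.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: eth1@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
"""


if __name__ == "__main__":
    print("promiscuous in sample output:", promiscuous_from_ip_link(SAMPLE_IP_LINK))
    print("promiscuous on this host (sysfs):", promiscuous_from_sysfs())
```

Two caveats a practitioner should keep in mind. First, the check only sees sniffers running on the host it is executed on; a capture taken from a switch mirror port, a network tap, or an intermediate device in the path shows nothing on either endpoint, which is why the entry's preventative control (encrypting and authenticating the client/server channel) is the one that actually removes the risk. Second, `PROMISC` is also set legitimately by bridges, virtual switches and container networking, so treat a hit as something to triage against an inventory of expected promiscuous interfaces rather than as proof of a sniffer.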