CAPEC-76 - Manipulating Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

  • Attack Methods (3): Injection; API Abuse; Modification of Resources
  • Purposes (1): Exploitation
  • Scopes (2): Gain privileges / assume identity (Authorization, Access Control, Confidentiality); Modify application data (Integrity)

Low level (attacker skill): identify a file system entry point and execute against an over-privileged system interface.

The program must allow user-controlled variables to be applied directly to the file system.

Step 1 (Explore) - Fingerprinting of the operating system

In order to create a valid file injection, the attacker needs to know what the underlying OS is.

Technique ID: 1 - Environment(s) env-Local env-CommProtocol env-Peer2Peer env-ClientServer

Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.

Technique ID: 2 - Environment(s) env-Embedded env-CommProtocol env-Peer2Peer env-ClientServer env-Web

TCP/IP fingerprinting. The attacker uses various software to make connections or partial connections and observes idiosyncratic responses from the operating system. Using those responses, he attempts to guess the actual operating system.

Technique ID: 3 - Environment(s) env-All

Induce errors to find informative error messages.

Indicator ID: 1 - Environment(s) env-Embedded env-CommProtocol env-Peer2Peer env-ClientServer env-Web

Type: Positive

The target software accepts connections via the network.


Security Control ID: 1

Type: Preventative

Provide misleading information in TCP/IP fingerprints (some operating systems can be configured to send signatures that match other operating systems).

Security Control ID: 2

Type: Preventative

Provide misleading information at the server level (e.g., Apache, IIS, WebLogic, etc.) to announce a different server software.

Security Control ID: 3

Type: Detective

Some fingerprinting techniques can be detected by operating systems or by network IDS systems because they leave the network connection half-open, or they do not belong to a valid, open connection.


Outcome ID: 1

Type: Success

Operating environment (operating system, language, and/or middleware) is correctly identified.

Outcome ID: 2

Type: Inconclusive

Multiple candidate operating environments are suggested.


Step 2 (Explore) - Survey the Application to Identify User-controllable Inputs

The attacker surveys the target application to identify all user-controllable inputs, possibly as a valid and authenticated user.

Technique ID: 1 - Environment(s) env-Web

Spider web sites for all available links and entry points to the web site.

Technique ID: 2 - Environment(s) env-All

Manually explore the application and inventory all application inputs.

Security Control ID: 1

Type: Detective

Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).

Security Control ID: 2

Type: Detective

Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.

Security Control ID: 3

Type: Preventative

Actively monitor the application and either deny or redirect requests from origins that appear to be automated.

Security Control ID: 4

Type: Detective

Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).


Outcome ID: 1

Type: Success

The attacker develops a list of likely interesting paths (application or OS related).



Step 1 (Experiment) - Vary inputs, looking for malicious results

Depending on whether the application being exploited is remote or local, the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application.

Technique ID: 1 - Environment(s) env-CommProtocol env-Web env-Peer2Peer env-ClientServer

Inject a context-appropriate malicious file path using network packet injection tools (netcat, nemesis, etc.).

Technique ID: 2 - Environment(s) env-Web

Inject a context-appropriate malicious file path using web test frameworks (proxies, TamperData, custom programs, etc.) or simple HTTP requests.

Technique ID: 3 - Environment(s) env-CommProtocol env-Web env-Peer2Peer env-ClientServer

Inject context-appropriate malicious file system control syntax.

Indicator ID: 1 - Environment(s) env-All

Type: Positive

Inventorying in prior step is successful.


Outcome ID: 1

Type: Success

One or more injections that are appropriate to the platform provoke an unexpected response from the software, which can be varied by the attacker based on the input.



Step 1 (Exploit) - Manipulate files accessible by the application

The attacker may steal information or directly manipulate files (delete, copy, flush, etc.).

Technique ID: 1 - Environment(s) env-All

The attacker injects a context-appropriate malicious file path to access the content of the targeted file.

Technique ID: 2 - Environment(s) env-All

The attacker injects context-appropriate malicious file system control syntax to access the content of the targeted file.

Technique ID: 3 - Environment(s) env-All

The attacker injects a context-appropriate malicious file path to cause the application to create or delete a targeted file.

Technique ID: 4 - Environment(s) env-All

The attacker injects context-appropriate malicious file system control syntax to cause the application to create or delete a targeted file.

Technique ID: 5 - Environment(s) env-All

The attacker injects a context-appropriate malicious file path in order to manipulate the metadata of the targeted file.

Technique ID: 6 - Environment(s) env-All

The attacker injects context-appropriate malicious file system control syntax in order to manipulate the metadata of the targeted file.

Security Control ID: 1

Type: Detective

Use a system that logs file modification and/or access.

Security Control ID: 2

Type: Preventative

Run the application in a low-privileged mode so that such an attack cannot reach important files.


Outcome ID: 1

Type: Success

The software performs an action the attacker desires. This might be displaying information, storing information in a file, deleting a file, or some other malicious activity.



Design: Enforce principle of least privilege.

Design: Ensure all input is validated and does not contain file system commands.

Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.

Design: For interactive user applications, consider whether a direct file system interface is necessary; instead, consider having the application proxy the communication.

Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.
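The input-validation and least-privilege mitigations above, as an added example that is not part of the CAPEC entry: a Python check that canonicalises a user-supplied relative path and only accepts it if it resolves inside an allowed base directory. The function names and the sample file tree are assumptions constructed for the demonstration; the tree includes a symlink pointing outside the base directory, which a naive substring check for "../" would miss.

```python
import os
import tempfile


class UnsafePathError(ValueError):
    """Raised when a user-supplied path would escape the allowed directory."""


def resolve_within(base_dir, user_path):
    """Return the canonical absolute path of user_path confined to base_dir.

    Rejects NUL bytes, absolute paths and any path whose real form (after
    '..' normalisation and symlink resolution) lies outside base_dir.
    """
    if "\x00" in user_path:
        raise UnsafePathError("NUL byte in path")
    if os.path.isabs(user_path) or os.path.splitdrive(user_path)[0]:
        raise UnsafePathError("absolute or drive-qualified path not allowed")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    # Comparing canonical paths catches both '../' sequences and symlinks
    # inside base_dir that point outside it (a raw-string check misses both).
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise UnsafePathError("path escapes base directory: %r" % user_path)
    return candidate


def is_confined(base_dir, user_path):
    """True if user_path resolves inside base_dir, False otherwise."""
    try:
        resolve_within(base_dir, user_path)
        return True
    except UnsafePathError:
        return False


def build_demo_tree():
    """Constructed sample layout for trying the check offline:
    <tmp>/public/readme.txt (served), <tmp>/secret.txt (must not be served)
    and <tmp>/public/link, a symlink to secret.txt. Returns the public dir."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "public")
    os.makedirs(base)
    with open(os.path.join(base, "readme.txt"), "w") as fh:
        fh.write("hello")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("do not serve")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "link"))
    return base
```

Pair this check with the file-access logging control above: every UnsafePathError is a concrete, loggable signal that someone is probing the file system interface.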