CAPEC-159 Detail

CAPEC-159

Name

Redirect Access to Libraries

Likihood attacks

High

Typical Severity

Status

Stable

Published

2014-06-23
00h00 +00:00

Modified

2022-09-29
00h00 +00:00

Official links

CAPEC Mitre.org

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Notifications manage

List of Notifications

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CAPEC ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Descriptions CAPEC

An adversary exploits a weakness in the way an application searches for external libraries to manipulate the execution flow to point to an adversary supplied library or code base. This pattern of attack allows the adversary to compromise the application or server via the execution of unauthorized code. An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. If an adversary can redirect an application's attempts to access these libraries to other libraries that the adversary supplies, the adversary will be able to force the targeted application to execute arbitrary code. This is especially dangerous if the targeted application has enhanced privileges. Access can be redirected through a number of techniques, including the use of symbolic links, search path modification, and relative path manipulation.

Informations CAPEC

Execution Flow

1) Explore

[Identify Target] The adversary identifies the target application and determines what libraries are being used.

Technique

Find public source code and identify library dependencies.
Gain access to the system hosting the application and look for libraries in common locations.

2) Experiment

[Deploy Malicious Libraries] The adversary crafts malicious libraries and deploys them on the system where the application is running, or in a remote location that can be loaded by the application.

3) Exploit

[Redirect Library Calls to Malicious Library] Once the malicious library crafted by the adversary is deployed, the adversary will manipulate the flow of the application such that it calls the malicious library. This can be done in a variety of ways based on how the application is loading and calling libraries.

Technique

Poison the DNS cache of the system so that it loads a malicious library from a remote location hosted by the adversary instead of the legitimate location
Create a symlink that tricks the application into thinking that a malicious library is the legitimate library.
Use DLL side-loading to place a malicious verison of a DLL in the windows directory.

Prerequisites

The target must utilize external libraries and must fail to verify the integrity of these libraries before using them.

Skills Required

To modify the entries in the configuration file pointing to malicious libraries
To force symlink and timing issues for redirecting access to libraries
To reverse engineering the libraries and inject malicious code into the libraries

Mitigations

Implementation: Restrict the permission to modify the entries in the configuration file.
Implementation: Check the integrity of the dynamically linked libraries before use them.
Implementation: Use obfuscation and other techniques to prevent reverse engineering the libraries.

Related Weaknesses

CWE-ID	Weakness Name
CWE-706	Use of Incorrectly-Resolved Name or Reference The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

References

REF-29

Share Library Call Redirection Via ELF PLT Infection
Silvio Cesare.
http://phrack.org/issues/56/7.html

REF-30

OWASP Top 10 2007
https://www.owasp.org/www-pdf-archive/OWASP_Top_10_2007.pdf

Submission

Name	Organization	Date	Date release
CAPEC Content Team	The MITRE Corporation	2014-06-23 +00:00

Modifications

Name	Organization	Date	Comment
CAPEC Content Team	The MITRE Corporation	2015-11-09 +00:00	Updated References
CAPEC Content Team	The MITRE Corporation	2018-07-31 +00:00	Updated Attack_Phases, Description, Description Summary, References, Related_Weaknesses
CAPEC Content Team	The MITRE Corporation	2019-04-04 +00:00	Updated Related_Attack_Patterns, Related_Weaknesses
CAPEC Content Team	The MITRE Corporation	2020-07-30 +00:00	Updated Taxonomy_Mappings
CAPEC Content Team	The MITRE Corporation	2020-12-17 +00:00	Updated References
CAPEC Content Team	The MITRE Corporation	2021-06-24 +00:00	Updated Related_Attack_Patterns, Taxonomy_Mappings
CAPEC Content Team	The MITRE Corporation	2022-02-22 +00:00	Updated Execution_Flow
CAPEC Content Team	The MITRE Corporation	2022-09-29 +00:00	Updated Related_Attack_Patterns