CAPEC-37 Detail

CAPEC-37

Name

Retrieve Embedded Sensitive Data

Likihood attacks

High

Typical Severity

Status

Draft

Published

2014-06-23
00h00 +00:00

Modified

2022-09-29
00h00 +00:00

Official links

CAPEC Mitre.org

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Notifications manage

List of Notifications

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CAPEC ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Descriptions CAPEC

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.

Informations CAPEC

Execution Flow

1) Explore

[Identify Target] Attacker identifies client components to extract information from. These may be binary executables, class files, shared libraries (e.g., DLLs), configuration files, or other system files.

Technique

Binary file extraction. The attacker extracts binary files from zips, jars, wars, PDFs or other composite formats.
Package listing. The attacker uses a package manifest provided with the software installer, or the filesystem itself, to identify component files suitable for attack.

2) Exploit

[Retrieve Embedded Data] The attacker then uses a variety of techniques, such as sniffing, reverse-engineering, and cryptanalysis to retrieve the information of interest.

Technique

API Profiling. The attacker monitors the software's use of registry keys or other operating system-provided storage locations that can contain sensitive information.
Execution in simulator. The attacker physically removes mass storage from the system and explores it using a simulator, external system, or other debugging harness.
Common decoding methods. The attacker applies methods to decode such encodings and compressions as Base64, unzip, unrar, RLE decoding, gzip decompression and so on.
Common data typing. The attacker looks for common file signatures for well-known file types (JPEG, TIFF, ASN.1, LDIF, etc.). If the signatures match, they attempt decoding in that format.

Prerequisites

In order to feasibly execute this type of attack, some valuable data must be present in client software.
Additionally, this information must be unprotected, or protected in a flawed fashion, or through a mechanism that fails to resist reverse engineering, statistical, or other attack.

Skills Required

The attacker must possess knowledge of client code structure as well as ability to reverse-engineer or decompile it or probe it in other ways. This knowledge is specific to the technology and language used for the client distribution

Resources Required

The attacker must possess access to the system or code being exploited. Such access, for this set of attacks, will likely be physical. The attacker will make use of reverse engineering technologies, perhaps for data or to extract functionality from the binary. Such tool use may be as simple as "Strings" or a hex editor. Removing functionality may require the use of only a hex editor, or may require aspects of the toolchain used to construct the application: for instance the Adobe Flash development environment. Attacks of this nature do not require network access or undue CPU, memory, or other hardware-based resources.

Related Weaknesses

CWE-ID	Weakness Name
CWE-226	Sensitive Information in Resource Not Removed Before Reuse The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.
CWE-311	Missing Encryption of Sensitive Data The product does not encrypt sensitive or critical information before storage or transmission.
CWE-525	Use of Web Browser Cache Containing Sensitive Information The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.
CWE-312	Cleartext Storage of Sensitive Information The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
CWE-314	Cleartext Storage in the Registry The product stores sensitive information in cleartext in the registry.
CWE-315	Cleartext Storage of Sensitive Information in a Cookie The product stores sensitive information in cleartext in a cookie.
CWE-318	Cleartext Storage of Sensitive Information in Executable The product stores sensitive information in cleartext in an executable.
CWE-1239	Improper Zeroization of Hardware Register The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes.
CWE-1258	Exposure of Sensitive System Information Due to Uncleared Debug Information The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered.
CWE-1266	Improper Scrubbing of Sensitive Data from Decommissioned Device The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect.
CWE-1272	Sensitive Information Uncleared Before Debug/Power State Transition The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions.
CWE-1278	Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques Information stored in hardware may be recovered by an attacker with the capability to capture and analyze images of the integrated circuit using techniques such as scanning electron microscopy.
CWE-1301	Insufficient or Incomplete Data Removal within Hardware Component The product's data removal process does not completely delete all data and potentially sensitive information within hardware components.
CWE-1330	Remanent Data Readable after Memory Erase Confidential information stored in memory circuits is readable or recoverable after being cleared or erased.

Submission

Name	Organization	Date	Date release
CAPEC Content Team	The MITRE Corporation	2014-06-23 +00:00

Modifications

Name	Organization	Date	Comment
CAPEC Content Team	The MITRE Corporation	2015-11-09 +00:00	Updated Activation_Zone, Attack_Phases, Attack_Prerequisites, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Related_Vulnerabilities, Resources_Required
CAPEC Content Team	The MITRE Corporation	2020-07-30 +00:00	Updated Execution_Flow, Related_Weaknesses, Taxonomy_Mappings
CAPEC Content Team	The MITRE Corporation	2020-12-17 +00:00	Updated Related_Weaknesses
CAPEC Content Team	The MITRE Corporation	2021-06-24 +00:00	Updated Related_Weaknesses
CAPEC Content Team	The MITRE Corporation	2022-02-22 +00:00	Updated Execution_Flow
CAPEC Content Team	The MITRE Corporation	2022-09-29 +00:00	Updated Taxonomy_Mappings