CAPEC-44
Alerte pour un CAPEC
Description
Informations
Execution Flow
1) Explore
[Identify target software] The adversary identifies software that uses external binary files in some way. This could be a file upload, downloading a file from a shared location, or other means.
2) Experiment
[Find injection vector] The adversary creates a malicious binary file by altering the header to make the file seem shorter than it is. Additional bytes are added to the end of the file to be placed in the overflowed location. The adversary then deploys the file to the software to determine if a buffer overflow was successful.
3) Experiment
[Craft overflow content] Once the adversary has determined that this attack is viable, they will specially craft the binary file in a way that achieves the desired behavior. If the source code is available, the adversary can carefully craft the malicious file so that the return address is overwritten to an intended value. If the source code is not available, the adversary will iteratively alter the file in order to overwrite the return address correctly.
Technique
- Create malicious shellcode that will execute when the program execution is returned to it.
- Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs
4) Exploit
[Overflow the buffer] Once the adversary has constructed a file that will effectively overflow the targeted software in the intended way. The file is deployed to the software, either by serving it directly to the software or placing it in a shared location for a victim to load into the software.
Prerequisites
Target software processes binary resource files.Target software contains a buffer overflow vulnerability reachable through input from a user-controllable binary resource file.
Skills Required
To modify file, deceive client into downloading, locate and exploit remote stack or heap vulnerabilityMitigations
Perform appropriate bounds checking on all buffers.Design: Enforce principle of least privilege
Design: Static code analysis
Implementation: Execute program in less trusted process space environment, do not allow lower integrity processes to write to higher integrity processes
Implementation: Keep software patched to ensure that known vulnerabilities are not available for adversaries to target on host.
Related Weaknesses
| Weakness Name | |
|---|---|
| Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. |
|
| Improper Restriction of Operations within the Bounds of a Memory Buffer The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. |
|
| Incorrect Comparison The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses. |
References
REF-1
Exploiting Software: How to Break CodeG. Hoglund, G. McGraw.
Submission
| Name | Organization | Date | Date Release |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation |
Modifications
| Name | Organization | Date | Comment |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation | Updated Related_Attack_Patterns | |
| CAPEC Content Team | The MITRE Corporation | Updated Execution_Flow | |
| CAPEC Content Team | The MITRE Corporation | Updated Related_Weaknesses | |
| CAPEC Content Team | The MITRE Corporation | Updated Description, Execution_Flow, Extended_Description | |
| CAPEC Content Team | The MITRE Corporation | Updated Description, Example_Instances, Mitigations |
