CAPEC-52

Embedding NULL Bytes
Haute
Haute
Draft
2014-06-23
00h00 +00:00
2022-09-29
00h00 +00:00
CAPEC Mitre.org
Alerte pour un CAPEC
Restez informé de toutes modifications pour un CAPEC spécifique.
Gestion des notifications

Descriptions du CAPEC

An adversary embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. The goal is for certain components of the target software to stop processing the input when it encounters the null byte(s).

Informations du CAPEC

Flux d'exécution

1) Explore

[Survey the application for user-controllable inputs] Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.

Technique
  • Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
  • Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
  • Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
  • Manually inspect the application to find entry points.
2) Experiment

[Probe entry points to locate vulnerabilities] The adversary uses the entry points gathered in the "Explore" phase as a target list and injects postfix null byte(s) to observe how the application handles them as input. The adversary is looking for areas where user input is placed in the middle of a string, and the null byte causes the application to stop processing the string at the end of the user input.

Technique
  • Try different encodings for null such as \0 or %00
3) Exploit

[Remove data after null byte(s)] After determined entry points that are vulnerable, the adversary places a null byte(s) such that they remove data after the null byte(s) in a way that is beneficial to them.

Technique
  • If the input is a directory as part of a longer file path, add a null byte(s) at the end of the input to try to traverse to the given directory.

Conditions préalables

The program does not properly handle postfix NULL terminators

Compétences requises

Directory traversal
Execution of arbitrary code

Atténuations

Properly handle the NULL characters supplied as part of user input prior to doing anything with the data.

Faiblesses connexes

CWE-ID Nom de la faiblesse

CWE-158

 Improper Neutralization of Null Byte or NUL Character
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.

CWE-172

 Encoding Error
The product does not properly encode or decode the data, resulting in unexpected values.

CWE-173

 Improper Handling of Alternate Encoding
The product does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent.

CWE-74

 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE-20

 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-697

 Incorrect Comparison
The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

CWE-707

 Improper Neutralization
The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

Références

REF-1

Exploiting Software: How to Break Code
G. Hoglund, G. McGraw.

REF-445

Adobe Acrobat/Acrobat Reader ActiveX Control Buffer Overflow Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=126

REF-446

PHP Input Validation Vulnerabilities
http://msgs.securepoint.com/bugtraq/

Soumission

Nom Organisation Date Date de publication
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Nom Organisation Date Commentaire
CAPEC Content Team The MITRE Corporation 2018-07-31 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated Example_Instances
CAPEC Content Team The MITRE Corporation 2020-12-17 +00:00 Updated Taxonomy_Mappings
CAPEC Content Team The MITRE Corporation 2021-06-24 +00:00 Updated Related_Weaknesses
CAPEC Content Team The MITRE Corporation 2022-02-22 +00:00 Updated Description, Example_Instances, Execution_Flow
CAPEC Content Team The MITRE Corporation 2022-09-29 +00:00 Updated Example_Instances