CAPEC-93 Détail

CAPEC-93

Nom

Log Injection-Tampering-Forging

Probabilité d'attaque

Haute

Gravité typique

Haute

Statut

Draft

Publié

2014-06-23
00h00 +00:00

Modifié

2022-09-29
00h00 +00:00

Liens officiels

CAPEC Mitre.org

Alerte pour un CAPEC

Restez informé de toutes modifications pour un CAPEC spécifique.

Gestion des notifications

Liste des Notifications

Alerte pour un CAPEC

Restez informé de toutes modifications pour un CAPEC spécifique.

Paramètres

Vous pouvez spécifier un titre qui sera récupéré dans les alertes qui seront envoyées.

Spécifiez le CAPEC ID que vous désirez surveiller.

Planifications

Mois

Prochaine exécution calculée

Jour

Jour de la semaine

Heure

Minute

Date de création

Dernière exécution

Prochaine exécution

Fonctionnalité nécessitant une connexion

Cette fonctionnalité qui vous permet de recevoir des alertes, n'est active que lorsque vous êtes connecté à votre compte.

Descriptions du CAPEC

This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.

Informations du CAPEC

Flux d'exécution

1) Explore

[Determine Application's Log File Format] The first step is exploratory meaning the attacker observes the system. The attacker looks for action and data that are likely to be logged. The attacker may be familiar with the log format of the system.

Technique

Determine logging utility being used by application (e.g. log4j)
Gain access to application's source code to determine log file formats.
Install or obtain access to instance of application and observe its log file format.

2) Exploit

[Manipulate Log Files] The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted input that the target software will write to the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.

Technique

Use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry. For example:

"%0D%0A[Thu%20Nov%2012%2011:22]:Info:%20User%20admin%20logged%20in"

may add the following forged entry into a log file:

"[Thu Nov 12 12:11:22]:Info: User admin logged in"

Different applications may require different encodings of the carriage return and line feed characters.
Insert a script into the log file such that if it is viewed using a web browser, the attacker will get a copy of the operator/administrator's cookie and will be able to gain access as that user. For example, a log file entry could contain

The script itself will be invisible to anybody viewing the logs in a web browser (unless they view the source for the page).

Conditions préalables

The target host is logging the action and data of the user.
The target host insufficiently protects access to the logs or logging mechanisms.

Compétences requises

This attack can be as simple as adding extra characters to the logged data (e.g. username). Adding entries is typically easier than removing entries.
A more sophisticated attack can try to defeat the input validation mechanism.

Atténuations

Carefully control access to physical log files.
Do not allow tainted data to be written in the log file without prior input validation. An allowlist may be used to properly validate the data.
Use synchronization to control the flow of execution.
Use static analysis tools to identify log forging vulnerabilities.
Avoid viewing logs with tools that may interpret control characters in the file, such as command-line shells.

Faiblesses connexes

CWE-ID	Nom de la faiblesse
CWE-117	Improper Output Neutralization for Logs The product does not neutralize or incorrectly neutralizes output that is written to logs.
CWE-75	Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) The product does not adequately filter user-controlled input for special elements with control implications.
CWE-150	Improper Neutralization of Escape, Meta, or Control Sequences The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

Références

REF-131

Building Secure Software
J. Viega, G. McGraw.

REF-550

The night the log was forged
A. Muffet.
http://doc.novsu.ac.ru/oreilly/tcpip/puis/ch10_05.htm

REF-551

The OWASP Application Security Desk Reference
https://www.owasp.org/index.php/Log_Injection

REF-552

SAMATE - Software Assurance Metrics And Tool Evaluation
Fortify Software.
https://samate.nist.gov/SRD/view_testcase.php?tID=1579

Soumission

Nom	Organisation	Date	Date de publication
CAPEC Content Team	The MITRE Corporation	2014-06-23 +00:00

Modifications

Nom	Organisation	Date	Commentaire
CAPEC Content Team	The MITRE Corporation	2015-11-09 +00:00	Updated References
CAPEC Content Team	The MITRE Corporation	2017-05-01 +00:00	Updated Related_Attack_Patterns, Related_Weaknesses
CAPEC Content Team	The MITRE Corporation	2018-07-31 +00:00	Updated Examples-Instances, References
CAPEC Content Team	The MITRE Corporation	2020-07-30 +00:00	Updated Description, Mitigations, Related_Attack_Patterns
CAPEC Content Team	The MITRE Corporation	2021-06-24 +00:00	Updated Related_Weaknesses
CAPEC Content Team	The MITRE Corporation	2022-09-29 +00:00	Updated Example_Instances, Execution_Flow, Taxonomy_Mappings

Détail du CAPEC-93