Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CAPEC-24:Filter Failure through Buffer Overflow
Attack Pattern ID:24
Version:v3.9
Attack Pattern Name:Filter Failure through Buffer Overflow
Abstraction:Detailed
Status:Draft
Likelihood of Attack:High
Typical Severity:High
DetailsContent HistoryRelated WeaknessesReports
▼Description
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
▼Extended Description
▼Alternate Terms
▼Relationships
NatureTypeIDName
ChildOfS100Overflow Buffers
Nature: ChildOf
Type: Standard
ID: 100
Name: Overflow Buffers
▼Execution Flow
Explore
1.

Survey

The attacker surveys the target application, possibly as a valid and authenticated user

Technique
Spidering web sites for inputs that involve potential filtering
Brute force guessing of filtered inputs
Experiment
1.

Attempt injections

Try to feed overly long data to the system. This can be done manually or a dynamic tool (black box) can be used to automate this. An attacker can also use a custom script for that purpose.

Technique
Brute force attack through black box penetration test tool.
Fuzzing of communications protocols
Manual testing of possible inputs with attack data.
2.

Monitor responses

Watch for any indication of failure occurring. Carefully watch to see what happened when filter failure occurred. Did the data get in?

Technique
Boron tagging. Choose clear attack inputs that are easy to notice in output. In binary this is often 0xa5a5a5a5 (alternating 1s and 0s). Another obvious tag value is all zeroes, but it is not always obvious what goes wrong if the null values get into the data.
Check Log files. An attacker with access to log files can look at the outcome of bad input.
Exploit
1.

Abuse the system through filter failure

An attacker writes a script to consistently induce the filter failure.

Technique
DoS through filter failure. The attacker causes the system to crash or stay down because of its failure to filter properly.
Malicious code execution. An attacker introduces a malicious payload and executes arbitrary code on the target system.
An attacker can use the filter failure to introduce malicious data into the system and leverage a subsequent SQL injection, Cross Site Scripting, Command Injection or similar weakness if it exists.
▼Prerequisites
Ability to control the length of data passed to an active filter.
▼Skills Required
Low

An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.

High

Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.

▼Resources Required
▼Indicators
Many exceptions are thrown by the application's filter modules in a short period of time. Check the logs. See if the probes are coming from the same IP address.
▼Consequences
ScopeLikelihoodImpactNote
IntegrityN/AModify DataN/A
ConfidentialityIntegrityAvailabilityN/AExecute Unauthorized CommandsRun Arbitrary Code
ConfidentialityAccess ControlAuthorizationN/ABypass Protection MechanismN/A
AvailabilityN/AUnreliable ExecutionN/A
Scope: Integrity
Likelihood: N/A
Impact: Modify Data
Note: N/A
Scope: Confidentiality, Integrity, Availability
Likelihood: N/A
Impact: Execute Unauthorized Commands
Note: Run Arbitrary Code
Scope: Confidentiality, Access Control, Authorization
Likelihood: N/A
Impact: Bypass Protection Mechanism
Note: N/A
Scope: Availability
Likelihood: N/A
Impact: Unreliable Execution
Note: N/A
▼Mitigations
Make sure that ANY failure occurring in the filtering or input validation routine is properly handled and that offending input is NOT allowed to go through. Basically make sure that the vault is closed when failure occurs.
Pre-design: Use a language or compiler that performs automatic bounds checking.
Pre-design through Build: Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.
Operational: Use OS-level preventative functionality. Not a complete solution.
Design: Use an abstraction library to abstract away risky APIs. Not a complete solution.
▼Example Instances
▼Related Weaknesses
IDName
CWE-118Incorrect Access of Indexable Resource ('Range Error')
CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-120Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-20Improper Input Validation
CWE-680Integer Overflow to Buffer Overflow
CWE-697Incorrect Comparison
CWE-733Compiler Optimization Removal or Modification of Security-critical Code
CWE-74Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
ID: CWE-118
Name: Incorrect Access of Indexable Resource ('Range Error')
ID: CWE-119
Name: Improper Restriction of Operations within the Bounds of a Memory Buffer
ID: CWE-120
Name: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
ID: CWE-20
Name: Improper Input Validation
ID: CWE-680
Name: Integer Overflow to Buffer Overflow
ID: CWE-697
Name: Incorrect Comparison
ID: CWE-733
Name: Compiler Optimization Removal or Modification of Security-critical Code
ID: CWE-74
Name: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
▼Taxonomy Mappings
Taxonomy NameEntry IDEntry Name
▼Notes
▼References
Reference ID: REF-1
Title: Exploiting Software: How to Break Code
Author: G. Hoglund, G. McGraw
Publication:
Publisher:Addison-Wesley
Edition:
URL:
URL Date:
Day:N/A
Month:02
Year:2004
Details not found