CAPEC-93: Log Injection-Tampering-Forging
Attack Pattern ID: 93
Version: v3.9
Attack Pattern Name: Log Injection-Tampering-Forging
Abstraction: Detailed
Status: Draft
Likelihood of Attack: High
Typical Severity: High
▼Description
This attack targets the log files of the target host. The attacker injects, manipulates or forges log entries in order to mislead a log audit, cover the traces of an attack, or perform other malicious actions. The target host does not properly control access to its logs, or writes user-controlled data to them without neutralizing it, so tainted data ends up in the log files. The result is a loss of accountability, non-repudiation and incident forensics capability.
▼Relationships
Nature      Type      ID   Name
ChildOf     Standard  268  Audit Log Manipulation
CanPrecede  Detailed  592  Stored XSS
▼Execution Flow
Explore
1. Determine Application's Log File Format
The first step is exploratory: the attacker observes the system and looks for actions and data that are likely to be logged. The attacker may already be familiar with the log format of the system.
Technique
Determine the logging utility being used by the application (e.g. log4j).
Gain access to the application's source code to determine the log file format.
Install or obtain access to an instance of the application and observe its log file format.

Exploit
1. Manipulate Log Files
The attacker alters the log contents either directly, through manipulation or forging, or indirectly, through injection of specially crafted input that the target software will write to the logs. This type of attack typically follows another attack and is used to cover the traces of the previous attack.
Technique
Use carriage return and/or line feed characters to start a new line in the log file, and then add a fake entry. For example, the URL-encoded input

"%0D%0A[Thu%20Nov%2012%2011:22]:Info:%20User%20admin%20logged%20in"

decodes to a CRLF followed by the text

"[Thu Nov 12 11:22]:Info: User admin logged in"

so an application that writes the value unchanged appends the forged entry to the log on its own line. Different applications may require different encodings of the carriage return and line feed characters.

Insert a script into the log file such that, if the log is viewed using a web browser, the script sends the operator's or administrator's cookie to the attacker, who can then gain access as that user. The script itself is invisible to anybody viewing the logs in a web browser (unless they view the source for the page).

▼Prerequisites
The target host is logging the action and data of the user.
The target host insufficiently protects access to the logs or logging mechanisms.
▼Skills Required
Low: This attack can be as simple as adding extra characters to the logged data (e.g. a username). Adding entries is typically easier than removing entries.
Medium: A more sophisticated attack may try to defeat the input validation mechanism.
▼Consequences
Scope      Likelihood  Impact       Note
Integrity  N/A         Modify Data  N/A
▼Mitigations
Carefully control access to physical log files.
Do not allow tainted data to be written to the log file without prior input validation; in particular, neutralize carriage return, line feed and other control characters before logging. An allowlist may be used to properly validate the data.
Use synchronization to control the flow of execution.
Use static analysis tools to identify log forging vulnerabilities.
Avoid viewing logs with tools that may interpret control characters in the file, such as command-line shells.
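The CRLF injection from the Exploit step above and the input-validation mitigation listed here, worked through in Python as an added example (this is not code from the CAPEC entry or from its references). The log format "[timestamp]:Level: message", the "%a %b %d %H:%M:%S" timestamp shape, the function names and the sample log lines are all constructed for this illustration; the URL-encoded payload is the one quoted in the Execution Flow. The block shows the vulnerable logger producing a forged line, a hardened logger that neutralizes control characters, an HTML-escaping viewer, and an audit check that flags entries whose timestamp does not match the format the application actually writes.

```python
"""Log injection, neutralization and a forgery check (added example).

Assumed log format (constructed for this example, not from CAPEC):
    [<timestamp>]:<Level>: <message>      one entry per line,
with timestamps written as "%a %b %d %H:%M:%S", e.g. "Thu Nov 12 11:25:03".
"""
import html
import re
from urllib.parse import unquote

ENTRY_RE = re.compile(r"^\[(?P<ts>[^\]]*)\]:(?P<level>[A-Za-z]+): (?P<msg>.*)$")
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
TS_RE = re.compile(
    r"^(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) (" + "|".join(MONTHS)
    + r") (\d{2}) (\d{2}):(\d{2}):(\d{2})$"
)

# The URL-encoded payload from the Execution Flow, as it would arrive in a
# query parameter or form field that the application later logs.
PAYLOAD = "%0D%0A[Thu%20Nov%2012%2011:22]:Info:%20User%20admin%20logged%20in"


def naive_entry(ts, level, username):
    """Vulnerable (CWE-117): the username is written into the log line as-is,
    so an embedded CR/LF terminates the real entry and starts an attacker
    authored one."""
    return f"[{ts}]:{level}: Login failed for user {username}\n"


def neutralize(value, max_len=64):
    """Escape CR, LF and every other control character so one log call can
    only ever produce one log line; bound the length so padding cannot push
    the genuine fields out of a viewer's window."""
    out = []
    for ch in value[:max_len]:
        if ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(ch)
    if len(value) > max_len:
        out.append("...")
    return "".join(out)


def safe_entry(ts, level, username):
    """Hardened counterpart of naive_entry."""
    return f"[{ts}]:{level}: Login failed for user {neutralize(username)}\n"


def render_html(log_text):
    """Escape entries before showing them in a browser-based log viewer, so an
    injected <script> is displayed as text instead of running with the
    operator's session (the Stored XSS this pattern CanPrecede)."""
    items = "".join(f"<li>{html.escape(line)}</li>" for line in log_text.splitlines())
    return f"<ul>{items}</ul>"


def parse_ts(ts):
    """Strict parse of the application's own timestamp shape. Returns a
    sortable tuple, or None if the text is not exactly that shape (a hand
    typed 'Thu Nov 12 11:22' without seconds fails)."""
    m = TS_RE.match(ts)
    if not m:
        return None
    month, day, hh, mm, ss = m.groups()
    return (MONTHS.index(month), int(day), int(hh), int(mm), int(ss))


def find_suspect_lines(log_text):
    """Audit check: report (line_number, reason) for lines that do not match
    the entry format, whose timestamp is not in the application's format, or
    whose timestamp goes backwards. A forgery that passes all three is not
    proven genuine; this is a tripwire, not an integrity guarantee."""
    suspects = []
    last_ts = None
    for number, line in enumerate(log_text.splitlines(), start=1):
        m = ENTRY_RE.match(line)
        if not m:
            suspects.append((number, "does not match entry format"))
            continue
        ts = parse_ts(m.group("ts"))
        if ts is None:
            suspects.append((number, "timestamp not in application format"))
            continue
        if last_ts is not None and ts < last_ts:
            suspects.append((number, "timestamp goes backwards"))
            continue
        last_ts = ts
    return suspects


# Constructed sample: two genuine entries around one failed login whose
# "username" is the decoded payload.
TAINTED_USERNAME = unquote(PAYLOAD)
NAIVE_LOG = (
    "[Thu Nov 12 11:24:58]:Info: User alice logged in\n"
    + naive_entry("Thu Nov 12 11:25:03", "Warn", TAINTED_USERNAME)
    + "[Thu Nov 12 11:25:09]:Info: User bob logged in\n"
)
SAFE_LOG = (
    "[Thu Nov 12 11:24:58]:Info: User alice logged in\n"
    + safe_entry("Thu Nov 12 11:25:03", "Warn", TAINTED_USERNAME)
    + "[Thu Nov 12 11:25:09]:Info: User bob logged in\n"
)

if __name__ == "__main__":
    print(f"naive log: {len(NAIVE_LOG.splitlines())} lines for 3 events")
    print(NAIVE_LOG)
    print("suspect lines:", find_suspect_lines(NAIVE_LOG))
    print(f"hardened log: {len(SAFE_LOG.splitlines())} lines for 3 events")
    print(SAFE_LOG)
    print(render_html("<script>alert(1)</script>"))
```

With the naive logger, three events yield four lines and the third reads exactly like a genuine "User admin logged in" entry; with the hardened logger the same input stays on one line as a literal "\r\n[Thu Nov 12 11:22]...". The audit check only catches the forged line because the attacker omitted the seconds field the application always writes; an attacker who copies the format precisely passes it, which is why neutralization at write time and access control on the log files are the mitigations that matter, and the check is a supplementary tripwire.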
▼Related Weaknesses
ID       Name
CWE-117  Improper Output Neutralization for Logs
CWE-150  Improper Neutralization of Escape, Meta, or Control Sequences
CWE-75   Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
▼References
REF-131: J. Viega, G. McGraw. Building Secure Software. Addison-Wesley, 2002.
REF-550: A. Muffet. The night the log was forged. http://doc.novsu.ac.ru/oreilly/tcpip/puis/ch10_05.htm
REF-551: The OWASP Application Security Desk Reference. The Open Web Application Security Project (OWASP), 2009. https://www.owasp.org/index.php/Log_Injection
REF-552: Fortify Software. SAMATE - Software Assurance Metrics And Tool Evaluation. National Institute of Standards and Technology (NIST), 2006-06-22. https://samate.nist.gov/SRD/view_testcase.php?tID=1579