Rich Piazza
132 lines
7.9 KiB
JSON
132 lines
7.9 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--6ba729ab-a6c2-4278-ae4b-00036b0f5801",
|
|
"spec_version": "2.0",
|
|
"objects": [
|
|
{
|
|
"type": "attack-pattern",
|
|
"id": "attack-pattern--f190e1b3-e8d6-4aef-817c-b3e7782e2aed",
|
|
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
|
"created": "2014-06-23T00:00:00.000Z",
|
|
"modified": "2020-12-17T00:00:00.000Z",
|
|
"name": "Subverting Environment Variable Values",
|
|
"description": "The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.",
|
|
"external_references": [
|
|
{
|
|
"source_name": "capec",
|
|
"url": "https://capec.mitre.org/data/definitions/13.html",
|
|
"external_id": "CAPEC-13"
|
|
},
|
|
{
|
|
"source_name": "cwe",
|
|
"url": "http://cwe.mitre.org/data/definitions/353.html",
|
|
"external_id": "CWE-353"
|
|
},
|
|
{
|
|
"source_name": "cwe",
|
|
"url": "http://cwe.mitre.org/data/definitions/285.html",
|
|
"external_id": "CWE-285"
|
|
},
|
|
{
|
|
"source_name": "cwe",
|
|
"url": "http://cwe.mitre.org/data/definitions/302.html",
|
|
"external_id": "CWE-302"
|
|
},
|
|
{
|
|
"source_name": "cwe",
|
|
"url": "http://cwe.mitre.org/data/definitions/74.html",
|
|
"external_id": "CWE-74"
|
|
},
|
|
{
|
|
"source_name": "cwe",
|
|
"url": "http://cwe.mitre.org/data/definitions/15.html",
|
|
"external_id": "CWE-15"
|
|
},
|
|
{
|
|
"source_name": "cwe",
|
|
"url": "http://cwe.mitre.org/data/definitions/73.html",
|
|
"external_id": "CWE-73"
|
|
},
|
|
{
|
|
"source_name": "cwe",
|
|
"url": "http://cwe.mitre.org/data/definitions/20.html",
|
|
"external_id": "CWE-20"
|
|
},
|
|
{
|
|
"source_name": "cwe",
|
|
"url": "http://cwe.mitre.org/data/definitions/200.html",
|
|
"external_id": "CWE-200"
|
|
},
|
|
{
|
|
"source_name": "ATTACK",
|
|
"description": "Impair Defenses:Impair Command History Logging",
|
|
"url": "https://attack.mitre.org/wiki/Technique/T1562/003",
|
|
"external_id": "T1562.003"
|
|
},
|
|
{
|
|
"source_name": "ATTACK",
|
|
"description": "Hijack Execution Flow:LD_PRELOAD",
|
|
"url": "https://attack.mitre.org/wiki/Technique/T1574/006",
|
|
"external_id": "T1574.006"
|
|
},
|
|
{
|
|
"source_name": "ATTACK",
|
|
"description": "Hijack Execution Flow:Path Interception by PATH Environment Variable",
|
|
"url": "https://attack.mitre.org/wiki/Technique/T1574/007",
|
|
"external_id": "T1574.007"
|
|
},
|
|
{
|
|
"source_name": "reference_from_CAPEC",
|
|
"description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
|
|
"external_id": "REF-1"
|
|
}
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
|
|
],
|
|
"x_capec_abstraction": "Detailed",
|
|
"x_capec_consequences": {
|
|
"Access_Control": [
|
|
"Bypass Protection Mechanism"
|
|
],
|
|
"Accountability": [
|
|
"Hide Activities"
|
|
],
|
|
"Authorization": [
|
|
"Bypass Protection Mechanism"
|
|
],
|
|
"Availability": [
|
|
"Execute Unauthorized Commands (Run Arbitrary Code)",
|
|
"Unreliable Execution"
|
|
],
|
|
"Confidentiality": [
|
|
"Execute Unauthorized Commands (Run Arbitrary Code)",
|
|
"Bypass Protection Mechanism",
|
|
"Read Data"
|
|
],
|
|
"Integrity": [
|
|
"Execute Unauthorized Commands (Run Arbitrary Code)"
|
|
]
|
|
},
|
|
"x_capec_example_instances": [
|
|
"Changing the LD_LIBRARY_PATH environment variable in TELNET will cause TELNET to use an alternate (possibly Trojan) version of a function library. The Trojan library must be accessible using the target file system and should include Trojan code that will allow the user to log in with a bad password. This requires that the attacker upload the Trojan library to a specific location on the target. As an alternative to uploading a Trojan file, some file systems support file paths that include remote addresses, such as \\\\172.16.2.100\\shared_files\\trojan_dll.dll. See also: Path Manipulation (CVE-1999-0073)",
|
|
"The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. This setting can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that \" ls\" will not be saved, but \"ls\" would be saved by history. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. Adversaries can use this to operate without leaving traces by simply prepending a space to all of their terminal commands."
|
|
],
|
|
"x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p>The attacker probes the application for information. Which version of the application is running? Are there known environment variables? etc.</p></li></ol></div><div><h3>Experiment</h3><ol><li> <p>The attacker gains control of an environment variable and ties to find out what process(es) the environment variable controls.</p></li></ol></div><div><h3>Exploit</h3><ol><li> <p>The attacker modifies the environment variable to abuse the normal flow of processes or to gain access to privileged resources.</p></li></ol></div>",
|
|
"x_capec_likelihood_of_attack": "High",
|
|
"x_capec_prerequisites": [
|
|
"An environment variable is accessible to the user.",
|
|
"An environment variable used by the application can be tainted with user supplied data.",
|
|
"Input data used in an environment variable is not validated properly.",
|
|
"The variables encapsulation is not done properly. For instance setting a variable as public in a class makes it visible and an attacker may attempt to manipulate that variable."
|
|
],
|
|
"x_capec_skills_required": {
|
|
"High": "Some more advanced attacks may require knowledge about protocols and probing technique which help controlling a variable. The malicious user may try to understand the authentication mechanism in order to defeat it.",
|
|
"Low": "In a web based scenario, the client controls the data that it submitted to the server. So anybody can try to send malicious data and try to bypass the authentication mechanism."
|
|
},
|
|
"x_capec_status": "Stable",
|
|
"x_capec_typical_severity": "Very High",
|
|
"x_capec_version": "3.4"
|
|
}
|
|
]
|
|
} |