CAPEC-44: Overflow Binary Resource File |
Description An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the adversary access to the execution stack and execute arbitrary code in the target process. Extended Description This attack pattern is a variant of standard buffer overflow attack using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The adversary is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application for the victim to download. The adversary then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow. Likelihood Of Attack Typical Severity Execution Flow Explore Identify target software: The adversary identifies software that uses external binary files in some way. This could be a file upload, downloading a file from a shared location, or other means.
Experiment Find injection vector: The adversary creates a malicious binary file by altering the header to make the file seem shorter than it is. Additional bytes are added to the end of the file to be placed in the overflowed location. The adversary then deploys the file to the software to determine if a buffer overflow was successful. Craft overflow content: Once the adversary has determined that this attack is viable, they will specially craft the binary file in a way that achieves the desired behavior. If the source code is available, the adversary can carefully craft the malicious file so that the return address is overwritten to an intended value. If the source code is not available, the adversary will iteratively alter the file in order to overwrite the return address correctly. Techniques |
---|
Create malicious shellcode that will execute when the program execution is returned to it. | Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs |
Exploit Overflow the buffer: Once the adversary has constructed a file that will effectively overflow the targeted software in the intended way. The file is deployed to the software, either by serving it directly to the software or placing it in a shared location for a victim to load into the software.
Prerequisites
Target software processes binary resource files. |
Target software contains a buffer overflow vulnerability reachable through input from a user-controllable binary resource file. |
Skills Required
[Level: Medium] To modify file, deceive client into downloading, locate and exploit remote stack or heap vulnerability |
Consequences This table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.Scope | Impact | Likelihood |
---|
Availability | Unreliable Execution | | Confidentiality Integrity Availability | Execute Unauthorized Commands | |
Mitigations
Perform appropriate bounds checking on all buffers. |
Design: Enforce principle of least privilege |
Design: Static code analysis |
Implementation: Execute program in less trusted process space environment, do not allow lower integrity processes to write to higher integrity processes |
Implementation: Keep software patched to ensure that known vulnerabilities are not available for adversaries to target on host. |
Example Instances
Binary files like music and video files are appended with additional data to cause buffer overflow on target systems. Because these files may be filled with otherwise popular content, the adversary has an excellent vector for wide distribution. There have been numerous cases, for example of malicious screen savers for sports teams that are distributed on the event of the team winning a championship. |
References
[REF-1] G. Hoglund and
G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.
|
Content History Submissions |
---|
Submission Date | Submitter | Organization |
---|
2014-06-23 (Version 2.6) | CAPEC Content Team | The MITRE Corporation | | Modifications |
---|
Modification Date | Modifier | Organization |
---|
2015-12-07 (Version 2.8) | CAPEC Content Team | The MITRE Corporation | Updated Related_Attack_Patterns | 2020-12-17 (Version 3.4) | CAPEC Content Team | The MITRE Corporation | Updated Execution_Flow | 2021-06-24 (Version 3.5) | CAPEC Content Team | The MITRE Corporation | Updated Related_Weaknesses | 2021-10-21 (Version 3.6) | CAPEC Content Team | The MITRE Corporation | Updated Description, Execution_Flow, Extended_Description | 2022-02-22 (Version 3.7) | CAPEC Content Team | The MITRE Corporation | Updated Description, Example_Instances, Mitigations |
More information is available — Please select a different filter.
|