Buffer Overflow via Environment Variables |
Attack Pattern ID: 10 (Detailed Attack Pattern Completeness: Complete) | Typical Severity: High | Status: Draft |
Summary
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Attack Execution Flow
The attacker tries to find an environment variable which can be overwritten for instance by gathering information about the target host (error pages, software's version number, etc.).
The attacker manipulates the environment variable to contain excessive-length content to cause a buffer overflow.
The attacker potentially leverages the buffer overflow to inject maliciously crafted code in an attempt to execute privileged command on the target environment.
The application uses environment variables.
An environment variable exposed to the user is vulnerable to a buffer overflow.
The vulnerable environment variable uses untrusted data.
Tainted data used in the environment variables is not properly validated. For instance boundary checking is not done before copying the input data to a buffer.
Description
A buffer overflow in sccw allows local users to gain root access via the $HOME environmental variable.
Related Vulnerabilities
CVE-1999-0906
Description
A buffer overflow in the rlogin program involves its consumption of the TERM environmental variable.
Related Vulnerabilities
CVE-1999-0046
Skill or Knowledge Level: Low
An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.
High : Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.
While interacting with a system an attacker would typically investigate for environment variables that can be overwritten. The more a user knows about a system the more likely she will find a vulnerable environment variable.
On a web environment, the attacker can read the client side code and search for environment variables that can be overwritten.
There are tools such as Sharefuzz (http://sharefuzz.sourceforge.net/) which is an environment variable fuzzer for Unix that support loading a shared library. Attackers can use such tools to uncover a buffer overflow in an environment variable.
If the application does bound checking, it should fail when the data source is larger than the size of the destination buffer. If the application's code is well written, that failure should triger an alert.
Do not expose environment variable to the user.
Do not use untrusted data in your environment variables.
Use a language or compiler that performs automatic bounds checking
There are tools such as Sharefuzz (http://sharefuzz.sourceforge.net/) which is an environment variable fuzzer for Unixes that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow.
- Denial of Service
- Run Arbitrary Code
- Information Leakage
- Data Modification
- Privilege Escalation
When the subroutine which uses the environment variable returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to a malicious code.
CWE-ID | Weakness Name | Weakness Relationship Type |
---|---|---|
120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Targeted |
302 | Authentication Bypass by Assumed-Immutable Data | Targeted |
118 | Improper Access of Indexable Resource ('Range Error') | Targeted |
119 | Failure to Constrain Operations within the Bounds of a Memory Buffer | Targeted |
74 | Failure to Sanitize Data into a Different Plane ('Injection') | Targeted |
99 | Improper Control of Resource Identifiers ('Resource Injection') | Targeted |
20 | Improper Input Validation | Targeted |
680 | Integer Overflow to Buffer Overflow | Targeted |
733 | Compiler Optimization Removal or Modification of Security-critical Code | Secondary |
697 | Insufficient Comparison | Targeted |
Nature | Type | ID | Name | Description | View(s) this relationship pertains to |
---|---|---|---|---|---|
ChildOf | Attack Pattern | 77 | Manipulating User-Controlled Variables | Mechanism of Attack1000 | |
ChildOf | Attack Pattern | 100 | Overflow Buffers | Mechanism of Attack (primary)1000 | |
ChildOf | Category | 340 | WASC Threat Classification 2.0 - WASC-07 - Buffer Overflow | WASC Threat Classification 2.0333 | |
ParentOf | Attack Pattern | 9 | Buffer Overflow in Local Command-Line Utilities | Mechanism of Attack1000 | |
PeerOf | Attack Pattern | 13 | Subverting Environment Variable Values | Mechanism of Attack1000 | |
PeerOf | Attack Pattern | 46 | Overflow Variables and Tags | Mechanism of Attack1000 | |
ParentOf | Attack Pattern | 69 | Target Programs with Elevated Privileges | Mechanism of Attack1000 |
CWE - Buffer Errors
Submissions | ||||
---|---|---|---|---|
Submitter | Organization | Date | ||
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-03-01 |
Modifications | |||||
---|---|---|---|---|---|
Modifier | Organization | Date | Comments | ||
Eric Dalci | Cigital, Inc | 2007-02-13 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" | ||
Sean Barnum | Cigital, Inc | 2007-03-05 | Review and revise | ||
Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Name | ||
Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback |