This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the adversary finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.

How does a Buffer Overflow via Environment Variables attack work?

It typically unfolds over 4 phases. It begins with: [Identify target application] The adversary identifies a target application or program to perform the buffer overflow on. In this attack the adversary looks for an application that loads the content of an environment variable into a buffer.

How do you prevent CAPEC-10?

Do not expose environment variable to the user.

What weaknesses does CAPEC-10 target?

CAPEC-10 exploits 10 CWE weaknesses, including CWE-20 (Improper Input Validation), CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')), CWE-99 (Improper Control of Resource Identifiers ('Resource Injection')), CWE-118 (Incorrect Access of Indexable Resource ('Range Error')).

How severe is CAPEC-10?

MITRE rates CAPEC-10 as High severity with high likelihood of attack.

CAPEC-10: Buffer Overflow via Environment Variables

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Identify target application] The adversary identifies a target application or program to perform the buffer overflow on. In this attack the adversary looks for an application that loads the content of an environment variable into a buffer.
Step 2
Experiment
[Find injection vector] The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.
- Change the values of environment variables thought to be used by the application to contain excessive data. If the program is loading the value of the environment variable into a buffer, this could cause a crash and an attack vector will be found.
Step 3
Experiment
[Craft overflow content] The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.
- Create malicious shellcode that will execute when the program execution is returned to it.
- Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs
Step 4
Exploit
[Overflow the buffer] Using the injection vector, the adversary injects the crafted overflow content into the buffer.

How the attack works

CAPEC-10: Buffer Overflow via Environment Variables

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Consequences

How to mitigate it

How to detect it

Examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-10?

How does a Buffer Overflow via Environment Variables attack work?

How do you prevent CAPEC-10?

What weaknesses does CAPEC-10 target?

How severe is CAPEC-10?

References

Defend against CAPEC-10

How the attack works

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Consequences

How to mitigate it

How to detect it

Examples

Related weaknesses

Related attack patterns

Parent

Peer

Related

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-10?

How does a Buffer Overflow via Environment Variables attack work?

How do you prevent CAPEC-10?

What weaknesses does CAPEC-10 target?

How severe is CAPEC-10?

References

Defend against CAPEC-10