CAPEC-10: Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the adversary finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Last updated
Overview
Although the focus of this attack is putting excessive content into an environment variable that is loaded into a buffer, environment variables can be used to assist a classic buffer overflow attack as well. In the case where the buffer used in a traditional buffer overflow attack is not large enough to store the adversary's shell code, they will store the shell code in an environment variable and attempt to return to its address, rather than back into the data they wrote to the buffer.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Identify target application] The adversary identifies a target application or program to perform the buffer overflow on. In this attack the adversary looks for an application that loads the content of an environment variable into a buffer.
- Step 2Experiment
[Find injection vector] The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.
- Change the values of environment variables thought to be used by the application to contain excessive data. If the program is loading the value of the environment variable into a buffer, this could cause a crash and an attack vector will be found.
- Step 3Experiment
[Craft overflow content] The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.
- Create malicious shellcode that will execute when the program execution is returned to it.
- Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs
- Step 4Exploit
[Overflow the buffer] Using the injection vector, the adversary injects the crafted overflow content into the buffer.
What the attacker needs
Prerequisites
- The application uses environment variables.
- An environment variable exposed to the user is vulnerable to a buffer overflow.
- The vulnerable environment variable uses untrusted data.
- Tainted data used in the environment variables is not properly validated. For instance boundary checking is not done before copying the input data to a buffer.
Skills required
- Low skill: An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.
- High skill: Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.
Consequences
What a successful CAPEC-10 attack can achieve.
Unreliable Execution
Affects: Availability
Execute Unauthorized Commands
Affects: Confidentiality, Integrity, Availability
Run Arbitrary Code
Read Data
Affects: Confidentiality
Modify Data
Affects: Integrity
Gain Privileges
Affects: Confidentiality, Access Control, Authorization
How to mitigate it
Defenses that reduce the risk of CAPEC-10.
- Do not expose environment variable to the user.
- Do not use untrusted data in your environment variables.
- Use a language or compiler that performs automatic bounds checking
- There are tools such as Sharefuzz [REF-2] which is an environment variable fuzzer for Unix that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow.
How to detect it
Indicators that this attack may be underway.
- If the application does bound checking, it should fail when the data source is larger than the size of the destination buffer. If the application's code is well written, that failure should trigger an alert.
Examples
A buffer overflow in sccw allows local users to gain root access via the $HOME environmental variable. See also: CVE-1999-0906
A buffer overflow in the rlogin program involves its consumption of the $TERM environmental variable. See also: CVE-1999-0046
Terminology & mappings
Mapped taxonomies
- OWASP Attacks: Buffer Overflow via Environment Variables
Frequently asked questions
Common questions about CAPEC-10.
- What is CAPEC-10?
- This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the adversary finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- How does a Buffer Overflow via Environment Variables attack work?
- It typically unfolds over 4 phases. It begins with: [Identify target application] The adversary identifies a target application or program to perform the buffer overflow on. In this attack the adversary looks for an application that loads the content of an environment variable into a buffer.
- How do you prevent CAPEC-10?
- Do not expose environment variable to the user.
- What weaknesses does CAPEC-10 target?
- CAPEC-10 exploits 10 CWE weaknesses, including CWE-20 (Improper Input Validation), CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')), CWE-99 (Improper Control of Resource Identifiers ('Resource Injection')), CWE-118 (Incorrect Access of Indexable Resource ('Range Error')).
- How severe is CAPEC-10?
- MITRE rates CAPEC-10 as High severity with high likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-10
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.