Detailed attack pattern

Draft

CAPEC-14: Client-side Injection-induced Buffer Overflow

This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service. This hostile service is created to deliver the correct content to the client software. For example, if the client-side application is a browser, the service will host a webpage that the browser loads.

High

Typical severity

Per MITRE

Medium

Likelihood of attack

Per MITRE

Related weaknesses

CWEs this targets

Detailed

Abstraction

MITRE classification

Overview

CAPEC-14 (Client-side Injection-induced Buffer Overflow) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Identify target client-side application] The adversary identifies a target client-side application to perform the buffer overflow on. The most common are browsers. If there is a known browser vulnerability an adversary could target that.
Step 2
Experiment
[Find injection vector] The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.
- Many times client side applications will be open source, so an adversary can examine the source code to identify possible injection vectors.
- Examine APIs of the client-side application and look for areas where a buffer overflow might be possible.
Step 3
Experiment
[Create hostile service] The adversary creates a hostile service that will deliver content to the client-side application. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.
- If the client-side application is a browser, the adversary will create a service that delivers a malicious webpage to the browser.
- Create malicious shellcode that will execute when the program execution is returned to it.
- Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs
Step 4
Exploit
[Overflow the buffer] Using the injection vector, the adversary delivers the content to the client-side application using the hostile service and overflows the buffer.
- If the adversary is targeting a local client-side application, they just need to use the service themselves.
- If the adversary is attempting to cause an overflow on an external user's client-side application, they must get the user to attach to their service by some other means. This could be getting a user to visit their hostile webpage to target a user's browser.

CAPEC-14: Client-side Injection-induced Buffer Overflow

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Consequences

How to mitigate it

How to detect it

Examples

Frequently asked questions

What is CAPEC-14?

How does a Client-side Injection-induced Buffer Overflow attack work?

How do you prevent CAPEC-14?

What weaknesses does CAPEC-14 target?

How severe is CAPEC-14?

References

Defend against CAPEC-14

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Consequences

How to mitigate it

How to detect it

Examples

Related weaknesses

Related attack patterns

Parent

Related

Frequently asked questions

What is CAPEC-14?

How does a Client-side Injection-induced Buffer Overflow attack work?

How do you prevent CAPEC-14?

What weaknesses does CAPEC-14 target?

How severe is CAPEC-14?

References

Defend against CAPEC-14