CAPEC-177: Create files with the same name as files protected with a higher classification

Overview

CAPEC-177 (Create files with the same name as files protected with a higher classification) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

What the attacker needs

Prerequisites

The target application must include external files. Most non-trivial applications meet this criterion.
The target application does not verify that a located file is the one it was looking for through means other than the name. Many applications fail to perform checks of this type.
The directories the target application searches to find the included file include directories writable by the attacker which are searched before the protected directory containing the actual files. It is much less common for applications to meet this criterion, but if an attacker can manipulate the application's search path (possibly by controlling environmental variables) then they can force this criterion to be met.

Resources required

The attacker must have sufficient access to place an arbitrarily named file somewhere early in the application's search path.

The CWE weaknesses that CAPEC-177 exploits.

CWE-706: Use of Incorrectly-Resolved Name or Reference

How this attack relates to others in the CAPEC hierarchy.

Parent

CAPEC-17: Using Malicious Files

Terminology & mappings

Mapped taxonomies

ATTACK: Masquerading (1036)

Frequently asked questions

Common questions about CAPEC-177.

What is CAPEC-177?

An attacker exploits file location algorithms in an operating system or application by creating a file with the same name as a protected or privileged file. The attacker could manipulate the system if the attacker-created file is trusted by the operating system or an application component that attempts to load the original file. Applications often load or include external files, such as libraries or configuration files. These files should be protected against malicious manipulation. However, if the application only uses the name of the file when locating it, an attacker may be able to create a file with the same name and place it in a directory that the application will search before the directory with the legitimate file is searched. Because the attackers' file is discovered first, it would be used by the target application. This attack can be extremely destructive if the referenced file is executable and/or is granted special privileges based solely on having a particular name.

What weaknesses does CAPEC-177 target?

CAPEC-177 exploits 1 CWE weakness, including CWE-706 (Use of Incorrectly-Resolved Name or Reference).

How severe is CAPEC-177?

MITRE rates CAPEC-177 as Very High severity.

References

MITRE CAPEC definition (CAPEC-177) (opens in a new tab)

Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.