CAPEC-36: Using Unpublished Interfaces or Functionality
An adversary searches for and invokes interfaces or functionality that the target system designers did not intend to be publicly available. If interfaces fail to authenticate requests, the attacker may be able to invoke functionality they are not authorized for.
Last updated
Overview
Adversaries can also search for undocumented bits on a hardware device, commonly known as "chicken bits". These bits are used to enable/disable certain functionality, but are not published. Adversaries can reverse engineer firmware to identify hidden features and change these bits at runtime to achieve malicious behavior.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Identify services] Discover a service of interest by exploring service registry listings or by connecting on a known port or some similar means.
- Search via internet for known, published services.
- Use automated tools to scan known ports to identify internet-enabled services.
- Dump the code from the chip and then perform reverse engineering to analyze the code.
- Step 2Explore
[Authenticate to service] Authenticate to the service, if required, in order to explore it.
- Use published credentials to access system.
- Find unpublished credentials to access service.
- Use other attack pattern or weakness to bypass authentication.
- Step 3Explore
[Identify all interfaces] Determine the exposed interfaces by querying the registry as well as probably sniffing to expose interfaces that are not explicitly listed.
- For any published services, determine exposed interfaces via the documentation provided.
- For any services found, use error messages from poorly formed service calls to determine valid interfaces. In some cases, services will respond to poorly formed calls with valid ones.
- Step 4Experiment
[Attempt to discover unpublished functions] Using manual or automated means, discover unpublished or undocumented functions exposed by the service.
- Manually attempt calls to the service using an educated guess approach, including the use of terms like' 'test', 'debug', 'delete', etc.
- Use automated tools to scan the service to attempt to reverse engineer exposed, but undocumented, features.
- Step 5Exploit
[Exploit unpublished functions] Using information determined via experimentation, exploit the unpublished features of the service.
- Execute features that are not intended to be used by general system users.
- Craft malicious calls to features not intended to be used by general system users that take advantage of security flaws found in the functions.
What the attacker needs
Prerequisites
- The architecture under attack must publish or otherwise make available services that clients can attach to, either in an unauthenticated fashion, or having obtained an authentication token elsewhere. The service need not be 'discoverable', but in the event it isn't it must have some way of being discovered by an attacker. This might include listening on a well-known port. Ultimately, the likelihood of exploit depends on discoverability of the vulnerable service.
Skills required
- Low skill: A number of web service digging tools are available for free that help discover exposed web services and their interfaces. In the event that a web service is not listed, the attacker does not need to know much more in addition to the format of web service messages that they can sniff/monitor for.
Resources required
- None: No specialized resources are required to execute this type of attack. Web service digging tools may be helpful.
Consequences
What a successful CAPEC-36 attack can achieve.
Read Data
Affects: Confidentiality
Gain Privileges
Affects: Confidentiality, Access Control, Authorization
How to mitigate it
Defenses that reduce the risk of CAPEC-36.
- Authenticating both services and their discovery, and protecting that authentication mechanism simply fixes the bulk of this problem. Protecting the authentication involves the standard means, including: 1) protecting the channel over which authentication occurs, 2) preventing the theft, forgery, or prediction of authentication credentials or the resultant tokens, or 3) subversion of password reset and the like.
Examples
To an extent, Google services (such as Google Maps) are all well-known examples. Calling these services, or extending them for one's own (perhaps very different) purposes is as easy as knowing they exist. Their unencumbered public use, however, is a purposeful aspect of Google's business model. Most organizations, however, do not have the same business model. Organizations publishing services usually fall back on thoughts that Attackers "will not know services exist" and that "even if they did, they wouldn't be able to access them because they're not on the local LAN." Simple threat modeling exercises usually uncovers simple attack vectors that can invalidate these assumptions.
Frequently asked questions
Common questions about CAPEC-36.
- What is CAPEC-36?
- An adversary searches for and invokes interfaces or functionality that the target system designers did not intend to be publicly available. If interfaces fail to authenticate requests, the attacker may be able to invoke functionality they are not authorized for.
- How does a Using Unpublished Interfaces or Functionality attack work?
- It typically unfolds over 5 phases. It begins with: [Identify services] Discover a service of interest by exploring service registry listings or by connecting on a known port or some similar means.
- How do you prevent CAPEC-36?
- Authenticating both services and their discovery, and protecting that authentication mechanism simply fixes the bulk of this problem. Protecting the authentication involves the standard means, including: 1) protecting the channel over which authentication occurs, 2) preventing the theft, forgery, or prediction of authentication credentials or the resultant tokens, or 3) subversion of password reset and the like.
- What weaknesses does CAPEC-36 target?
- CAPEC-36 exploits 4 CWE weaknesses, including CWE-306 (Missing Authentication for Critical Function), CWE-693 (Protection Mechanism Failure), CWE-695 (Use of Low-Level Functionality), CWE-1242 (Inclusion of Undocumented Features or Chicken Bits).
- How severe is CAPEC-36?
- MITRE rates CAPEC-36 as High severity with medium likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-36
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.