This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.

How does a String Format Overflow in syslog() attack work?

It typically unfolds over 4 phases. It begins with: [Identify target application] The adversary identifies a target application or program to perform the buffer overflow on. In this attack, adversaries look for applications that use syslog() incorrectly.

How do you prevent CAPEC-67?

The code should be reviewed for misuse of the Syslog function call. Manual or automated code review can be used. The reviewer needs to ensure that all format string functions are passed a static string which cannot be controlled by the user and that the proper number of arguments are always sent to that function as well. If at all possible, do not use the %n operator in format strings. The following code shows a correct usage of Syslog(): syslog(LOG_ERR, "%s", cmdBuf); The following code shows a vulnerable usage of Syslog(): syslog(LOG_ERR, cmdBuf); // the buffer cmdBuff is taking user supplied data.

What weaknesses does CAPEC-67 target?

CAPEC-67 exploits 6 CWE weaknesses, including CWE-20 (Improper Input Validation), CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')), CWE-120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')), CWE-134 (Use of Externally-Controlled Format String).

How severe is CAPEC-67?

MITRE rates CAPEC-67 as Very High severity with high likelihood of attack.

CAPEC-67: String Format Overflow in syslog()

CAPEC-67 (String Format Overflow in syslog()) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

CAPEC-67: String Format Overflow in syslog()

Overview

How the attack works

What the attacker needs

Prerequisites

Consequences

How to mitigate it

Examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-67?

How does a String Format Overflow in syslog() attack work?

How do you prevent CAPEC-67?

What weaknesses does CAPEC-67 target?

How severe is CAPEC-67?

References

Defend against CAPEC-67

Overview

How the attack works

What the attacker needs

Prerequisites

Consequences

How to mitigate it

Examples

Related weaknesses

Related attack patterns

Parent

Related

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-67?

How does a String Format Overflow in syslog() attack work?

How do you prevent CAPEC-67?

What weaknesses does CAPEC-67 target?

How severe is CAPEC-67?

References

Defend against CAPEC-67