CAPEC-75: Manipulating Writeable Configuration Files
Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.
Last updated
Overview
CAPEC-75 (Manipulating Writeable Configuration Files) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
What the attacker needs
Prerequisites
- Configuration files must be modifiable by the attacker
Skills required
- Medium skill: To identify vulnerable configuration files, and understand how to manipulate servers and erase forensic evidence
Consequences
What a successful CAPEC-75 attack can achieve.
Gain Privileges
Affects: Confidentiality, Access Control, Authorization
How to mitigate it
Defenses that reduce the risk of CAPEC-75.
- Design: Enforce principle of least privilege
- Design: Backup copies of all configuration files
- Implementation: Integrity monitoring for configuration files
- Implementation: Enforce audit logging on code and configuration promotion procedures.
- Implementation: Load configuration from separate process and memory space, for example a separate physical device like a CD
Examples
The BEA Weblogic server uses a config.xml file to store configuration data. If this file is not properly protected by the system access control, an attacker can write configuration information to redirect server output through system logs, database connections, malicious URLs and so on. Access to the Weblogic server may be from a so-called Custom realm which manages authentication and authorization privileges on behalf of user principals. Given write access, the attacker can insert a pointer to a custom realm jar file in the config.xml The main issue with configuration files is that the attacker can leverage all the same functionality the server has, but for malicious means. Given the complexity of server configuration, these changes may be very hard for administrators to detect.
Frequently asked questions
Common questions about CAPEC-75.
- What is CAPEC-75?
- Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.
- How do you prevent CAPEC-75?
- Design: Enforce principle of least privilege
- What weaknesses does CAPEC-75 target?
- CAPEC-75 exploits 6 CWE weaknesses, including CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection')), CWE-99 (Improper Control of Resource Identifiers ('Resource Injection')), CWE-346 (Origin Validation Error), CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data).
- How severe is CAPEC-75?
- MITRE rates CAPEC-75 as Very High severity with high likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-75
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.