CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

Very High

Typical severity

Per MITRE

High

Likelihood of attack

Per MITRE

Related weaknesses

CWEs this targets

Detailed

Abstraction

MITRE classification

Overview

CAPEC-76 (Manipulating Web Input to File System Calls) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Fingerprinting of the operating system] In order to create a valid file injection, the attacker needs to know what the underlying OS is so that the proper file seperator is used.
- Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
- TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
- Induce errors to find informative error messages
Step 2
Explore
[Survey the Application to Identify User-controllable Inputs] The attacker surveys the target application to identify all user-controllable inputs, possibly as a valid and authenticated user
- Spider web sites for all available links, entry points to the web site.
- Manually explore application and inventory all application inputs
Step 3
Experiment
[Vary inputs, looking for malicious results] Depending on whether the application being exploited is a remote or local one, the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application
- Inject context-appropriate malicious file path using network packet injection tools (netcat, nemesis, etc.)
- Inject context-appropriate malicious file path using web test frameworks (proxies, TamperData, custom programs, etc.) or simple HTTP requests
- Inject context-appropriate malicious file system control syntax
Step 4
Exploit
[Manipulate files accessible by the application] The attacker may steal information or directly manipulate files (delete, copy, flush, etc.)
- The attacker injects context-appropriate malicious file path to access the content of the targeted file.
- The attacker injects context-appropriate malicious file system control syntax to access the content of the targeted file.
- The attacker injects context-appropriate malicious file path to cause the application to create, delete a targeted file.
- The attacker injects context-appropriate malicious file system control syntax to cause the application to create, delete a targeted file.
- The attacker injects context-appropriate malicious file path in order to manipulate the meta-data of the targeted file.
- The attacker injects context-appropriate malicious file system control syntax in order to manipulate the meta-data of the targeted file.

CAPEC-76: Manipulating Web Input to File System Calls

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Consequences

How to mitigate it

Examples

Frequently asked questions

What is CAPEC-76?

How does a Manipulating Web Input to File System Calls attack work?

How do you prevent CAPEC-76?

What weaknesses does CAPEC-76 target?

How severe is CAPEC-76?

References

Defend against CAPEC-76

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Consequences

How to mitigate it

Examples

Related weaknesses

Related attack patterns

Parent

Frequently asked questions

What is CAPEC-76?

How does a Manipulating Web Input to File System Calls attack work?

How do you prevent CAPEC-76?

What weaknesses does CAPEC-76 target?

How severe is CAPEC-76?

References

Defend against CAPEC-76