Dark Mode

Settings

Capec-10 Detail

Buffer Overflow via Environment Variables

Detailed Software Likelihood: High Typical Severity: High

Parents: 100

Threats: T62

Description

This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the adversary finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.

Extended Description

Although the focus of this attack is putting excessive content into an environment variable that is loaded into a buffer, environment variables can be used to assist a classic buffer overflow attack as well. In the case where the buffer used in a traditional buffer overflow attack is not large enough to store the adversary's shell code, they will store the shell code in an environment variable and attempt to return to its address, rather than back into the data they wrote to the buffer.
Explore

  1. Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. In this attack the adversary looks for an application that loads the content of an environment variable into a buffer.

Experiment

  1. Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

    2. Techniques
    Change the values of environment variables thought to be used by the application to contain excessive data. If the program is loading the value of the environment variable into a buffer, this could cause a crash and an attack vector will be found.

  2. Craft overflow content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.

    3. Techniques
    Create malicious shellcode that will execute when the program execution is returned to it.
    Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs
Exploit

  1. Overflow the buffer: Using the injection vector, the adversary injects the crafted overflow content into the buffer.

  1. The application uses environment variables.
  2. An environment variable exposed to the user is vulnerable to a buffer overflow.
  3. The vulnerable environment variable uses untrusted data.
  4. Tainted data used in the environment variables is not properly validated. For instance boundary checking is not done before copying the input data to a buffer.

Not present

Low High
An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.
Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.
Integrity Availability Authorization Access Control Confidentiality
Execute Unauthorized Commands (Run Arbitrary Code) Unreliable Execution Gain Privileges Gain Privileges Execute Unauthorized Commands (Run Arbitrary Code)
Modify Data Execute Unauthorized Commands (Run Arbitrary Code) Read Data
Gain Privileges
  1. A buffer overflow in sccw allows local users to gain root access via the $HOME environmental variable. See also: CVE-1999-0906
  2. A buffer overflow in the rlogin program involves its consumption of the $TERM environmental variable. See also: CVE-1999-0046

We use cookies to ensure you get the best experience on our website.