CAPEC-14 Detail
Client-side Injection-induced Buffer Overflow
Abstraction: Detailed. Domain: Software. Likelihood of Attack: Medium. Typical Severity: High.
Parents: 100
Threats: T62
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-14 | capec | https://capec.mitre.org/data/definitions/14.html | |
| CWE-120 | cwe | http://cwe.mitre.org/data/definitions/120.html | |
| CWE-353 | cwe | http://cwe.mitre.org/data/definitions/353.html | |
| CWE-118 | cwe | http://cwe.mitre.org/data/definitions/118.html | |
| CWE-119 | cwe | http://cwe.mitre.org/data/definitions/119.html | |
| CWE-74 | cwe | http://cwe.mitre.org/data/definitions/74.html | |
| CWE-20 | cwe | http://cwe.mitre.org/data/definitions/20.html | |
| CWE-680 | cwe | http://cwe.mitre.org/data/definitions/680.html | |
| CWE-697 | cwe | http://cwe.mitre.org/data/definitions/697.html | |
| REF-1 | reference_from_CAPEC | | G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004-02, Addison-Wesley |
Explore
- Identify target client-side application: The adversary identifies a target client-side application to perform the buffer overflow on. The most common are browsers. If there is a known browser vulnerability, an adversary could target that.

Experiment
- Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

| Techniques |
|---|
| Many times client-side applications will be open source, so an adversary can examine the source code to identify possible injection vectors. |
| Examine APIs of the client-side application and look for areas where a buffer overflow might be possible. |

- Create hostile service: The adversary creates a hostile service that will deliver content to the client-side application. If the intent is simply to cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.

| Techniques |
|---|
| If the client-side application is a browser, the adversary will create a service that delivers a malicious webpage to the browser. |
| Create malicious shellcode that will execute when program execution is returned to it. |
| Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only within the range of the NOPs. |

Exploit
- Overflow the buffer: Using the injection vector, the adversary delivers the content to the client-side application using the hostile service and overflows the buffer.

| Techniques |
|---|
| If the adversary is targeting a local client-side application, they just need to use the service themselves. |
| If the adversary is attempting to cause an overflow on an external user's client-side application, they must get the user to attach to their service by some other means. This could be getting a user to visit their hostile webpage in order to target the user's browser. |
- The targeted client software communicates with an external server.
- The targeted client software has a buffer overflow vulnerability.
| Skill Level | Description |
|---|---|
| Low | To achieve a denial of service, an attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. |
| High | Exploiting a buffer overflow to inject malicious code into the stack of a software system, or even the heap, requires more in-depth knowledge and a higher skill level. |
| Integrity | Availability | Confidentiality |
|---|---|---|
| Modify Data | Resource Consumption (Denial of Service) | Read Data |
| Execute Unauthorized Commands (Run Arbitrary Code) | Execute Unauthorized Commands (Run Arbitrary Code) | Execute Unauthorized Commands (Run Arbitrary Code) |
- Authors often use tags in HTML documents. For example, in Internet Explorer 4.0, if an adversary supplies an overly long path in the SRC= directive, the mshtml.dll component will suffer a buffer overflow. This is a standard example of content in a Web page being directed at a faulty module in the system. There are potentially thousands of different ways data can propagate into a given system, so these kinds of attacks will continue to be found in the wild.
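As an added illustration, not taken from CAPEC or from any browser's source, the shape of the defect behind the SRC= example and its hardened counterpart, in a hypothetical tag parser that keeps the path in a fixed-size buffer (`SRC_MAX`, the function names and the sample tags are all constructed here):

```c
#include <stdbool.h>
#include <string.h>
#define SRC_MAX 64  /* fixed-size SRC= buffer of a hypothetical tag parser */

/* Locate SRC="..." in one tag: first byte and length, or NULL if absent or unterminated. */
static const char *find_src_value(const char *tag, size_t *len) {
    const char *p = strstr(tag, "SRC=\"");
    if (!p) return NULL;
    p += strlen("SRC=\"");
    const char *end = strchr(p, '"');
    if (!end) return NULL;
    *len = (size_t)(end - p);
    return p;
}
/* Vulnerable shape (CWE-120): the copy length comes from the page, not from the */
/* destination, so an overlong value writes past dst. Shown for contrast; never called. */
void copy_src_unchecked(char *dst, const char *value, size_t len) {
    memcpy(dst, value, len);
    dst[len] = '\0';
}

/* Hardened shape: check the page-supplied length against the buffer size (leaving */
/* room for the NUL) before writing a single byte; reject rather than truncate. */
bool copy_src_checked(char *dst, size_t dst_size, const char *value, size_t len) {
    if (len >= dst_size) return false;  /* reject the tag instead of overflowing */
    memcpy(dst, value, len);
    dst[len] = '\0';
    return true;
}

/* Parse one tag into a fixed buffer; false means the tag was rejected. */
bool parse_tag_src(const char *tag, char *dst, size_t dst_size) {
    size_t len = 0;
    const char *v = find_src_value(tag, &len);
    return v && copy_src_checked(dst, dst_size, v, len);
}

/* Constructed inputs: an ordinary tag, and one whose path is 200 bytes long. */
bool normal_tag_accepted(void) {
    char buf[SRC_MAX];
    return parse_tag_src("<IMG SRC=\"images/logo.gif\">", buf, sizeof buf)
        && strcmp(buf, "images/logo.gif") == 0;
}
bool overlong_tag_rejected(void) {
    char tag[256], buf[SRC_MAX];
    memset(tag, 'A', sizeof tag);            /* 200 'A's will sit after SRC=" */
    memcpy(tag, "<IMG SRC=\"", 10);
    memcpy(tag + 210, "\">", 3);             /* closing quote, '>', NUL */
    return !parse_tag_src(tag, buf, sizeof buf);
}
```

The hardened copy turns the overlong path into a rejected tag rather than an overwritten return address; the same length-versus-destination comparison is what the unchecked version lacks.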