CAPEC-45 Detail
Buffer Overflow via Symbolic Links
Abstraction: Detailed
Domain: Software
Likelihood: High
Typical Severity: High
Parents: 100
Threats: T62
Not present
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-45 | capec | https://capec.mitre.org/data/definitions/45.html | |
| CWE-120 | cwe | http://cwe.mitre.org/data/definitions/120.html | |
| CWE-285 | cwe | http://cwe.mitre.org/data/definitions/285.html | |
| CWE-302 | cwe | http://cwe.mitre.org/data/definitions/302.html | |
| CWE-118 | cwe | http://cwe.mitre.org/data/definitions/118.html | |
| CWE-119 | cwe | http://cwe.mitre.org/data/definitions/119.html | |
| CWE-74 | cwe | http://cwe.mitre.org/data/definitions/74.html | |
| CWE-20 | cwe | http://cwe.mitre.org/data/definitions/20.html | |
| CWE-680 | cwe | http://cwe.mitre.org/data/definitions/680.html | |
| CWE-697 | cwe | http://cwe.mitre.org/data/definitions/697.html | |
| REF-1 | reference_from_CAPEC | | G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004-02, Addison-Wesley |
Explore
- Identify target application: The adversary identifies a target application or program that might load in certain files to memory.
Experiment
- Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.
| Techniques |
|---|
| The adversary creates or modifies a symbolic link pointing to those files which contain an excessive amount of data. If creating a symbolic link to one of those files causes different behavior in the application, then an injection vector has been identified. |
- Craft overflow file content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.
| Techniques |
|---|
| Create malicious shellcode that will execute when the program execution is returned to it. |
| Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs. |
Exploit
- Overflow the buffer: Using the specially crafted file content, the adversary creates a symbolic link from the identified resource to the malicious file, causing a targeted buffer overflow attack.
Prerequisites
- The adversary can create a symbolic link on the target host.
- The target host does not perform correct boundary checking while consuming data from a resource.
Not present
Skills Required
| Low | High |
|---|---|
| An adversary can simply overflow a buffer by inserting a long string into an adversary-modifiable injection vector. The result can be a DoS. | Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level. |
| Integrity | Availability | Confidentiality |
|---|---|---|
| Execute Unauthorized Commands (Run Arbitrary Code) | Unreliable Execution | Execute Unauthorized Commands (Run Arbitrary Code) |
| Modify Data | Execute Unauthorized Commands (Run Arbitrary Code) | Read Data |
- The EFTP server has a buffer overflow that can be exploited if an adversary uploads a .lnk (link) file that contains more than 1,744 bytes. This is a classic example of an indirect buffer overflow. First the adversary uploads some content (the link file) and then the adversary causes the client consuming the data to be exploited. In this example, the ls command is exploited to compromise the server software.
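As an added example, not part of the CAPEC entry or any product it names, here is a C file loader written from the defender's side that removes both prerequisites above: it refuses to follow a symbolic link at the requested path and checks the size before anything is copied into the fixed buffer, so the indirection that was used against EFTP's 1,744-byte limit has nothing to reach. It assumes a POSIX system; the fixture directory, file names and BUF_CAP are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#define BUF_CAP 64   /* fixed consumer buffer (constructed); EFTP's limit was 1,744 bytes */

/* Loads `path` into `buf` only if it is a regular, non-symlinked file that fits.
   Returns bytes loaded (>= 0), or -1 symlink refused, -2 open/stat/read error,
   -3 content too large (rejected rather than silently truncated). */
int load_untrusted_file(const char *path, char *buf, size_t cap) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);   /* a symlink at `path` fails with ELOOP */
    if (fd < 0)
        return errno == ELOOP ? -1 : -2;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -2; }
    if ((size_t)st.st_size >= cap) { close(fd); return -3; }   /* size check before any copy */
    ssize_t n = read(fd, buf, cap - 1);   /* still bounded if the file grew after fstat */
    close(fd);
    if (n < 0) return -2;
    buf[n] = '\0';
    return (int)n;
}
/* Constructed fixture in a temp dir: ok.txt (5 bytes), big.txt (oversized) and
   link.txt -> big.txt, the indirection this pattern relies on. Returns 0 on success. */
static char fixture_dir[] = "/tmp/capec45-XXXXXX";
static int write_file(const char *name, size_t len) {
    char p[128];
    snprintf(p, sizeof p, "%s/%s", fixture_dir, name);
    FILE *f = fopen(p, "w");
    if (!f) return -1;
    while (len--) fputc('A', f);
    return fclose(f);
}
int make_fixture(void) {
    char link[128];
    if (!mkdtemp(fixture_dir)) return -1;
    snprintf(link, sizeof link, "%s/link.txt", fixture_dir);
    return write_file("ok.txt", 5) || write_file("big.txt", BUF_CAP + 100) || symlink("big.txt", link);
}

/* Runs the hardened loader on one fixture entry and returns its result code. */
int check_fixture_entry(const char *name) {
    static char buf[BUF_CAP], p[128];
    snprintf(p, sizeof p, "%s/%s", fixture_dir, name);
    return load_untrusted_file(p, buf, BUF_CAP);
}
```

The loader rejects rather than truncates an oversized file, because a silently truncated link file is still a sign that someone is probing the consumer; logging the -1 and -3 results gives a detection hook for this pattern.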