CAPEC-14: Client-side Injection-induced Buffer Overflow
CAPEC版本: 3.9
更新日期: 2023-01-24
攻击模式描述
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service. This hostile service is created to deliver the correct content to the client software. For example, if the client-side application is a browser, the service will host a webpage that the browser loads.
执行流程
步骤 1 Explore
[Identify target client-side application] The adversary identifies a target client-side application to perform the buffer overflow on. The most common are browsers. If there is a known browser vulnerability an adversary could target that.
步骤 2 Experiment
[Find injection vector] The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.
- Many times client side applications will be open source, so an adversary can examine the source code to identify possible injection vectors.
- Examine APIs of the client-side application and look for areas where a buffer overflow might be possible.
步骤 3 Experiment
[Create hostile service] The adversary creates a hostile service that will deliver content to the client-side application. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.
- If the client-side application is a browser, the adversary will create a service that delivers a malicious webpage to the browser.
- Create malicious shellcode that will execute when the program execution is returned to it.
- Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs
步骤 4 Exploit
[Overflow the buffer] Using the injection vector, the adversary delivers the content to the client-side application using the hostile service and overflows the buffer.
- If the adversary is targeting a local client-side application, they just need to use the service themselves.
- If the adversary is attempting to cause an overflow on an external user's client-side application, they must get the user to attach to their service by some other means. This could be getting a user to visit their hostile webpage to target a user's browser.
前提条件
- The targeted client software communicates with an external server.
- The targeted client software has a buffer overflow vulnerability.
所需技能
后果影响
影响范围: Confidentiality
技术影响: Read Data
影响范围: Integrity
技术影响: Modify Data
影响范围: Availability
技术影响: Resource Consumption
说明: Denial of Service
影响范围: Confidentiality Integrity Availability
技术影响: Execute Unauthorized Commands
说明: Run Arbitrary Code
缓解措施
The client software should not install untrusted code from a non-authenticated server.
The client software should have the latest patches and should be audited for vulnerabilities before being used to communicate with potentially hostile servers.
Perform input validation for length of buffer inputs.
Use a language or compiler that performs automatic bounds checking.
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.
Ensure all buffer uses are consistently bounds-checked.
Use OS-level preventative functionality. Not a complete solution.