CAPEC-165: File Manipulation

Description
An attacker modifies file contents or attributes (such as extensions or names) of files in a manner to cause incorrect processing by an application. Attackers use this class of attacks to cause applications to enter unstable states, overwrite or expose sensitive information, and even execute arbitrary code with the application's privileges. This class of attacks differs from attacks on configuration information (even if file-based) in that file manipulation causes the file processing to result in non-standard behaviors, such as buffer overflows or use of the incorrect interpreter. Configuration attacks rely on the application interpreting files correctly in order to insert harmful configuration information. Likewise, resource location attacks rely on controlling an application's ability to locate files, whereas File Manipulation attacks do not require the application to look in a non-default location, although the two classes of attacks are often combined.
Extended Description

For example, using a different character encoding might cause dangerous text to be treated as safe text. Alternatively, the attacker may use certain flags, such as file extensions, to make a target application believe that provided data should be handled using a certain interpreter when the data is not actually of the appropriate type. This can lead to bypassing protection mechanisms, forcing the target to use specific components for input processing, or otherwise causing the user's data to be handled differently than might otherwise be expected. This attack differs from Variable Manipulation in that Variable Manipulation attempts to subvert the target's processing through the value of the input while Input Data Manipulation seeks to control how the input is processed.

Severity :

Medium

Possibility :

Type :

Meta
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-23: File Content Injection File Content Injection CAPEC-73: User-Controlled Filename User-Controlled Filename CAPEC-561: Windows Admin Shares with Stolen Credentials Windows Admin Shares with Stolen Credentials CAPEC-572: Artificially Inflate File Sizes Artificially Inflate File Sizes CAPEC-635: Alternative Execution Due to Deceptive Filenames Alternative Execution Due to Deceptive Filenames CAPEC-636: Hiding Malicious Data or Code within Files Hiding Malicious Data or Code within Files CAPEC-643: Identify Shared Files/Directories on System Identify Shared Files/Directories on System CAPEC-644: Use of Captured Hashes (Pass The Hash) Use of Captured Hashes (Pass The Hash)
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • The target must use the affected file without verifying its integrity.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Masquerading: Rename System Utilities
Resources required

None: No specialized resources are required to execute this type of attack. In some cases, tools can be used to better control the response of the targeted application to the modified file.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

Visit http://capec.mitre.org/ for more details.