CAPEC-67: String Format Overflow in syslog()

Description

This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.

Extended Description

This attack first requires the adversary to trick the victim into installing a Trojan Horse application on their system, such as a malicious web browser plugin, which the adversary then leverages to mount the attack. The victim interacts with a web application, such as a banking website, in a normal manner and under the assumption that the connection is secure. However, the adversary can now alter and/or reroute traffic between the client application (e.g., web browser) and the coinciding endpoint, while simultaneously displaying intended transactions and data back to the user. The adversary may also be able to glean cookies, HTTP sessions, and SSL client certificates, which can be used to pivot into an authenticated intranet. Identifying AITB is often difficult because these attacks are successful even when security mechanisms such as SSL/PKI and multifactor authentication are present, since they still function as intended during the attack.

Severity :

Very High

Possibility :

High

Type :

Detailed

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-69: Target Programs with Elevated Privileges Target Programs with Elevated Privileges CAPEC-100: Overflow Buffers Overflow Buffers CAPEC-135: Format String Injection Format String Injection

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

The Syslog function is used without specifying a format string argument, allowing user input to be placed direct into the function call as a format string.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

WASC | Format String

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-20: Improper Input Validation

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-134: Use of Externally-Controlled Format String

CWE-680: Integer Overflow to Buffer Overflow

CWE-697: Incorrect Comparison

Visit http://capec.mitre.org/ for more details.