|Manipulating Web Input to File System Calls
|Likelyhood of attack
|An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
|Program must allow for user controlled variables to be applied directly to the filesystem
|[Fingerprinting of the operating system] In order to create a valid file injection, the attacker needs to know what the underlying OS is so that the proper file seperator is used.
- Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
- TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
- Induce errors to find informative error messages
|[Survey the Application to Identify User-controllable Inputs] The attacker surveys the target application to identify all user-controllable inputs, possibly as a valid and authenticated user
- Spider web sites for all available links, entry points to the web site.
- Manually explore application and inventory all application inputs
|[Vary inputs, looking for malicious results] Depending on whether the application being exploited is a remote or local one, the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application
- Inject context-appropriate malicious file path using network packet injection tools (netcat, nemesis, etc.)
- Inject context-appropriate malicious file path using web test frameworks (proxies, TamperData, custom programs, etc.) or simple HTTP requests
- Inject context-appropriate malicious file system control syntax
|[Manipulate files accessible by the application] The attacker may steal information or directly manipulate files (delete, copy, flush, etc.)
- The attacker injects context-appropriate malicious file path to access the content of the targeted file.
- The attacker injects context-appropriate malicious file system control syntax to access the content of the targeted file.
- The attacker injects context-appropriate malicious file path to cause the application to create, delete a targeted file.
- The attacker injects context-appropriate malicious file system control syntax to cause the application to create, delete a targeted file.
- The attacker injects context-appropriate malicious file path in order to manipulate the meta-data of the targeted file.
- The attacker injects context-appropriate malicious file system control syntax in order to manipulate the meta-data of the targeted file.
|Design: Enforce principle of least privilege. Design: Ensure all input is validated, and does not contain file system commands Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands. Design: For interactive user applications, consider if direct file system interface is necessary, instead consider having the application proxy communication. Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.
|External Control of System or Configuration Setting
|Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|Relative Path Traversal
|Improper Link Resolution Before File Access ('Link Following')
|External Control of File Name or Path
|Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|Improper Neutralization of Special Elements used in a Command ('Command Injection')
|Least Privilege Violation
|Origin Validation Error
|Use of Less Trusted Source
|An adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should be not be retrievable by ordinary well-formed requests. A typical variety of this attack involves specifying a path to a desired file together with dot-dot-slash characters, resulting in the file access API or function traversing out of the intended directory structure and into the root file system. By replacing or modifying the expected path information the access function or API retrieves the file desired by the attacker. These attacks either involve the attacker providing a complete path to a targeted file or using control characters (e.g. path separators (/ or \) and/or dots (.)) to reach desired directories or files.