Name: Create files with the same name as files protected with a higher classification

Likelihood of attack: Medium
Typical severity: Very High

Summary:
An attacker exploits the file-location logic of an operating system or application by creating a file with the same name as a protected or privileged file. If the operating system, or an application component that attempts to load the original file, trusts the attacker-created file instead, the attacker can manipulate the system. Applications often load or include external files, such as libraries or configuration files, and these files should be protected against malicious manipulation. However, if the application uses only the file's name to locate it, an attacker may be able to create a file with the same name and place it in a directory that the application searches before the directory holding the legitimate file. Because the attacker's file is discovered first, the target application uses it. This attack can be extremely destructive if the referenced file is executable and/or is granted special privileges based solely on having a particular name.
Prerequisites:
- The target application must include external files. Most non-trivial applications meet this criterion.
- The target application does not verify, by any means other than the name, that a located file is the one it was looking for. Many applications fail to perform checks of this type.
- The directories the target application searches for the included file include attacker-writable directories that are searched before the protected directory containing the actual files. It is much less common for applications to meet this criterion, but if an attacker can manipulate the application's search path (for example by controlling environment variables), they can force this criterion to be met.
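As an added illustration (not code from the CAPEC entry), the Python below contrasts a name-only lookup over a search path with a lookup that checks where the matched file actually lives and who can write it; the directory layout, the file name app.conf and the assumption that the application and its protected files share an owner are constructed for the demo.

```python
# Added example (not from the CAPEC entry): name-only lookup vs. a location-checked lookup.
from __future__ import annotations
import os
import stat
import tempfile
from pathlib import Path


def find_by_name(name: str, search_path: list[str]) -> Path | None:
    """Vulnerable pattern: trust the first file whose name matches, wherever it lives."""
    for directory in search_path:
        candidate = Path(directory) / name
        if candidate.is_file():
            return candidate
    return None


def find_trusted(name: str, search_path: list[str], trusted_root: str) -> Path | None:
    """Hardened pattern: accept a match only if, after resolving symlinks, it sits under
    trusted_root, is owned by the running user (assumed owner) and is not group/world-writable."""
    root = Path(trusted_root).resolve()
    for directory in search_path:
        candidate = Path(directory) / name
        if not candidate.is_file():
            continue
        real = candidate.resolve()
        if root not in real.parents:
            continue  # same name, but outside the protected tree: a planted file
        st = real.stat()
        owner_ok = not hasattr(os, "geteuid") or st.st_uid == os.geteuid()
        if not owner_ok or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            continue  # wrong owner or loosely writable: do not load it
        return real
    return None


def demo() -> tuple[str | None, str | None]:
    """Constructed scenario: a writable directory searched before the protected one."""
    base = Path(tempfile.mkdtemp())
    planted_dir, protected_dir = base / "writable", base / "protected"
    for d in (planted_dir, protected_dir):
        d.mkdir()
    (planted_dir / "app.conf").write_text("planted")  # attacker-planted, same name
    (protected_dir / "app.conf").write_text("legit")   # the real, protected file
    os.chmod(protected_dir / "app.conf", 0o644)
    search = [str(planted_dir), str(protected_dir)]
    naive = find_by_name("app.conf", search)
    hardened = find_trusted("app.conf", search, str(protected_dir))
    return (naive.read_text() if naive else None,
            hardened.read_text() if hardened else None)
```

The name-only lookup returns the planted file, while the checked lookup skips it and returns the legitimate one.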
Solutions: (none given)

Related Weaknesses:
CWE-706: Use of Incorrectly-Resolved Name or Reference

Related CAPECs:
CAPEC-17:
An attack of this type exploits a system configuration that allows an attacker either to access an executable file directly, for example through shell access, or, in the worst case, to upload a file and then execute it. Web servers, FTP servers, and message-oriented middleware systems with many integration points are particularly vulnerable, because both the programmers and the administrators must be in sync regarding the interfaces and the correct privileges for each interface.

Taxonomy: ATTACK
Entry ID 1036: Masquerading