Name | Overflow Binary Resource File
Likelihood of attack | High
Typical severity | Very High
Summary |
An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources include music files such as MP3, image files such as JPEG, and any other binary file. These attacks may pass unnoticed on the client machine during normal use of such files, for example a browser loading a seemingly innocent JPEG file. A successful overflow can give the attacker control of the execution stack and allow arbitrary code to run in the target process. This attack pattern is a variant of the standard buffer overflow attack that uses an unexpected vector (binary files) to carry the attack and so opens up a new attack surface. The attacker must either serve the binary content directly to the victim or place it in a location such as an MP3 sharing application for the victim to download. The attacker is then notified of the download or otherwise locates the foothold opened up by the buffer overflow. |
Prerequisites |
Target software processes binary resource files. Target software contains a buffer overflow vulnerability reachable through input from a user-controllable binary resource file. |
Execution Flow
Step | Phase | Description | Techniques
1 | Explore | The adversary identifies software that uses external binary files in some way. This could be a file upload, downloading a file from a shared location, or other means. | 
2 | Experiment | The adversary creates a malicious binary file by altering the header to make the file seem shorter than it is. Additional bytes are added to the end of the file to be placed in the overflowed location. | 
3 | Experiment | The adversary deploys this file to the software, observing its behavior. If the source code is available, the adversary can carefully craft the malicious file to execute the intended behavior. If the source code is not available, the adversary will iteratively alter the file to reach the intended behavior. | 
4 | Exploit | Once the adversary has constructed a file that overflows the targeted software in the intended way, the file is deployed to the software. | 
5 | Exploit | Upon successful exploitation, the system either crashes or control of the program is transferred to a location of the adversary's choice. This can result in execution of arbitrary code or escalated privileges, depending upon the exploited target. | 
Solutions |
Perform appropriate bounds checking on all buffers.
Design: Enforce principle of least privilege.
Design: Static code analysis.
Implementation: Execute program in a less trusted process space environment; do not allow lower integrity processes to write to higher integrity processes.
Implementation: Keep software patched to ensure that known vulnerabilities are not available for attackers to target on the host. |
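The following C program is an added illustration and is not part of the CAPEC entry. It models the header/size mismatch described in step 2 of the execution flow and the bounds checking recommended under Solutions. The resource format (a "RSRC" magic followed by a little-endian payload length), the PAYLOAD_MAX limit, the sample files and the function names are all constructed for this example. The naive parser's defect is quantified arithmetically rather than executed, so the program never writes out of bounds; the hardened parser shows the two checks that close the hole: the declared length must fit the destination buffer and must agree with the number of bytes actually present.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical resource format, constructed for this example (not a real
 * media format): 4-byte magic "RSRC", 4-byte little-endian payload length,
 * then the payload. A parser that sizes its buffer by the header but then
 * copies until end-of-file has the defect this attack pattern relies on. */
#define HDR_SIZE    8u
#define PAYLOAD_MAX 64u

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Models the naive parser without performing the out-of-bounds write:
 * it would allocate `declared` bytes from the header and then copy every
 * byte that follows the header. Returns how many bytes that copy would land
 * past the end of the allocation (0 means no overflow), or -1 if the file
 * is too short to even carry a header. */
long naive_overflow_bytes(const uint8_t *file, size_t file_len)
{
    if (file_len < HDR_SIZE)
        return -1;
    uint32_t declared = read_le32(file + 4);
    size_t actual = file_len - HDR_SIZE;      /* what the naive loop copies */
    return actual > declared ? (long)(actual - declared) : 0;
}

/* Hardened parser: the declared length must fit the fixed destination
 * buffer and must agree with the bytes actually present. Returns the
 * payload length on success, -1 on rejection; `out` is untouched when the
 * file is rejected. */
int parse_resource_safe(const uint8_t *file, size_t file_len,
                        uint8_t out[PAYLOAD_MAX])
{
    if (file == NULL || out == NULL || file_len < HDR_SIZE)
        return -1;                              /* no complete header */
    if (memcmp(file, "RSRC", 4) != 0)
        return -1;                              /* wrong magic */
    uint32_t declared = read_le32(file + 4);
    if (declared > PAYLOAD_MAX)
        return -1;                              /* would overflow out[] */
    if ((size_t)declared != file_len - HDR_SIZE)
        return -1;                              /* header disagrees with file size */
    memcpy(out, file + HDR_SIZE, declared);
    return (int)declared;
}

/* Constructed sample files. */
static const uint8_t GOOD_FILE[] = {
    'R','S','R','C', 5,0,0,0, 'h','e','l','l','o' };       /* header matches */
static const uint8_t SHORT_HEADER_FILE[] = {
    'R','S','R','C', 2,0,0,0,
    'h','e','l','l','o','w','o','r','l','d' };              /* claims 2, carries 10 */
static const uint8_t TRUNCATED_FILE[] = { 'R','S','R','C', 5,0 };

static uint8_t demo_out[PAYLOAD_MAX];           /* destination used by main() */

int main(void)
{
    printf("good file:    safe=%d naive_overflow=%ld\n",
           parse_resource_safe(GOOD_FILE, sizeof GOOD_FILE, demo_out),
           naive_overflow_bytes(GOOD_FILE, sizeof GOOD_FILE));
    printf("short header: safe=%d naive_overflow=%ld\n",
           parse_resource_safe(SHORT_HEADER_FILE, sizeof SHORT_HEADER_FILE, demo_out),
           naive_overflow_bytes(SHORT_HEADER_FILE, sizeof SHORT_HEADER_FILE));
    printf("truncated:    safe=%d naive_overflow=%ld\n",
           parse_resource_safe(TRUNCATED_FILE, sizeof TRUNCATED_FILE, demo_out),
           naive_overflow_bytes(TRUNCATED_FILE, sizeof TRUNCATED_FILE));
    return 0;
}
```

The same two checks are what a static analyser or a fuzzer harness would flag as missing in a real decoder: a length field taken from attacker-controlled input must be validated against both the fixed destination size and the amount of data actually received before it is used to size any copy.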
Related Weaknesses
CWE ID | Description
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-697 | Incorrect Comparison
CWE-713 | OWASP Top Ten 2007 Category A2 - Injection Flaws
Related CAPECs
CAPEC ID | Description
CAPEC-23 | An attack of this type exploits the host's trust in executing remote content, including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the adversary and may be passed through standard channels such as email, and standard web content such as PDF and multimedia files. The adversary exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications, from Microsoft Office to Adobe Acrobat and the Apple Safari web browser. When the adversary knows the standard handling routines and can identify vulnerabilities and entry points, they can be exploited by otherwise seemingly normal content. Once the attack is executed, the adversary's program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst-case scenario, these programs are combined with other propagation logic and work as a virus.
CAPEC-100 | Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversary's choice.