Name: Subverting Environment Variable Values

Likelihood of attack: High
Typical severity: Very High
|
Summary

The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary.

Prerequisites

An environment variable is accessible to the user. An environment variable used by the application can be tainted with user-supplied data. Input data used in an environment variable is not validated properly. The variable's encapsulation is not done properly; for instance, declaring a variable as public in a class makes it visible, and an adversary may attempt to manipulate it.
Execution Flow

| Step | Phase | Description | Techniques |
| --- | --- | --- | --- |
| 1 | Explore | [Probe target application] The adversary first probes the target application to determine important information about the target. This information could include the types of software used, software versions, what user input the application consumes, and so on. Most importantly, the adversary tries to determine what environment variables might be used by the underlying software, or even the application itself. | |
| 2 | Experiment | [Find user-controlled environment variables] Using the information found by probing the application, the adversary attempts to manipulate any user-controlled environment variables they have found are being used by the application, or suspect are being used by the application, and observes the effects of these changes. If the adversary notices any significant changes to the application, they will know that a certain environment variable is important to the application behavior and indicates a possible attack vector. | Alter known environment variables such as "$PATH", "$HOSTNAME", or "LD_LIBRARY_PATH" and see if application behavior changes. |
| 3 | Exploit | [Manipulate user-controlled environment variables] The adversary manipulates the found environment variable(s) to abuse the normal flow of processes or to gain access to privileged resources. | |
Solutions

Protect environment variables against unauthorized read and write access. Protect the configuration files which contain environment variables against illegitimate read and write access. Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Apply the least privilege principle. If a process has no legitimate reason to read an environment variable, do not give it that privilege.
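The allowlist mitigation above, worked through for the child-process case, as an added example that is not part of the CAPEC entry: instead of passing the parent's environment through, the launcher rebuilds it from a fixed set of variables, each with its own validator, and reports what it dropped so the caller can log it. The variable set, the safe PATH directories, the validation patterns and the sample environment are all assumptions constructed for this example.

```python
import os
import re
import subprocess

# Constructed allowlist: the only variables a child may inherit, each with a validator
# that returns a cleaned value or None to reject it. LD_*, DYLD_*, IFS etc. never appear.
SAFE_DIRS = ("/usr/local/bin", "/usr/bin", "/bin")
HOSTNAME_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                         r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*")
LANG_RE = re.compile(r"[A-Za-z_]+(\.[A-Za-z0-9-]+)?")

def validate_path(value):
    """Keep only entries that are in SAFE_DIRS (POSIX ':' separator); relative entries
    such as '.' or '' and attacker-writable directories never reach the child."""
    kept = [d for d in value.split(":") if d in SAFE_DIRS]
    return ":".join(kept) if kept else None

VALIDATORS = {
    "PATH": validate_path,
    "HOSTNAME": lambda v: v if HOSTNAME_RE.fullmatch(v) else None,
    "LANG": lambda v: v if LANG_RE.fullmatch(v) else None,
}

def build_child_env(parent_env):
    """Return (env, rejected): env holds only allowlisted, validated variables; rejected
    maps each dropped variable to the reason, so an unexpected LD_PRELOAD can be alerted on."""
    env, rejected = {}, {}
    for name, raw in parent_env.items():
        check = VALIDATORS.get(name)
        if check is None:
            rejected[name] = "not allowlisted"
        elif (cleaned := check(raw)) is None:
            rejected[name] = "failed validation"
        else:
            env[name] = cleaned
    env.setdefault("PATH", ":".join(SAFE_DIRS))  # never run a child with no PATH at all
    return env, rejected

def run_tool(argv, parent_env=None):
    """Run argv with the rebuilt environment; nothing else from the parent is inherited."""
    env, _ = build_child_env(os.environ if parent_env is None else parent_env)
    return subprocess.run(argv, env=env, check=False)

# Constructed parent environment carrying a tainted PATH and a planted LD_PRELOAD.
CONSTRUCTED_ENV = {
    "PATH": "/tmp/attacker:/usr/bin:.:/bin",
    "LD_PRELOAD": "/tmp/evil.so",
    "HOSTNAME": "build-01.example.internal",
    "LANG": "en_US.UTF-8",
    "IFS": " \t\n",
}
```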
Related Weaknesses

| CWE ID | Description |
| --- | --- |
| CWE-15 | External Control of System or Configuration Setting |
| CWE-20 | Improper Input Validation |
| CWE-73 | External Control of File Name or Path |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| CWE-285 | Improper Authorization |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data |
| CWE-353 | Missing Support for Integrity Check |
|
Related CAPECs

| CAPEC ID | Description |
| --- | --- |
| CAPEC-10 | This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the adversary finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables. |
| CAPEC-14 | This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service. This hostile service is created to deliver the correct content to the client software. For example, if the client-side application is a browser, the service will host a webpage that the browser loads. |
| CAPEC-77 | This attack targets user-controlled variables (DEBUG=1, PHP Globals, and so forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables. |
|
Taxonomy: ATT&CK

| Entry ID | Entry Name |
| --- | --- |
| 1562.003 | Impair Defenses: Impair Command History Logging |
| 1574.006 | Hijack Execution Flow: Dynamic Linker Hijacking |
| 1574.007 | Hijack Execution Flow: Path Interception by PATH Environment Variable |