Name |
Retrieve Embedded Sensitive Data |
|
Likelyhood of attack |
Typical severity |
High |
Very High |
|
Summary |
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack. |
Prerequisites |
In order to feasibly execute this type of attack, some valuable data must be present in client software. Additionally, this information must be unprotected, or protected in a flawed fashion, or through a mechanism that fails to resist reverse engineering, statistical, or other attack. |
Execution Flow |
Step |
Phase |
Description |
Techniques |
1 |
Explore |
[Identify Target] Attacker identifies client components to extract information from. These may be binary executables, class files, shared libraries (e.g., DLLs), configuration files, or other system files. |
- Binary file extraction. The attacker extracts binary files from zips, jars, wars, PDFs or other composite formats.
- Package listing. The attacker uses a package manifest provided with the software installer, or the filesystem itself, to identify component files suitable for attack.
|
2 |
Exploit |
[Retrieve Embedded Data] The attacker then uses a variety of techniques, such as sniffing, reverse-engineering, and cryptanalysis to retrieve the information of interest. |
- API Profiling. The attacker monitors the software's use of registry keys or other operating system-provided storage locations that can contain sensitive information.
- Execution in simulator. The attacker physically removes mass storage from the system and explores it using a simulator, external system, or other debugging harness.
- Common decoding methods. The attacker applies methods to decode such encodings and compressions as Base64, unzip, unrar, RLE decoding, gzip decompression and so on.
- Common data typing. The attacker looks for common file signatures for well-known file types (JPEG, TIFF, ASN.1, LDIF, etc.). If the signatures match, they attempt decoding in that format.
|
|
Solutions | |
Related Weaknesses |
CWE ID
|
Description
|
CWE-226 |
Sensitive Information in Resource Not Removed Before Reuse |
CWE-311 |
Missing Encryption of Sensitive Data |
CWE-312 |
Cleartext Storage of Sensitive Information |
CWE-314 |
Cleartext Storage in the Registry |
CWE-315 |
Cleartext Storage of Sensitive Information in a Cookie |
CWE-318 |
Cleartext Storage of Sensitive Information in Executable |
CWE-525 |
Use of Web Browser Cache Containing Sensitive Information |
CWE-1239 |
Improper Zeroization of Hardware Register |
CWE-1258 |
Exposure of Sensitive System Information Due to Uncleared Debug Information |
CWE-1266 |
Improper Scrubbing of Sensitive Data from Decommissioned Device |
CWE-1272 |
Sensitive Information Uncleared Before Debug/Power State Transition |
CWE-1278 |
Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques |
CWE-1301 |
Insufficient or Incomplete Data Removal within Hardware Component |
CWE-1330 |
Remanent Data Readable after Memory Erase |
|
Related CAPECS |
CAPEC ID
|
Description
|
CAPEC-167 |
An attacker discovers the structure, function, and composition of a type of computer software through white box analysis techniques. White box techniques involve methods which can be applied to a piece of software when an executable or some other compiled object can be directly subjected to analysis, revealing at least a portion of its machine instructions that can be observed upon execution. |
|
Taxonomy: ATTACK |
Entry ID
|
Entry Name
|
1005 |
Data from Local System |
1552.004 |
Unsecured Credentials: Private Keys |
|