Name | Subverting Environment Variable Values
Likelihood of attack | High
Typical severity | Very High
Summary | The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
Prerequisites | An environment variable is accessible to the user. An environment variable used by the application can be tainted with user-supplied data. Input data used in an environment variable is not validated properly. The variable's encapsulation is not done properly; for instance, declaring a variable as public in a class makes it visible, and an attacker may attempt to manipulate that variable.
Execution Flow
Step | Phase | Description | Techniques
1 | Explore | The attacker probes the application for information: which version of the application is running, whether there are known environment variables, and so on. |
2 | Experiment | The attacker gains control of an environment variable and tries to find out which process(es) the environment variable controls. |
3 | Exploit | The attacker modifies the environment variable to abuse the normal flow of processes or to gain access to privileged resources. |
Solutions | Protect environment variables against unauthorized read and write access. Protect the configuration files that contain environment variables against illegitimate read and write access. Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications; input that does not match the allowlist should not be permitted to enter the system. Apply the principle of least privilege: if a process has no legitimate reason to read an environment variable, do not give it that privilege.
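Added example (not part of the CAPEC entry) of the allowlist approach described above: a hypothetical application reads two environment variables, LOG_LEVEL and CONFIG_FILE, matches each against a fixed allowlist, confines the resulting file path to an assumed configuration directory, and reports rejected values instead of using them.

```python
import os
import re
from pathlib import Path

# Constructed allowlists for this example: every value the requirements permit,
# enumerated up front. Anything not listed is rejected rather than "cleaned up".
ALLOWED_LOG_LEVELS = frozenset({"DEBUG", "INFO", "WARNING", "ERROR"})
CONFIG_ROOT = Path("/opt/example-app/conf")  # hypothetical config directory
# Plain file names only: no separators, no leading dot, bounded length.
CONFIG_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}(\.conf)?")


def validate_log_level(raw):
    """Exact-match allowlist (CWE-15 setting); returns the canonical value or None."""
    value = raw.strip().upper()
    return value if value in ALLOWED_LOG_LEVELS else None


def validate_config_file(raw):
    """Allowlisted name, then confirm the resolved path is directly under
    CONFIG_ROOT (CWE-73: external control of file name or path)."""
    if not CONFIG_NAME_RE.fullmatch(raw):
        return None
    candidate = (CONFIG_ROOT / raw).resolve()
    if candidate.parent != CONFIG_ROOT.resolve():
        return None
    return candidate


def check_environment(env=None):
    """Read only the variables the application needs, validate each against its
    allowlist, and report rejections instead of falling back to the raw value."""
    env = os.environ if env is None else env
    settings = {"LOG_LEVEL": "INFO", "CONFIG_FILE": CONFIG_ROOT / "default.conf"}
    checks = {"LOG_LEVEL": validate_log_level, "CONFIG_FILE": validate_config_file}
    errors = []
    for name, validator in checks.items():
        raw = env.get(name)
        if raw is None:
            continue  # unset: keep the built-in default
        value = validator(raw)
        if value is None:
            errors.append(f"{name}: rejected value {raw!r}")
        else:
            settings[name] = value
    return {"settings": settings, "errors": errors}


if __name__ == "__main__":  # constructed sample environment, not os.environ
    print(check_environment({"LOG_LEVEL": "DEBUG=1", "CONFIG_FILE": "../../etc/passwd"}))
```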
Related Weaknesses
CWE ID | Description
CWE-15 | External Control of System or Configuration Setting
CWE-20 | Improper Input Validation
CWE-73 | External Control of File Name or Path
CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor
CWE-285 | Improper Authorization
CWE-302 | Authentication Bypass by Assumed-Immutable Data
CWE-353 | Missing Support for Integrity Check
Related CAPECs
CAPEC ID | Description
CAPEC-10 | This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages the implicit trust often placed in environment variables.
CAPEC-14 | This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
CAPEC-77 | This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Taxonomy: ATTACK
Entry ID | Entry Name
1562.003 | Impair Defenses: Impair Command History Logging
1574.006 | Hijack Execution Flow: LD_PRELOAD
1574.007 | Hijack Execution Flow: Path Interception by PATH Environment Variable