| Name |
Retrieve Embedded Sensitive Data |
|
| Likelyhood of attack |
Typical severity |
| High |
Very High |
|
| Summary |
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack. |
| Prerequisites |
In order to feasibly execute this type of attack, some valuable data must be present in client software. Additionally, this information must be unprotected, or protected in a flawed fashion, or through a mechanism that fails to resist reverse engineering, statistical, or other attack. |
| Execution Flow |
| Step |
Phase |
Description |
Techniques |
| 1 |
Explore |
[Identify Target] Attacker identifies client components to extract information from. These may be binary executables, class files, shared libraries (e.g., DLLs), configuration files, or other system files. |
- Binary file extraction. The attacker extracts binary files from zips, jars, wars, PDFs or other composite formats.
- Package listing. The attacker uses a package manifest provided with the software installer, or the filesystem itself, to identify component files suitable for attack.
|
| 2 |
Experiment |
[Apply mining techniques] The attacker then uses a variety of techniques, such as sniffing, reverse-engineering, and cryptanalysis to extract the information of interest. |
- API Profiling. The attacker monitors the software's use of registry keys or other operating system-provided storage locations that can contain sensitive information.
- Execution in simulator. The attacker physically removes mass storage from the system and explores it using a simulator, external system, or other debugging harness.
- Common decoding methods. The attacker applies methods to decode such encodings and compressions as Base64, unzip, unrar, RLE decoding, gzip decompression and so on.
- Common data typing. The attacker looks for common file signatures for well-known file types (JPEG, TIFF, ASN.1, LDIF, etc.). If the signatures match, they attempt decoding in that format.
|
|
| Solutions | |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-226 |
Sensitive Information in Resource Not Removed Before Reuse |
| CWE-311 |
Missing Encryption of Sensitive Data |
| CWE-312 |
Cleartext Storage of Sensitive Information |
| CWE-314 |
Cleartext Storage in the Registry |
| CWE-315 |
Cleartext Storage of Sensitive Information in a Cookie |
| CWE-318 |
Cleartext Storage of Sensitive Information in Executable |
| CWE-525 |
Use of Web Browser Cache Containing Sensitive Information |
| CWE-1239 |
Improper Zeroization of Hardware Register |
| CWE-1258 |
Exposure of Sensitive System Information Due to Uncleared Debug Information |
| CWE-1266 |
Improper Scrubbing of Sensitive Data from Decommissioned Device |
| CWE-1272 |
Sensitive Information Uncleared Before Debug/Power State Transition |
| CWE-1278 |
Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques |
| CWE-1330 |
Remanent Data Readable after Memory Erase |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-167 |
An attacker discovers the structure, function, and composition of a type of computer software through white box analysis techniques. White box techniques involve methods which can be applied to a piece of software when an executable or some other compiled object can be directly subjected to analysis, revealing at least a portion of its machine instructions that can be observed upon execution. |
|
| Taxonomy: ATTACK |
|
Entry ID
|
Entry Name
|
| 1552.004 |
Unsecured Credentials:Private Keys |
|