An adversary exploits a weakness in an application's specification of external libraries to exploit the functionality of the loader where the process loading the library searches first in the same directory in which the process binary resides and then in other directories. Exploitation of this preferential search order can allow an attacker to make the loading process load the adversary's rogue library rather than the legitimate library. This attack can be leveraged with many different libraries and with many different loading processes. No forensic trails are left in the system's registry or file system that an incorrect library had been loaded.
Description
Attack Execution Flow
3
1
Step 1
Explore[Identify target general susceptibility] An attacker uses an automated tool or manually finds whether the target application uses dynamically linked libraries and the configuration file or look up table (such as Procedure Linkage Table) which contains the entries for dynamically linked libraries.
The attacker uses a tool such as the OSX 'otool' utility or manually probes whether the target application uses dynamically linked libraries.
The attacker finds the configuration files containing the entries to the dynamically linked libraries and modifies the entries to point to the malicious libraries the attacker crafted.
AI Translation
[Identifica la suscettibilità generale del target] Un attaccante utilizza uno strumento automatizzato o individua manualmente se l'applicazione target utilizza librerie collegate dinamicamente e il file di configurazione o tabella di look-up (come la Procedure Linkage Table) che contiene le voci per le librerie collegate dinamicamente.
L'attaccante utilizza uno strumento come l'utilità "otool" di OSX o verifica manualmente se l'applicazione target utilizza librerie collegate dinamicamente.
L'attaccante individua i file di configurazione contenenti le voci per le librerie collegate dinamicamente e modifica le voci per puntare alle librerie dannose create dall'attaccante.
Attack Techniques
-
The attacker uses a tool such as the OSX "otool" utility or manually probes whether the target application uses dynamically linked libraries.
-
The attacker finds the configuration files containing the entries to the dynamically linked libraries and modifies the entries to point to the malicious libraries the attacker crafted.IT: L'attaccante utilizza uno strumento come l'utilità "otool" di OSX o effettua manualmente delle verifiche per determinare se l'applicazione target utilizza librerie collegate dinamicamente.
2
Step 2
Experiment[Craft malicious libraries] The attacker uses knowledge gained in the Explore phase to craft malicious libraries that they will redirect the target to leverage. These malicious libraries could have the same APIs as the legitimate library and additional malicious code.
The attacker monitors the file operations performed by the target application using a tool like dtrace or FileMon. And the attacker can delay the operations by using 'sleep(2)' and 'usleep()' to prepare the appropriate conditions for the attack, or make the application perform expansive tasks (large files parsing, etc.) depending on the purpose of the application.
AI Translation
[Creazione di librerie dannose] L'attaccante utilizza le conoscenze acquisite nella fase Explore per creare librerie dannose a cui reindirizzare il target. Queste librerie dannose potrebbero avere le stesse API della libreria legittima e includere codice dannoso aggiuntivo.
L'attaccante monitora le operazioni sui file eseguite dall'applicazione target utilizzando strumenti come dtrace o FileMon. Inoltre, può ritardare le operazioni usando "sleep(2)" e "usleep()" per preparare le condizioni appropriate per l'attacco, oppure far eseguire all'applicazione compiti impegnativi (analisi di file di grandi dimensioni, ecc.) a seconda dello scopo dell'applicazione.
Attack Techniques
-
The attacker monitors the file operations performed by the target application using a tool like dtrace or FileMon. And the attacker can delay the operations by using "sleep(2)" and "usleep()" to prepare the appropriate conditions for the attack, or make the application perform expansive tasks (large files parsing, etc.) depending on the purpose of the application.
3
Step 3
Exploit[Redirect the access to libraries to the malicious libraries] The attacker redirects the target to the malicious libraries they crafted in the Experiment phase. The attacker will be able to force the targeted application to execute arbitrary code when the application attempts to access the legitimate libraries.
The attacker modifies the entries in the configuration files pointing to the malicious libraries they crafted.
The attacker leverages symlink/timing issues to redirect the target to access the malicious libraries they crafted. See also: CAPEC-132.
The attacker leverages file search path order issues to redirect the target to access the malicious libraries they crafted. See also: CAPEC-38.
AI Translation
[Reindirizzamento dell'accesso alle librerie alle librerie dannose] L'attaccante reindirizza il target alle librerie dannose che ha creato nella fase di Esperimento. L'attaccante potrà costringere l'applicazione target ad eseguire codice arbitrario quando l'applicazione tenta di accedere alle librerie legittime.
L'attaccante modifica le voci nei file di configurazione puntando alle librerie dannose che ha creato.
L'attaccante sfrutta problemi di symlink/timing per reindirizzare il target all'accesso alle librerie dannose che ha creato. Vedi anche: CAPEC-132.
L'attaccante sfrutta problemi nell'ordine del file search path per reindirizzare il target all'accesso alle librerie dannose che ha creato. Vedi anche: CAPEC-38.
Attack Techniques
-
The attacker leverages symlink/timing issues to redirect the target to access the malicious libraries they crafted. See also: CAPEC-132.
-
The attacker modifies the entries in the configuration files pointing to the malicious libraries they crafted.IT: L'attaccante sfrutta problemi di symlink/tempi per reindirizzare l'obiettivo e accedere alle librerie dannose che ha creato. Vedi anche: CAPEC-132.
-
The attacker leverages file search path order issues to redirect the target to access the malicious libraries they crafted. See also: CAPEC-38.IT: L'attaccante sfrutta problemi di symlink/tempi per reindirizzare l'obiettivo e accedere alle librerie dannose che ha creato. Vedi anche: CAPEC-132.
Mitigations
2
Design: Fix The Windows Loading Process To Eliminate The Preferential Search Order By Looking For Dlls In The Precise Location Where They Are Expected
Design: Sign System Dlls So That Unauthorized Dlls Can Be Detected.
Consequences
Consequence Information
{'impacts': [], 'impacts_translate': [], 'scopes': [], 'scopes_translate': []}
Relationships
Parent CAPECs
Related ATT&CK Techniques
3
T1574.001
DLL
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries …
T1574.004
Dylib Hijacking
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path …
T1574.008
Path Interception by Search Order Hijacking
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs …