CAPEC-37 Retrieve Embedded Sensitive Data

CAPEC ID: 37

CAPEC-37 Metadata

Likelihood of Attack

High

Typical Severity

Very High

Overview

Summary

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.

Prerequisites

In order to feasibly execute this type of attack, some valuable data must be present in client software. Additionally, this information must be unprotected, protected in a flawed fashion, or protected by a mechanism that fails to resist reverse engineering, statistical analysis, or other attacks.

Execution Flow

Step Phase Description Techniques
1 Explore [Identify Target] Attacker identifies client components to extract information from. These may be binary executables, class files, shared libraries (e.g., DLLs), configuration files, or other system files.
  • Binary file extraction. The attacker extracts binary files from zips, jars, wars, PDFs or other composite formats.
  • Package listing. The attacker uses a package manifest provided with the software installer, or the filesystem itself, to identify component files suitable for attack.
2 Exploit [Retrieve Embedded Data] The attacker then uses a variety of techniques, such as sniffing, reverse engineering, and cryptanalysis, to retrieve the information of interest.
  • API Profiling. The attacker monitors the software's use of registry keys or other operating system-provided storage locations that can contain sensitive information.
  • Execution in simulator. The attacker physically removes mass storage from the system and explores it using a simulator, external system, or other debugging harness.
  • Common decoding methods. The attacker applies standard tools to reverse common encodings and compressions, such as Base64 decoding, unzip, unrar, RLE decoding, gzip decompression, and so on.
  • Common data typing. The attacker looks for common file signatures for well-known file types (JPEG, TIFF, ASN.1, LDIF, etc.). If the signatures match, they attempt decoding in that format.
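A defender-side check that applies the same decode-and-identify steps listed in the execution flow to an extracted component before it ships, so that embedded credentials, keys and stray files are caught in a build pipeline rather than by an attacker. This is an added example, not part of the CAPEC entry; the sample properties file, its values, the keyword list and the 4.0-bit entropy threshold are constructed assumptions.

```python
import base64
import binascii
import math
import re

# Constructed sample of one extracted client component (a properties file as it might
# ship inside a jar or zip): a credential, a Base64-wrapped key, a JPEG, an opaque blob.
_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAK(constructed)\n"
        b"-----END RSA PRIVATE KEY-----\n")
_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
SAMPLE_ARTIFACT = (b"app.name=demo-client\ndb.password=S3cr3t-Passw0rd!\n"
                   b"service.token=" + base64.b64encode(_PEM) + b"\n"
                   b"ui.logo=" + base64.b64encode(_JPEG) + b"\n"
                   b"crypto.material=" + base64.b64encode(bytes(range(48))) + b"\n"
                   b"greeting=Hello, world\n")

# Keyword=value pairs that usually carry credentials, and runs that look like Base64.
CREDENTIAL_RE = re.compile(
    rb"(?i)\b(password|passwd|secret|token|api[_-]?key|private[_-]?key)\b\s*[=:]\s*\S")
BASE64_RE = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")
# Magic bytes for the file types the pattern names, plus common containers.
FILE_SIGNATURES = {b"\xff\xd8\xff": "JPEG", b"II*\x00": "TIFF", b"MM\x00*": "TIFF",
                   b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip/jar"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0..8); key material and ciphertext score near the top."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def scan(data: bytes) -> list:
    """Return (category, evidence) findings for one extracted component file."""
    findings = []
    for m in CREDENTIAL_RE.finditer(data):
        findings.append(("credential assignment", m.group(1).decode().lower()))
    for m in BASE64_RE.finditer(data):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue  # a long identifier, not real Base64
        kind = next((name for magic, name in FILE_SIGNATURES.items()
                     if decoded.startswith(magic)), None)
        if b"-----BEGIN" in decoded and b"PRIVATE KEY" in decoded:
            findings.append(("encoded private key", decoded.split(b"\n")[0].decode(errors="replace")))
        elif kind:
            findings.append(("embedded file", kind))
        elif shannon_entropy(decoded) > 4.0:
            findings.append(("opaque high-entropy blob", f"{len(decoded)} bytes"))
    return findings
```

Run `scan` over every file unpacked from the installer or archive; an empty result for a component is the expected state, and any finding should be reviewed before release.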

Potential Solutions / Mitigations

No specific solutions listed.

Related Weaknesses (CWE)

CWE ID Description
CWE-226 Sensitive Information in Resource Not Removed Before Reuse
CWE-311 Missing Encryption of Sensitive Data
CWE-312 Cleartext Storage of Sensitive Information
CWE-314 Cleartext Storage in the Registry
CWE-315 Cleartext Storage of Sensitive Information in a Cookie
CWE-318 Cleartext Storage of Sensitive Information in Executable
CWE-525 Use of Web Browser Cache Containing Sensitive Information
CWE-1239 Improper Zeroization of Hardware Register
CWE-1258 Exposure of Sensitive System Information Due to Uncleared Debug Information
CWE-1266 Improper Scrubbing of Sensitive Data from Decommissioned Device
CWE-1272 Sensitive Information Uncleared Before Debug/Power State Transition
CWE-1278 Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
CWE-1301 Insufficient or Incomplete Data Removal within Hardware Component
CWE-1330 Remanent Data Readable after Memory Erase

Related CAPECs

CAPEC ID Description
CAPEC-167 An attacker discovers the structure, function, and composition of a type of computer software through white box analysis techniques. White box techniques involve methods which can be applied to a piece of software when an executable or some other compiled object can be directly subjected to analysis, revealing at least a portion of its machine instructions that can be observed upon execution.

Taxonomy Mappings

Taxonomy: ATTACK

Entry ID Entry Name
1005 Data from Local System
1552.004 Unsecured Credentials: Private Keys

Stay Ahead of Attack Patterns

Understanding CAPEC patterns helps security professionals anticipate and thwart potential attacks. Leverage these insights to enhance threat modeling, strengthen your software development lifecycle, and train your security teams effectively.