CAPEC-471 Search Order Hijacking – Attack Pattern Analysis

CAPEC-471 Metadata

Likelihood of Attack

Medium

Typical Severity

Medium

Overview

Summary

An adversary exploits a weakness in an application's specification of external libraries to exploit the functionality of the loader where the process loading the library searches first in the same directory in which the process binary resides and then in other directories. Exploitation of this preferential search order can allow an attacker to make the loading process load the adversary's rogue library rather than the legitimate library. This attack can be leveraged with many different libraries and with many different loading processes. No forensic trails are left in the system's registry or file system that an incorrect library had been loaded.

Prerequisites

Attacker has a mechanism to place its malicious libraries in the needed location on the file system.

Execution Flow

Step	Phase	Description	Techniques
1	Explore	[Identify target general susceptibility] An attacker uses an automated tool or manually finds whether the target application uses dynamically linked libraries and the configuration file or look up table (such as Procedure Linkage Table) which contains the entries for dynamically linked libraries.	The attacker uses a tool such as the OSX "otool" utility or manually probes whether the target application uses dynamically linked libraries. The attacker finds the configuration files containing the entries to the dynamically linked libraries and modifies the entries to point to the malicious libraries the attacker crafted.
2	Experiment	[Craft malicious libraries] The attacker uses knowledge gained in the Explore phase to craft malicious libraries that they will redirect the target to leverage. These malicious libraries could have the same APIs as the legitimate library and additional malicious code.	The attacker monitors the file operations performed by the target application using a tool like dtrace or FileMon. And the attacker can delay the operations by using "sleep(2)" and "usleep()" to prepare the appropriate conditions for the attack, or make the application perform expansive tasks (large files parsing, etc.) depending on the purpose of the application.
3	Exploit	[Redirect the access to libraries to the malicious libraries] The attacker redirects the target to the malicious libraries they crafted in the Experiment phase. The attacker will be able to force the targeted application to execute arbitrary code when the application attempts to access the legitimate libraries.	The attacker modifies the entries in the configuration files pointing to the malicious libraries they crafted. The attacker leverages symlink/timing issues to redirect the target to access the malicious libraries they crafted. See also: CAPEC-132. The attacker leverages file search path order issues to redirect the target to access the malicious libraries they crafted. See also: CAPEC-38.

Potential Solutions / Mitigations

Design: Fix the Windows loading process to eliminate the preferential search order by looking for DLLs in the precise location where they are expected Design: Sign system DLLs so that unauthorized DLLs can be detected.

Related Weaknesses (CWE)

CWE ID	Description
CWE-427	Uncontrolled Search Path Element

Related CAPECs

CAPEC ID	Description
CAPEC-159	An adversary exploits a weakness in the way an application searches for external libraries to manipulate the execution flow to point to an adversary supplied library or code base. This pattern of attack allows the adversary to compromise the application or server via the execution of unauthorized code. An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. If an adversary can redirect an application's attempts to access these libraries to other libraries that the adversary supplies, the adversary will be able to force the targeted application to execute arbitrary code. This is especially dangerous if the targeted application has enhanced privileges. Access can be redirected through a number of techniques, including the use of symbolic links, search path modification, and relative path manipulation.

CAPEC ID

Description

CAPEC-159

An adversary exploits a weakness in the way an application searches for external libraries to manipulate the execution flow to point to an adversary supplied library or code base. This pattern of attack allows the adversary to compromise the application or server via the execution of unauthorized code. An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. If an adversary can redirect an application's attempts to access these libraries to other libraries that the adversary supplies, the adversary will be able to force the targeted application to execute arbitrary code. This is especially dangerous if the targeted application has enhanced privileges. Access can be redirected through a number of techniques, including the use of symbolic links, search path modification, and relative path manipulation.

Taxonomy Mappings

Taxonomy: ATTACK

Entry ID	Entry Name
1574.001	Hijack Execution Flow:DLL search order hijacking
1574.004	Hijack Execution Flow: Dylib Hijacking
1574.008	Hijack Execution Flow: Path Interception by Search Order Hijacking

Stay Ahead of Attack Patterns

Understanding CAPEC patterns helps security professionals anticipate and thwart potential attacks. Leverage these insights to enhance threat modeling, strengthen your software development lifecycle, and train your security teams effectively.