CAPEC-636 Hiding Malicious Data or Code within Files

CAPEC-636 Metadata

Likelihood of Attack

Low

Typical Severity

High

Overview

Summary

Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.

Prerequisites

The operating system must support a file system that allows for alternate data storage for a file.

Potential Solutions / Mitigations

Many tools are available to search for the hidden data. Scan regularly for such data using one of these tools.

Related Weaknesses (CWE)

CWE ID	Description
CWE-506	Embedded Malicious Code

Related CAPECs

CAPEC ID	Description
CAPEC-165	An attacker modifies file contents or attributes (such as extensions or names) of files in a manner to cause incorrect processing by an application. Attackers use this class of attacks to cause applications to enter unstable states, overwrite or expose sensitive information, and even execute arbitrary code with the application's privileges. This class of attacks differs from attacks on configuration information (even if file-based) in that file manipulation causes the file processing to result in non-standard behaviors, such as buffer overflows or use of the incorrect interpreter. Configuration attacks rely on the application interpreting files correctly in order to insert harmful configuration information. Likewise, resource location attacks rely on controlling an application's ability to locate files, whereas File Manipulation attacks do not require the application to look in a non-default location, although the two classes of attacks are often combined.

CAPEC ID

Description

CAPEC-165

An attacker modifies file contents or attributes (such as extensions or names) of files in a manner to cause incorrect processing by an application. Attackers use this class of attacks to cause applications to enter unstable states, overwrite or expose sensitive information, and even execute arbitrary code with the application's privileges. This class of attacks differs from attacks on configuration information (even if file-based) in that file manipulation causes the file processing to result in non-standard behaviors, such as buffer overflows or use of the incorrect interpreter. Configuration attacks rely on the application interpreting files correctly in order to insert harmful configuration information. Likewise, resource location attacks rely on controlling an application's ability to locate files, whereas File Manipulation attacks do not require the application to look in a non-default location, although the two classes of attacks are often combined.

Taxonomy Mappings

Taxonomy: ATTACK

Entry ID	Entry Name
1001.002	Data Obfuscation: Steganography
1027.003	Obfuscated Files or Information: Steganography
1027.004	Obfuscated Files or Information: Compile After Delivery
1218.001	Signed Binary Proxy Execution: Compiled HTML File
1221	Template Injection

Stay Ahead of Attack Patterns

Understanding CAPEC patterns helps security professionals anticipate and thwart potential attacks. Leverage these insights to enhance threat modeling, strengthen your software development lifecycle, and train your security teams effectively.