Description
Special Element Injection is a type of injection attack
that exploits weaknesses related to reserved words and special
characters.
Every programming language and operating system has
special characters that it treats as reserved words.
However, when an application receives such characters as user
input, it may behave unexpectedly when parsing that
input. This can lead to information disclosure, access control
and authorization bypass, code injection, and many other variants.
Depending on the characters used, the Special Element
Injection attack can be performed using a macro symbol, a
parameter delimiter or a null character/null byte, among
others.
Severity
Medium to High
Likelihood of exploitation
Medium
Examples
Example 1 - Macro symbol
The Special Element Injection attack based on a macro
symbol can be performed by inserting macro symbols into input
fields or user configuration files. A known example of this
attack is the exploitation of a vulnerability in
Quake II server 3.20 and 3.21. This vulnerability allows a
remote user to access server console variables (cvars) and
directory lists and to execute admin commands from a client on the
Quake II server.
In this application, cvars are used by the client and the server
to store configuration and status information. A cvar is
accessed with the “$name” syntax, where “name” is the name of
the console variable to be expanded.
However, it is possible to modify the client console to
send a malicious command to the server, such as “say $rcon_password”,
in an attempt to discover the content of the server's $rcon_password
variable.
Once the password has been discovered, further actions can be
performed on the server, such as discovering the directory
structure, executing commands and viewing file
contents.
Example 2 - Parameter delimiter
Parameter delimiter injection is another variant of Special Element
Injection. To illustrate how this attack can be
performed, we will use a vulnerability found in the PHP
posting system Poster version.two.
This application has a dangerous vulnerability that
allows data to be inserted into the fields (username, password, email
address and privileges) of the “mem.php” file. This file is
responsible for managing application users.
An example of the “mem.php” file is shown below, where user
Jose has admin privileges and Alice has only normal user access:
<?
Jose|12345678|jose@attack.com|admin|
Alice|87654321|alice@attack.com|normal|
?>
When users want to edit their profile, they must use the “edit
account” option on the “index.php” page and enter their login
information. However, by using “|” as a parameter delimiter in the
email field followed by the “admin” profile, a user can
elevate their privileges to administrator. Example:
Username: Alice
Password: 87654321
Email: alice@attack.com |admin|
This information will be recorded in the “mem.php” file like
this:
Alice|87654321|alice@attack.com|admin|normal|
The next time user Alice logs in, the application will
read the parameter “|admin|” as her user profile, thus
elevating her privileges to administrator.
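As an added example (not the Poster application's own code), the following Python models the pipe-delimited user store described above: a naive writer that stores the injected email, the positional reader that then picks up “admin” as the privilege, a hardened writer that rejects the delimiter, and a check for records with the wrong field count. The field layout, function names and sample input are assumptions constructed for this illustration.

```python
DELIM = "|"
FIELDS = ("username", "password", "email", "privilege")

def write_record_unsafe(username, password, email, privilege):
    """Naive serializer: each field is trimmed and terminated by "|", with no
    check for the delimiter inside a field. This reproduces the injection."""
    return "".join(v.strip() + DELIM for v in (username, password, email, privilege))

def parse_record(line):
    """Reader: split on "|" and map the first four fields by position,
    as a positional file format must."""
    return dict(zip(FIELDS, line.split(DELIM)))

def is_safe_field(value):
    """A field is safe if it contains neither the delimiter nor a line break
    (a newline would let one submission forge a whole extra record)."""
    return not any(ch in value for ch in (DELIM, "\n", "\r"))

def write_record_safe(username, password, email, privilege):
    """Hardened serializer: reject any field carrying a reserved character.
    The privilege should come from the existing record, not from the form."""
    values = (username, password, email, privilege)
    for name, value in zip(FIELDS, values):
        if not is_safe_field(value):
            raise ValueError(f"field {name!r} contains a reserved character")
    return write_record_unsafe(*values)

def find_malformed(lines):
    """Defender's check over an existing store: a well-formed line splits into
    exactly four fields plus the empty string after the final "|"."""
    return [ln for ln in lines if len(ln.split(DELIM)) != len(FIELDS) + 1]

# Constructed input mirroring the edit-profile request in the text (assumption).
INJECTED_EMAIL = "alice@attack.com |admin|"

def demo():
    """Return the line the naive writer stores and the privilege the reader sees."""
    line = write_record_unsafe("Alice", "87654321", INJECTED_EMAIL, "normal")
    return line, parse_record(line)["privilege"]

if __name__ == "__main__":
    stored, priv = demo()
    print(stored)  # Alice|87654321|alice@attack.com |admin||normal|
    print(priv)    # admin
    print(find_malformed([stored, "Jose|12345678|jose@attack.com|admin|"]))
```

The hardened writer only closes the delimiter hole; the privilege column must additionally be taken from the stored record rather than from anything the user submits.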