CAPEC-471: Search Order Hijacking

Abstraction: Detailed
Status: Stable
Severity: Medium

Description

An adversary exploits a weakness in how an application specifies its external libraries in order to abuse the behavior of the loader, where the process loading the library searches first in the directory in which the process binary resides and then in other directories. Exploiting this preferential search order can allow an attacker to make the loading process load the adversary's rogue library rather than the legitimate one. This attack can be leveraged with many different libraries and with many different loading processes. No forensic trail is left in the system's registry or file system to show that an incorrect library was loaded.
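
A defender-side audit of the search order described above, as an added example that is not part of the CAPEC entry: it lists libraries in an application's directory that would be loaded ahead of a same-named file in a later search directory. The function names, the suffix list and the sample directory tree are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

LIB_SUFFIXES = {".dll", ".so", ".dylib"}  # assumption: suffixes treated as libraries


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_shadowed_libraries(app_dir, later_dirs):
    """Report libraries in app_dir that win over a same-named file in later_dirs.

    Models the order the description gives: the binary's own directory first,
    then the other directories. File names are compared case-insensitively.
    """
    findings = []
    for lib in sorted(Path(app_dir).iterdir()):
        # lib.suffixes also catches versioned names such as libfoo.so.1
        if not lib.is_file() or not any(s.lower() in LIB_SUFFIXES for s in lib.suffixes):
            continue
        for later in later_dirs:
            for other in sorted(Path(later).iterdir()):
                if other.is_file() and other.name.lower() == lib.name.lower():
                    findings.append({
                        "name": lib.name,
                        "loaded": str(lib),        # copy the loader finds first
                        "shadowed": str(other),    # copy that is never reached
                        "content_differs": sha256(lib) != sha256(other),
                    })
    return findings


def build_constructed_layout(root):
    """Constructed sample tree: one application directory, one system directory."""
    app, system = Path(root, "app"), Path(root, "system")
    app.mkdir()
    system.mkdir()
    (system / "version.dll").write_bytes(b"legitimate build")
    (system / "crypt.dll").write_bytes(b"legitimate build")
    (app / "VERSION.dll").write_bytes(b"different bytes")      # collides, differs
    (app / "helper.dll").write_bytes(b"app private library")   # no collision
    (app / "app.exe").write_bytes(b"not a library")
    return app, [system]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        app_dir, later = build_constructed_layout(tmp)
        for finding in find_shadowed_libraries(app_dir, later):
            print(finding)
```

A finding with `content_differs` set is the case worth triaging first: the application directory holds a library whose name matches a later copy but whose bytes do not.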

Related weaknesses · 1

CWE-427

MITRE ATT&CK crosswalk · 3

T1574.001: Hijack Execution Flow: DLL search order hijacking
T1574.004: Hijack Execution Flow: Dylib Hijacking
T1574.008: Hijack Execution Flow: Path Interception by Search Order Hijacking

Related attack patterns · 1

CAPEC-159 (ChildOf)

Exploits · 1

Type | Target | Confidence | Tier
Weakness | Uncontrolled Search Path Element (cwe-427) | 100% | live

Related to · 3

Type | Target | Confidence | Tier
SubTechnique | DLL Search Order Hijacking (t1574.001) | 100% | live
SubTechnique | Dylib Hijacking (t1574.004) | 100% | live
SubTechnique | Path Interception by Search Order Hijacking (t1574.008) | 100% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Redirect Access to Libraries
Sub-technique: DLL Search Order Hijacking
Sub-technique: Path Interception by Search Order Hijacking
CAPEC: Leveraging/Manipulating Configuration File Search Paths
CAPEC: Local Code Inclusion
CAPEC: DLL Side-Loading

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.