{
	"id": "954aac66-fd8c-42cf-925b-aca725086f38",
	"created_at": "2026-04-06T00:06:07.757403Z",
	"updated_at": "2026-04-10T13:13:06.229009Z",
	"deleted_at": null,
	"sha1_hash": "1fdf25d83332890a040d7850d7879150b628cec4",
	"title": "CAPEC-13: Subverting Environment Variable Values (Version 3.9)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51404,
	"plain_text": "CAPEC-13: Subverting Environment Variable Values (Version 3.9)\r\nArchived: 2026-04-05 23:38:23 UTC\r\nAttack Pattern ID: 13\r\nAbstraction: Detailed\r\n Description\r\nThe adversary directly or indirectly modifies environment variables used by or controlling the target software. The\r\nadversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary.\r\n Likelihood Of Attack\r\nHigh\r\n Typical Severity\r\nVery High\r\n Relationships\r\nThis table shows the other attack patterns and high level categories that are related to this attack pattern. These\r\nrelationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels\r\nof abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack\r\npatterns that the user may want to explore.\r\nNature Type\r\nChildOf Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attac\r\nPeerOf Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific techni\r\nCanPrecede Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific techni\r\nThis table shows the views that this attack pattern belongs to and top level categories within that view.\r\nView Name Top Level Categories\r\nDomains of Attack Software\r\nMechanisms of Attack Subvert Access Control\r\n Execution Flow\r\nExplore\r\n1. Probe target application: The adversary first probes the target application to determine important information about\r\nthe target. This information could include types software used, software versions, what user input the application\r\nconsumes, and so on. Most importantly, the adversary tries to determine what environment variables might be used\r\nby the underlying software, or even the application itself.\r\nExperiment\r\n1. Find user-controlled environment variables: Using the information found by probing the application, the adversary\r\nattempts to manipulate any user-controlled environment variables they have found are being used by the application,\r\nhttps://capec.mitre.org/data/definitions/13.html\r\nPage 1 of 4\n\nor suspect are being used by the application, and observe the effects of these changes. If the adversary notices any\r\nsignificant changes to the application, they will know that a certain environment variable is important to the\r\napplication behavior and indicates a possible attack vector.\r\nTechniques\r\nAlter known environment variables such as \"$PATH\", \"$HOSTNAME\", or \"LD_LIBRARY_PATH\" and see if\r\napplication behavior changes.\r\nExploit\r\n1. Manipulate user-controlled environment variables: The adversary manipulates the found environment variable(s)\r\nto abuse the normal flow of processes or to gain access to privileged resources.\r\n Prerequisites\r\nAn environment variable is accessible to the user.\r\nAn environment variable used by the application can be tainted with user supplied data.\r\nInput data used in an environment variable is not validated properly.\r\nThe variables encapsulation is not done properly. For instance setting a variable as public in a class makes it visible and\r\nan adversary may attempt to manipulate that variable.\r\n Skills Required\r\n[Level: Low]\r\nIn a web based scenario, the client controls the data that it submitted to the server. So anybody can try to send malicious\r\ndata and try to bypass the authentication mechanism.\r\n[Level: High]\r\nSome more advanced attacks may require knowledge about protocols and probing technique which help controlling a\r\nvariable. The malicious user may try to understand the authentication mechanism in order to defeat it.\r\n Consequences\r\nThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security\r\nproperty that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in\r\ntheir attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative\r\nto the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a\r\ncertain impact, but a low likelihood that it will be exploited to achieve a different impact.\r\nScope Impact Likelihood\r\nConfidentiality\r\nIntegrity\r\nAvailability\r\nExecute Unauthorized Commands\r\nConfidentiality\r\nAccess Control\r\nAuthorization\r\nBypass Protection Mechanism\r\nAvailability Unreliable Execution\r\nConfidentiality Read Data\r\nhttps://capec.mitre.org/data/definitions/13.html\r\nPage 2 of 4\n\nAccountability Hide Activities\r\n Mitigations\r\nProtect environment variables against unauthorized read and write access.\r\nProtect the configuration files which contain environment variables against illegitimate read and write access.\r\nAssume all input is malicious. Create an allowlist that defines all valid input to the software system based on the\r\nrequirements specifications. Input that does not match against the allowlist should not be permitted to enter into the\r\nsystem.\r\nApply the least privilege principles. If a process has no legitimate reason to read an environment variable do not give\r\nthat privilege.\r\n Example Instances\r\nChanging the LD_LIBRARY_PATH environment variable in TELNET will cause TELNET to use an alternate (possibly\r\nTrojan) version of a function library. The Trojan library must be accessible using the target file system and should\r\ninclude Trojan code that will allow the user to log in with a bad password. This requires that the adversary upload the\r\nTrojan library to a specific location on the target. As an alternative to uploading a Trojan file, some file systems support\r\nfile paths that include remote addresses, such as \\\\172.16.2.100\\shared_files\\trojan_dll.dll. See also: Path Manipulation\r\n(CVE-1999-0073)\r\nThe HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually\r\ninto the ~/.bash_history file when a user logs out. This setting can be configured to ignore commands that start with a\r\nspace by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it\r\nto \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous\r\nexamples. This means that \" ls\" will not be saved, but \"ls\" would be saved by history. HISTCONTROL does not exist by\r\ndefault on macOS, but can be set by the user and will be respected. Adversaries can use this to operate without leaving\r\ntraces by simply prepending a space to all of their terminal commands.\r\n Taxonomy Mappings\r\nCAPEC mappings to ATT\u0026CK techniques leverage an inheritance model to streamline and minimize direct\r\nCAPEC/ATT\u0026CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant\r\nATT\u0026CK mappings. Note that the ATT\u0026CK Enterprise Framework does not use an inheritance model as part of the\r\nmapping to CAPEC.\r\nRelevant to the ATT\u0026CK taxonomy mapping\r\nEntry ID Entry Name\r\n1562.003 Impair Defenses:Impair Command History Logging\r\n1574.006 Hijack Execution Flow:Dynamic Linker Hijacking\r\n1574.007 Hijack Execution Flow:Path Interception by PATH Environment Variable\r\n References\r\n[REF-1] G. Hoglund and G. McGraw. \"Exploiting Software: How to Break Code\". Addison-Wesley. 2004-02.\r\n Content History\r\nSubmissions\r\nSubmission Date Submitter Organization\r\n2014-06-23\r\n(Version 2.6)\r\nCAPEC Content Team The MITRE Corporation\r\nModifications\r\nModification Date Modifier Organization\r\n2017-01-09 CAPEC Content Team The MITRE Corporation\r\nhttps://capec.mitre.org/data/definitions/13.html\r\nPage 3 of 4\n\n(Version 2.9) Updated Related_Attack_Patterns\r\n2018-07-31\r\n(Version 2.12)\r\nCAPEC Content Team The MITRE Corporation\r\nUpdated Attacker_Skills_or_Knowledge_Required, Examples-Instances, References\r\n2019-09-30\r\n(Version 3.2)\r\nCAPEC Content Team The MITRE Corporation\r\nUpdated Example_Instances\r\n2020-07-30\r\n(Version 3.3)\r\nCAPEC Content Team The MITRE Corporation\r\nUpdated Consequences, Mitigations, Taxonomy_Mappings\r\n2020-12-17\r\n(Version 3.4)\r\nCAPEC Content Team The MITRE Corporation\r\nUpdated Taxonomy_Mappings\r\n2021-06-24\r\n(Version 3.5)\r\nCAPEC Content Team The MITRE Corporation\r\nUpdated Taxonomy_Mappings\r\n2022-02-22\r\n(Version 3.7)\r\nCAPEC Content Team The MITRE Corporation\r\nUpdated Description, Example_Instances, Execution_Flow, Prerequisites\r\nMore information is available — Please select a different filter.\r\nSource: https://capec.mitre.org/data/definitions/13.html\r\nhttps://capec.mitre.org/data/definitions/13.html\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://capec.mitre.org/data/definitions/13.html"
	],
	"report_names": [
		"13.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775433967,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1fdf25d83332890a040d7850d7879150b628cec4.pdf",
		"text": "https://archive.orkl.eu/1fdf25d83332890a040d7850d7879150b628cec4.txt",
		"img": "https://archive.orkl.eu/1fdf25d83332890a040d7850d7879150b628cec4.jpg"
	}
}