{
	"id": "7486ce06-0ddc-43ab-b179-e604cf81cc10",
	"created_at": "2026-04-06T00:09:30.87031Z",
	"updated_at": "2026-04-10T03:21:15.672131Z",
	"deleted_at": null,
	"sha1_hash": "b45e7c2ee5cba616419ec3f2d7881afb7daf70dd",
	"title": "Binary Planting | OWASP Foundation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47081,
	"plain_text": "Binary Planting | OWASP Foundation\r\nArchived: 2026-04-05 19:58:33 UTC\r\nDescription\r\nBinary planting is a general term for an attack where the attacker places (i.e., plants) a binary file containing\r\nmalicious code on a local or remote file system in order for a vulnerable application to load and execute it.\r\nThere are various ways this attack can occur:\r\n1. Insecure access permissions on a local directory allow a local attacker to plant the malicious binary in a\r\ntrusted location. (A typical example is an application installer not properly configuring permissions on\r\ndirectories used to store application files.)\r\n2. One application may be used for planting a malicious binary in another application’s trusted location. (An\r\nexample is the Internet Explorer - Safari blended threat vulnerability.)\r\n3. The application searches for a binary in untrusted locations, possibly on remote file systems. (A typical\r\nexample is a Windows application loading a dynamic link library from the current working directory after\r\nthe latter has been set to a network shared folder.)\r\nRisk Factors\r\nExamples\r\nInsecure Access Permissions-based Attack\r\n1. A Windows application installer creates a root directory (C:\\Application) and installs the application in\r\nit, but fails to limit write access to the directory for non-privileged users.\r\n2. Suppose the application (C:\\Application\\App.exe) loads the WININET.DLL library by calling\r\nLoadLibrary(\"WININET.DLL\"). This library is expected to be found in the Windows System32 folder.\r\n3. Local user A plants a malicious WININET.DLL library in C:\\Application.\r\n4. Local user B launches the application, which loads and executes the malicious WININET.DLL instead of\r\nthe legitimate one.\r\nCurrent Working Directory-based Attack\r\n1. Suppose a Windows application loads the DWMAPI.DLL library by calling LoadLibrary(\"DWMAPI.DLL\").\r\nThis library is expected to be found in the Windows System32 folder, but only exists on Windows Vista\r\nand Windows 7.\r\n2. Suppose the application is associated with the .bp file extension.\r\n3. The attacker sets up a network shared folder and places files honeypot.bp and DWMAPI.DLL in this folder\r\n(possibly marking the latter as hidden).\r\n4. The attacker invites a Windows XP user to visit the shared folder with Windows Explorer.\r\n5. When the user double-clicks on honeypot.bp, the user’s Windows Explorer sets the current working\r\ndirectory to the remote share and launches the application for opening the file.\r\n6. The application tries to load DWMAPI.DLL, but failing to find it in the Windows system directories, it loads\r\nand executes it from the attacker’s network share.\r\nIntranet Attacker\r\nInternet Attacker\r\nCode Injection\r\nPortability Flaw\r\nProcess Control\r\nReferences\r\nCWE-114: Process Control\r\nElevation of Privilege Vulnerability in iTunes for Windows - example of Insecure Access Permissions-based Attack\r\nRemote Binary Planting in Apple iTunes for Windows - example of Current Working Directory-based\r\nAttack\r\nSource: https://owasp.org/www-community/attacks/Binary_planting",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://owasp.org/www-community/attacks/Binary_planting"
	],
	"report_names": [
		"Binary_planting"
	],
	"threat_actors": [],
	"ts_created_at": 1775434170,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b45e7c2ee5cba616419ec3f2d7881afb7daf70dd.pdf",
		"text": "https://archive.orkl.eu/b45e7c2ee5cba616419ec3f2d7881afb7daf70dd.txt",
		"img": "https://archive.orkl.eu/b45e7c2ee5cba616419ec3f2d7881afb7daf70dd.jpg"
	}
}