| Field | Value |
|---|---|
| Attack Pattern ID | 17 |
| Pattern Abstraction | Standard |
| Typical Severity | Very High |
| Description | Summary: An attack of this type exploits a system's configuration that allows an attacker either to directly access an executable file (for example through shell access) or, in the worst case, to upload a file and then execute it. Web servers, FTP servers, and message-oriented middleware systems with many integration points are particularly vulnerable, because both the programmers and the administrators must stay in sync regarding the interfaces and the correct privileges for each interface. |
| Attack Prerequisites | The system's configuration must allow an attacker to directly access executable files, or to upload files and then execute them. This means that the access control system that is supposed to mediate communications between the subject and the object is configured incorrectly or assumes a benign environment. |
| Typical Likelihood of Exploit | High |
| Methods of Attack | Modification of Resources; API Abuse |
| Examples-Instances | Consider a directory on a web server with the following permissions: `drwxrwxrwx 5 admin public 170 Nov 17 01:08 webroot`. This could allow an attacker both to execute existing programs and to upload and execute new programs on the web server. This single vulnerability can be used by a threat to probe the system and identify additional vulnerabilities to exploit. |
| Attacker Skill or Knowledge Required | Low: to identify and execute against an overprivileged system interface |
| Resources Required | Ability to communicate synchronously or asynchronously with a server that publishes an overprivileged directory, program, or interface. Optionally, ability to capture output directly through synchronous communication or another method such as FTP. |
| Solutions and Mitigations | Design: Enforce the principle of least privilege. Design: Run server interfaces with a non-root account and/or use chroot jails or other configuration techniques to constrain privileges even if an attacker gains some limited access to commands. Implementation: Perform testing such as pentesting and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables. |
| Attack Motivation-Consequences | Run Arbitrary Code; Data Modification; Information Leakage; Privilege Escalation |
| Context Description | "Attack Pattern: Direct Access to Executable Files. A privileged program is directly accessible. The program performs operations on behalf of the attacker that allow privilege escalation or shell access. For Web servers, this is often a fatal issue. If a server runs external executables provided by a user (or even simply named by a user), the user can cause the system to behave in unanticipated ways. This may be accomplished by passing in command-line options or by spinning an interactive session. A problem like this is almost always as bad as giving complete shell access to an attacker. The most common targets for this kind of attack are Web servers. The attack is so easy that attackers have been known to use Internet search engines to find potential targets. The Altavista search engine is a great resource for attackers looking for such targets. Google works too." [Hoglund and McGraw 04] |
| Injection Vector | Payload delivered through standard communication protocols. |
| Payload | Command(s) executed directly on the host. |
| Activation Zone | Client machine and client network |
| Payload Activation Impact | Enables the attacker to execute server-side code, with any commands that the program owner has privileges to run. |
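
As an added example that is not part of the CAPEC entry or of the cited book, the following POSIX shell script audits a web root for the world-writable, executable layout shown under Examples-Instances and applies the least-privilege layout called for under Solutions and Mitigations; the paths and the sample directory tree are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the CAPEC entry or of "Exploiting Software":
# audits a web root for the drwxrwxrwx layout shown in Examples-Instances
# and applies the least-privilege layout from Solutions and Mitigations.
# All paths below are constructed for the demonstration.

# List every directory or file under $1 that others can write to.
# A world-writable web root lets any local account, or a web process
# tricked into writing, plant content the server will then serve or run.
find_world_writable() {
    find "$1" -perm -002 -print
}

# Count regular files that others can both write and execute: the
# "upload a file and then execute it" case from the Description.
count_writable_executables() {
    find "$1" -type f -perm -003 | wc -l | tr -d ' '
}

# Least-privilege layout for served content: directories traversable
# (755) but writable only by the owner, files read-only (644) with no
# execute bit. A CGI directory needs 755 on its scripts instead, but
# should still never be writable by others.
harden_webroot() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Demonstration on a constructed tree: a 777 webroot holding a stray
# executable upload. Prints the writable-executable count before and
# after hardening.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/webroot/uploads"
    printf '#!/bin/sh\necho hi\n' > "$root/webroot/uploads/stray.sh"
    chmod 777 "$root/webroot" "$root/webroot/uploads" \
              "$root/webroot/uploads/stray.sh"
    before=$(count_writable_executables "$root/webroot")
    harden_webroot "$root/webroot"
    after=$(count_writable_executables "$root/webroot")
    rm -rf "$root"
    echo "$before $after"   # 1 0
}
```

Run `find_world_writable /path/to/webroot` against a real document root before touching it; any output is a hit for the configuration error this pattern depends on.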

Related Weaknesses

| CWE-ID | Weakness Name | Weakness Relationship Type |
|---|---|---|
| 285 | Missing or Inconsistent Access Control | Targeted |
| 272 | Least Privilege Violation | Targeted |
| 59 | Failure to Resolve Links Before File Access (aka 'Link Following') | Targeted |
| 282 | Improper Ownership Management | Targeted |
| 275 | Permission Issues | Targeted |
| 264 | Permissions, Privileges, and Access Controls | Targeted |
| 270 | Privilege Context Switching Error | Targeted |

Related Attack Patterns

| ID | Name | Relationship Type | Relationship Description |
|---|---|---|---|
| 1 | Accessing Functionality Not Properly Constrained by ACLs | More Detailed | |

| Purpose | Penetration |

CIA Impact

| Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|
| High | Medium | Low |

Technical Context

| Architectural Paradigm | Framework | Platform | Language |
|---|---|---|---|
| All | All | All | All |

| References | G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. |

Source

Submission(s)

| Submitter | Organization | Date | Comment |
|---|---|---|---|
| G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-01-01 | |

Modification(s)

| Modifier | Organization | Date | Comment |
|---|---|---|---|
| Gunnar Peterson | Cigital, Inc | 2007-02-28 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" |
| Sean Barnum | Cigital, Inc | 2007-03-09 | Review and revise |
| Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Name, Description and Examples |
| Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback |