CAPEC-17: Accessing, Modifying or Executing Executable Files (Version 2.11)

Attack Pattern ID: 17
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Summary

An attack of this type exploits a system configuration that allows an attacker either to directly access an executable file, for example through shell access, or, in the worst case, to upload a file and then execute it. Web servers, FTP servers, and message-oriented middleware systems with many integration points are particularly vulnerable, because both the programmers and the administrators must be in sync regarding the interfaces and the correct privileges for each interface.

+ Attack Prerequisites
  • System's configuration must allow an attacker to directly access executable files or upload files to execute. This means that any access control system that is supposed to mediate communications between the subject and the object is set incorrectly or assumes a benign environment.

+ Typical Severity

Very High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Modification of Resources
  • API Abuse
+ Examples-Instances

Description

Consider a directory on a web server with the following permissions

drwxrwxrwx 5 admin public 170 Nov 17 01:08 webroot

This could allow an attacker both to execute programs already on the web server and to upload new programs and execute them. This one vulnerability can be exploited by a threat to probe the system and identify additional vulnerabilities to exploit.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

To identify and execute against an over-privileged system interface

+ Resources Required

Ability to communicate synchronously or asynchronously with a server that publishes an over-privileged directory, program, or interface. Optionally, the ability to capture output directly through synchronous communication or through another method such as FTP.

+ Solutions and Mitigations

Design: Enforce principle of least privilege

Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if an attacker gains some limited access to commands.

Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.
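The following is an added example, not code from CAPEC or MITRE, that implements the kind of check the testing mitigation above calls for, applied to the `drwxrwxrwx ... webroot` listing in the Examples-Instances section. It classifies `ls -l` style mode strings and also walks a live directory tree, flagging world-writable directories (anyone can drop a file into them) and world-writable executables (anyone can modify and then run them). It assumes POSIX permission semantics; the listing lines and the throwaway tree are constructed sample data.

```python
import os
import shutil
import stat
import tempfile

# Risk labels used for findings (added example; naming is this script's own).
RISK_WORLD_WRITABLE_DIR = "world-writable directory: anyone can upload files into it"
RISK_WORLD_WRITABLE_EXEC = "world-writable executable: anyone can modify then execute it"
RISK_WORLD_WRITABLE_FILE = "world-writable file: anyone can modify its contents"


def classify_mode_string(mode_str):
    """Classify a 10-character ls(1) mode string such as 'drwxrwxrwx'.

    Positions: [0] type, [1:4] owner rwx, [4:7] group rwx, [7:10] other rwx.
    """
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character mode string like drwxrwxrwx")
    is_dir = mode_str[0] == "d"
    world_writable = mode_str[8] == "w"
    # Execute bit for owner, group or other; 's' and 't' also imply execute.
    executable = any(c in "xst" for c in (mode_str[3], mode_str[6], mode_str[9]))
    if is_dir and world_writable:
        risk = RISK_WORLD_WRITABLE_DIR
    elif not is_dir and world_writable and executable:
        risk = RISK_WORLD_WRITABLE_EXEC
    elif not is_dir and world_writable:
        risk = RISK_WORLD_WRITABLE_FILE
    else:
        risk = None
    return {"is_dir": is_dir, "world_writable": world_writable,
            "executable": executable, "risk": risk}


def audit_listing(lines):
    """Apply the classification to 'ls -l' output lines.

    First field is the mode string, last field is the entry name; 'total N'
    and other non-entry lines are skipped. Returns (name, risk) pairs.
    """
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 2 or len(fields[0]) < 10:
            continue
        info = classify_mode_string(fields[0][:10])  # drop a trailing ACL marker
        if info["risk"]:
            findings.append((fields[-1], info["risk"]))
    return findings


def audit_tree(root):
    """Walk a real directory tree and apply the same checks to live modes."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # the link target is judged by its own mode when visited
            mode = stat.S_IMODE(st.st_mode)
            world_writable = bool(mode & stat.S_IWOTH)
            executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            rel = os.path.relpath(path, root)
            if stat.S_ISDIR(st.st_mode) and world_writable:
                findings.append((rel, RISK_WORLD_WRITABLE_DIR))
            elif stat.S_ISREG(st.st_mode) and world_writable and executable:
                findings.append((rel, RISK_WORLD_WRITABLE_EXEC))
            elif stat.S_ISREG(st.st_mode) and world_writable:
                findings.append((rel, RISK_WORLD_WRITABLE_FILE))
    return sorted(findings)


# Constructed sample listing, modelled on the CAPEC-17 example entry.
SAMPLE_LISTING = [
    "total 3",
    "drwxrwxrwx 5 admin public 170 Nov 17 01:08 webroot",
    "drwxr-xr-x 2 admin public  68 Nov 17 01:08 static",
    "-rwxrwxrwx 1 admin public 512 Nov 17 01:08 upload.cgi",
    "-rw-r--r-- 1 admin public 120 Nov 17 01:08 index.html",
]


def demo_live_tree():
    """Build a throwaway tree mirroring the listing, audit it, clean up."""
    root = tempfile.mkdtemp()
    try:
        webroot = os.path.join(root, "webroot")
        os.mkdir(webroot)
        os.chmod(webroot, 0o777)          # the over-privileged directory
        cgi = os.path.join(webroot, "upload.cgi")
        with open(cgi, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(cgi, 0o777)              # world-writable and executable
        html = os.path.join(webroot, "index.html")
        with open(html, "w") as fh:
            fh.write("<html></html>\n")
        os.chmod(html, 0o644)             # correctly restricted, not flagged
        return audit_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, risk in audit_listing(SAMPLE_LISTING) + demo_live_tree():
        print(f"{name}: {risk}")
```

Run it against a real web root with `audit_tree("/var/www")` (or feed it saved `ls -l` output with `audit_listing`) as part of the vulnerability-scanning step; every finding is a place where the access control that should mediate uploads or execution is missing.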

+ Attack Motivation-Consequences

Scope                                          | Technical Impact                      | Note
Confidentiality, Integrity, Availability       | Execute unauthorized code or commands | Run Arbitrary Code
Integrity                                      | Modify application data               |
Confidentiality                                | Read application data                 |
Confidentiality, Access_Control, Authorization | Gain privileges / assume identity     |

+ Injection Vector

Payload delivered through standard communication protocols.

+ Payload

Command(s) executed directly on host

+ Activation Zone

Client machine and client network

+ Payload Activation Impact

Enables the attacker to execute server-side code, with any commands the program owner has the privileges to run.

+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: High
Integrity Impact: Medium
Availability Impact: Low
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ References
[R.17.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
[R.17.2] ATT&CK Project. "File System Permissions Weakness (T1044)". MITRE. <https://attack.mitre.org/wiki/Technique/T1044>.
+ Content History
Submissions
Submitter          | Organization          | Date       | Source
CAPEC Content Team | The MITRE Corporation | 2014-06-23 | Internal_CAPEC_Team
Modifications
Modifier           | Organization          | Date       | Comments                        | Source
CAPEC Content Team | The MITRE Corporation | 2015-12-07 | Updated Related_Attack_Patterns | Internal
CAPEC Content Team | The MITRE Corporation | 2017-05-01 | Updated References              | Internal

Page Last Updated or Reviewed: July 31, 2017