An attack of this type exploits the host's trust in executing remote
content, including binary files. The attacker poisons the files with a
malicious payload (targeting the file systems accessible to the target
software), and the files may then be passed through standard channels such as
email and ordinary web content like PDF and multimedia files. The attacker
exploits known vulnerabilities in the handling routines of the target
processes. Vulnerabilities of this type have been found in a wide variety of
commercial applications, from Microsoft Office to Adobe Acrobat and the Apple
Safari web browser. When the attacker knows the standard handling routines
and can identify vulnerabilities and entry points, they can be exploited by
otherwise seemingly normal content. Once the attack is executed, the
attacker's program can access relative directories such as C:\Program Files
or other standard system directories to launch further attacks. In the worst
case, these programs are combined with other propagation logic and work as a
virus.
Attack Prerequisites
The target software must consume files.
The attacker must have access to modify files that the target software
will consume.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
API Abuse
Examples-Instances
Description
PHP is a very popular web server. When PHP is used with global
variables, a vulnerability may be opened that affects the file system. A
standard HTML form that allows remote users to upload files may also
place those files in a public directory where the attacker can directly
access and execute them through a browser. This vulnerability allows
remote attackers to execute arbitrary code on the system, and can result
in the attacker being able to erase intrusion evidence from system and
application logs.
Design: Validate all input for content, including files. Ensure that if
files and remote content must be accepted, then once accepted they are
placed in a sandbox-type location so that lower-assurance clients cannot
write up to higher-assurance processes (such as web server processes).
Design: Execute programs with constrained privileges, so the parent process
does not open up further vulnerabilities. Ensure that all directories,
temporary directories and files, and memory are executing with limited
privileges to protect against remote execution.
Design: Proxy communication to host, so that communications are terminated
at the proxy, sanitizing the requests before forwarding to server
host.
Implementation: Virus scanning on host
Implementation: Host integrity monitoring for critical files, directories,
and processes. The goal of host integrity monitoring is to be aware when a
security issue has occurred so that incident response and other forensic
activities can begin.
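As an added example that is not part of this CAPEC entry, the following Python upload handler applies the "validate all input including files" and "sandbox-type location" mitigations above to the PHP upload scenario described under Examples-Instances: content is checked against the declared type, and accepted files are written under a random name, with no execute bit, into a directory that is assumed to sit outside the web root. The type allowlist, size limit, quarantine directory and function names are assumptions.

```python
# Added example (not from CAPEC): hardened upload handling that refuses to
# place attacker-controlled content where a web server would execute it.
import os
import secrets
from dataclasses import dataclass

# Constructed allowlist: extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_SIZE = 5 * 1024 * 1024  # assumed policy limit: 5 MiB


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_as: str = ""


def check_upload(client_name: str, data: bytes) -> UploadDecision:
    """Validate the content itself, not just the client-supplied file name."""
    # Never trust the client path: keep only the final path component.
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return UploadDecision(False, f"extension {ext!r} not allowed")
    if len(data) > MAX_SIZE:
        return UploadDecision(False, "file too large")
    if not data.startswith(ALLOWED_TYPES[ext]):
        return UploadDecision(False, "content does not match declared type")
    # Script markers inside an "image" or "document" are a poisoned payload.
    if b"<?php" in data or b"<script" in data.lower():
        return UploadDecision(True if False else False, "script content inside file")
    return UploadDecision(True, "ok")


def store_upload(client_name: str, data: bytes, quarantine_dir: str) -> UploadDecision:
    """Write an accepted file under a random name, outside the web root."""
    decision = check_upload(client_name, data)
    if not decision.accepted:
        return decision
    ext = os.path.splitext(os.path.basename(client_name.replace("\\", "/")))[1].lower()
    os.makedirs(quarantine_dir, mode=0o700, exist_ok=True)
    path = os.path.join(quarantine_dir, secrets.token_hex(16) + ext)
    # O_EXCL prevents clobbering an existing file; 0o600 sets no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return UploadDecision(True, "stored", stored_as=path)
```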
Attack Motivation-Consequences
Scope: Confidentiality, Integrity, Availability
Technical Impact: Execute unauthorized code or commands
Note: (none)
Injection Vector
Payload delivered through standard communication protocols.
Payload
Command(s) executed directly on host filesystem
Activation Zone
Client machine and client network
Payload Activation Impact
Description
Enables attacker to execute server side code with any commands that the
program owner has privileges to.