|
|
| Home > CAPEC List > Individual CAPEC Dictionary Definition (Release 1.1) | View the CAPEC List |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Individual CAPEC Dictionary Definition (Release 1.1)
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Hijacking a Privileged Thread of Execution | |||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Attack Pattern ID | Pattern Abstraction: Standard 30 | ||||||||||||||||||||||||||||
| Typical Severity | Very High | ||||||||||||||||||||||||||||
| Description | Summary Attackers can sometimes hijack a privileged thread from the underlying system through synchronous (calling a privileged function that returns incorrectly) or asynchronous (callbacks, signal handlers, and similar) means. Attack Execution Flow
| ||||||||||||||||||||||||||||
| Attack Prerequisites | The application in question employs a threaded model of execution with the threads operating at, or having the ability to switch to, a higher privilege level than normal users In order to feasibly execute this class of attacks, the attacker must have the ability to hijack a privileged thread. This ability includes, but is not limited to, modifying environment variables that affect the process the thread belongs to, or providing malformed user-controllable input that causes the executing thread to fault and return to a higher privilege level or such. This does not preclude network-based attacks, but makes them conceptually more difficult to identify and execute. | ||||||||||||||||||||||||||||
| Typical Likelihood of Exploit | Low | ||||||||||||||||||||||||||||
| Methods of Attack |
| ||||||||||||||||||||||||||||
| Examples-Instances | Description Attacker targets an application written using Java's AWT, with the 1.2.2 era event model. In this circumstance, any AWTEvent originating in the underlying OS (such as a mouse click) would return a privileged thread. The Attacker could choose to not return the AWT-generated thread upon consuming the event, but instead leveraging its privilege to conduct privileged operations. | ||||||||||||||||||||||||||||
| Attacker Skill or Knowledge Required | High: Hijacking a thread involves knowledge of how processes and threads function on the target platform, the design of the target application as well as the ability to identify the primitives to be used or manipulated to hijack the thread. | ||||||||||||||||||||||||||||
| Resources Required | The attacker needs to be able to latch onto a privileged thread. No special hardware or software tool-based resources are required. The Attacker does, however, need to be able to program, compile, and link to the victim binaries being executed so that it will turn control of a privileged thread over to the Attacker's malacious code. This is the case even if the attacker conducts the attack remotely. | ||||||||||||||||||||||||||||
| Probing Techniques | The attacker may attach a debugger to the executing process and observe the spawning and clean up of threads, as well as the switches in privilege levels The attacker can also observe the environment variables, if any, that affect executing threads and modify them in order to observe their effect on the execution. | ||||||||||||||||||||||||||||
| Solutions and Mitigations | Application Architects must be careful to design callback, signal, and similar asynchronous constructs such that they shed excess privilege prior to handing control to user-written (thus untrusted) code. Application Architects must be careful to design privileged code blocks such that upon return (successful, failed, or unpredicted) that privilege is shed prior to leaving the block/scope. | ||||||||||||||||||||||||||||
| Attack Motivation- |
| ||||||||||||||||||||||||||||
| Context Description | This pattern applies to circumstances in which the Attacker knows the victim API and can compile, link, and deploy code in which the victim's privileged threads will call malicious code. This, in most circumstances, will involve being 'in process' with the victim. The pattern does, however, apply in network-based circumstances in which remote object/callback interaction is allowed through RPC-like technologies. In either case (local or remote) the Attacker must be able to gain control of the thread through 'normal' means, which may require privilege-enough to register a call back, subscribe to a service, or similar. | ||||||||||||||||||||||||||||
| Related Weaknesses |
| ||||||||||||||||||||||||||||
| Relevant Security Requirements | Only those constructs within the application that cannot execute without elevated privileges must be granted additional privileges. Often times, the entire function or the entire process is granted privileges that are usually not necessary. The callee must ensure that additional privileges are shed before returning to the caller. This avoids pinning the responsibility on an inadvertant caller who may not have a clue about the innards of the callee. | ||||||||||||||||||||||||||||
| Related Security Principles |
| ||||||||||||||||||||||||||||
| Related Guidelines |
| ||||||||||||||||||||||||||||
| Purpose | Exploitation | ||||||||||||||||||||||||||||
| CIA Impact |
| ||||||||||||||||||||||||||||
| Technical Context |
| ||||||||||||||||||||||||||||
| Source |
| ||||||||||||||||||||||||||||
|
|
|