Home > CAPEC List > CAPEC-30: Hijacking a Privileged Thread of Execution (Version 3.0)  

CAPEC-30: Hijacking a Privileged Thread of Execution

Attack Pattern ID: 30
Abstraction: Standard
Status: Draft
Presentation Filter:
+ Description
Adversaries can sometimes hijack a privileged thread from the underlying system through synchronous (calling a privileged function that returns incorrectly) or asynchronous (callbacks, signal handlers, and similar) means. This can allow the adversary to access functionality the system's designer didn't intend for them to, but they may also go undetected or deny other users essential services in a catastrophic (or insidiously subtle) way.
+ Likelihood Of Attack

Low

+ Typical Severity

Very High

+ Relationships

The table(s) below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

+ Relevant to the view "Mechanisms of Attack" (CAPEC-1000)
NatureTypeIDName
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.233Privilege Escalation
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.236Catching exception throw/signal from privileged block
+ Execution Flow
Explore
  1. Adversary determines the underlying system thread that is subject to user-control

Experiment
  1. Adversary then provides input, perhaps by way of environment variables for the process in question, that affect the executing thread

Exploit
  1. Upon successful hijacking, the adversary enjoys elevated privileges, and can possibly have the hijacked thread do his bidding

+ Prerequisites
The application in question employs a threaded model of execution with the threads operating at, or having the ability to switch to, a higher privilege level than normal users
In order to feasibly execute this class of attacks, the adversary must have the ability to hijack a privileged thread.This ability includes, but is not limited to, modifying environment variables that affect the process the thread belongs to, or providing malformed user-controllable input that causes the executing thread to fault and return to a higher privilege level or such.This does not preclude network-based attacks, but makes them conceptually more difficult to identify and execute.
+ Skills Required
[Level: High]
Hijacking a thread involves knowledge of how processes and threads function on the target platform, the design of the target application as well as the ability to identify the primitives to be used or manipulated to hijack the thread.
+ Resources Required
None: No specialized resources are required to execute this type of attack. The adversary needs to be able to latch onto a privileged thread. The adversary does, however, need to be able to program, compile, and link to the victim binaries being executed so that it will turn control of a privileged thread over to the adversary's malicious code. This is the case even if the adversary conducts the attack remotely.
+ Consequences

The table below specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

ScopeImpactLikelihood
Confidentiality
Access Control
Authorization
Gain Privileges
Confidentiality
Integrity
Availability
Execute Unauthorized Commands
+ Mitigations
Application Architects must be careful to design callback, signal, and similar asynchronous constructs such that they shed excess privilege prior to handing control to user-written (thus untrusted) code.
Application Architects must be careful to design privileged code blocks such that upon return (successful, failed, or unpredicted) that privilege is shed prior to leaving the block/scope.
+ Example Instances
Adversary targets an application written using Java's AWT, with the 1.2.2 era event model. In this circumstance, any AWTEvent originating in the underlying OS (such as a mouse click) would return a privileged thread (e.g., a system call). The adversary could choose to not return the AWT-generated thread upon consuming the event, but instead leveraging its privilege to conduct privileged operations.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2017-01-09CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2017-08-04CAPEC Content TeamThe MITRE Corporation
Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances, Probing_Techniques, Resources_Required
2018-07-31CAPEC Content TeamThe MITRE Corporation
Updated Description Summary, Examples-Instances, Probing_Techniques

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018