Home > CAPEC List > CAPEC-30: Hijacking a Privileged Thread of Execution (Version 2.11)  

CAPEC-30: Hijacking a Privileged Thread of Execution

Hijacking a Privileged Thread of Execution
Definition in a New Window Definition in a New Window
Attack Pattern ID: 30
Abstraction: Standard
Status: Draft
Completeness: Complete
Presentation Filter:
+ Summary

Adversaries can sometimes hijack a privileged thread from the underlying system through synchronous (calling a privileged function that returns incorrectly) or asynchronous (callbacks, signal handlers, and similar) means. This can allow the adversary may to access functionality the system's designer didn't intend for them to, but they may also go undetected or deny other users essential service in a catastrophic (or insidiously subtle) way.

+ Attack Steps
  1. Adversary determines the underlying system thread that is subject to user-control

  1. Adversary then provides input, perhaps by way of environment variables for the process in question, that affect the executing thread

  1. Upon successful hijacking, the adversary enjoys elevated privileges, and can possibly have the hijacked thread do his bidding

+ Attack Prerequisites
  • The application in question employs a threaded model of execution with the threads operating at, or having the ability to switch to, a higher privilege level than normal users

  • In order to feasibly execute this class of attacks, the adversary must have the ability to hijack a privileged thread.

    This ability includes, but is not limited to, modifying environment variables that affect the process the thread belongs to, or providing malformed user-controllable input that causes the executing thread to fault and return to a higher privilege level or such.

    This does not preclude network-based attacks, but makes them conceptually more difficult to identify and execute.

+ Typical Severity

Very High

+ Typical Likelihood of Exploit

Likelihood: Low

+ Methods of Attack
  • Analysis
  • Modification of Resources
  • API Abuse
+ Examples-Instances


Adversary targets an application written using Java's AWT, with the 1.2.2 era event model. In this circumstance, any AWTEvent originating in the underlying OS (such as a mouse click) would return a privileged thread. The adversary could choose to not return the AWT-generated thread upon consuming the event, but instead leveraging its privilege to conduct privileged operations.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: High

Hijacking a thread involves knowledge of how processes and threads function on the target platform, the design of the target application as well as the ability to identify the primitives to be used or manipulated to hijack the thread.

+ Resources Required

None: No specialized resources are required to execute this type of attack. The adversary needs to be able to latch onto a privileged thread.

The adversary does, however, need to be able to program, compile, and link to the victim binaries being executed so that it will turn control of a privileged thread over to the adversary's malicious code. This is the case even if the adversary conducts the attack remotely.

+ Probing Techniques

The adversary may attach a debugger to the executing process and observe the spawning and cleanup of threads, as well as the switches in privilege levels

The adversary can also observe the environment variables, if any, that affect executing threads and modify them in order to observe their effect on the execution.

+ Solutions and Mitigations

Application Architects must be careful to design callback, signal, and similar asynchronous constructs such that they shed excess privilege prior to handing control to user-written (thus untrusted) code.

Application Architects must be careful to design privileged code blocks such that upon return (successful, failed, or unpredicted) that privilege is shed prior to leaving the block/scope.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Gain privileges / assume identity
Execute unauthorized code or commands
Run Arbitrary Code
+ Relevant Security Requirements

Only those constructs within the application that cannot execute without elevated privileges must be granted additional privileges. Often times, the entire function or the entire process is granted privileges that are usually not necessary.

The callee must ensure that additional privileges are shed before returning to the caller. This avoids pinning the responsibility on an inadvertent caller who may not have a clue about the innards of the callee.

+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: Low
+ Technical Context
Architectural Paradigms
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
CAPEC Content TeamThe MITRE Corporation2017-01-09Updated Related_Attack_PatternsInternal
CAPEC Content TeamThe MITRE Corporation2017-08-04Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances, Probing_Techniques, Resources_RequiredInternal

More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 04, 2017