CAPEC - CAPEC-30: Hijacking a Privileged Thread of Execution (Release 1.4)

Home > CAPEC List > CAPEC-30: Hijacking a Privileged Thread of Execution (Release 1.4)

CAPEC List
Full CAPEC Dictionary
Methods of Attack View

About CAPEC
Documents
Resources

Community
Related Activities
Collaboration List

News & Events
Calendar
Free Newsletter

Contact Us
Search the Site

CAPEC-30: Hijacking a Privileged Thread of Execution

Hijacking a Privileged Thread of Execution

Attack Pattern ID: 30 (Standard Attack Pattern Completeness: Complete)

Typical Severity: Very High

Status: Draft

Description

Summary

Attackers can sometimes hijack a privileged thread from the underlying system through synchronous (calling a privileged function that returns incorrectly) or asynchronous (callbacks, signal handlers, and similar) means.

Having done so, the Attacker may not only likely access functionality the system's designer didn't intend for them, but they may also go undetected or deny other users essential service in a catastrophic (or insidiously subtle) way.

Attack Execution Flow

Attacker determines the underlying system thread that is subject to user-control
Attacker then provides input, perhaps by way of environment variables for the process in question, that affect the executing thread
Upon successful hijacking, the attacker enjoys elevated privileges, and can possibly have the hijacked thread do his bidding

Attack Prerequisites

The application in question employs a threaded model of execution with the threads operating at, or having the ability to switch to, a higher privilege level than normal users

In order to feasibly execute this class of attacks, the attacker must have the ability to hijack a privileged thread.

This ability includes, but is not limited to, modifying environment variables that affect the process the thread belongs to, or providing malformed user-controllable input that causes the executing thread to fault and return to a higher privilege level or such.

This does not preclude network-based attacks, but makes them conceptually more difficult to identify and execute.

Typical Likelihood of Exploit

Likelihood: Low

Methods of Attack

Analysis
Modification of Resources
API Abuse

Examples-Instances

Description

Attacker targets an application written using Java's AWT, with the 1.2.2 era event model. In this circumstance, any AWTEvent originating in the underlying OS (such as a mouse click) would return a privileged thread. The Attacker could choose to not return the AWT-generated thread upon consuming the event, but instead leveraging its privilege to conduct privileged operations.

Attacker Skills or Knowledge Required

Skill or Knowledge Level: High

Hijacking a thread involves knowledge of how processes and threads function on the target platform, the design of the target application as well as the ability to identify the primitives to be used or manipulated to hijack the thread.

Resources Required

The attacker needs to be able to latch onto a privileged thread. No special hardware or software tool-based resources are required.

The Attacker does, however, need to be able to program, compile, and link to the victim binaries being executed so that it will turn control of a privileged thread over to the Attacker's malacious code. This is the case even if the attacker conducts the attack remotely.

Probing Techniques

The attacker may attach a debugger to the executing process and observe the spawning and clean up of threads, as well as the switches in privilege levels

The attacker can also observe the environment variables, if any, that affect executing threads and modify them in order to observe their effect on the execution.

Solutions and Mitigations

Application Architects must be careful to design callback, signal, and similar asynchronous constructs such that they shed excess privilege prior to handing control to user-written (thus untrusted) code.

Application Architects must be careful to design privileged code blocks such that upon return (successful, failed, or unpredicted) that privilege is shed prior to leaving the block/scope.

Attack Motivation-Consequences

Privilege Escalation
Run Arbitrary Code

Related Attack Patterns

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Category	232	Exploitation of Privilege/Trust	Mechanism of Attack (primary)1000
ParentOf	Attack Pattern	235	Implementing a callback to system routine (old AWT Queue)	Mechanism of Attack (primary)1000
ParentOf	Attack Pattern	236	Catching exception throw/signal from privileged block	Mechanism of Attack (primary)1000

Relevant Security Requirements

Only those constructs within the application that cannot execute without elevated privileges must be granted additional privileges. Often times, the entire function or the entire process is granted privileges that are usually not necessary.

The callee must ensure that additional privileges are shed before returning to the caller. This avoids pinning the responsibility on an inadvertant caller who may not have a clue about the innards of the callee.

Purposes

Exploitation

CIA Impact

Confidentiality Impact: High

Integrity Impact: High

Availability Impact: Low

Technical Context

Architectural Paradigms	All
Frameworks	All
Platforms	All
Languages	All

Content History

Submissions
Submitter	Organization	Date	Comments
John Steven	Cigital, Inc	2007-02-10	Initial core pattern content

Modifications
Modifier	Organization	Date	Comments
Chiradeep B. Chhaya	Cigital, Inc	2007-02-28	Fleshed out pattern with extra content
Sean Barnum	Cigital, Inc	2007-03-07	Review and revise

Page Last Updated: September 23, 2009


	CAPEC is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. Vision and Technical Leadership provided by Cigital, Inc. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation. Contact capec@mitre.org for more information.	Privacy policy Terms of use Contact us