CAPEC - CAPEC-35: Leverage Executable Code in Nonexecutable Files (Release 1.4)

Home > CAPEC List > CAPEC-35: Leverage Executable Code in Nonexecutable Files (Release 1.4)

CAPEC List
Full CAPEC Dictionary
Methods of Attack View

About CAPEC
Documents
Resources

Community
Related Activities
Collaboration List

News & Events
Calendar
Free Newsletter

Contact Us
Search the Site

CAPEC-35: Leverage Executable Code in Nonexecutable Files

Leverage Executable Code in Nonexecutable Files

Attack Pattern ID: 35 (Standard Attack Pattern Completeness: Complete)

Typical Severity: Very High

Status: Draft

Description

Summary

An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/)

http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here

The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process.

The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality.

< security-constraint>

<description>Security processing rules for admin screens</description>

<url-pattern>/admin/*</url-pattern>

<http-method>POST</http-method>

<http-method>GET</http-method>

<auth-constraint>

<role-name>administrator</role-name>

<role-name>public</role-name>

</auth-constraint>

</security-constraint>

The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.

Attack Prerequisites

The attacker must have the ability to modify nonexecutable files consumed by the target software.

Typical Likelihood of Exploit

Likelihood: High

Methods of Attack

Injection
API Abuse
Modification of Resources

Examples-Instances

Description

Virtually any system that relies on configuration files for runtime behavior is open to this attack vector. The configuration files are frequently stored in predictable locations, so an attacker that can fingerpint a server process such as a web server or database server can quickly identify the likely locale where the configuration is stored. And this is of course not limited to server processes. Unix shells rely on profile files to store environment variables, search paths for programs and so on. If the aliases are changed, then a standard Unix "cp" command can be rerouted to "rm" or other standard command so the user's intention is subverted.

Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

To identify and execute against an overprivileged system interface

Resources Required

Ability to communicate synchronously or asynchronously with server that publishes an overprivileged directory, program, or itnerface. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.

Solutions and Mitigations

Design: Enforce principle of least privilege

Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.

Implementation: Perform testing such as pentesting and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.

Implementation: Implement host integrity monitoring to detect any unwanted altering of configuration files.

Implementation: Ensure that files that are not required to execute, such as configuration files, are not over-privileged, i.e. not allowed to execute.

Attack Motivation-Consequences

Run Arbitrary Code
Data Modification
Privilege Escalation

Injection Vector

Nonexecutable files

Payload

Executable code

Activation Zone

Client machine and client network

Payload Activation Impact

Enables attacker to execute server side code with any commands that the program owner has privileges to.

Related Weaknesses

CWE-ID	Weakness Name	Weakness Relationship Type
94	Failure to Control Generation of Code (aka 'Code Injection')	Targeted
96	Insufficient Control of Directives in Statically Saved Code (Static Code Injection)	Targeted
95	Insufficient Control of Directives in Dynamically Evaluated Code (aka 'Eval Injection')	Targeted
97	Failure to Sanitize Server-Side Includes (SSI) Within a Web Page	Targeted
272	Least Privilege Violation	Secondary
59	Failure to Resolve Links Before File Access (aka 'Link Following')	Secondary
282	Improper Ownership Management	Secondary
275	Permission Issues	Secondary
264	Permissions, Privileges, and Access Controls	Secondary
270	Privilege Context Switching Error	Secondary
714	OWASP Top Ten 2007 Category A3 - Malicious File Execution	Targeted

Related Attack Patterns

Nature	Type	ID	Name	View(s) this relationship pertains to
PeerOf	Attack Pattern	23	File System Function Injection, Content Based	Mechanism of Attack1000
PeerOf	Attack Pattern	75	Manipulating Writeable Configuration Files	Mechanism of Attack1000
ChildOf	Attack Pattern	165	File Manipulation	Mechanism of Attack (primary)1000
PeerOf	Attack Pattern	44	Overflow Binary Resource File	Mechanism of Attack1000

Purposes

Exploitation

CIA Impact

Confidentiality Impact: Medium

Integrity Impact: High

Availability Impact: Low

Technical Context

Architectural Paradigms	All
Frameworks	All
Platforms	All
Languages	All

References

G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.

Content History

Submissions
Submitter	Organization	Date
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.	Cigital, Inc	2007-01-01

Modifications
Modifier	Organization	Date	Comments
Gunnar Peterson	Cigital, Inc	2007-02-28	Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software"
Sean Barnum	Cigital, Inc	2007-03-09	Review and revise
Richard Struse	VOXEM, Inc	2007-03-26	Review and feedback leading to changes in Related Attack Patterns
Sean Barnum	Cigital, Inc	2007-04-13	Modified pattern content according to review and feedback

Page Last Updated: September 23, 2009


	CAPEC is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. Vision and Technical Leadership provided by Cigital, Inc. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation. Contact capec@mitre.org for more information.	Privacy policy Terms of use Contact us