Common Attack Pattern Enumeration and Classification
A Community Resource for Identifying and Understanding Attacks
This attack targets programs running with elevated privileges. The attacker tries to leverage a bug in the running program in order to get arbitrary code executed with those elevated privileges. For instance, an attacker would look for programs that write to system directories or to registry keys such as HKLM (HKEY_LOCAL_MACHINE), which stores a number of critical Windows system settings and environment variables. Such programs typically run with elevated privileges and have usually not been designed with security in mind, which makes them excellent exploit targets: when they break, they yield a lot of power. The malicious user tries to get her own code to run at the same privilege level as the targeted program or privileged system call.
Skill or Knowledge Level: Low
An attacker can use a tool to scan for known issues and automatically launch an attack against them. A tool can also repeat a sequence of instructions and try to brute force the service on the target host; flooding is an example of this technique.
Skill or Knowledge Level: Medium
Skill or Knowledge Level: High
More advanced attacks may require knowledge of the protocol spoken by the host service.
Probing techniques include fuzzing (sending malformed or random data in order to make the service on the target host fail), brute forcing (with automated tools), and network scanning to determine which services are available and running on the target host.
Freely available tools exist to probe the target host and gather information from it. By collecting such information the attacker can, for instance, find out that the target host has not been patched.
The host's logs may contain a trace of the abnormal activity. Flooding, for instance, should be treated as abnormal activity, and when it is detected the target host may take appropriate action to mitigate the attack (filtering or blocking the traffic). Resource exhaustion is also a sign of abnormal activity.
The attacker may try to hide her attack by forging the host's logs. The attacker has an interest in mimicking a legitimate call to the program or service under threat.
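The detection idea described above (treat a burst of requests from one source as flooding and flag it) can be turned into a small piece of code. The following is an added example written for this page, not part of the CAPEC entry or of any product. The log format `ts=<seconds> src=<address> ...`, the 10-second window and the threshold of 20 records per window are all assumptions, and the log lines the sample runs over are constructed, not captured.

```c
/* Added example (not from CAPEC): flag a source that floods a service,
 * by counting records per source inside fixed time windows.
 * Log format "ts=<seconds> src=<address> ..." is hypothetical. */
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES     16    /* sources tracked at once (assumption) */
#define WINDOW_SECONDS  10    /* window length (assumption) */
#define FLOOD_THRESHOLD 20    /* records per window before flagging (assumption) */

struct source_stats {
    char addr[64];
    long window_start;  /* -1 until the first record is seen */
    int  count;         /* records seen in the current window */
    int  flagged;       /* set once the threshold was exceeded */
};

struct detector {
    struct source_stats src[MAX_SOURCES];
    int nsrc;
};

/* Find or create the per-source record; NULL when the table is full. */
static struct source_stats *lookup(struct detector *d, const char *addr)
{
    for (int i = 0; i < d->nsrc; i++)
        if (strcmp(d->src[i].addr, addr) == 0)
            return &d->src[i];
    if (d->nsrc >= MAX_SOURCES)
        return NULL;
    struct source_stats *s = &d->src[d->nsrc++];
    snprintf(s->addr, sizeof s->addr, "%s", addr);
    s->window_start = -1;
    s->count = 0;
    s->flagged = 0;
    return s;
}

/* Feed one log record. Returns 1 if this record pushes its source over the
 * threshold, 0 if it is within limits, -1 if the record is malformed or the
 * source table is full (a malformed record is itself worth investigating). */
int detector_feed(struct detector *d, const char *line)
{
    long ts;
    char addr[64];
    if (sscanf(line, "ts=%ld src=%63s", &ts, addr) != 2)
        return -1;
    struct source_stats *s = lookup(d, addr);
    if (s == NULL)
        return -1;
    if (s->window_start < 0 || ts - s->window_start >= WINDOW_SECONDS) {
        s->window_start = ts;   /* open a new window for this source */
        s->count = 0;
    }
    s->count++;
    if (s->count > FLOOD_THRESHOLD) {
        s->flagged = 1;
        return 1;
    }
    return 0;
}

int detector_is_flagged(const struct detector *d, const char *addr)
{
    for (int i = 0; i < d->nsrc; i++)
        if (strcmp(d->src[i].addr, addr) == 0)
            return d->src[i].flagged;
    return 0;
}

/* Constructed sample: 30 requests from 10.0.0.9 within 3 seconds (a flood)
 * and 5 requests from 10.0.0.2 spread over 10 seconds (normal use).
 * Returns the number of records that triggered an alert. */
int run_sample(struct detector *d)
{
    char line[128];
    int alerts = 0;
    for (int i = 0; i < 30; i++) {
        snprintf(line, sizeof line, "ts=%d src=10.0.0.9 req=GET /status", 1000 + i / 10);
        if (detector_feed(d, line) == 1)
            alerts++;
    }
    for (int i = 0; i < 5; i++) {
        snprintf(line, sizeof line, "ts=%d src=10.0.0.2 req=GET /status", 1000 + i * 2);
        if (detector_feed(d, line) == 1)
            alerts++;
    }
    return alerts;
}

int main(void)
{
    struct detector d;
    memset(&d, 0, sizeof d);
    int alerts = run_sample(&d);
    printf("alerts=%d flagged(10.0.0.9)=%d flagged(10.0.0.2)=%d\n",
           alerts, detector_is_flagged(&d, "10.0.0.9"), detector_is_flagged(&d, "10.0.0.2"));
    return 0;
}
```

With the constructed sample, records 21 through 30 from 10.0.0.9 each return 1, so the run yields 10 alerts and only that source is flagged; the normal source stays below the threshold. A real deployment would read records from the actual log, and would tune the window and threshold to the service's normal traffic.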
Apply the principle of least privilege.
Validate all untrusted data.
Apply the latest patches.
Scan your services and disable those that are not needed or are exposed unnecessarily. Every exposed program increases the attack surface. Only expose the services that are needed, and put security mechanisms such as authentication around them.
Avoid revealing information about your system (e.g., version of the program) to anonymous users.
Make sure that your program or service fails safely. What happens if the communication protocol is interrupted suddenly? What happens if a parameter is missing? Does your system have resistance and resilience to attack? Fail safely when resource exhaustion occurs.
If possible, use a sandbox model that limits the actions a program can take. A sandbox restricts a program to a set of privileges and commands that make it difficult or impossible for the program to cause damage.
Check your program for buffer overflow and format string vulnerabilities, which can lead to execution of malicious code.
Monitor traffic and resource usage and pay attention if resource exhaustion occurs.
Protect your log file from unauthorized modification and log forging.
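Several of the mitigations listed above (validate all untrusted data, fail safely on a missing or malformed parameter, avoid buffer overflow and format string bugs, apply least privilege, resist log forging) can be shown together in one privileged helper. The following is an added example written for this page, not code from the CAPEC entry or from any real program. The helper, its request format, the 32-byte name limit, the allow-list of characters and the log line layout are all assumptions made for illustration.

```c
/* Added example (not from CAPEC): a hypothetical setuid helper that applies
 * the mitigations listed on this page. Names, limits and formats are assumed. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

#define MAX_NAME 32   /* assumed upper bound on the request parameter */

enum req_status { REQ_OK = 0, REQ_MISSING = 1, REQ_TOO_LONG = 2, REQ_BAD_CHAR = 3 };

struct request {
    char name[MAX_NAME];   /* validated, always NUL-terminated */
};

/* Validate untrusted input before it touches anything privileged.
 * Rejects a NULL or empty value (missing parameter, fail safely), an
 * over-long value (so no copy can overflow), and any character outside a
 * strict allow-list (so "%x", "../" and shell metacharacters never get in). */
enum req_status validate_request(const char *input, struct request *out)
{
    if (input == NULL || input[0] == '\0')
        return REQ_MISSING;
    size_t len = strnlen(input, MAX_NAME);
    if (len >= MAX_NAME)
        return REQ_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        char c = input[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok)
            return REQ_BAD_CHAR;
    }
    memcpy(out->name, input, len + 1);   /* bounded: len < MAX_NAME */
    return REQ_OK;
}

/* Build a log line with a fixed format string (never printf(user_data)) and
 * neutralise control characters, so a caller cannot inject a line break and
 * forge a second, legitimate-looking log record. Returns bytes written or -1. */
int format_log_line(char *buf, size_t buflen, const char *peer, const char *raw)
{
    char clean[128];
    size_t n = 0;
    for (const char *p = raw; *p != '\0' && n < sizeof clean - 1; p++)
        clean[n++] = ((unsigned char)*p < 0x20 || *p == 0x7f) ? '?' : *p;
    clean[n] = '\0';
    int written = snprintf(buf, buflen, "helper: peer=%s input=\"%s\"", peer, clean);
    return (written < 0 || (size_t)written >= buflen) ? -1 : written;
}

/* Drop privileges irrevocably and verify the drop. Order matters: clear
 * supplementary groups first (needs root), then the gid, then the uid.
 * Returns 0 on success, -1 (with errno set) on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)   /* as root this sets real, effective and saved uid */
        return -1;
    /* Fail closed: if root can be regained, the drop did not take effect. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    struct request req;
    char line[256];
    const char *arg = argc > 1 ? argv[1] : NULL;

    /* Validate first: a missing or bad parameter is a clean refusal, not a
     * crash or an undefined state while still holding elevated privileges. */
    enum req_status st = validate_request(arg, &req);
    if (format_log_line(line, sizeof line, "local", arg ? arg : "") > 0)
        fprintf(stderr, "%s status=%d\n", line, (int)st);
    if (st != REQ_OK)
        return 2;

    /* The privileged step (e.g. writing under a system directory) would go
     * here; everything after it runs as the invoking user. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("handled request for %s as uid %ld\n", req.name, (long)getuid());
    return 0;
}
```

The three functions are deliberately separable: the validator and the log formatter are pure and can be unit-tested without root, while the privilege drop is the only piece that needs to run in the real setuid context. The regain-root check at the end of drop_privileges is the "fail safely" part: a helper that believes it dropped privileges but did not is worse than one that refuses to continue.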
[R.69.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
[R.69.2] [REF-3] "Common Weakness Enumeration (CWE)". CWE-214: Failure to protect stored data from modification. Draft. The MITRE Corporation. <http://cwe.mitre.org/data/definitions/214.html>.
[R.69.3] [REF-3] "Common Weakness Enumeration (CWE)". CWE-15: Setting manipulation. Draft. The MITRE Corporation. <http://cwe.mitre.org/data/definitions/15.html>.
[R.69.4] [REF-3] "Common Weakness Enumeration (CWE)". CWE-250: Often Misused: Privilege Management. Draft. The MITRE Corporation. <http://cwe.mitre.org/data/definitions/250.html>.
[R.69.5] [REF-3] "Common Weakness Enumeration (CWE)". CWE-264: Permissions, Privileges, and Access Controls. Draft. The MITRE Corporation. <http://cwe.mitre.org/data/definitions/264.html>.