CAPEC

Common Attack Pattern Enumeration and Classification

A Community Knowledge Resource for Building Secure Software


Individual CAPEC Dictionary Definition (Release 1.1)

Target Programs with Elevated Privileges

Attack Pattern ID: 69

Pattern Abstraction: Standard

Typical Severity

Very High

Description

Summary

This attack targets programs running with elevated privileges. The attacker tries to leverage a bug in the running program in order to get arbitrary code executed with elevated privileges. For instance, an attacker would look for programs that write to system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs typically run with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield a lot of power when they break. The malicious user tries to execute their code at the same level as a privileged system call.

Attack Execution Flow

  1. The attacker probes for programs running with elevated privileges.

  2. The attacker finds a bug in a program running with elevated privileges.

  3. The attacker exploits the bug that she has found. For instance, she can try to inject and execute arbitrary code or write to OS resources.

Attack Prerequisites

The targeted program runs with elevated OS privileges.

The targeted program accepts input data from the user or from another program.

The targeted program does not perform input validation properly.

The targeted program does not fail safely. For instance, when a program fails it may authorize restricted access to anyone.

The targeted program has a vulnerability such as a buffer overflow which may be exploited if a malicious user can inject unvalidated data. For instance, a buffer overflow interrupts the program as it executes and makes it run additional code supplied by the attacker. If the program under attack has elevated privileges on the OS, the attacker can elevate their privileges (such as gaining root-level access).

The targeted program gives away information about itself. Before performing such an attack, a prospective attacker may need to gather information about the services running on the target host. The more verbose the target host is about the services that are running (version number of the application, etc.), the more information can be gathered by an attacker.

This attack often requires communicating with the target host's services directly. For instance, Telnet may be enough to communicate with the target host.

Typical Likelihood of Exploit

Very High

Methods of Attack
  • Injection
  • API Abuse
  • Protocol Manipulation
  • Flooding
Attacker Skill or Knowledge Required

Low: An attacker can use a tool to scan for and automatically launch an attack against known issues. A tool can also repeat a sequence of instructions and try to brute force the service on the target host; the flooding technique is an example of this.

Medium to High: More advanced attacks may require knowledge of the protocol spoken by the host service.

Probing Techniques

Probing techniques include fuzzing (sending random data in order to make the service on the target host fail), brute forcing (with automated tools), and network scanning to determine which services are available and running on the target host.

There are freely available tools to probe and gather information from the target host. For instance, by collecting such information the attacker can find out that a target host has not been patched.

Indicators-Warnings of Attack

The log may contain a trace of abnormal activity, and abnormal activity may also be detected on the target host directly. For instance, flooding should be seen as abnormal activity, and the target host may decide to take appropriate action in order to mitigate the attack (data filtering or blocking). Resource exhaustion is also a sign of abnormal activity.

Obfuscation Techniques

The attacker may try to hide her attack by forging the host's logs. The attacker has an interest in mimicking a legitimate call to the program or service under threat.

Solutions and Mitigations

Apply the principle of least privilege.

Validate all untrusted data.

Apply the latest patches.

Scan your services and disable the ones which are not needed and are exposed unnecessarily. Exposing programs increases the attack surface. Only expose the services which are needed and have security mechanisms such as authentication built around them.

Avoid revealing information about your system (e.g., version of the program) to anonymous users.

Make sure that your program or service fails safely. What happens if the communication protocol is interrupted suddenly? What happens if a parameter is missing? Does your system have resistance and resilience to attack? Fail safely when resource exhaustion occurs.

If possible use a sandbox model which limits the actions that programs can take. A sandbox restricts a program to a set of privileges and commands that make it difficult or impossible for the program to cause any damage.

Check your program for buffer overflow and format string vulnerabilities which can lead to execution of malicious code.

Monitor traffic and resource usage and pay attention if resource exhaustion occurs.

Protect your log file from unauthorized modification and log forging.
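As an added illustration of the least-privilege, input-validation and fail-safe mitigations listed above (example code written for this entry, not part of CAPEC or the referenced book), the following C helper permanently drops to the invoking user's real uid/gid before it touches untrusted data, verifies that root cannot be regained, and refuses over-long input instead of overflowing a fixed buffer. It assumes Linux/glibc (setresuid, setresgid, setgroups); the sample inputs are constructed.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Copy untrusted input into a fixed-size buffer; fail closed (-1) if it does
 * not fit together with its NUL terminator, otherwise return 0. */
int copy_input_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strnlen(src, dstsz);
    if (dstsz == 0 || n == dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Permanently drop to uid/gid and verify the drop. Order matters: clear
 * supplementary groups (root only), then gid, then uid. Returns 0 or -1. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Fail closed: if root can still be regained, refuse to continue. */
    if (uid != 0 && setuid(0) != -1)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return -1;
    return 0;
}

int main(void)
{
    char buf[16];
    /* Drop to the invoking user's real ids before parsing any untrusted data. */
    if (drop_privileges(getuid(), getgid()) != 0)
        return 1;
    /* Constructed untrusted inputs: the second one would overflow buf. */
    if (copy_input_bounded(buf, sizeof buf, "user-supplied") != 0)
        return 1;
    if (copy_input_bounded(buf, sizeof buf, "this input is far too long") == 0)
        return 1;
    return 0;
}
```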

Attack Motivation-Consequences
  • Run Arbitrary Code
  • Privilege Escalation
  • Denial of Service
Context Description

Secure programming guides are full of references to the principle of least privilege (see Building Secure Software [Viega and McGraw, 2001], for example). The problem is that most code is not designed to work with least privilege. Often the code will fail to operate properly if access restrictions are placed on it. The sad thing is that many such programs could very likely be written without requiring Administrator or root access, but they aren’t. As a result, today’s software runs with way too much system-wide privilege.

Thinking about privilege requires adjusting your viewpoint to a panoramic, systemwide view. (This is an excellent attacker trick that you should internalize.) Often the OS is the essential service providing privilege and access control checks, but many programs do not properly adhere to the least-privilege concept, so they abuse the OS and request too much privilege (often without being told “no”). Furthermore, the user of the program may or may not notice this issue, but you can be assured that an attacker will. One very interesting technique is to run a target program in a sandbox and examine the security context of each call and operation (something that is made easier in advanced platforms like Java 2). Privilege problems are very likely to surface during this exercise, and thus provide one of the richest forms of attack.

Related Weaknesses

CWE-ID | Weakness Name | Weakness Relationship Type
250 | Design Principle Violation: Failure to Use Least Privilege | Targeted
264 | Permissions, Privileges, and Access Controls | Targeted
217 | Failure to Protect Stored Data from Modification | Secondary
15 | External Control of System or Configuration Setting | Secondary

Related Vulnerabilities

Vulnerability-ID | Vulnerability Description
CVE-2004-0213 | Utility Manager in Windows 2000 launches winhlp32.exe while Utility Manager is running with raised privileges, which allows local users to gain system privileges via a "Shatter" style attack that sends a Windows message to cause Utility Manager to launch winhlp32 by directly accessing the context sensitive help and bypassing the GUI, then sending another message to winhlp32 in order to open a user-selected file, a different vulnerability than CVE-2003-0908.

Related Attack Patterns

ID | Name | Relationship Type | Relationship Description
8 | Buffer Overflow in an API Call | More Detailed |
9 | Buffer Overflow in Local Command-Line Utilities | More Detailed |
10 | Buffer Overflow via Environment Variables | More Detailed |
67 | String Format Overflow in syslog() | More Detailed |
Relevant Security Requirements

A user must be authenticated if she invokes a privileged program.

Related Security Principles
  • Reluctance to Trust
  • Least Privilege
  • Fail Securely
  • Defense in Depth
Related Guidelines
  • Any guideline related to buffer overflow and format string vulnerabilities.
  • Patch programs with the latest patches from vendors.
  • Ensure log integrity
  • Validate all untrusted input
Purpose

Exploitation

CIA Impact

Confidentiality Impact | Integrity Impact | Availability Impact
High | High | Low

Technical Context

Architectural Paradigm | Framework | Platform | Language
All | All | All | All
References

G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.

CWE: Failure to Protect Stored Data from Modification

CWE: Setting Manipulation

CWE: Often Misused: Privilege Management

CWE: Permissions, Privileges, and Access Controls

Source

Submission(s)

Submitter | Organization | Date | Comment
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-03-01 |

Modification(s)

Modifier | Organization | Date | Comment
Eric Dalci | Cigital, Inc | 2007-02-13 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software"
Sean Barnum | Cigital, Inc | 2007-03-05 | Review and revise
Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Name
Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback

Page Last Updated: April 18, 2008