CAPEC-35: Leverage Executable Code in Non-Executable Files
CAPEC版本: 3.9
更新日期: 2023-01-24
攻击模式描述
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
前提条件
- The attacker must have the ability to modify non-executable files consumed by the target software.
所需技能
所需资源
- Ability to communicate synchronously or asynchronously with server that publishes an over-privileged directory, program, or interface. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.
后果影响
影响范围: Confidentiality Integrity Availability
技术影响: Execute Unauthorized Commands
说明: Run Arbitrary Code
影响范围: Integrity
技术影响: Modify Data
影响范围: Confidentiality Access Control Authorization
技术影响: Gain Privileges
缓解措施
Design: Enforce principle of least privilege
Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.
Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.
Implementation: Implement host integrity monitoring to detect any unwanted altering of configuration files.
Implementation: Ensure that files that are not required to execute, such as configuration files, are not over-privileged, i.e. not allowed to execute.
示例实例
Virtually any system that relies on configuration files for runtime behavior is open to this attack vector. The configuration files are frequently stored in predictable locations, so an attacker that can fingerprint a server process such as a web server or database server can quickly identify the likely locale where the configuration is stored. And this is of course not limited to server processes. Unix shells rely on profile files to store environment variables, search paths for programs and so on. If the aliases are changed, then a standard Unix "cp" command can be rerouted to "rm" or other standard command so the user's intention is subverted.
The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser.
分类映射
| 分类名称 | 条目ID | 条目名称 |
|---|---|---|
| ATTACK | 1027.006 | Obfuscated Files or Information: HTML Smuggling |
| ATTACK | 1027.009 | Obfuscated Files or Information: Embedded Payloads |
| ATTACK | 1564.009 | Hide Artifacts: Resource Forking |