CAPEC-40: Manipulating Writeable Terminal Devices

Standard | Draft | Severity: Very High | Likelihood of Attack: High

CAPEC Version: 3.9

Last Updated: 2023-01-24

Attack Pattern Description

This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device, hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as a copy of /etc/passwd) to a known directory and collect them once the attack has succeeded.

Execution Flow

Step 1: Explore

[Identify attacker-writable terminals] Determine if users' TTYs are writable by the attacker.

Techniques:
  • Determine the permissions for the TTYs found on the system. Any that allow user write to the TTY may be vulnerable.
  • Attempt to write to other users' TTYs. This approach could leave a trail or alert a user.

Step 2: Exploit

[Execute malicious commands] Using one or more vulnerable TTYs, execute commands to achieve various impacts.

Techniques:
  • Commands that allow reading or writing end user files can be executed.

Prerequisites

  • User terminals must have a permissive access control, such as world writeable, that allows normal users to control data on other users' terminals.

Skills Required

Low: Ability to discover permissions on terminal devices. Of course, brute force can also be used.

Resources Required

  • Access to a terminal on the target network

Consequences

Scope: Confidentiality, Access Control, Authorization

Technical Impact: Gain Privileges

Scope: Confidentiality

Technical Impact: Read Data

Scope: Confidentiality, Integrity, Availability

Technical Impact: Execute Unauthorized Commands

Note: Run Arbitrary Code

Mitigations

Design: Ensure that terminals are only writeable by named owner user and/or administrator

Design: Enforce principle of least privilege
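
One way to verify the first mitigation on a host, as an added example that is not part of the CAPEC entry: a Python audit that lists terminal device nodes writable by anyone other than their owner. The device globs are assumed Linux defaults; group write is reported separately from world write because many Linux systems grant group `tty` write access for `write`/`wall`, which `mesg n` clears.

```python
#!/usr/bin/env python3
"""Audit terminal device nodes for write access beyond the owner (defensive check)."""
import glob
import os
import stat
import sys

# Assumed default locations of terminal nodes on Linux; adjust for other systems.
DEFAULT_GLOBS = ("/dev/pts/[0-9]*", "/dev/tty[0-9]*", "/dev/ttyS[0-9]*")


def classify(mode):
    """Return which non-owner write bits are set in a st_mode value."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    return findings


def audit(paths, require_chardev=True):
    """Return (path, uid, gid, octal mode, findings) for each over-permissive node."""
    report = []
    for path in paths:
        try:
            st = os.stat(path)
        except OSError:
            continue  # node vanished (session closed) or is not accessible
        if require_chardev and not stat.S_ISCHR(st.st_mode):
            continue  # only character devices can be terminals
        findings = classify(st.st_mode)
        if findings:
            perms = oct(stat.S_IMODE(st.st_mode))
            report.append((path, st.st_uid, st.st_gid, perms, findings))
    return report


def main(argv):
    paths = argv[1:] or [p for g in DEFAULT_GLOBS for p in glob.glob(g)]
    rows = audit(paths)
    for path, uid, gid, perms, findings in rows:
        print(f"{path} uid={uid} gid={gid} mode={perms} {','.join(findings)}")
    # Non-zero exit only for world-writable nodes, so the check can gate a baseline scan.
    return 1 if any("world-writable" in r[4] for r in rows) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments to scan the assumed default device paths, or pass explicit paths to check specific nodes.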

Key Information

CAPEC ID: CAPEC-40

Abstraction: Standard

Status: Draft

Typical Severity: Very High

Likelihood of Attack: High

Related Attack Patterns
Related CWE Weaknesses