Name |
Target Programs with Elevated Privileges |
|
Likelyhood of attack |
Typical severity |
High |
Very High |
|
Summary |
This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call. |
Prerequisites |
The targeted program runs with elevated OS privileges. The targeted program accepts input data from the user or from another program. The targeted program does not perform input validation properly. The targeted program does not fail safely. For instance when a program fails it may authorize restricted access to anyone. The targeted program has a vulnerability such as buffer overflow which may be exploited if a malicious user can inject unvalidated data. For instance a buffer overflow interrupts the program as it executes, and makes it run additional code supplied by the attacker. If the program under attack has elevated privileges to the OS, the attacker can elevate its privileges (such as having root level access). The targeted program is giving away information about itself. Before performing such attack, an eventual attacker may need to gather information about the services running on the host target. The more the host target is verbose about the services that are running (version number of application, etc.) the more information can be gather by an attacker. This attack often requires communicating with the host target services directly. For instance Telnet may be enough to communicate with the host target. |
Execution Flow |
Step |
Phase |
Description |
Techniques |
1 |
Explore |
The attacker probes for programs running with elevated privileges. |
|
2 |
Explore |
The attacker finds a bug in a program running with elevated privileges. |
|
3 |
Exploit |
The attacker exploits the bug that they have found. For instance, they can try to inject and execute arbitrary code or write to OS resources. |
|
|
Solutions | Apply the principle of least privilege. Validate all untrusted data. Apply the latest patches. Scan your services and disable the ones which are not needed and are exposed unnecessarily. Exposing programs increases the attack surface. Only expose the services which are needed and have security mechanisms such as authentication built around them. Avoid revealing information about your system (e.g., version of the program) to anonymous users. Make sure that your program or service fail safely. What happen if the communication protocol is interrupted suddenly? What happen if a parameter is missing? Does your system have resistance and resilience to attack? Fail safely when a resource exhaustion occurs. If possible use a sandbox model which limits the actions that programs can take. A sandbox restricts a program to a set of privileges and commands that make it difficult or impossible for the program to cause any damage. Check your program for buffer overflow and format String vulnerabilities which can lead to execution of malicious code. Monitor traffic and resource usage and pay attention if resource exhaustion occurs. Protect your log file from unauthorized modification and log forging. |
Related Weaknesses |
CWE ID
|
Description
|
CWE-15 |
External Control of System or Configuration Setting |
CWE-250 |
Execution with Unnecessary Privileges |
CWE-264 |
Permissions, Privileges, and Access Controls |
|
Related CAPECS |
CAPEC ID
|
Description
|
CAPEC-8 |
This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process. |
CAPEC-9 |
This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root. |
CAPEC-10 |
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables. |
CAPEC-67 |
This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted. |
CAPEC-233 |
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform. |
|