Accessing, Modifying or Executing Executable Files
Attack Pattern ID: 17 (Standard Attack Pattern Completeness: Complete)Typical Severity: Very HighStatus: Draft
+ Description


An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

+ Attack Prerequisites

System's configuration must allow an attacker to directly access executable files or upload files to execute. This means that any access control system that is supposed to mediate communications between the subkect and the object is set incorrectly or assumes a benign environment.

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Modification of Resources
  • API Abuse
+ Examples-Instances


Consider a directory on a web server with the following permissions

drwxrwxrwx 5 admin public 170 Nov 17 01:08 webroot

This could allow an attacker to both execute and upload and execute programs' on the web server. This one vulnerability can be exploited by a threat to probe the system and identify additional vulnerabilities to exploit.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

To identify and execute against an overprivileged system interface

+ Resources Required

Ability to communicate synchronously or asynchronously with server that publishes an overprivileged directory, program, or interface. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.

+ Solutions and Mitigations

Design: Enforce principle of least privilege

Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.

Implementation: Perform testing such as pentesting and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.

+ Attack Motivation-Consequences
  • Run Arbitrary Code
  • Data Modification
  • Information Leakage
  • Privilege Escalation
+ Injection Vector

Payload delivered through standard communication protocols.

+ Payload

Command(s) executed directly on host

+ Activation Zone

Client machine and client network

+ Payload Activation Impact

Enables attacker to execute server side code with any commands that the program owner has privileges to.

+ Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
732Incorrect Permission Assignment for Critical ResourceTargeted
285Improper Access Control (Authorization)Targeted
272Least Privilege ViolationTargeted
59Improper Link Resolution Before File Access ('Link Following')Targeted
282Improper Ownership ManagementTargeted
275Permission IssuesTargeted
264Permissions, Privileges, and Access ControlsTargeted
270Privilege Context Switching ErrorTargeted
693Protection Mechanism FailureTargeted
+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfAttack PatternAttack Pattern1Accessing Functionality Not Properly Constrained by ACLs 
Mechanism of Attack1000
ChildOfAttack PatternAttack Pattern165File Manipulation 
Mechanism of Attack (primary)1000
ChildOfCategoryCategory233Privilege Escalation 
Mechanism of Attack (primary)1000
ChildOfCategoryCategory350WASC Threat Classification 2.0 - WASC-17 - Improper Filesystem Permissions 
WASC Threat Classification 2.0333
+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: MediumAvailability Impact: Low
+ Technical Context
Architectural Paradigms
+ References
G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
+ Content History
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.Cigital, Inc2007-01-01
Gunnar PetersonCigital, Inc2007-02-28Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software"
Sean BarnumCigital, Inc2007-03-09Review and revise
Richard StruseVOXEM, Inc2007-03-26Review and feedback leading to changes in Name, Description and Examples
Sean BarnumCigital, Inc2007-04-13Modified pattern content according to review and feedback