CAPEC-17: Using Malicious Files

Description

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

Extended Description

Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. Although similar to fingerprinting, footprinting aims to get a more holistic view of a system or network, whereas fingerprinting is more targeted to a specific application or operating system. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.

Severity :

Very High

Possibility :

High

Type :

Standard

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs Accessing Functionality Not Properly Constrained by ACLs CAPEC-122: Privilege Abuse Privilege Abuse CAPEC-177: Create files with the same name as files protected with a higher classification Create files with the same name as files protected with a higher classification CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels Exploiting Incorrectly Configured Access Control Security Levels CAPEC-233: Privilege Escalation Privilege Escalation CAPEC-263: Force Use of Corrupted Files Force Use of Corrupted Files CAPEC-562: Modify Shared File Modify Shared File CAPEC-563: Add Malicious File to Shared Webroot Add Malicious File to Shared Webroot CAPEC-642: Replace Binaries Replace Binaries CAPEC-650: Upload a Web Shell to a Web Server Upload a Web Shell to a Web Server

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

System's configuration must allow an attacker to directly access executable files or upload files to execute. This means that any access control system that is supposed to mediate communications between the subject and the object is set incorrectly or assumes a benign environment.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Low To identify and execute against an over-privileged system interface

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Hijack Execution Flow: Executable Installer File Permissions Weakness ATTACK | Hijack Execution Flow: Services File Permissions Weakness

Resources required

Ability to communicate synchronously or asynchronously with server that publishes an over-privileged directory, program, or interface. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-59: Improper Link Resolution Before File Access ('Link Following')

CWE-270: Privilege Context Switching Error

CWE-272: Least Privilege Violation

CWE-282: Improper Ownership Management

CWE-285: Improper Authorization

CWE-693: Protection Mechanism Failure

CWE-732: Incorrect Permission Assignment for Critical Resource

Visit http://capec.mitre.org/ for more details.