CAPEC-35:Leverage Executable Code in Non-Executable Files
Attack Pattern ID:35
Version:v3.9
Attack Pattern Name:Leverage Executable Code in Non-Executable Files
Abstraction:Detailed
Status:Draft
Likelihood of Attack:High
Typical Severity:Very High
▼Description
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image or configuration file), it encounters a file the attacker has modified either to execute malicious code directly or to manipulate the target process (e.g. an application server) into executing based on the malicious configuration parameters. Since systems increasingly mash up resources from local and remote sources, the likelihood of this attack is high.
▼Extended Description
▼Alternate Terms
▼Relationships
Nature   Type      ID   Name
ChildOf  Standard  636  Hiding Malicious Data or Code within Files
PeerOf   Standard  23   File Content Injection
PeerOf   Standard  75   Manipulating Writeable Configuration Files
▼Execution Flow
▼Prerequisites
The attacker must have the ability to modify non-executable files consumed by the target software.
▼Skills Required
Low: To identify and execute against an over-privileged system interface
▼Resources Required
Ability to communicate synchronously or asynchronously with a server that publishes an over-privileged directory, program, or interface. Optionally, the ability to capture output directly through synchronous communication or by another method such as FTP.
▼Indicators
▼Consequences
Scope                                           Likelihood  Impact                         Note
Confidentiality, Integrity, Availability        N/A         Execute Unauthorized Commands  Run Arbitrary Code
Integrity                                       N/A         Modify Data                    N/A
Confidentiality, Access Control, Authorization  N/A         Gain Privileges                N/A
▼Mitigations
Design: Enforce principle of least privilege
Design: Run server interfaces under a non-root account and/or use chroot jails or other configuration techniques to constrain privileges even if an attacker gains some limited access to commands.
Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.
Implementation: Implement host integrity monitoring to detect any unwanted altering of configuration files.
Implementation: Ensure that files that are not required to execute, such as configuration files, are not over-privileged, i.e., they are not marked executable.
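As an added example, not part of this CAPEC entry, the following Python check combines the last two mitigations: a configuration file is refused if it is a symbolic link, carries an execute bit, is world-writable, or no longer matches a recorded SHA-256 baseline. The file name `app.conf`, its contents and the tampering step are all constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile

# Any execute bit on a configuration file violates the least-privilege mitigation.
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def sha256_of(path):
    """Hash the file in chunks so large resource files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_config_file(path, expected_sha256):
    """Return a list of findings; an empty list means the file may be loaded."""
    findings = []
    st = os.lstat(path)  # lstat: do not follow links, or a link would hide the real target
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]  # CWE-59: the load could be redirected to another file
    if st.st_mode & EXEC_BITS:
        findings.append("executable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if sha256_of(path) != expected_sha256:
        findings.append("hash-mismatch")  # host integrity monitoring: content changed
    return findings


def demo():
    """Constructed scenario: a clean config, then an execute bit, then edited content."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "app.conf")  # constructed sample file
    with open(path, "w") as f:
        f.write("listen_port=8080\nlog_level=info\n")
    os.chmod(path, 0o644)
    baseline = sha256_of(path)  # the recorded baseline hash
    results = {"clean": check_config_file(path, baseline)}
    os.chmod(path, 0o755)  # over-privileged: config marked executable
    results["exec_bit"] = check_config_file(path, baseline)
    os.chmod(path, 0o644)
    with open(path, "a") as f:
        f.write("log_level=debug\n")  # content altered after the baseline was taken
    results["tampered"] = check_config_file(path, baseline)
    return results
```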
▼Example Instances
▼Related Weaknesses
ID       Name
CWE-270  Privilege Context Switching Error
CWE-272  Least Privilege Violation
CWE-282  Improper Ownership Management
CWE-59   Improper Link Resolution Before File Access ('Link Following')
CWE-94   Improper Control of Generation of Code ('Code Injection')
CWE-95   Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE-96   Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CWE-97   Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
▼Taxonomy Mappings
Taxonomy Name  Entry ID  Entry Name
ATTACK         1027.006  Obfuscated Files or Information: HTML Smuggling
ATTACK         1027.009  Obfuscated Files or Information: Embedded Payloads
ATTACK         1564.009  Hide Artifacts: Resource Forking
▼Notes
▼References