CAPEC-17 Detail
Using Malicious Files
Abstraction: Standard | Domain: Software | Likelihood: High | Typical Severity: Very High
Parents: 122
Children: 177 263 562 563 642 650
Threats: T72 T263 T280 T286 T293 T307 T336 T386 T390 T399 T405
An attack of this type exploits a system's configuration that allows an adversary either to directly access an executable file (for example through shell access) or, in the worst case, to upload a file and then execute it. Web servers, FTP servers, and message-oriented middleware systems, which have many integration points, are particularly vulnerable, because the programmers and the administrators must be in sync regarding the interfaces and the correct privileges for each interface.
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-17 | capec | https://capec.mitre.org/data/definitions/17.html | |
| CWE-732 | cwe | http://cwe.mitre.org/data/definitions/732.html | |
| CWE-285 | cwe | http://cwe.mitre.org/data/definitions/285.html | |
| CWE-272 | cwe | http://cwe.mitre.org/data/definitions/272.html | |
| CWE-59 | cwe | http://cwe.mitre.org/data/definitions/59.html | |
| CWE-282 | cwe | http://cwe.mitre.org/data/definitions/282.html | |
| CWE-270 | cwe | http://cwe.mitre.org/data/definitions/270.html | |
| CWE-693 | cwe | http://cwe.mitre.org/data/definitions/693.html | |
| T1574.005 | ATTACK | https://attack.mitre.org/wiki/Technique/T1574/005 | Hijack Execution Flow: Executable Installer File Permissions Weakness |
| T1574.010 | ATTACK | https://attack.mitre.org/wiki/Technique/T1574/010 | Hijack Execution Flow: Services File Permissions Weakness |
| REF-1 | reference_from_CAPEC | | G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, Addison-Wesley, 2004-02 |
Explore

- Determine File/Directory Configuration: The adversary looks for misconfigured files or directories on a system that might give executable access to an overly broad group of users.

| Techniques |
|---|
| Through shell access to a system, use the command "ls -l" to view permissions for files and directories. |

Experiment

- Upload Malicious Files: If the adversary discovers a directory that has executable permissions, they will attempt to upload a malicious file to execute.

| Techniques |
|---|
| Upload a malicious file through a misconfigured FTP server. |

Exploit

- Execute Malicious File: The adversary either executes the uploaded malicious file, or executes an existing file that has been misconfigured to allow executable access to the adversary.
- System's configuration must allow an attacker to directly access executable files or upload files to execute. This means that any access control system that is supposed to mediate communications between the subject and the object is set incorrectly or assumes a benign environment.
- Ability to communicate synchronously or asynchronously with a server that publishes an over-privileged directory, program, or interface. Optionally, the ability to capture output directly through synchronous communication or by another method such as FTP.
| Skill Level | Description |
|---|---|
| Low | To identify and execute against an over-privileged system interface |
| Integrity | Availability | Authorization | Access Control | Confidentiality |
|---|---|---|---|---|
| Execute Unauthorized Commands (Run Arbitrary Code) | Execute Unauthorized Commands (Run Arbitrary Code) | Gain Privileges | Gain Privileges | Execute Unauthorized Commands (Run Arbitrary Code) |
| Modify Data | Read Data | | | |
| Gain Privileges | | | | |
- Consider a directory on a web server with the following permissions:

  `drwxrwxrwx 5 admin public 170 Nov 17 01:08 webroot`

  This could allow an attacker both to execute existing programs and to upload and execute new programs on the web server. This one vulnerability can be exploited by a threat to probe the system and identify additional vulnerabilities to exploit.
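As an added example (not part of the CAPEC entry), a small Python audit that walks a directory tree, reports every world-writable directory or file such as the `webroot` above, and clears the world-write bit so a defender can find and fix this misconfiguration before it is used; the temporary tree it builds is constructed for the demo.

```python
import os
import stat
import tempfile


def audit_world_writable(root):
    """Return sorted (relative path, mode string) pairs for every directory
    or regular file under `root` that is world-writable (o+w). A
    world-writable directory that is also served or executed from turns
    any dropped file into a runnable one, as with the webroot example."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        # The directory itself, then the regular files it holds.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            if st.st_mode & stat.S_IWOTH:
                findings.append((os.path.relpath(path, root),
                                 stat.filemode(st.st_mode)))
    return sorted(findings)


def remediate(path):
    """Clear the world-write bit and return the resulting mode string."""
    st = os.lstat(path)
    os.chmod(path, stat.S_IMODE(st.st_mode) & ~stat.S_IWOTH)
    return stat.filemode(os.lstat(path).st_mode)


def demo():
    """Constructed tree: a 'webroot' with the page's drwxrwxrwx mode and a
    world-writable file in it, beside a correctly restricted sibling.
    Returns the findings before and after remediation."""
    base = tempfile.mkdtemp()  # created mode 0700, so not itself flagged
    webroot = os.path.join(base, "webroot")
    os.mkdir(webroot)
    os.chmod(webroot, 0o777)
    os.mkdir(os.path.join(base, "static"), 0o755)
    dropped = os.path.join(webroot, "upload.php")
    open(dropped, "w").close()
    os.chmod(dropped, 0o666)
    before = audit_world_writable(base)
    for rel, _mode in before:
        remediate(os.path.join(base, rel))
    return before, audit_world_writable(base)
```

Running `audit_world_writable("/var/www")` (or any served root) on a real host lists exactly the paths an `ls -l` review would flag, without relying on an operator reading mode strings by eye.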