CAPEC-69 Detail
Target Programs with Elevated Privileges
Abstraction: Standard | Domain: Software | Likelihood of Attack: High | Typical Severity: Very High
Parents: 233
Threats: T73 T263 T281 T293 T307 T338 T387 T400
This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program to get arbitrary code executed with those elevated privileges.
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-69 | capec | https://capec.mitre.org/data/definitions/69.html | |
| CWE-250 | cwe | http://cwe.mitre.org/data/definitions/250.html | |
| CWE-15 | cwe | http://cwe.mitre.org/data/definitions/15.html | |
| REF-1 | reference_from_CAPEC | | G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004-02, Addison-Wesley |
Explore
- Find programs with elevated privileges: The adversary probes for programs running with elevated privileges.

| Techniques |
|---|
| Look for programs that write to system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs typically run with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield a lot of power when they break. |

- Find vulnerability in running program: The adversary looks for a vulnerability in the running program that would allow arbitrary code execution with the privileges of the running program.

| Techniques |
|---|
| Look for improper input validation. |
| Look for improper failure safety. For instance, when a program fails it may authorize restricted access to anyone. |
| Look for a buffer overflow, which may be exploited if an adversary can inject unvalidated data. |
Exploit
- Execute arbitrary code: The adversary exploits the vulnerability they have found. For instance, they can try to inject and execute arbitrary code or write to OS resources.
Prerequisites
- The targeted program runs with elevated OS privileges.
- The targeted program accepts input data from the user or from another program.
- The targeted program gives away information about itself. Before performing such an attack, an attacker may need to gather information about the services running on the target host. The more verbose the host is about its running services (application version numbers, etc.), the more information an attacker can gather.
- This attack often requires communicating with the target host's services directly. For instance, Telnet may be enough to communicate with the target host.
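The three weaknesses the Explore step tells the adversary to look for (missing input validation, fail-open error handling, a buffer overflow in a program that keeps its elevated privileges) tend to appear together in small privileged helpers. The following is an added example written for this page, not code from CAPEC or from the referenced book: a constructed helper that accepts an untrusted account name, shown first in the vulnerable shape an attacker hopes to find and then in a hardened shape that validates input, fails closed and drops privileges (the CWE-250 mitigation). The names `handle_request_unsafe`, `handle_request_hardened`, `valid_name`, `lookup_user` and `drop_privileges` are hypothetical, `lookup_user` is a stand-in whose "fail" input simulates a backend error, and the sample inputs are constructed. The overflow in the unsafe variant is deliberately never triggered here; it is only shown.

```c
/* Added example for CAPEC-69 (not from CAPEC or REF-1). All function names are
   hypothetical. Compiles as a POSIX C program; the vulnerable variant is shown
   but must never be fed input of NAME_MAX_LEN bytes or more. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <ctype.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define NAME_MAX_LEN 32

/* Constructed stand-in for an account lookup a privileged helper might do:
   1 = known user, 0 = unknown user, -1 = backend failure (e.g. directory
   service unreachable). The name "fail" exists only to simulate the error. */
static int lookup_user(const char *name) {
    if (strcmp(name, "dbbackup") == 0) return 1;
    if (strcmp(name, "fail") == 0) return -1;
    return 0;
}

/* VULNERABLE shape, matching the targets listed under Explore:
   - no input validation and an unbounded strcpy into a fixed stack buffer,
     so an overlong argument overflows it while the process still holds its
     elevated privileges;
   - improper failure safety: a lookup error is treated as "authorized";
   - everything runs with whatever privileges the process started with.
   Returns 1 = allow, 0 = deny. */
int handle_request_unsafe(const char *untrusted_name) {
    char name[NAME_MAX_LEN];
    strcpy(name, untrusted_name);        /* overflow if input >= 32 bytes */
    int rc = lookup_user(name);
    if (rc < 0) return 1;                /* fail-open: error grants access */
    return rc;
}

/* Accept only non-empty names shorter than NAME_MAX_LEN made of [A-Za-z0-9_-].
   Scans at most NAME_MAX_LEN bytes so it is safe on unterminated input. */
int valid_name(const char *s) {
    size_t len = 0;
    while (len < NAME_MAX_LEN && s[len] != '\0') {
        unsigned char c = (unsigned char)s[len];
        if (!isalnum(c) && c != '_' && c != '-') return 0;
        len++;
    }
    return (len > 0 && len < NAME_MAX_LEN) ? 1 : 0;
}

/* HARDENED shape: validate before copying, copy with a bound, fail closed. */
int handle_request_hardened(const char *untrusted_name) {
    char name[NAME_MAX_LEN];
    if (!valid_name(untrusted_name)) return 0;            /* reject, do not guess */
    snprintf(name, sizeof name, "%s", untrusted_name);    /* bounded copy */
    int rc = lookup_user(name);
    if (rc < 0) return 0;                                 /* fail-closed */
    return rc;
}

/* Irreversibly drop to an unprivileged uid/gid (the CWE-250 mitigation).
   Call it once genuinely privileged setup is finished and before any
   untrusted input is parsed. Returns 0 on success, -1 on failure; a process
   that is not root has nothing to drop. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0) return 0;
    if (setgroups(0, NULL) != 0) return -1;   /* supplementary groups first */
    if (setgid(gid) != 0) return -1;          /* gid before uid */
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;            /* the drop must not be reversible */
    return 0;
}

int main(int argc, char **argv) {
    const char *name = argc > 1 ? argv[1] : "dbbackup";
    /* 65534 is "nobody" on most systems (assumption for the example). */
    if (drop_privileges(65534, 65534) != 0) {
        fprintf(stderr, "cannot drop privileges, refusing to run\n");
        return 1;
    }
    printf("%s: %s\n", name, handle_request_hardened(name) ? "allow" : "deny");
    return 0;
}
```

The design point is the order of operations in `main`: privileged work, then an irreversible drop that is verified rather than assumed, then parsing of untrusted input. With that order, the overflow and fail-open bugs in the unsafe variant would yield only the privileges of `nobody`, which is the whole point of denying CAPEC-69 its target.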
Skills Required
| Skill Level | Description |
|---|---|
| Low | An attacker can use a tool to scan for and automatically launch an attack against known issues. A tool can also repeat a sequence of instructions to brute force the service on the target host; flooding is one example. |
| Medium | More advanced attacks may require knowledge of the protocol spoken by the host service. |
Consequences
| Scope | Technical Impact |
|---|---|
| Integrity | Execute Unauthorized Commands (Run Arbitrary Code) |
| Availability | Execute Unauthorized Commands (Run Arbitrary Code); Resource Consumption (Denial of Service) |
| Authorization | Gain Privileges |
| Access Control | Gain Privileges |
| Confidentiality | Execute Unauthorized Commands (Run Arbitrary Code); Gain Privileges |