| Name |
Hijacking a Privileged Thread of Execution |
|
| Likelyhood of attack |
Typical severity |
| Low |
Very High |
|
| Summary |
Adversaries can sometimes hijack a privileged thread from the underlying system through synchronous (calling a privileged function that returns incorrectly) or asynchronous (callbacks, signal handlers, and similar) means. This can allow the adversary to access functionality the system's designer didn't intend for them to, but they may also go undetected or deny other users essential services in a catastrophic (or insidiously subtle) way. |
| Prerequisites |
The application in question employs a threaded model of execution with the threads operating at, or having the ability to switch to, a higher privilege level than normal users In order to feasibly execute this class of attacks, the adversary must have the ability to hijack a privileged thread.This ability includes, but is not limited to, modifying environment variables that affect the process the thread belongs to, or providing malformed user-controllable input that causes the executing thread to fault and return to a higher privilege level or such.This does not preclude network-based attacks, but makes them conceptually more difficult to identify and execute. |
| Execution Flow |
| Step |
Phase |
Description |
Techniques |
| 1 |
Explore |
Adversary determines the underlying system thread that is subject to user-control |
|
| 2 |
Experiment |
Adversary then provides input, perhaps by way of environment variables for the process in question, that affect the executing thread |
|
| 3 |
Exploit |
Upon successful hijacking, the adversary enjoys elevated privileges, and can possibly have the hijacked thread do their bidding. |
|
|
| Solutions | Application Architects must be careful to design callback, signal, and similar asynchronous constructs such that they shed excess privilege prior to handing control to user-written (thus untrusted) code. Application Architects must be careful to design privileged code blocks such that upon return (successful, failed, or unpredicted) that privilege is shed prior to leaving the block/scope. |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-270 |
Privilege Context Switching Error |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-233 |
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform. |
|
| Taxonomy: ATTACK |
|
Entry ID
|
Entry Name
|
| 1055.003 |
Process Injection:Thread Execution Hijacking |
|