Name | Leverage Executable Code in Non-Executable Files
Likelihood of attack | High
Typical severity | Very High
Summary | An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file), the attacker has already modified that file so that it either executes malicious code directly or manipulates the target process (e.g., an application server) into executing based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high.
Prerequisites | The attacker must have the ability to modify non-executable files consumed by the target software.
Solutions |
Design: Enforce the principle of least privilege.
Design: Run server interfaces with a non-root account and/or use chroot jails or other configuration techniques to constrain privileges, even if the attacker gains some limited access to commands.
Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.
Implementation: Implement host integrity monitoring to detect any unwanted altering of configuration files.
Implementation: Ensure that files that are not required to execute, such as configuration files, are not over-privileged, i.e. not allowed to execute.
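An added example (not part of the CAPEC entry) of the two "Implementation" mitigations above: a minimal host integrity check that baselines SHA-256 digests of configuration files and flags any file that changed, went missing, or carries an execute bit. The file names and contents are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile


def sha256_of(path):
    """Return the SHA-256 hex digest of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(paths):
    """Record a trusted digest for each configuration/resource file."""
    return {p: sha256_of(p) for p in paths}


def check_integrity(paths, baseline):
    """Compare files against the baseline; return (path, issue) tuples.
    Issues: 'modified', 'missing', and 'executable' (a data file with an execute bit)."""
    findings = []
    for p in paths:
        if not os.path.exists(p):
            findings.append((p, "missing"))
            continue
        if sha256_of(p) != baseline.get(p):
            findings.append((p, "modified"))
        if os.stat(p).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            findings.append((p, "executable"))
    return findings


def demo():
    """Constructed scenario: two config files; one is later altered and made executable."""
    d = tempfile.mkdtemp()
    app_cfg = os.path.join(d, "app.conf")
    db_cfg = os.path.join(d, "db.conf")
    with open(app_cfg, "w") as f:
        f.write("handler=/usr/lib/app/handler.so\n")  # constructed sample content
    with open(db_cfg, "w") as f:
        f.write("host=db.internal\n")  # constructed sample content
    paths = [app_cfg, db_cfg]
    baseline = take_baseline(paths)
    # Simulate the tampering this pattern relies on: contents rewritten, execute bit set.
    with open(app_cfg, "w") as f:
        f.write("handler=/tmp/untrusted.so\n")
    os.chmod(app_cfg, 0o755)
    return sorted(issue for _, issue in check_integrity(paths, baseline))
```

Running `demo()` reports both issues for app.conf and nothing for the untouched db.conf; in production the baseline would be stored off-host and the check scheduled or hooked to file-change notifications.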
Related Weaknesses |
CWE ID | Description
CWE-59 | Improper Link Resolution Before File Access ('Link Following')
CWE-94 | Improper Control of Generation of Code ('Code Injection')
CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE-96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CWE-97 | Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
CWE-264 | Permissions, Privileges, and Access Controls
CWE-270 | Privilege Context Switching Error
CWE-272 | Least Privilege Violation
CWE-275 | Permission Issues
CWE-282 | Improper Ownership Management
CWE-714 | OWASP Top Ten 2007 Category A3 - Malicious File Execution
Related CAPECs |
CAPEC ID | Description
CAPEC-23 | An attack of this type exploits the host's trust in executing remote content, including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible to the target software) by the adversary and may be passed through standard channels such as email, and through standard web content like PDF and multimedia files. The adversary exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications, from Microsoft Office to Adobe Acrobat and the Apple Safari web browser. When the adversary knows the standard handling routines and can identify vulnerabilities and entry points, they can be exploited by otherwise seemingly normal content. Once the attack is executed, the adversary's program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst-case scenario, these programs are combined with other propagation logic and work as a virus.
CAPEC-75 | Generally these are manually edited files that are not in the purview of the system administrators. Any ability on the attacker's part to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users have.
CAPEC-636 | Files on various operating systems can have a complex format which allows for the storage of other data in addition to their contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.