CAPEC-30 - Hijacking a Privileged Thread of Execution

Attackers can sometimes hijack a privileged thread from the underlying system through synchronous (calling a privileged function that returns incorrectly) or asynchronous (callbacks, signal handlers, and similar) means.

Having done so, the Attacker may not only likely access functionality the system's designer didn't intend for them, but they may also go undetected or deny other users essential service in a catastrophic (or insidiously subtle) way.

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Attack Methods 3
  • Analysis
  • Modification of Resources
  • API Abuse
  • Purposes 1
  • Exploitation
  • Sec Principles 2
  • Least Privilege
  • Complete Mediation
  • Scopes 2
  • Gain privileges / assume identity
  • Authorization
  • Access_Control
  • Confidentiality
  • Execute unauthorized code or commands
  • Availability
  • Integrity
  • Confidentiality

High level: Hijacking a thread involves knowledge of how processes and threads function on the target platform, the design of the target application as well as the ability to identify the primitives to be used or manipulated to hijack the thread.

The application in question employs a threaded model of execution with the threads operating at, or having the ability to switch to, a higher privilege level than normal users

In order to feasibly execute this class of attacks, the attacker must have the ability to hijack a privileged thread.

This ability includes, but is not limited to, modifying environment variables that affect the process the thread belongs to, or providing malformed user-controllable input that causes the executing thread to fault and return to a higher privilege level or such.

This does not preclude network-based attacks, but makes them conceptually more difficult to identify and execute.

The attacker needs to be able to latch onto a privileged thread. No special hardware or software tool-based resources are required.

The attacker may attach a debugger to the executing process and observe the spawning and cleanup of threads, as well as the switches in privilege levels

The attacker can also observe the environment variables, if any, that affect executing threads and modify them in order to observe their effect on the execution.

Minimize privileged code blocks

Shed any privileges not required to execute at the earliest

Treat the Entire Inherited Process Context as Unvalidated Input

Step 1 -

Attacker determines the underlying system thread that is subject to user-control.


Step 1 -

Attacker then provides input, perhaps by way of environment variables for the process in question, that affect the executing thread.


Step 1 -

Upon successful hijacking, the attacker enjoys elevated privileges, and can possibly have the hijacked thread do his bidding.


Only those constructs within the application that cannot execute without elevated privileges must be granted additional privileges. Often times, the entire function or the entire process is granted privileges that are usually not necessary.

The callee must ensure that additional privileges are shed before returning to the caller. This avoids pinning the responsibility on an inadvertent caller who may not have a clue about the innards of the callee.

Application Architects must be careful to design callback, signal, and similar asynchronous constructs such that they shed excess privilege prior to handing control to user-written (thus untrusted) code.

Application Architects must be careful to design privileged code blocks such that upon return (successful, failed, or unpredicted) that privilege is shed prior to leaving the block/scope.