An attack of this type exploits a system configuration that allows an adversary either to directly access an executable file (for example through shell access) or, in the worst case, to upload a file and then execute it. Web servers, FTP servers, and message-oriented middleware systems with many integration points are particularly vulnerable, because both the programmers and the administrators must stay in sync regarding the interfaces and the correct privileges for each interface.
Description
Attack Execution Flow
Step 1
Explore [Determine File/Directory Configuration] The adversary looks for misconfigured files or directories on a system that might give executable access to an overly broad group of users.
Attack Techniques
- Through shell access to a system, use the command "ls -l" to view permissions for files and directories.
Step 2
Experiment [Upload Malicious Files] If the adversary discovers a directory that has executable permissions, they will attempt to upload a malicious file to execute.
Attack Techniques
- Upload a malicious file through a misconfigured FTP server.
Step 3
Exploit [Execute Malicious File] The adversary either executes the uploaded malicious file, or executes an existing file that has been misconfigured to allow executable access to the adversary.
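The three steps above all hinge on one condition: a directory or file whose permission bits let an overly broad set of users write an executable, or write into a directory from which executables are later run. The following Python script is an added defender-side example written for this page; it is not part of the CAPEC entry. It implements the review that Step 1 describes with "ls -l" as an automated audit (flagging world-writable directories without the sticky bit and executable files writable by group or others), and then applies the hardening that removes the conditions Steps 2 and 3 rely on: an upload directory set to 0750 with its contents forced to 0640, so nothing dropped there can be executed in place. The directory layout, file names and permission modes are constructed sample data; the function names (`classify`, `scan_permissions`, `harden_upload_dir`, `demo`) are this example's own.

```python
import os
import stat
import tempfile
from pathlib import Path

# Reasons reported by the scanner; exposed as constants so callers can match on them.
WORLD_WRITABLE_DIR = "world-writable directory without sticky bit"
WORLD_WRITABLE_EXEC = "executable file writable by other users"
GROUP_WRITABLE_EXEC = "executable file writable by group"


def classify(path: Path) -> list:
    """Return the reasons a single path is a malicious-file risk (empty list if none)."""
    mode = path.lstat().st_mode
    reasons = []
    if stat.S_ISLNK(mode):
        return reasons  # permission bits on a symlink are not enforced on Linux
    if stat.S_ISDIR(mode):
        # Anyone may create files here and nothing stops them deleting others' files.
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            reasons.append(WORLD_WRITABLE_DIR)
    elif stat.S_ISREG(mode):
        executable = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
        if executable and mode & stat.S_IWOTH:
            reasons.append(WORLD_WRITABLE_EXEC)
        elif executable and mode & stat.S_IWGRP:
            reasons.append(GROUP_WRITABLE_EXEC)
    return reasons


def scan_permissions(root) -> dict:
    """Walk `root` and map each risky path (relative to root) to its list of reasons."""
    root = Path(root)
    findings = {}
    for path in sorted([root, *root.rglob("*")]):
        reasons = classify(path)
        if reasons:
            findings[str(path.relative_to(root))] = reasons
    return findings


def harden_upload_dir(upload_dir) -> int:
    """Set the upload directory to 0750 and every file in it to 0640.

    Uploaded content keeps no execute bit and is not writable by other users,
    which removes the condition Steps 2 and 3 depend on. Returns the number of
    paths whose mode was changed.
    """
    upload_dir = Path(upload_dir)
    changed = 0
    # Materialise the listing before changing modes so the walk is unaffected.
    for path in [upload_dir, *upload_dir.rglob("*")]:
        if path.is_symlink():
            continue
        target = 0o750 if path.is_dir() else 0o640
        if stat.S_IMODE(path.lstat().st_mode) != target:
            os.chmod(path, target)  # chmod applies the exact mode, umask is ignored
            changed += 1
    return changed


def build_sample_tree(base) -> Path:
    """Create a constructed web-root layout with deliberately mixed permissions."""
    root = Path(base)
    layout = {
        # path: (is_dir, mode)           constructed sample data
        "uploads": (True, 0o777),         # world-writable, no sticky bit: finding
        "uploads/plugin.cgi": (False, 0o777),  # world-writable and executable: finding
        "bin": (True, 0o755),             # normal directory: clean
        "bin/tool": (False, 0o775),       # group-writable executable: finding
        "docs": (True, 0o755),
        "docs/readme.txt": (False, 0o666),  # writable but not executable: clean
        "tmp": (True, 0o1777),            # world-writable but sticky: clean
    }
    # Create everything first, then apply modes, so parent dirs are writable during setup.
    for rel, (is_dir, _) in layout.items():
        target = root / rel
        if is_dir:
            target.mkdir()
        else:
            target.write_text("sample content\n")
    for rel, (_, mode) in layout.items():
        os.chmod(root / rel, mode)
    return root


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it, harden uploads/, and scan again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        before = scan_permissions(root)
        changed = harden_upload_dir(root / "uploads")
        after = scan_permissions(root)
    return {"before": before, "changed": changed, "after": after}


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

Run on a real web root, `scan_permissions` is the audit to schedule; `harden_upload_dir` is the fix for the specific directory an upload handler writes into. The scan stops at mode bits and symlinks; it does not evaluate ACLs or the sticky-bit semantics of shared directories such as /tmp beyond treating the sticky bit as mitigating.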