CAPEC-40: Manipulating Writeable Terminal Devices
This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded.
Last updated
Overview
CAPEC-40 (Manipulating Writeable Terminal Devices) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Identify attacker-writable terminals] Determine if users TTYs are writable by the attacker.
- Determine the permissions for the TTYs found on the system. Any that allow user write to the TTY may be vulnerable.
- Attempt to write to other user TTYs. This approach could leave a trail or alert a user.
- Step 2Exploit
[Execute malicious commands] Using one or more vulnerable TTY, execute commands to achieve various impacts.
- Commands that allow reading or writing end user files can be executed.
What the attacker needs
Prerequisites
- User terminals must have a permissive access control such as world writeable that allows normal users to control data on other user's terminals.