TID-305: Program Executes Dangerous System Calls
Threat Description
If the device allows the downloading and execution of native binaries on the device, a threat actor can deploy a malicious program that leverages the environment’s privileges to gain unwanted or excessive access to the device, such as through “dangerous” system calls. These system calls could be used to manipulate the device’s firmware, maintain persistence, execute unwanted logic, or obtain a C2 channel.
Additionally, the device may assume the program comes from a trusted integrated development environment (IDE), and therefore does not restrict the privileges or system calls the program can access. However, if the threat actor compiles the program without the IDE, they can violate this assumption.
NOTE: This differs from TID-304 because this threat focuses on a malicious program itself being used to perform device actions. TID-304, on the other hand, pertains to code being used to manipulate the device runtime environment itself.
Threat Maturity and Evidence
Observed Adversarial Technique
ATT&CK Technique: Exploitation for Privilege Escalation (T0890)
Procedure Example: Triton (S1009)
“Triton leverages a previously-unknown vulnerability affecting Tricon MP3008 firmware versions 10.0-10.4 allows an insecurely-written system call to be exploited to achieve an arbitrary 2-byte write primitive, which is then used to gain supervisor privileges.”
ATT&CK Technique: Native API (T0834)
Procedure Example: Stuxnet (S0603)
“Stuxnet calls system function blocks which are part of the operating system running on the PLC. They’re used to execute system tasks, such as reading the system clock (SFC1) and generating data blocks on the fly.”
CWE
CWE-250: Execution with Unnecessary Privileges (Base)
“The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.”
CVE
CVE-2018-8872
“In Schneider Electric Triconex Tricon MP model 3008 firmware versions 10.0-10.4, system calls read directly from memory addresses within the control program area without any verification. Manipulating this data could allow attacker data to be copied anywhere within memory.”
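The two mitigations this threat calls for, restricting which system calls an unverified program may issue (the trusted-IDE assumption in the Threat Description) and verifying memory addresses that a system call receives from the control program (the weakness in the CVE text), can be shown in a small model. The C below is an added example, not code from this catalog, from Schneider Electric, or from any real PLC firmware: the flat `device_mem` array, the control-program area bounds, the syscall numbers `SYS_COPY`, `SYS_CLOCK_READ` and `SYS_FIRMWARE_WRITE`, and the `struct program` policy are all constructed for illustration. `sys_copy_unchecked` is the weakness pattern (it trusts the destination address the program supplies); `sys_copy_checked` and `dispatch` are the hardened form, where a per-program allowlist is applied before the call runs and every address/length pair is range-checked before anything is copied.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of device memory: a flat 4 KiB array. "Addresses" are
 * offsets into this array, never real pointers, so the example runs anywhere. */
#define MEM_SIZE  4096u
#define PROG_BASE 1024u   /* start of the control-program area (assumed) */
#define PROG_SIZE 1024u   /* length of the control-program area (assumed) */

static uint8_t device_mem[MEM_SIZE];

/* Hypothetical system-call numbers for this model. */
enum syscall_nr { SYS_COPY = 1, SYS_CLOCK_READ = 2, SYS_FIRMWARE_WRITE = 3 };

/* Per-program policy: a bitmask of the calls the program may issue. */
struct program {
    bool verified;     /* did the program come from the trusted toolchain? */
    uint32_t allowed;  /* bitmask of (1u << syscall_nr) */
};

/* An unverified program only gets the benign calls; firmware writes are
 * reserved for programs whose origin has actually been verified. */
static uint32_t policy_for(bool verified) {
    uint32_t base = (1u << SYS_COPY) | (1u << SYS_CLOCK_READ);
    return verified ? (base | (1u << SYS_FIRMWARE_WRITE)) : base;
}

struct program program_new(bool verified) {
    struct program p = { verified, policy_for(verified) };
    return p;
}

/* Overflow-safe check that [addr, addr + len) lies inside the program area:
 * the subtraction form avoids computing addr + len, which could wrap. */
static bool in_program_area(uint32_t addr, size_t len) {
    if (len > PROG_SIZE) return false;
    if (addr < PROG_BASE || addr >= PROG_BASE + PROG_SIZE) return false;
    return (addr - PROG_BASE) <= (PROG_SIZE - len);
}

/* Weakness pattern: the destination comes straight from the program and is
 * used without verification (the behaviour the CVE text describes). */
int sys_copy_unchecked(uint32_t dst, const uint8_t *src, size_t len) {
    memcpy(&device_mem[dst], src, len);
    return 0;
}

/* Hardened form: reject any address/length pair outside the caller's area
 * before a single byte is copied. -1 plays the role of EFAULT here. */
int sys_copy_checked(uint32_t dst, const uint8_t *src, size_t len) {
    if (!in_program_area(dst, len)) return -1;
    memcpy(&device_mem[dst], src, len);
    return 0;
}

/* Dispatcher: policy check first (-2 plays the role of EPERM), then the
 * per-call argument validation above. Unknown numbers are rejected (-3). */
int dispatch(const struct program *p, enum syscall_nr nr,
             uint32_t dst, const uint8_t *src, size_t len) {
    if (!(p->allowed & (1u << nr))) return -2;
    switch (nr) {
    case SYS_COPY:           return sys_copy_checked(dst, src, len);
    case SYS_CLOCK_READ:     return 0;  /* no memory argument in this model */
    case SYS_FIRMWARE_WRITE: return 0;  /* reachable only when verified */
    }
    return -3;
}

/* Convenience: build a program with the given trust level and dispatch once. */
int run_as(bool verified, enum syscall_nr nr,
           uint32_t dst, const uint8_t *src, size_t len) {
    struct program p = program_new(verified);
    return dispatch(&p, nr, dst, src, len);
}

/* Inspection helpers so results can be checked without exposing the array. */
uint8_t peek(uint32_t addr) { return addr < MEM_SIZE ? device_mem[addr] : 0; }
void reset_mem(void) { memset(device_mem, 0, sizeof device_mem); }
```

The order inside `dispatch` matters: the allowlist decides whether the program may ask at all, and the bounds check decides whether the specific request is safe, so neither check can be skipped by passing the other. Note also that the range check never forms `addr + len`; on a 32-bit target a large `addr` would otherwise wrap around and appear to be in range.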