Skip to content

Latest commit

 

History

History

Vulnerabilities_and_Exploits

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 
 
 

Vulnerabilities and Exploits

Tools

Keyloggers

  • Rin Logger

Vulnerabilities Glossary

  • LD_PRELOAD: hijacking functions to a shared library: you can set this enviroment variable direct to the linker to load a library of your choice.

Common Vulnerabilities:

  • Authentication: to not require authentication in a situation that warrants it; information isn't trustworthy (authentication in the client side).

  • Authorization: there are several formal designs for access control: discretionary access control, mandatory access control, role-based access control. Vulnerabilities: missing authorization (webpages).

  • Accountability: expectation that a system can identify and log users' activities. Vulnerabilities: system's failure to log operations in sensitive data; system doesn't protect its data.

  • Confidentiality: expectation that only authorized parties can view data. Vulnerabilities: failure/lack in encryption, homemade encryption, storing sensitive data unnecessarily.

  • Integrity: the expectation that only authorized parties are able to modify the data. Vulnerabilities: failure in access control, failure in confidentiality, bail-and-switch attack.

  • Availability: capability to use a resource when expected. Vulnerability: DoS.


Exploits and Attacks Glossary

  • Denial of Service (DoS): occurs when an attacker can make a system unavailable by performing some unanticipated action.

  • Attack surface: the collection of all entry points that provide access to an asset. Operational vulnerabilities occur when the attack surface is exposed unnecessarily. Minimizing the attack surface is referred to host hardening.


Overall Protective Measures:

Development Measures

  • Nonexecutable Stack: nonexecutable protection on memory pages (does not protect against patching a stack variable or return to libc).

  • Stack protection: prevents the exploit to overwrite the instruction pointer by placing a random value, the canary, between stack variables and instruction pointers. When the function returns, the canary is checked. It doesn't protect against stack variable patching. It might presents some issues with code that perform some dynamic stack manipulation.

  • Heap protection: heap are doubly linked lists of memory chunks. A generic heap exploit attempts to overwrite the list pointers so that arbitrary data can be written somewhere in the memory space. The simplest form of protection involves checking that list pointers reference valid cheap chunks before performing any list management.

  • Address Space Layout Randomization (ASLR): randomizes where different program components are loaded at in memory each times the application runs. It is limited by a range of valid address, so it is possible for an attacker to perform a repeated sequence of exploit attempts.

  • Registered Function Pointers: Applications might have long-lived functions pointers at consistent locations in a process's address space. Sometimes these pointers are defined at compile time and never change for a given binary, for example, exception handlers. These proprieties make long-lived function pointers an ideal target for exploiting certain classes of vulnerabilities. Function pointer registration is one attempt at preventing this kind of exploits.

  • Virtual Machines: Java and .NET Common Language Runtime (CLR) are two popular VM environments. Scripting languages such as Perl, Python, and PHP compile first to bytecode that is interpreted by a VM. VMs in general provide sized buffers and strings, preventing most memory management attacks. They might also provide code access security (CAS). VM usually have no additional protections against exploiting vulnerabilities such as race conditions, formatted data manipulation, and script injection.

Host-based Measures

  • Object and File system permissions.

  • Restricted accounts.

  • Chroot jails: UNIX systems use chroot to change the root directory of a newly executed commands. This command has a useful security application: a nonroot process can be ailed to a selected portion of the file system. However, any process running under root privileges can escape the jail by using another system mechanisms such as PTRACE debugging API, setting system variables with sysctl, or other means to allow the system to run a new arbitrary process that is not jailled. Also, chroot jail does not restrict network access beyond normal account permissions, which could still allow enough attack surface for a follow-on attack targeted at daemons listening on the localhost address.

  • System virtualization: it allows multiple isolated operational systems to share a single host computer.

  • Enhanced Kernel protections: applications talk to the OS Kernel via system call gateway. SELinux is a popular module for Linux and BSD, and Core Force, for Windows.

  • Host-based firewalls: allow fine-grained control of network traffic, including per-process and per-user configuration.

  • Antimalware applications: antivirus and antispyware software.

  • File and Object change monitoring: such as configuration files, system binaries, and sensitive registry keys.

  • Host-based IDSs/IPSs: intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) might include features such as firewalls and antimalwares.

Network-based Measures

Network segmentation is a method of enforcing trust boundaries.

  • The OSI Model:

1 - Physical: keep door locks, run cables through conduits. Problems with the advent of wireless.

2 - Data Link: preventing spoofing (impersonating) hosts and sniffing traffic (captured transmitted data). Systems at this layer are identified via MAC (Media Address Control) addresses. The ARP (Address Resolution Protocol) is used to identify MAC addresses associated to their hosts. Switching is used to route traffic to the appropriate host. This can be vulnerable to ARP spoofing attacks. Address filtering can be used to improve security at this layer. Wireless media is a concert of this layer too. WEP is vulnerable to cryptoanalytic attacks. WPA (Wifi protected access) is more robust, however WAP2 retains the essential key-handling improvements with a stronger encryption and digest capabilities.

3 - Network: security and segmentation are handled via IP filtering (IPSec) protocol. It's a component of IPv6 specifications that has been back-ported to IPv4. It provides automatic encryption and authentication for TCP/IP connections. IP filtering is a method of allowing or denying packets based only on the protocols, addresses, and ports: the traffic is segmented by function, not only source/destination. Disadvantage is that IP Filtering maintains no connection state: it can't discriminate based on which side is establishing the connection, or whether the communication is associated with an active connection.

  1. Transport: this layer is low enough to be common to all TCP/IP applications but high enough that you can determine connection state. The addition of state allows a firewall to determine which side is initiating the connection and to define internal and external network. Firewalls are devices that filter traffic at the network and transport layers. The simplest rule is deny all inbound traffic and allow all outbound traffic.

Demilitarized Zone (DMZ): uses a third interface from the firewall containing its own set or rules.

5, 6 - Session and Presentation: platform-specific features such as RPC interfaces and named pipes are generally accepted as session and presentation layers. Security is addressed by the platform's access control. Secure Socket Layer/Transport Layer Security is the protocol in these layers.

7 - Application: application layer gateways add extra network diversity, such as HTTP reverse proxies. Web application gateway have capabilities such as sitewide authentication, exploit detection, and fine-grained rule sets.

  • Network Address Translation (NAT): provides a method of mapping set of internal addresses against a different set of external addresses. A NAT is configured with implicit rules to forward inbound connections, this configuration causes inbound connectivity to be implicitly denied. NAT conceals the internal address space from the external network, ensuring some security against internal network mapping.

  • VPN (Virtual Private Networks): provides a virtual network interface connected to a remote network over an encrypted tunnel. The disavantage is that the client side is outside the network's administraor. VPN must to be monitored closely. Precautions can include: denying VPN clients to access to their local network (split tunneling) and restricting access to certain internal resources.

  • Network IDSs/IPSs: identify malicious network traffice and terminate or deny connectivity based on detected hostile activity.

Windows