Week 4 - Software Vulnerabilities and Common Exploits
There are two main components to hacking, finding "bugs" in the software that allows the user to interact with a program in an unintended way and configuration vulnerabilities (an example of a configuration vulnerability is a weak password). Hacking used to primarily focus on a company's perimeter systems (parts of the system that are exposed to the internet), but as defense against those types of attacks have been improved hackers are now targeting the internal systems aka the system's users.
Memory corruption is a key area that attackers can examine to try and gain access to the system. The definition used by the lecturer this week is: "Accessing (reading/writing) memory (stack/heap) in an invalid (originally unintended) way which results in an undefined behavior (what we are looking to control)." There are four common categories of memory corruption: lifetime control, uninitiated memory, array index calculations, and buffer length calculations.
A standard attack involves the stack overflow vulnerability. This isn't in reference to the website, this occurs when a program tries to use more memory than what was allocated to it. By overwriting memory that was not intended to be written to, the attacker can gain control of the computer that is executing the code. For example if the return address is overwritten the attacker could redirect the execution of the program and have a new process that they wrote take control from that point.
Another common attacks involves the heap rather than the stack. This attack is called the "use after free" vulnerability. There are only a few steps taken to take advantage of this vulnerability in a piece of code. First the object is freed, then the object is replaced with the attacker's. The attacker then positions some shell code where it will be executed, and then the object is used once again. This is frequently done using Javascript and a browser.
Definitions introduced this week:
exploitation - taking advantage of a vulnerability
exploit - a piece of code/input/data (usually input) that is provided to the program to cause a condition
vulnerability trigger - the series of steps taken to invoke the software bug that allows the attacker to gain control of the system
payload - the action to be performed when control is gained, this is usually some shell code
low fragmentation heap - beginning in Windows 7 buckets are created after a specific size after the eighteen allocation of that size. The memory blocks are not resized down the road.
Tools introduced this week:
Metasploit - an open-source tool that is used to evaluate how secure a network is
Windbg - a tool that can be used to view the disassembly of a program, set breakpoints, view registry contents, and view memory contents (the stack and the heap). Here is a lovely Windbg cheat sheet:
sourced from Wikileaks, https://wikileaks.org/ciav7p1/cms/page_13762778.html
Memory corruption is a key area that attackers can examine to try and gain access to the system. The definition used by the lecturer this week is: "Accessing (reading/writing) memory (stack/heap) in an invalid (originally unintended) way which results in an undefined behavior (what we are looking to control)." There are four common categories of memory corruption: lifetime control, uninitiated memory, array index calculations, and buffer length calculations.
A standard attack involves the stack overflow vulnerability. This isn't in reference to the website, this occurs when a program tries to use more memory than what was allocated to it. By overwriting memory that was not intended to be written to, the attacker can gain control of the computer that is executing the code. For example if the return address is overwritten the attacker could redirect the execution of the program and have a new process that they wrote take control from that point.
Another common attacks involves the heap rather than the stack. This attack is called the "use after free" vulnerability. There are only a few steps taken to take advantage of this vulnerability in a piece of code. First the object is freed, then the object is replaced with the attacker's. The attacker then positions some shell code where it will be executed, and then the object is used once again. This is frequently done using Javascript and a browser.
Definitions introduced this week:
exploitation - taking advantage of a vulnerability
exploit - a piece of code/input/data (usually input) that is provided to the program to cause a condition
vulnerability trigger - the series of steps taken to invoke the software bug that allows the attacker to gain control of the system
payload - the action to be performed when control is gained, this is usually some shell code
low fragmentation heap - beginning in Windows 7 buckets are created after a specific size after the eighteen allocation of that size. The memory blocks are not resized down the road.
Tools introduced this week:
Metasploit - an open-source tool that is used to evaluate how secure a network is
Windbg - a tool that can be used to view the disassembly of a program, set breakpoints, view registry contents, and view memory contents (the stack and the heap). Here is a lovely Windbg cheat sheet:
sourced from Wikileaks, https://wikileaks.org/ciav7p1/cms/page_13762778.html
Comments
Post a Comment