2.3 Memory Injections Flashcards
Finding malware
Malware runs in memory
– Memory forensics can find the malicious code
* Memory contains running processes
– DLLs (Dynamic Link Libraries)
– Threads
– Buffers
– Memory management functions
– And much more
* Malware is hidden somewhere
– Malware runs in its own process
– Malware injects itself into a legitimate process
Memory injection
Add code into the memory of an existing process
– Hide malware inside of the process
* Get access to the data in that process
– And the same rights and permissions
– Perform a privilege escalation
DLL injection
Dynamic-Link Library
– A Windows library containing code and data
– Many applications can use this library
* Attackers inject a path to a malicious DLL
– Runs as part of the target process
* One of the most popular memory injection methods
– Relatively easy to implement
Buffer overflows
Overwriting a buffer of memory
– Spills over into other memory areas
* Developers need to perform bounds checking
– The attackers spend a lot of time looking for openings
* Not a simple exploit
– Takes time to avoid crashing things
– Takes time to make it do what you want
* A really useful buffer overflow is repeatable
– Which means that a system can be compromised
Race condition
A programming conundrum
– Sometimes, things happen at the same time
– This can be bad if you’ve not planned for it
* Time-of-check to time-of-use attack (TOCTOU)
– Check the system
– When do you use the results of your last check?
– Something might happen between the check and the use
Race condition example
Two bank accounts with $100
– User 1 and User 2 transfer $50 from Account A to Account B
– Expected outcome:
Account A has $50, Account B has $150 (or A has $0 and B has $200)
* What if you don’t perform proper validation?
– User 1 and User 2 check the account balances ($100 in each account)
– User 1 transfers $50 from Account A (now at $50) to Account B (now at $150)
– At about the same time, user 2 transfers $50 from Account A
(still has $100, right?, so now at $50) to Account B (now at $200)
– Outcome: Account A has $50, Account B has $200
Race conditions can cause big problems
January 2004 - Mars rover “Spirit”
– Reboot when a problem is identified
– Problem is with the file system, so reboot
because of the file system problem
– Reboot loop was the result
* Pwn2Own Vancouver 2023 - Tesla Model 3
– TOCTOU attack against the
– Tesla infotainment using Bluetooth
– Elevated privileges to root
– Earned $100,000 US prize and
they keep the Tesla
Software updates
Always keep your operating system and applications
updated
– Updates often include bug fixes and security patches
* This process has its own security concerns
– Not every update is equally secure
* Follow best practices
– Always have a known-good backup
– Install from trusted sources
– Did I mention the backup?
Downloading and updating
Install updates from a downloaded file
– Always consider your actions
– Every installation could potentially be malicious
* Confirm the source
– A random pop-up during web browsing may not
be legitimate
* Visit the developer’s site directly
– Don’t trust a random update button or random
downloaded file
* Many operating systems will only allow signed apps
– Don’t disable your security controls
Automatic updates
The app updates itself
– Often includes security checks / digital signatures
* Relatively trustworthy
– Comes directly from the developer
* Solarwinds Orion supply chain attack
– Reported in December 2020
– Attackers gained access to the Solarwinds
development system
– Added their own malicious code to the updates
– Gained access to hundreds of government agencies
and companies
Operating systems Vulnerabilities
A foundational computing platform
– Everyone has an operating system
– This makes the OS a very big target
* Remarkably complex
– Millions of lines of code
– More code means more opportunities for a security issue
* The vulnerabilities are already in there
– We’ve just not found them yet
A month of OS updates
A normal month of Windows updates
– Patch Tuesday - 2nd Tuesday of each month
– Other companies have similar schedules
* May 9, 2023 - Nearly 50 security patches
– 8 Elevation of Privilege Vulnerabilities
– 4 Security Feature Bypass Vulnerabilities
– 12 Remote Code Execution Vulnerabilities
– 8 Information Disclosure Vulnerabilities
– 5 Denial of Service Vulnerabilities
– 1 Spoofing Vulnerability
* https://msrc.microsoft.com/
Best practices for OS vulnerabilities
Always update
– Monthly or on-demand updates
– It’s a race between you and the attackers
* May require testing before deployment
– A patch might break something else
* May require a reboot
– Save all data
* Have a fallback plan
– Where’s that backup?
Code injection
Code injection
– Adding your own information into a data stream
* Enabled because of bad programming
– The application should properly handle input
and output
* So many different data types
– HTML, SQL, XML, LDAP, etc.
An example of website code:
– “SELECT * FROM users WHERE name = ‘“ + userName + “’”;
* How this looks to the SQL database:
– “SELECT * FROM users WHERE name = ‘Professor’”;
* Add more information to the query:
– “SELECT * FROM users WHERE name = ‘Professor’ OR ‘1’ = ‘1’”;
* This could be very bad
– View all database information, delete database information, add users, denial of service, etc.
SQL injection
SQL - Structured Query Language
– The most common relational database management
system language
* SQL injection (SQLi)
– Put your own SQL requests into an existing application
– Your application shouldn’t allow this
* Can often be executed in a web browser
– Inject in a form or field
Cross-site scripting
XSS
– Cascading Style Sheets (CSS) are
something else entirely
* Originally called cross-site because of browser
security flaws
– Information from one site could be shared with another
* One of the most common web app vulnerabilities
– Takes advantage of the trust a user has for a site
– Complex and varied
* XSS commonly uses JavaScript
– Do you allow scripts? Me too.
Non-persistent (reflected) XSS attack
Web site allows scripts to run in user input
– Search box is a common source
* Attacker emails a link that takes advantage of
this vulnerability
– Runs a script that sends credentials/
session IDs/cookies to the attacker
* Script embedded in URL executes in the victim’s browser
– As if it came from the server
* Attacker uses credentials/session IDs/cookies to steal
victim’s information without their knowledge
Persistent (stored) XSS attack
Attacker posts a message to a social network
– Includes the malicious payload
* It’s now “persistent”
– Everyone gets the payload
* No specific target
– All viewers to the page
* For social networking, this can spread quickly
– Everyone who views the message can
have it posted to their page
– Where someone else can view it and propagate it
further…
Hacking a Subaru
June 2017, Aaron Guzman
– Security researcher
* When authenticating with Subaru, users get a token
– This token never expires (bad!)
* A valid token allowed any service request
– Even adding your email address to someone else’s
account
– Now you have full access to someone else’s car
* Web front-end included an XSS vulnerability
– A user clicks a malicious link, and you have their token
Protecting against XSS
Be careful when clicking untrusted links
– Never blindly click in your email inbox. Never.
* Consider disabling JavaScript
– Or control with an extension
– This offers limited protection
* Keep your browser and applications updated
– Avoid the nasty browser vulnerabilities
* Validate input
– Don’t allow users to add their own scripts
to an input field
Hardware vulnerabilities
We are surrounded by hardware devices
– Many do not have an accessible operating system
* These devices are potential security issues
– A perfect entry point for an attack
* Everything is connecting to the network
– Light bulbs, garage doors, refrigerators, door locks
– IoT is everywhere
* The security landscape has grown
– Time to change your approach
Firmware
The software inside of the hardware
– The operating system of the hardware device
* Vendors are the only ones who can fix their hardware
– Assuming they know about the problem
– And care about fixing it
* Trane Comfortlink II thermostats
– Control the temperature from your phone
– Trane notified of three vulnerabilities in April 2014
– Two patched in April 2015, one in January 2016
End-of-life
End of life (EOL)
– Manufacturer stops selling a product
– May continue supporting the product
– Important for security patches and updates
* End of service life (EOSL)
– Manufacturer stops selling a product
– Support is no longer available for the product
– No ongoing security patches or updates
– May have a premium-cost support option
* Technology EOSL is a significant concern
– Security patches are part of normal operation
Legacy platforms
Some devices remain installed for a long time
– Perhaps too long
* Legacy devices
– Older operating systems, applications, middleware
* May be running end-of-life software
– The risk needs to be compared to the return
* May require additional security protections
– Additional firewall rules
– IPS signatures for older operating systems
