2.3 Memory Injections Flashcards

1
Q

Finding malware

A

Malware runs in memory
– Memory forensics can find the malicious code
* Memory contains running processes
– DLLs (Dynamic Link Libraries)
– Threads
– Buffers
– Memory management functions
– And much more
* Malware is hidden somewhere
– Malware runs in its own process
– Malware injects itself into a legitimate process

2
Q

Memory injection

A

Add code into the memory of an existing process
– Hide malware inside of the process
* Get access to the data in that process
– And the same rights and permissions
– Perform a privilege escalation

3
Q

DLL injection

A

Dynamic-Link Library
– A Windows library containing code and data
– Many applications can use this library
* Attackers inject a path to a malicious DLL
– Runs as part of the target process
* One of the most popular memory injection methods
– Relatively easy to implement

4
Q

Buffer overflows

A

Overwriting a buffer of memory
– Spills over into other memory areas
* Developers need to perform bounds checking
– The attackers spend a lot of time looking for openings
* Not a simple exploit
– Takes time to avoid crashing things
– Takes time to make it do what you want
* A really useful buffer overflow is repeatable
– Which means that a system can be compromised

5
Q

Race condition

A

A programming conundrum
– Sometimes, things happen at the same time
– This can be bad if you’ve not planned for it
* Time-of-check to time-of-use attack (TOCTOU)
– Check the system
– When do you use the results of your last check?
– Something might happen between the check and the use

6
Q

Race condition example

A

Two bank accounts with $100
– User 1 and User 2 transfer $50 from Account A to Account B
– Expected outcome: Account A has $50, Account B has $150 (or A has $0 and B has $200)
* What if you don’t perform proper validation?
– User 1 and User 2 check the account balances ($100 in each account)
– User 1 transfers $50 from Account A (now at $50) to Account B (now at $150)
– At about the same time, user 2 transfers $50 from Account A (still has $100, right? so now at $50) to Account B (now at $200)
– Outcome: Account A has $50, Account B has $200

7
Q

Race conditions can cause big problems

A

January 2004 - Mars rover “Spirit”
– Reboot when a problem is identified
– Problem is with the file system, so reboot because of the file system problem
– Reboot loop was the result
* Pwn2Own Vancouver 2023 - Tesla Model 3
– TOCTOU attack against the Tesla infotainment using Bluetooth
– Elevated privileges to root
– Earned $100,000 US prize and they keep the Tesla

8
Q

Software updates

A

Always keep your operating system and applications updated
– Updates often include bug fixes and security patches
* This process has its own security concerns
– Not every update is equally secure
* Follow best practices
– Always have a known-good backup
– Install from trusted sources
– Did I mention the backup?

9
Q

Downloading and updating

A

Install updates from a downloaded file
– Always consider your actions
– Every installation could potentially be malicious
* Confirm the source
– A random pop-up during web browsing may not be legitimate
* Visit the developer’s site directly
– Don’t trust a random update button or random downloaded file
* Many operating systems will only allow signed apps
– Don’t disable your security controls

10
Q

Automatic updates

A

The app updates itself
– Often includes security checks / digital signatures
* Relatively trustworthy
– Comes directly from the developer
* Solarwinds Orion supply chain attack
– Reported in December 2020
– Attackers gained access to the Solarwinds development system
– Added their own malicious code to the updates
– Gained access to hundreds of government agencies and companies

11
Q

Operating system vulnerabilities

A

A foundational computing platform
– Everyone has an operating system
– This makes the OS a very big target
* Remarkably complex
– Millions of lines of code
– More code means more opportunities for a security issue
* The vulnerabilities are already in there
– We’ve just not found them yet

12
Q

A month of OS updates

A

A normal month of Windows updates
– Patch Tuesday - 2nd Tuesday of each month
– Other companies have similar schedules
* May 9, 2023 - Nearly 50 security patches
– 8 Elevation of Privilege Vulnerabilities
– 4 Security Feature Bypass Vulnerabilities
– 12 Remote Code Execution Vulnerabilities
– 8 Information Disclosure Vulnerabilities
– 5 Denial of Service Vulnerabilities
– 1 Spoofing Vulnerability
* https://msrc.microsoft.com/

13
Q

Best practices for OS vulnerabilities

A

Always update
– Monthly or on-demand updates
– It’s a race between you and the attackers
* May require testing before deployment
– A patch might break something else
* May require a reboot
– Save all data
* Have a fallback plan
– Where’s that backup?

14
Q

Code injection

A

Code injection
– Adding your own information into a data stream
* Enabled because of bad programming
– The application should properly handle input and output
* So many different data types
– HTML, SQL, XML, LDAP, etc.

An example of website code:
– "SELECT * FROM users WHERE name = '" + userName + "'";
* How this looks to the SQL database:
– "SELECT * FROM users WHERE name = 'Professor'";
* Add more information to the query:
– "SELECT * FROM users WHERE name = 'Professor' OR '1' = '1'";
* This could be very bad
– View all database information, delete database information, add users, denial of service, etc.

15
Q

SQL injection

A

SQL - Structured Query Language
– The most common relational database management system language
* SQL injection (SQLi)
– Put your own SQL requests into an existing application
– Your application shouldn’t allow this
* Can often be executed in a web browser
– Inject in a form or field

16
Q

Cross-site scripting

A

XSS
– Cascading Style Sheets (CSS) are something else entirely
* Originally called cross-site because of browser security flaws
– Information from one site could be shared with another
* One of the most common web app vulnerabilities
– Takes advantage of the trust a user has for a site
– Complex and varied
* XSS commonly uses JavaScript
– Do you allow scripts? Me too.

17
Q

Non-persistent (reflected) XSS attack

A

Web site allows scripts to run in user input
– Search box is a common source
* Attacker emails a link that takes advantage of this vulnerability
– Runs a script that sends credentials/session IDs/cookies to the attacker
* Script embedded in URL executes in the victim’s browser
– As if it came from the server
* Attacker uses credentials/session IDs/cookies to steal the victim’s information without their knowledge

18
Q

Persistent (stored) XSS attack

A

Attacker posts a message to a social network
– Includes the malicious payload
* It’s now “persistent”
– Everyone gets the payload
* No specific target
– All viewers to the page
* For social networking, this can spread quickly
– Everyone who views the message can have it posted to their page
– Where someone else can view it and propagate it further…

19
Q

Hacking a Subaru

A

June 2017, Aaron Guzman
– Security researcher
* When authenticating with Subaru, users get a token
– This token never expires (bad!)
* A valid token allowed any service request
– Even adding your email address to someone else’s account
– Now you have full access to someone else’s car
* Web front-end included an XSS vulnerability
– A user clicks a malicious link, and you have their token

20
Q

Protecting against XSS

A

Be careful when clicking untrusted links
– Never blindly click in your email inbox. Never.
* Consider disabling JavaScript
– Or control with an extension
– This offers limited protection
* Keep your browser and applications updated
– Avoid the nasty browser vulnerabilities
* Validate input
– Don’t allow users to add their own scripts to an input field

21
Q

Hardware vulnerabilities

A

We are surrounded by hardware devices
– Many do not have an accessible operating system
* These devices are potential security issues
– A perfect entry point for an attack
* Everything is connecting to the network
– Light bulbs, garage doors, refrigerators, door locks
– IoT is everywhere
* The security landscape has grown
– Time to change your approach

22
Q

Firmware

A

The software inside of the hardware
– The operating system of the hardware device
* Vendors are the only ones who can fix their hardware
– Assuming they know about the problem
– And care about fixing it
* Trane Comfortlink II thermostats
– Control the temperature from your phone
– Trane notified of three vulnerabilities in April 2014
– Two patched in April 2015, one in January 2016

23
Q

End-of-life

A

End of life (EOL)
– Manufacturer stops selling a product
– May continue supporting the product
– Important for security patches and updates
* End of service life (EOSL)
– Manufacturer stops selling a product
– Support is no longer available for the product
– No ongoing security patches or updates
– May have a premium-cost support option
* Technology EOSL is a significant concern
– Security patches are part of normal operation

24
Q

Legacy platforms

A

Some devices remain installed for a long time
– Perhaps too long
* Legacy devices
– Older operating systems, applications, middleware
* May be running end-of-life software
– The risk needs to be compared to the return
* May require additional security protections
– Additional firewall rules
– IPS signatures for older operating systems

25
Q

Virtualization security

A

Quite different from non-virtual machines
– Can appear anywhere
* Quantity of resources varies between VMs
– CPU, memory, storage
* Many similarities to physical machines
– Complexity adds opportunity for the attackers
* Virtualization vulnerabilities
– Local privilege escalations
– Command injection
– Information disclosure

26
Q

VM escape protection

A

The virtual machine is self-contained
– There’s no way out
– Or is there?
* Virtual machine escape
– Break out of the VM and interact with the host operating system or hardware
* Once you escape the VM, you have great control
– Control the host and control other guest VMs
* This would be a huge exploit
– Full control of the virtual world

27
Q

Escaping the VM

A

March 2017 - Pwn2Own competition
– Hacking contest
– You pwn it, you own it - along with some cash
* JavaScript engine bug in Microsoft Edge
– Code execution in the Edge sandbox
* Windows 10 kernel bug
– Compromise the guest operating system
* Hardware simulation bug in VMware
– Escape to the host
* Patches were released soon afterwards

28
Q

Resource reuse

A

The hypervisor manages the relationship between physical and virtual resources
– Available RAM, storage space, CPU availability, etc.
* These resources can be reused between VMs
– Hypervisor host with 4 GB of RAM
– Supports three VMs with 2 GB of RAM each
– RAM is allocated and shared between VMs
* Data can inadvertently be shared between VMs
– Time to update the memory management features
– Security patches can mitigate the risk

29
Q

Security in the cloud

A

Cloud adoption has been nearly universal
– It’s difficult to find a company NOT using the cloud
* We’ve put sensitive data in the cloud
– The attackers would like this data
* We’re not putting in the right protections
– 76% of organizations aren’t using MFA for management console users
* Simple best practices aren’t being used
– 63% of code in production is unpatched
– Vulnerabilities rated high or critical (CVSS >= 7.0)

30
Q

Attack the service

A

Denial of Service (DoS)
– A fundamental attack type
* Authentication bypass
– Take advantage of weak or faulty authentication
* Directory traversal
– Faulty configurations put data at risk
* Remote code execution
– Take advantage of unpatched systems
– Attack the application
* Web application attacks have increased
– Log4j and Spring Cloud Function
– Easy to exploit, rewards are extensive
* Cross-site scripting (XSS)
– Take advantage of poor input validation
* Out of bounds write
– Write to unauthorized memory areas
– Data corruption, crashing, or code execution
* SQL injection
– Get direct access to a database

31
Q

Supply chain risk

A

The chain contains many moving parts
– Raw materials, suppliers, manufacturers, distributors, customers, consumers
* Attackers can infect any step along the way
– Infect different parts of the chain without suspicion
– People trust their suppliers
* One exploit can infect the entire chain
– There’s a lot at stake

32
Q

Service providers

A

You can control your own security posture
– You can’t always control a service provider
* Service providers often have access to internal services
– An opportunity for the attacker
* Many different types of providers
– Network, utility, office cleaning, payroll/accounting, cloud services, system administration, etc.
* Consider ongoing security audits of all providers
– Should be included with the contract

33
Q

Target service provider attack

A

Target Corp. breach - November 2013
– 40 million credit cards stolen
* Heating and AC firm in Pennsylvania was infected
– Malware delivered in an email
– VPN credentials for HVAC techs were stolen
* HVAC vendor was the supplier
– Attackers used a wide-open Target network to infect every cash register at 1,800 stores
* Do these technicians look like an IT security issue?

34
Q

Hardware providers

A

Can you trust your new server/router/switch/firewall/software?
– Supply chain cyber security
* Use a small supplier base
– Tighter control of vendors
* Strict controls over policies and procedures
– Ensure proper security is in place
* Security should be part of the overall design
– There’s a limit to trust

35
Q

Cisco or not Cisco?

A

All network traffic flows through switches and routers
– A perfect visibility and pivot point
* July 2022 - DHS arrests reseller CEO
– Sold more than $1 billion of counterfeit Cisco products
– Created over 30 different companies
– Had been selling these since 2013
* Knock-offs made in China
– Sold as authentic Cisco products
– Until they started breaking and catching on fire

36
Q

Software providers

A

Trust is a foundation of security
– Every software installation questions our trust
* Initial installation
– Digital signature should be confirmed during installation
* Updates and patches
– Some software updates are automatic
– How secure are the updates?
* Open source is not immune
– Compromising the source code itself

37
Q

Solarwinds supply chain attack

A

Solarwinds Orion
– Used by 18,000 customers
– Including Fortune 500 and US Federal Government
* Software updates compromised in March and June 2020
– Upgrades to existing installations
– Not detected until December 2020
* Additional breaches took advantage of the exploit
– Microsoft, Cisco, Intel, Deloitte
– Pentagon, Homeland Security, State Department, Department of Energy, National Nuclear Security Administration, Treasury

38
Q

Misconfiguration Vulnerabilities
Open permissions

A

Very easy to leave a door open
– The hackers will always find it
* Increasingly common with cloud storage
– Statistical chance of finding an open permission
* June 2017 - 14 million Verizon records exposed
– Third-party left an Amazon S3 data repository open
– Researcher found the data before anyone else
* Many, many other examples
– Secure your permissions!

39
Q

Unsecured admin accounts

A

The Linux root account
– The Windows Administrator or superuser account
* Can be a misconfiguration
– Intentionally configuring an easy-to-hack password
– 123456, ninja, football
* Disable direct login to the root account
– Use the su or sudo option
* Protect accounts with root or administrator access
– There should not be a lot of these

40
Q

Insecure protocols

A

Some protocols aren’t encrypted
– All traffic sent in the clear
– Telnet, FTP, SMTP, IMAP
* Verify with a packet capture
– View everything sent over the network
* Use the encrypted versions - SSH, SFTP, IMAPS, etc.

41
Q

Default settings

A

Every application and network device has a default login
– Not all of these are ever changed
* Mirai botnet
– Takes advantage of default configurations
– Takes over Internet of Things (IoT) devices
– 60+ default configurations
– Cameras, routers, doorbells, garage door openers, etc.
* Mirai released as open-source software
– There’s a lot more where that came from

42
Q

Open ports and services

A

Services will open ports
– It’s important to manage access
* Often managed with a firewall
– Manage traffic flows
– Allow or deny based on port number or application
* Firewall rulesets can be complex
– It’s easy to make a mistake
* Always test and audit
– Double and triple check

43
Q

Mobile device security

A

Challenging to secure
– Often need additional security policies and systems
* Relatively small
– Can be almost invisible
* Almost always in motion
– You never know where it might be
* Packed with sensitive data
– Personal and organizational
* Constantly connected to the Internet
– Nothing bad happens on the Internet

44
Q

Jailbreaking/rooting

A

Mobile devices are purpose-built systems
– You don’t have access to the operating system
* Gaining access
– Android - Rooting
– Apple iOS - Jailbreaking
* Install custom firmware
– Replaces the existing operating system
* Uncontrolled access
– Circumvent security features
– The MDM becomes relatively useless

45
Q

Sideloading

A

Malicious apps can be a significant security concern
– One Trojan horse can create a data breach
* Manage installation sources
– The global or local app store
* Jailbreaking circumvents security
– Sideloading
– Apps can be installed manually without using an app store
– An MDM becomes relatively useless

46
Q

Vulnerabilities

A

Many applications have vulnerabilities
– We’ve just not found them yet
* Someone is working hard to find the next big vulnerability
– The good guys share these with developers
* Attackers keep these yet-to-be-discovered holes to themselves
– They want to use these vulnerabilities for personal gain

47
Q

Zero-day attacks

A

Attackers search for unknown vulnerabilities
– They create exploits against these vulnerabilities
* The vendor has no idea the vulnerability exists
– They don’t have a fix for an unknown problem
* Zero-day attacks
– An attack without a patch or method of mitigation
– A race to exploit the vulnerability or create a patch
– Difficult to defend against the unknown
* Common Vulnerabilities and Exposures (CVE)
– https://cve.mitre.org/

48
Q

Zero-day attacks in the wild

A

April 2023 - Chrome zero-day
– Memory corruption, sandbox escape
* May 2023 - Microsoft zero-day patch
– Secure boot zero-day vulnerability
– Attacker can run UEFI-level self-signed code
* May 2023 - Apple iOS and iPadOS zero-days
– Three zero-day patches
– Sandbox escape, disclosure of sensitive information, arbitrary code execution
– Active exploitations