Threat, Vulnerabilities and Mitigations: Application Vulnerabilities Flashcards
What are some of the flaws and weaknesses in applications that a threat actor could exploit?
Memory injections
Race Conditions
Malicious Updates
What is Memory injection?
Memory injections happen when a malicious user executes code within an authorized process. Types include:
Buffer overflow attacks: Write more data into a buffer than it was allocated to hold, inserting code or data that can crash a system or change how code executes. Overflow attacks can target different memory regions, including:
The stack: Small part of memory that’s fast and stores things such as function calls and local variables in a last-in/first-out way.
The heap: Large, dynamic memory area that’s slow and that stores things such as global variables.
Integers: Each integer type can contain a specific number type and size. Unexpected types or sizes can fall outside the allocated memory or overflow the integer value.
How are DLLs used in a memory injection attack?
Dynamic link libraries (DLLs): The standard attack copies a malicious DLL to the target system and then writes the directory path of the malicious DLL into the reserved memory space of the target process, thereby ensuring it gets loaded and executed. Here’s an example: https://github.com/adamhlt/DLL-Injector. There are also other types of DLL attacks:
CreateRemoteThread(): Function call that’s used to inject a custom DLL into the process’s address space.
Reflective: Doesn’t write a DLL to disk but rather grabs it from elsewhere, such as the internet, or
DLL hijacking: An application might not ship a specific DLL, but the system still searches for it at load time, so a threat actor can “provide” one in a location that is searched first.
What are race conditions?
This type of vulnerability occurs when operations that should occur one at a time actually happen at the same time. Key terminology about race conditions includes:
+ Time-of-Check (ToC) and Time-of-Use (ToU): Also referred to as TOCTOU, these terms refer to the time a resource was checked and then the time it was used. Odd behavior may occur depending on when each party checks and then acts, a pattern known as check-then-act.
+ Target of Evaluation (TOE): The code block that’s causing a race condition. Multiple threads and processes are accessing shared resources and variables concurrently, and the TOE is where this is happening in the code.
What are malicious updates?
Sometimes called a software supply chain attack, this is where threat actors look for and exploit vulnerabilities in a software vendor’s systems and then get into the vendor’s code base to compromise its software. Examples of these types of attacks include:
+ SolarWinds
+ CCleaner
+ UnrealIRCd 3.2.8.1