DOCSLIB.ORG

Introduction to Memory Exploitation

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Introduction to Memory Exploitation TurtleSec Turtle @pati_gallardo Sec TurtleSec “Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it. "Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.” https://www.schneier.com/blog/archives/2014/04/heartbleed.html @pati_gallardo 2 TurtleSec Heartbleed @pati_gallardo 3 TurtleSec What was the bug? - Buffer over-read - Attacker controlled buffer size @pati_gallardo 4 TurtleSec What made it bad? - Remote attack - High value memory - Wide deploy @pati_gallardo 5 CVE-2014-0160 Description TurtleSec “The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read” @pati_gallardo 6 TurtleSec Heartbleed is a prime example of an Information Leak @pati_gallardo 7 TurtleSec Heartbleed is famous for how devastating it was But it also became the poster child for fuzzing @pati_gallardo 8 TurtleSec Introduction to Memory Exploitation CppEurope 2021 Turtle @pati_gallardo Patricia Aas Sec Patricia Aas - Trainer & Consultant TurtleSec C++ Programmer, Application Security Currently : TurtleSec Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science Pronouns: she/they Turtle @pati_gallardo Sec TurtleSec Fuzzing @pati_gallardo 11 Corpus Valid Inputs TurtleSec Crash Crashing Inputs Instrumented Fuzzer Target Coverage Feedback @pati_gallardo 12 TurtleSec Now that’s is all nice and good But most memory errors don’t cause us to crash At least not right away @pati_gallardo 13 TurtleSec Sanitizers @pati_gallardo 14 Address Sanitizer TurtleSec VS compiler instrumentation run-time library GCC terminal $ clang++ -fsanitize=address overflow.cpp $ ./a.out Clang ERROR: AddressSanitizer: stack-buffer-overflow @pati_gallardo 15 TurtleSec Address Sanitizer provokes crash-like behavior for many memory bugs Supercharges fuzzing Makes it possible to find “hidden” bugs @pati_gallardo 16 TurtleSec Sanitizers Fuzzer Debugger Make application Provoke weird Analyze crashy behavior @pati_gallardo 17 TurtleSec So you found a bug. @pati_gallardo What now? 18 TurtleSec Exploitation @pati_gallardo 19 The Programmers Mental State Machine TurtleSec Weird “globalthermonuclearwar” Terminate State “David” Access Operation Secret: Denied complete “Joshua” Access Launching Granted missiles @pati_gallardo 20 Programming the Weird Machine TurtleSec Vulnerability Weird State Weird State @sergeybratus The Target @halvarflake The Shellcode @pati_gallardo 21 Shellcode TurtleSec Piece of code, typically in machine code, that is delivered and executed as a part of an exploit. Called “shellcode” because a traditional use was to start a shell, for example sh. In real exploits it will deliver some kind of mechanism for further (remote) compromise of the system. @pati_gallardo 22 The Anatomy of an Exploit TurtleSec Write Planting of Shellcode Memory Information Leaks Running of Shellcode Read Memory Exploit Execute Code @pati_gallardo 23 Code Execution TurtleSec To run your shellcode you need the instruction pointer to jump to your shellcode. The instruction pointer jumps in many different scenarios - goal here is to control where it jumps to, examples: return from a function virtual function call function pointer @pati_gallardo 24 “Primitives” TurtleSec A vulnerability or a capability in the application that can be used as a part of a wider exploit is often referred to as a “primitive”- examples: Arbitrary Read Primitive Write-What-Where Primitive Read-Where Primitive @pati_gallardo 25 TurtleSec Mitigations @pati_gallardo 26 Platform and Compiler Mitigations TurtleSec Write Address Space Layout Memory Randomization (ASLR) ASLR Non executable memory Limit interesting info? Stack Canaries Read Memory Exploit Execute Code @pati_gallardo 27 TurtleSec Cleaning Memory? @pati_gallardo 28 TurtleSec Dead Store Elimination The compiler is allowed to optimize away stores that cannot be detected Meaning memset’ing of memory that is never read can be removed The Case Of The Disappearing Memset @pati_gallardo 29 TurtleSec @pati_gallardo The Heap 30 TurtleSec Allocators @pati_gallardo 31 TurtleSec Simple Pool Allocator @pati_gallardo 32 TurtleSec Empty Pool @pati_gallardo 33 TurtleSec Initial allocations @pati_gallardo 34 TurtleSec Initial allocations @pati_gallardo 35 TurtleSec Initial allocations @pati_gallardo 36 TurtleSec Initial allocations @pati_gallardo 37 TurtleSec An allocation is freed - what now? @pati_gallardo 38 TurtleSec Free An allocation is freed - what now? @pati_gallardo 39 TurtleSec Free Another allocation is freed - what now? @pati_gallardo 40 TurtleSec Free Another allocation is freed - what now? @pati_gallardo 41 TurtleSec Free Another allocation is freed - what now? @pati_gallardo 42 TurtleSec Free link? coalesce? @pati_gallardo 43 TurtleSec So… how can we exploit this behavior? We can allocate! @pati_gallardo 44 TurtleSec Heap Spraying @pati_gallardo 45 Heap Spraying TurtleSec Fill memory with a certain byte sequence possibly shellcode so that a “random” jump might hit it @pati_gallardo 46 Heap Spraying TurtleSec Normal Allocation Initial state @pati_gallardo 47 Heap Spraying TurtleSec Normal Allocation Fill memory with shellcode Shellcode @pati_gallardo 48 TurtleSec This is a bit scattershot Can we have more control? @pati_gallardo 49 TurtleSec Heap Grooming (Heap Feng Shui) @pati_gallardo 50 TurtleSec Create predictable memory patterns Trick the allocator to allocate a specific chunk A chunk you can control Let’s see it in action @pati_gallardo 51 TurtleSec Putting it all together @pati_gallardo 52 “The Shadow Brokers” TurtleSec Hacking group behind a leak in 2016-17 The leaked exploits and tools are believed to be NSAs The Shadow Brokers are suspected to be Russian The leak was done in several batches Most famous is the Eternal Blue exploit @pati_gallardo 53 Very Light Background: Windows SMBv1 TurtleSec SMB messages Request Client Server Response Aside: This is the diagram of all things computer @pati_gallardo 54 TurtleSec Eternal Exploits EternalBlue @pati_gallardo 55 TurtleSec EternalBlue EternalChampion DoublePulsar EternalSynergy EternalRomance @pati_gallardo 56 Write-What-Where Primitive and Remote Code ExecutionTurtleSec EternalBlue Linear Buffer Overrun, Heap Spray / Heap Grooming @pati_gallardo 57 Main bug TurtleSec “When updating the length of the list, the size is written to as if it were a 16-bit ushort, when it is actually a 32-bit ulong. This means that the upper 16-bits are not updated when the list gets truncated.” Microsoft Defender Security Research Team @pati_gallardo 58 Heap Grooming and Spray TurtleSec - Primes the heap - Fills with blocks ready for shellcode - Makes room for buffer that will overrun - Overrun will prepare code execution - Hopes to overrun into one of the prepared blocks @pati_gallardo 59 Heap Grooming TurtleSec Initial state @pati_gallardo 60 Heap Grooming TurtleSec Grooming Packet Filling gaps to make allocations predictable @pati_gallardo 61 Heap Grooming TurtleSec Grooming Packet Grooming Packet Prefill before making pattern @pati_gallardo 62 Heap Grooming TurtleSec Grooming Packet Grooming Packet Make room for your objects Free up holes @pati_gallardo 63 Heap Grooming TurtleSec Grooming Packet Grooming Packet Pattern: Fish in a barrel Overflow Packet @pati_gallardo 64 Heap Grooming TurtleSec Grooming Packet Grooming Packet Ready for Execution Pattern: Fish in a barrel Overflow Packet @pati_gallardo 65 Heap Grooming TurtleSec Grooming Packet Grooming Packet Ready for Execution shellcode @pati_gallardo 66 Code Execution TurtleSec When connection is closed the shellcode is executed in the block(s) that have been overrun Installs the DoublePulsar backdoor implant @pati_gallardo 67 TurtleSec How does that affect me? @pati_gallardo 68 TurtleSec There is no magic here These are bugs you can find The tools they use are tools you can use Basically: Fix Bugs @pati_gallardo 69 TurtleSec Turtle @pati_gallardo Sec.
Load more

Recommended publications
  • Systematization of Vulnerability Discovery Knowledge: Review
    Systematization of Vulnerability Discovery Knowledge Review Protocol Nuthan Munaiah and Andrew Meneely Department of Software Engineering Rochester Institute of Technology Rochester, NY 14623 {nm6061,axmvse}@rit.edu February 12, 2019 1 Introduction As more aspects of our daily lives depend on technology, the software that supports this technology must be secure. We, as users, almost subconsciously assume the software we use to always be available to serve our requests while preserving the confidentiality and integrity of our information. Unfortunately, incidents involving catastrophic software vulnerabilities such as Heartbleed (in OpenSSL), Stagefright (in Android), and EternalBlue (in Windows) have made abundantly clear that software, like other engineered creations, is prone to mistakes. Over the years, Software Engineering, as a discipline, has recognized the potential for engineers to make mistakes and has incorporated processes to prevent such mistakes from becoming exploitable vulnerabilities. Developers leverage a plethora of processes, techniques, and tools such as threat modeling, static and dynamic analyses, unit/integration/fuzz/penetration testing, and code reviews to engineer secure software. These practices, while effective at identifying vulnerabilities in software, are limited in their ability to describe the engineering failures that may have led to the introduction of vulnerabilities. Fortunately, as researchers propose empirically-validated metrics to characterize historical vulnerabilities, the factors that may have led to the introduction of vulnerabilities emerge. Developers must be made aware of these factors to help them proactively consider security implications of the code that they contribute. In other words, we want developers to think like an attacker (i.e. inculcate an attacker mindset) to proactively discover vulnerabilities.
    [Show full text]
  • Internet Security Threat Report VOLUME 21, APRIL 2016 TABLE of CONTENTS 2016 Internet Security Threat Report 2
    Internet Security Threat Report VOLUME 21, APRIL 2016 TABLE OF CONTENTS 2016 Internet Security Threat Report 2 CONTENTS 4 Introduction 21 Tech Support Scams Go Nuclear, 39 Infographic: A New Zero-Day Vulnerability Spreading Ransomware Discovered Every Week in 2015 5 Executive Summary 22 Malvertising 39 Infographic: A New Zero-Day Vulnerability Discovered Every Week in 2015 8 BIG NUMBERS 23 Cybersecurity Challenges For Website Owners 40 Spear Phishing 10 MOBILE DEVICES & THE 23 Put Your Money Where Your Mouse Is 43 Active Attack Groups in 2015 INTERNET OF THINGS 23 Websites Are Still Vulnerable to Attacks 44 Infographic: Attackers Target Both Large and Small Businesses 10 Smartphones Leading to Malware and Data Breaches and Mobile Devices 23 Moving to Stronger Authentication 45 Profiting from High-Level Corporate Attacks and the Butterfly Effect 10 One Phone Per Person 24 Accelerating to Always-On Encryption 45 Cybersecurity, Cybersabotage, and Coping 11 Cross-Over Threats 24 Reinforced Reassurance with Black Swan Events 11 Android Attacks Become More Stealthy 25 Websites Need to Become Harder to 46 Cybersabotage and 12 How Malicious Video Messages Could Attack the Threat of “Hybrid Warfare” Lead to Stagefright and Stagefright 2.0 25 SSL/TLS and The 46 Small Business and the Dirty Linen Attack Industry’s Response 13 Android Users under Fire with Phishing 47 Industrial Control Systems and Ransomware 25 The Evolution of Encryption Vulnerable to Attacks 13 Apple iOS Users Now More at Risk than 25 Strength in Numbers 47 Obscurity is No Defense
    [Show full text]
  • The Dark Reality of Open Source Spotlight Report
    SPOTLIGHT The Dark Reality of Open Source Through the Lens of Threat and Vulnerability Management RiskSense Spotlight Report • May 2020 Executive Summary Open sourCe software (OSS) has quiCkly transformed both And while Heartbleed and the Apache Struts how modern applications are built and the underlying code vulnerabilities are the household names of open source they rely on. Access to high-quality and powerful open vulnerabilities, they are far from the only examples. Open source software projects has allowed developers to quickly source software is increasingly being targeted by integrate new capabilities into their applications without cryptominers, ransomware, and leveraged in DDoS having to reinvent the wheel. As a result, it is now estimated attacks. Unfortunately, OSS vulnerabilities are often a that between 80% and 90% of the code in most modern blind spot for many enterprises, who may not always be applications is made up of open source components. aware of all the open source projects and dependencies Likewise, many of the very tools that have enabled the that are used in their applications. growth of DevOps and CI/CD such as Jenkins, Kubernetes, and Docker are themselves open source projects. With this in mind, we have focused this version of the RiskSense Spotlight report on vulnerabilities in some of OSS also allows organizations to reduce their software today’s most popular open source software, including costs, and is often key to digital transformation efforts more than 50 OSS projects and over 2,600 vulnerabilities. and the transition of services to the cloud. It is no We then used this dataset to provide a risk-based surprise then that a 2020 report from Red Hat found that analysis of open source software to reveal the following: 95% of organizations view open source software as strategically important to their business.
    [Show full text]
  • Combat Top Security Vulnerabilities: HPE Tippingpoint Intrusion
    Business white paper Combat top security vulnerabilities HPE TippingPoint intrusion prevention system Business white paper Page 2 The year 2014 marked a new pinnacle for hackers. Vulnerabilities were uncovered in some of the most widely deployed software in the world—some of it in systems actually intended to make you more secure. HPE TippingPoint next-generation intrusion prevention system (IPS) and next-generation firewall (NGFW) customers rely on us to keep their networks safe. And when it comes to cyber threats, every second matters. So how did HPE TippingPoint do? This brief highlights the top security vulnerabilities of 2014—the ones that sent corporate security executives scrambling to protect their businesses. And it describes how HPE TippingPoint responded to keep our customers safe. Heartbleed—HPE TippingPoint intrusion prevention system stops blood flow early Any vulnerability is concerning, but when a vulnerability is discovered in software designed to assure security, it leaves businesses exposed and vulnerable. That was the case with the Heartbleed vulnerability disclosed by the OpenSSL project on April 7, 2014. They found the vulnerability in versions of OpenSSL—the open-source cryptographic library widely used to encrypt Internet traffic. Heartbleed grew from a coding error that allowed remote attackers to read information from process memory by sending heartbeat packets that trigger a buffer over-read. As a demonstration of the vulnerability, the OpenSSL Project created a sample exploit that successfully stole private cryptography keys, user names and passwords, instant messages, emails, and business-critical documents and communications. We responded within hours to protect TippingPoint customers. On April 8, we released a custom filter package to defend against the vulnerability.
    [Show full text]
  • Digitaalisen Kybermaailman Ilmiöitä Ja Määrittelyjä
    DIGITAALISEN KYBERMAAILMAN ILMIÖITÄ JA MÄÄRITTELYJÄ PROF. MARTTI LEHTO V 15.0 6.4.2021 JYVÄSKYLÄN YLIOPISTO INFORMAATIOTEKNOLOGIAN TIEDEKUNTA 2021 ALKUSANAT Euroopan komissio analysoi pohdinta-asiakirjassaan kesällä 2017 tulevaisuuden uhka- maailmaa. Sen mukaan teknologian kehitys muuttaa merkittävästi niin turvallisuuden kuin puolustuksen luonnetta. Big data, pilviteknologia, miehittämättömät ajoneuvot ja tekoäly muokkaavat yhteiskunnan eri rakenteita aina turvallisuuteen ja puolustukseen saakka. Tämän verrattain helposti saatavilla olevan teknologian käyttö mahdollistaa epätavanomaisten, valtioiden rajat ylittävien ja epäsymmetristen uhkien nopean kas- vun. Näitä ovat muun muassa hybridi- ja kyberuhat, terrorismi sekä kemialliset, biologi- set ja radiologiset iskut. Internetin käyttäjien määrän nopean kasvun myötä kyberrikol- lisuus ja terroristien internetin käyttö ovat 2000-luvulla muokanneet merkittävästi digi- taalista toimintaympäristöä.1 Digitaaliteknologia muuttaa ihmisten elämää. EU:n digitaalistrategian tavoitteena on valjastaa digitalisaatio palvelemaan ihmisiä ja yrityksiä sekä tukemaan tavoitetta tehdä Euroopasta ilmastoneutraali vuoteen 2050 mennessä. Komissio on päättänyt tehdä ku- luvasta vuosikymmenestä Euroopan "digitaalisen vuosikymmenen". Euroopan on nyt lu- jitettava digitaalista suvereniteettiaan ja asetettava standardeja sen sijaan, että se kul- kisi muiden jäljissä. Painopisteinä ovat data, teknologia ja infrastruktuuri.2 Euroopan komissio ja unionin ulkoasioiden ja turvallisuuspolitiikan korkea edustaja esit-
    [Show full text]
  • Automating Patching of Vulnerable Open-Source Software Versions in Application Binaries
    Automating Patching of Vulnerable Open-Source Software Versions in Application Binaries Ruian Duan:, Ashish Bijlani:, Yang Ji:, Omar Alrawi:, Yiyuan Xiong˚, Moses Ike:, Brendan Saltaformaggio,: and Wenke Lee: fruian, ashish.bijlani, yang.ji, alrawi, [email protected], [email protected] [email protected], [email protected] : Georgia Institute of Technology, ˚ Peking University Abstract—Mobile application developers rely heavily on open- while ensuring backward compatibility, and test for unin- source software (OSS) to offload common functionalities such tended side-effects. For the Android platform, Google has as the implementation of protocols and media format playback. initiated the App Security Improvement Program (ASIP) [21] Over the past years, several vulnerabilities have been found in to notify developers of vulnerable third-party libraries in popular open-source libraries like OpenSSL and FFmpeg. Mobile use. Unfortunately, many developers, as OSSPolice [15] and applications that include such libraries inherit these flaws, which LibScout [4] show, do not update or patch their application, make them vulnerable. Fortunately, the open-source community is responsive and patches are made available within days. However, which leaves end-users exposed. Android developers mainly mobile application developers are often left unaware of these use Java and C/C++ [1] libraries. While Derr et al. [14] flaws. The App Security Improvement Program (ASIP) isa show that vulnerable Java libraries can be fixed by library- commendable effort by Google to notify application developers level update, their C/C++ counterparts, which contain many of these flaws, but recent work has shown that many developers more documented security bugs in the National Vulnerability do not act on this information.
    [Show full text]
  • Cyberwar: the ISIL Threat & Resiliency in Operational Technology
    Cyberwar: The ISIL Threat & Resiliency in Operational Technology Thesis Presented to the Faculty of the Department of Information and Logistics Technology University of Houston In Partial Fulfillment of the Requirements for the Degree Master’s of Information Systems Security By Gregory S. Anderson May 2017 Cyberwar: The ISIL Threat & Resiliency in Operational Technology ____________________________________ Gregory S. Anderson Approved: Committee Chair: ____________________________________ Wm. Arthur Conklin, PhD Computer Information Systems and Information System Security Committee Member: ____________________________________ Chris Bronk, PhD Computer Information Systems and Information System Security Committee Member: ____________________________________ Paula deWitte, PhD Computer Information Systems and Information System Security ____________________________________ ____________________________________ Rupa Iyer, PhD Dan Cassler Associate Dean for Research and Graduate Interim Chair for Department of Information Studies, College of Technology and Logistics Technology THIS PAGE INTENTIONALLY LEFT BLANK Acknowledgments First, I would like to thank Dr. Chris Bronk and Dr. Art Conklin for their support and guidance throughout my time at the University of Houston. Their dedication to students is unparalleled for any other professor I have come across during my education. I would also like to thank my family for their ongoing encouragement and love. The fostering environment to peruse knowledge and “never settle for less” has been a constant inspiration throughout my life. Lastly, to my partner of 7 years, Lorelei. None of my achievements these past few years would have come to fruition without her continuous love, support, and willingness to sacrifice for the greater good is deeply appreciated. Thank you for being the most patient and steadfast person I have ever known, I love you.
    [Show full text]
  • Factor Authentication
    THIS COMPUTER HAS BEEN…. WHAT DO I DO NOW? Paul Seldes, FPEM, CEM, FMI ntb group, LLC Director of Operations I DON’T HAVE TO BE HERE RANSOMWARE DEFINED Ransomware is a type of malicious software used by cybercriminals that is designed to extort money from their victims, either by • Encrypting data on the disk or OR • By blocking access to the system CAN IT HAPPEN TO ME? 56% increase in ransomware attacks 2018-2019 (DHS- CISA) $84,000 typical cost of recovery $6 TRILLION cybercrime global costs by 2021 HOW IT WORKS RANSOMWARE IS A GROWTH INDUSTRY Cost of ransomware to the US in 2019 was $7.5 billion Ransomware attacks are also known as BGH 2020: $10 billion ? 2021: $15 billion? 2022: $20 billion? CRYPTOLOCKER – FIRST GLOBAL RANSOMWARE CAMPAIGN 500,000 victims Between $3 and $27 million in payments June 2014 CRYPTOLOCKER – FIRST GLOBAL RANSOMWARE CAMPAIGN There is a $3 million reward for information leading to his arrest (FBI) June 2014 AND SO IT GOES Over 100 variants between 2014 and 2019. WANNACRY – MAY 2017 WORLDWIDE ATTACK In order to spread like a worm, utilized an exploit called ETERNALBLUE, one of the leaked NSA hacking tools released by the Shadow Brokers hacking group in April 2017 The patch for the vulnerability was available for 59 days prior to the attack Hit critical infrastructure in some countries such as Germany and Russia. In the U.K., the health care sector received a hard hit: hospitals had to turn away patients, reroute ambulances, paralyze emergency services, and reschedule surgeries and appointments WANNACRY – MAY 2017 WORLDWIDE ATTACK In order to spread like a worm, utilized an exploit called ETERNALBLUE, one of the leaked NSA hacking tools released by the Shadow Brokers hacking group in April 2017 The patch for the vulnerability was available for 59 days prior to the attack Hit critical infrastructure in some countries such as Germany and Russia.
    [Show full text]
  • Extra Credit Homework CS 642: Information Security
    Extra Credit Homework CS 642: Information Security December 10, 2014 This homework assignment is for extra credit. It can only make your grade go up, and you can turn in as much as you finish and still get bonus points (assuming the finished portions are correct). You may not work with a partner. It is due Dec 18, 2014 by midnight local time. 1 ShellShock Shellshock, also known as Bashdoor, is a Unix Bash vulnerability that was made public in September 2014. The bug affected a large number of Internet services since it allowed attackers to remotely execute arbitrary commands in vulnerable versions of Bash. In this problem, you need to finish the following tasks: • (Description) You should read materials about the Shellshock bug and what the error was in the source code of BASH. Provide a brief description (at most a few paragraphs) explaining the vulnerability and describe how to fix the bug. • (Impact) Security experts said that exploits against ShellShock were used to generate Botnets and trigger DDoS attacks. Provide a brief description of how that might work, given your knowledge of the vulnerability. • (Tester) You should write a script that tests whether a BASH environment is vulnerable. Provide the script and explain the details of your code (in a separate text file). 2 Heartbleed The Heartbleed bug, an OpenSSL encryption flaw, was made public in April 2014. The bug had huge consequences, as the vulnerable software was used widely among website servers. Millions of servers were in danger of information leaks. Heartbleed allows hackers to remotely retrieve swathes of process memory from the openssl process.
    [Show full text]
  • Legacy of Heartbleed: MITM and Revoked Certificates
    Legacy of Heartbleed: MITM and Revoked Certificates Alexey Busygin [email protected] NeoBIT Notable Private Key Leaks • 2010 – DigiCert Sdn Bhd. issued certificates with 512-bit keys • 2012 – Trustwave issued CA certificate for one of its customers DLP system • 2013 – DigiNotar CA was totally compromised • 2014 – Heartbleed bug caused certificate revocation storm. 500000+ certs to be revoked • 2015 – RSA-CRT private key leaks • 2017 – Cloudbleed bug in Cloudflare reverse proxies 2 Checking Certificate Revocation Status: Certificate Revocation Lists (CRL) • CAs publish CRLs – lists of revoked certificate serial numbers • Normally certificate contains URL of the corresponding CRL Why it’s not OK? CRLs are not appropriate for online checks: • Excess size (up to 1 MB) • Vulnerable to replay attacks 3 Checking Certificate Revocation Status: Online Certificate Status Protocol (OCSP) • CAs maintain OCSP responders answering with certificate revocation status • Normally certificate contains URL of the OCSP responder • OCSP provides optional replay attack protection Why it’s not OK? • Slows down connection establishment • Browsing history leaks to CA • OCSP responder is DDoS target 4 Checking Certificate Revocation Status: OCSP Stapling • No browsing history leaks • Choose one: o Replay attack protection o TLS server side OCSP response caching: Minimal impact on connection establishment time Reduced load on OCSP responder Why it’s not OK? • Stapled OCSP responses are optional and may be stripped by MITM • OCSP responder is DDoS target (if replay
    [Show full text]
  • Bluekeep Update 12/05/2019
    BlueKeep Update 12/05/2019 Report #: 201912051000 Agenda • What is BlueKeep • Timeline of BlueKeep • BlueKeep Today • Initial Attempts to Exploit BlueKeep • Why Initial Attempts Failed • BlueKeep Tomorrow • Mitigations • Indicators of Compromise (IOCs) • HC3 Contact Information • References Slides Key: Non-Technical: managerial, strategic and high-level (general audience) Technical: Tactical / IOCs; requiring in-depth knowledge (sysadmins, IRT) TLP: WHITE, ID# 201912051000 2 What is BlueKeep • BlueKeep (CVE-2019-0708) • Vulnerability in Microsoft’s (MS) Remote Desktop Protocol • Grants hackers full remote access and code execution on unpatched machines • No user interaction required • Essential owns the machine, malicious actor can do as they please • Affects: Windows XP, 7, Server 2003, Server 2008, and Server 2008 R2 • Deja Blue(Related BlueKeep Vulnerabilities) affects: Windows 8, 10, and all older windows versions • EternalBlue affects: Server Message Block version 1 (SMBv1) • “Wormable” meaning it has the ability to self propagate (think WannaCry level of damage) • MS, NSA, DHS, many other security vendors released advisories and warning on this exploit TLP: WHITE, ID# 201912051000 3 BlueKeep Timeline Metasploit Team Microsoft Released Patch: DHS Tested a Working BlueKeep Scanner Significant Uptick in Releases BlueKeep Coin Miner Exploit CVE-2019-0708 Exploit Against W2000 Discovered in Malicious RDP Activity Exploit Module BlueKeep Vulnerability Watchdog Malware 34 Days (Private Exploit) 70 Days (Semi-Public Exploit) 115 Days (Public
    [Show full text]
  • Protecting Enterprise an Examination of Bugs, Major Vulnerabilities and Exploits
    ESET Research White Papers // April 2018 Protecting Enterprise An examination of bugs, major vulnerabilities and exploits Author Tony Anscombe Contributing researchers Anton Cherepanov Aryeh Goretsky Ondrej Kubovič Robert Lipovský Miguel Ángel Mendoza Diego Perez Protecting Enterprise: An examination of bugs, major vulnerabilities and exploits CONTENTS Executive summary 2 Bugs, vulnerabilities & exploits 2 The vulnerability trend 4 Major security vulnerabilities & attacks 5 EternalBlue 6 WannaCryptor 7 CoinMiner 9 Diskcoder (aka Petya) 10 Meltdown & Spectre 12 The risk to infrastructure 13 Protecting the enterprise 15 Updating (aka Patching) 16 Protection layers 16 2 Protecting Enterprise: An examination of bugs, major vulnerabilities and exploits EXECUTIVE SUMMARY This white paper focuses on the dramatic but whose updates have not been installed across growth in the number and severity of whole organizations. Both WannaCryptor and software vulnerabilities, and discusses how Diskcoder affected organizations worldwide multilayered endpoint security is needed despite operating system updates being to mitigate the threats they pose. available. ESET detected and blocked malware taking advantage of the EternalBlue exploit. Exploits of critical vulnerabilities such as EternalBlue have been utilized to devastating The purpose of this white paper is to help users effect. In 2017, EternalBlue alone spawned understand why no single technology or mix of WannaCryptor, CoinMiner and Diskcoder (aka technologies will guarantee that a network will Petya). In 2018, the security community has not be compromised and why the cybersecurity come to realize the extent of CPU architecture industry, including ESET, constantly refines vulnerabilities. Also, there is a growing products both reactively and proactively, acceptance that most older infrastructure adding layers to ensure effective security.
    [Show full text]