In a web-based environment the most attacked applications are those with a direct or indirect relation to the internet.
This list mostly consists of PDF readers, digital document processors, media players and web browsers; web browsers,
in addition to their own internal vulnerabilities, may also suffer from vulnerabilities in installed plug-ins (such as
ActiveX controls or Firefox add-ons).
Here are some examples of known vulnerabilities (as named in CVE) and their possible exploitation:
| Description | Vulnerability CVE identifier |
| Heap-based buffer overflow in the custom heap management system in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted PDF document, aka FG-VD-10-005. | CVE-2010-1241 |
| Adobe Reader 9.3.1 on Windows does not restrict the contents of one text field in the Launch File warning dialog, which makes it easier for remote attackers to trick users into executing an arbitrary local program that was specified in a PDF document, as demonstrated by a text field that claims that the Open button will enable the user to read an encrypted message. | CVE-2003-0533 |
| SQL injection vulnerability in the HD FLV Player (com_hdflvplayer) component 1.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php. | CVE-2010-0884 |
| Microsoft Windows Media Player 11 does not properly perform color space conversion, which allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted .AVI file. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | CVE-2010-1042 |
| The USB service in VMware Workstation 7.0 before 7.0.1 build 227600 and VMware Player 3.0 before 3.0.1 build 227600 on Windows might allow host OS users to gain privileges by placing a Trojan horse program at an unspecified location on the host OS disk. | CVE-2010-1140 |
A few recent examples show that when it comes to web browser and web application vulnerabilities, even banks may
become victims of attackers, as happened in 2010 when the front page of the NorthWesternBank web site was injected
with an iFrame leading to client-side exploits, and with the Bank of India back in 2007, when the same attack vector
was used to make its site serve malware.
A software vulnerability is basically incorrect or invalid handling of input
parameters passed to a vulnerable program, or simply a software bug. A specially
crafted input that exploits such a vulnerability is called a software vulnerability
exploit, or simply an exploit.
If the software vulnerability is unknown to others or undisclosed to the
software manufacturer, the code that uses it is often called a zero-day
exploit or a zero-day attack.
A common lifecycle of a zero-day exploit is as follows:
1.  The software manufacturer releases a product containing the vulnerability,
usually an unknown one.
2.  The attacker finds the vulnerability before the software developer does, or
before the developer is informed by users.
3.  The attacker creates and distributes an exploit.
4.  The manufacturer finds the vulnerability and starts writing the fix.
Since attackers will not announce, for understandable reasons, that they have
found a vulnerability, it may take several months to learn that such an exploit
exists. In some cases it may even take years, as in the case of Microsoft IE,
when Microsoft confirmed the existence of a vulnerability in IE 7 that affected
previous versions as well. For this reason zero-day exploits are considered
the most dangerous and undetectable.
Every exploit contains a part called the shell-code. The original purpose of the
shell-code is to start a shell program, which provides a communication
interface between the user and the operating system, and to establish a connection
to a remote control server (for example, the attacker's computer) for further instructions.
Once the shell-code is injected and control of the compromised machine is
gained, a malware or botnet agent may be downloaded and installed, a new
station may be attacked, or any other scenario may occur.
The following image shows the structure of an exploit and its shell-code.
| FILE BODY | NOP SLED | SHELL-CODE BODY | FILE BODY |
Picture 1 - exploit structure
The NOP sled is used to catch the CPU's instruction pointer register and carry
it into the body of the shell-code. A NOP sled consists of a meaningless sequence
of single- or multi-byte instructions with only one purpose: to start execution
of the shell-code from the correct position.
Polymorphic shell-codes
Plain exploits may be easily detected by anti-virus engines simply by using
recognition patterns for NOP sleds or for the content of the exploit (shell-code) body.
To avoid this, malware writers develop polymorphic shell-code that mutates
from generation to generation (from execution to execution) while keeping the original
execution algorithm. As with virus mutation, where different packers are
used to hide the real code, shell-code mutation is based on different encryption
engines that modify the exploit's body while keeping the original shell-code algorithm.
The following image shows the structure of an exploit with polymorphic shell-code.
| FILE BODY | NOP SLED | DECRYPTION PROCEDURE | SHELL-CODE BODY | FILE BODY |
Picture 2 - encrypted exploit structure
As can be seen from Picture 2, the encrypted exploit, like the plain exploit,
starts with a NOP sled that carries the instruction pointer register to the next
section of the exploit. Unlike the regular exploit, the NOP sled of the encrypted
exploit is followed by a decryption procedure that decodes the encoded shell-code.
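The detection consequence of the two layouts above (Picture 1 versus Picture 2) can be made concrete with a small static scanner. The following is an added example and not code from the original page: it runs three checks a detection engineer would layer on a file, a body signature, a single-byte NOP-sled run detector, and a sliding-window Shannon entropy measure. The two sample buffers are constructed stand-ins: the "shell-code body" is placeholder text, the "decryption procedure" is a labelled text placeholder and the "encrypted body" is pseudo-random bytes, so nothing in the block executes or decodes anything. The point it shows is that the body signature matches only the plain layout, while the sled check still fires on both and the entropy check flags the encrypted body that the signature missed.

```python
"""Layered static checks for the exploit layouts in Pictures 1 and 2.

Added example, not code from the original page. All sample buffers are
constructed stand-ins: the shell-code body is placeholder text, the decoder is a
text placeholder and the "encrypted" body is pseudo-random bytes.
"""
import math
import random

NOP = 0x90  # single-byte x86 NOP; multi-byte sleds would need semantic checks not shown here


def find_nop_sleds(data: bytes, min_len: int = 32) -> list[tuple[int, int]]:
    """Return (offset, length) for every run of 0x90 at least min_len bytes long."""
    sleds = []
    i, n = 0, len(data)
    while i < n:
        if data[i] == NOP:
            start = i
            while i < n and data[i] == NOP:
                i += 1
            if i - start >= min_len:
                sleds.append((start, i - start))
        else:
            i += 1
    return sleds


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def max_window_entropy(data: bytes, window: int = 256) -> float:
    """Highest entropy over windows stepping by half a window; high values suggest packed or encrypted regions."""
    if len(data) <= window:
        return shannon_entropy(data)
    step = max(1, window // 2)
    return max(shannon_entropy(data[i:i + window])
               for i in range(0, len(data) - window + 1, step))


def classify(data: bytes, body_signature: bytes) -> dict:
    """Apply the three checks discussed in the text: body signature, NOP sled, entropy."""
    return {
        "signature_hit": body_signature in data,
        "nop_sleds": find_nop_sleds(data),
        "max_entropy": round(max_window_entropy(data), 2),
    }


# --- constructed samples (not real exploit content) ---
FILE_HEAD = b"%PDF-constructed-sample " + bytes(range(64))   # stands in for the leading file body
FILE_TAIL = b"%%EOF constructed"                              # stands in for the trailing file body
NOP_SLED = bytes([NOP]) * 200
PLAIN_BODY = b"PLACEHOLDER_PLAIN_BODY " * 8                   # recognisable, signature-friendly body
DECODER_STUB = b"<constructed decoder-stub placeholder>"      # text placeholder for the decryption procedure
_rng = random.Random(20100101)
ENCRYPTED_BODY = bytes(_rng.getrandbits(8) for _ in range(512))  # pseudo-random stand-in for an encrypted body

PLAIN_SAMPLE = FILE_HEAD + NOP_SLED + PLAIN_BODY + FILE_TAIL                          # Picture 1 layout
ENCRYPTED_SAMPLE = FILE_HEAD + NOP_SLED + DECODER_STUB + ENCRYPTED_BODY + FILE_TAIL   # Picture 2 layout
BODY_SIGNATURE = b"PLACEHOLDER_PLAIN_BODY"                    # the pattern a signature engine would carry

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        print(name, classify(sample, BODY_SIGNATURE))
```

Running the block prints one result line per sample: the plain sample hits the signature, the encrypted one does not, both report the same sled at the offset where `FILE_HEAD` ends, and only the encrypted sample shows a high maximum window entropy. In practice the sled detector is the weakest of the three, since a sled built from varied multi-byte no-op instructions will not produce a run of 0x90, which is why the entropy and signature checks are combined rather than relied on alone.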
Exploit packs are very successful attack tools because antivirus software is not designed to detect them as a whole:
in most cases antivirus vendors detect one part of an exploit pack, and the undetected part of the pack
distributes new malware to the victim.
Needless to say, exploit packs have been around for a while. Most exploit packs are sold on underground forums
dedicated to hackers, crackers and black SEO. Exploit packs come with a UI that gives the attacker
real-time statistics about victims, such as which browsers and browser versions are most successfully
compromised and which browser exploits work best.
Exploit packs are designed to determine a victim's location and range, and of course their main purpose is
to infect victims and serve them new malware. Exploit packs include vulnerability exploits and shellcodes,
both known and unknown.
Examples of exploit packs can be found at the Malware Intelligence site.