EDR Reloaded: Erase Data Remotely

Video description for EDR Reloaded: Erase Data Remotely

Endpoint security controls are the most essential tool for protecting computer systems from malware threats. Most of them include several layers of detection modules. Among these is the byte signature detection logic, which is usually treated as the most reliable layer, with the lowest false positive rate.

What would you say if adversaries could remotely delete critical data from your fully patched servers over the internet?
Moreover, what if this could be done because of your security control's byte signature detection logic? And finally, what if the vendor's patch were still exploitable?

In this talk, we will first present the original vulnerability (CVE-2023-24860), in a brand-new category, which allows unauthenticated remote deletion of critical files such as an entire production database, causing a new level of DoS.
The vulnerability exists in the default settings of three well-known endpoint security products we have tested, and it is fully undetectable. It can be exploited on both Linux and Windows using at least ten different attack vectors and with almost no limitations.

We will explain the root cause and demo multiple attack vectors on unpatched machines, for example remote deletion of entire databases; in most cases the database service and the affected data cannot be easily recovered, resulting in critical DoS.

Then we will explain and demo, on fully patched machines, how we were able to bypass Microsoft's patch (CVE-2023-36010) and still achieve remote deletion of MySQL and MariaDB databases, remote denial of service of MongoDB, and a remote effect on PostgreSQL as well. Even after the patch, we are still able to cause remote deletion of web server logs, self-cannibalism, where Defender deletes its own detection logs, and deletion of VMware configuration.

By:
Tomer Bar | VP of Security Research, SafeBreach
Shmuel Cohen | Security Researcher, SafeBreach

Full Abstract & Presentation Materials: https://www.blackhat.com/asia-24/brie...
