Exploit

from Wikipedia, the free encyclopedia

An exploit ( English to exploit exploit ') is in the electronic data processing to exploit a systematic way, vulnerabilities in developing a program originated. With the help of program codes, security gaps and malfunctions of programs (or entire systems) are exploited, mostly in order to gain access to resources or to break into or impair computer systems .

General

An exploit is often only developed and documented to identify a security gap. This is intended to enable software manufacturers to recognize and close a security gap more quickly. The mere description of an exploit is often referred to as an exploit.

For example, exploits make use of the fact that computers with Von Neumann architecture - almost all home and office computers - do not differentiate between program code and user data. In the event of a buffer overflow , for example, the attacker's code is written to a memory area not intended for this purpose, which can manipulate the execution of the application. Another possibility are format string attacks , in which unfiltered user input is passed to formatting functions such as printf(). An attacker can often execute his own code which, for example, provides him with a shell with the privileges of the exploited application.

classification

Exploits are usually referred to as follows:

  • Local exploits
  • Remote exploits
  • DoS exploits
  • Command execution exploits
  • SQL injection exploits
  • Zero-day exploits

Aspect type of attack

Local exploits

Local exploits can be activated when seemingly completely harmless files (e.g. Office documents ) are opened if the application assigned to the file type has a security gap due to incorrect or improper processing of the file. Most of the time, an exploit (for example in a PDF document or as a macro in a Word or Excel file) first tries to exploit security holes in the program that was used to read the file in order to achieve a higher level of privilege and thus convert malicious code into load and run the operating system. The actual action that the exploit performs is known as the payload . With many exploit frameworks (such as Metasploit ) the payload can be configured separately. However, it can also be firmly anchored in the exploit.

Remote exploits

An active form of exploits are attacks from the Internet using manipulated data packets or special data streams on weak points in network software. Such exploits are sometimes referred to as remote exploits.

Denial of service exploits

Usually the first exploits published for a known security hole are so-called DoS exploits, which overload the application concerned , but do not include the execution of third-party program code and no privilege escalation .

Command execution exploits

Command execution exploits are the characteristic of the attacker-controllable execution of program code on the target system. In order to be able to successfully execute such an exploit, the programmer must be familiar with various peculiarities of the memory allocation of the target application. He obtains this knowledge through open sources of the program code or through mere testing. He has to cleverly place his code in order to be able to execute it. Command execution exploits are usually very dangerous, as the applications concerned usually have considerable rights on the system and the attacker's code is started with precisely these rights.

SQL injection exploits

SQL injection -Exploits are a special kind of exploits and mainly find use in Web applications that a SQL - database use, as they are very easily available on the Internet, but it is possible in principle for any application that accesses a SQL database , being dangerous. In this case, requests are made in a layer architecture in such a way that the incorrectly or improperly working presentation layer returns or writes data that it should not make available for read or write access. For example, entries in a login form can be designed in such a way that the application concerned still successfully logs in an invalid user or data fields can be specifically output from the database in order to B. to output the passwords or e-mail addresses of all registered users. If user inputs in program interfaces are not sufficiently checked for validity (e.g. that they do not contain any SQL commands or parts thereof) and are filtered, an SQL injection gap can arise.

Examples
  • In October 2014, Sony's Playstation network could be accessed via an SQL injection gap in order to read customer data.
  • The popular blog system and content management system WordPress was affected by an SQL injection vulnerability in the Slimstat analytics plug-in, as security expert Marc-Alexandre Montpas discovered in February 2015. This put over a million websites at risk of being hacked .

Aspect time interval

Zero-day exploit

A zero-day exploit is an exploit that is used before a patch is available as a countermeasure. Developers therefore have no time ( "0 days", English zero day ) to improve the software so that the exploit is ineffective to protect users. If a person discovers a security gap and does not report it to the software manufacturer, but instead develops an exploit in order to exploit it, the software vulnerability is often only discovered long after the first attack. From hackers , zero-day exploits are gladly kept secret in order to exploit them for long. Outside the public, zero-day exploits are traded among hackers or manufacturers are offered for large sums of money. Prices have increased by a factor of around 10 since 2012. Since state organs offensive cyberwar prepare scenarios, try legitimate government and private sector, exploits to know in order by publishing patches secure systems - or to harm enemy systems.

As a preventive measure, experts try to detect security gaps in advance and identify software manufacturers. This is sometimes criticized in professional circles because the testers sometimes violate laws or manufacturer guidelines.

Examples

  • Zero-day exploits are becoming more common due to growing software complexity and rising prices. In August 2012, an exploit was released that easily switched off the Java security manager . This allowed any programs to be started.
  • Almost all Windows versions were affected by a zero-day vulnerability in Microsoft Office documents in October 2014 .
  • In November 2014 there were indications that the BND was buying zero-day exploits in order to intercept SSL encryptions. Functional zero-day exploits for widely used programs such as Internet Explorer , Flash , Android or iOS cost up to $ 100,000. It is believed that up to 4.5 million euros were made available for the purchase (under the code name “Swop”) in 2015.
  • The Presidium Working Group “Data Protection and IT Security” of the Gesellschaft für Informatik criticized the fact that the BSI should collect zero-day exploits but not have to publish them. If it were not published, German companies and private individuals would be exposed to IT attacks without protection, and companies could lose billions of euros.
  • Google published documentation of all zero-day exploits known to the public since 2014.

Countermeasures

Memory protection is often mentioned as a countermeasure, but this is not correct, because frozen memories can be read with different programs. Likewise, by means of intrusion detection systems an attack on the basis of existing functionalities or determined by means of intrusion prevention systems are also prevented; such a system, however, also does not protect against the exploitation of a systematic, unknown error in software. The basic problem is often improper programming (e.g. due to the use of hanging pointers ) or, even more difficult to discover, a systematic, usually very complex error in the architecture of the program or an entire system. The only solution for such problems would be to avoid the security gaps caused by processing errors during development, which is practically impossible with today's systems. Managed code offers some protection; this effectively prevents buffer overflows , for example . But this is only a partial solution to the overall problem. Complex systems, which are put together by different manufacturers and sub-suppliers, consist of many layers of hardware and software, which makes it extremely difficult to find weak points during development. Therefore, the search for weak points is usually continued during operation, long after the beta phase. This search is existentially important in extremely critical systems in which human lives are at stake, e.g. B. in cars, trains, airplanes and ships, which all contain software (mostly in the form of firmware ), which in principle can be attacked.

Examples
  • The hacking of a Jeep Cherokee showed that the investigations of the Blackhat Conference on the hackability of cars were not only theoretical . The security experts Charlie Miller and Chris Valasek succeeded in taking control of such a jeep through a weak point in the infotainment system via the Internet. The brakes, acceleration, door locking, air conditioning and windscreen wipers could be controlled remotely. In reverse, it was even possible to control the steering wheel remotely. It should also be possible to determine the exact location of the hacked vehicle without the consent of the vehicle owner. This weak point has now been remedied with an update , which, however , must be installed by the vehicle owner using a USB stick or by a workshop.

See also

Individual evidence

  1. Tatort Internet - PDF with time bomb - Heise Security . Retrieved February 15, 2013.
  2. PDF exploit for Adobe Reader . Anonymous. Archived from the original on January 6, 2014. Info: The archive link was automatically inserted and not yet checked. Please check the original and archive link according to the instructions and then remove this notice. Retrieved February 16, 2013. @1@ 2Template: Webachiv / IABot / pastie.org
  3. Total virus analysis of the exploit . Retrieved February 16, 2013.
  4. ^ SQL Injection . PHP.net. Retrieved August 19, 2011.
  5. "Significant Increase in SQL Injection Attacks". In: "Heise Security". Retrieved January 14, 2015 .
  6. ^ "Lethal injection". In: "Heise Security". Retrieved January 14, 2015 .
  7. "Vulnerability allows access to Sony customer data". In: "Golem.de". Retrieved January 14, 2015 .
  8. Björn Greif: "Over a million WordPress sites threatened by SQL injection vulnerabilities". In: "ZDNet". February 25, 2015, accessed November 18, 2015 .
  9. Zero-day exploit. (No longer available online.) In: "Viruslist.com". Archived from the original on February 2, 2012 ; Retrieved November 18, 2011 . Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. @1@ 2Template: Webachiv / IABot / www.viruslist.com
  10. The legitimate vulnerability market (PDF; 289 kB) Independent Security Evaluators, Charles Miller. Archived from the original on March 24, 2012. Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. Retrieved November 18, 2011. @1@ 2Template: Webachiv / IABot / securityevaluators.com
  11. Patrick Beuth: The perfect iPhone hack costs two million dollars , SPIEGEL online from February 10, 2018
  12. Tom Simonite: Welcome to the Malware-Industrial Complex , MIT Technology Review, February 13, 2013
  13. Metasploit puts out bounties on exploits . Hot. Retrieved November 18, 2011.
  14. Archive link ( Memento of the original from February 17, 2013 in the Internet Archive ) Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. @1@ 2Template: Webachiv / IABot / pastie.org
  15. "Volcanic eruption on Java - Java 0 Day exploit under the microscope". In: "Heise Security". Retrieved January 14, 2015 .
  16. "Java 0day analysis (CVE-2012-4681)." In: "Immunity Products". Retrieved February 7, 2013 .
  17. "Zero-Day Gap in Windows". In: "Heise Security". Retrieved October 24, 2014 .
  18. "Intercepting SSL: Criticism of BND's plans for zero-day exploits". In: "Heise Security". Retrieved November 11, 2014 .
  19. "IT Security Act creates uncertainty". In: "Society for Computer Science". Retrieved November 19, 2014 .
  20. "0day In the Wild". In: Google Project Zero. Retrieved May 15, 2019 .
  21. "Black Hat: Attacks on Planes, Trains and Cars". In: "Kaspersky lab daily". Retrieved November 25, 2014 .
  22. ^ "Hacker attacks on cars - remote control via laptop: These car models are easy to manipulate". In: "Focus". Retrieved December 4, 2014 .
  23. Ronald Eikenberg: "Hackers control Jeep Cherokee remotely". In: "Heise Security". July 22, 2015, accessed November 16, 2015 .
  24. ^ "Andy Greenberg": "Hackers Remotely Kill a Jeep on the Highway - With Me in It". In: "Wired.com". July 21, 2015, accessed November 16, 2015 .