Buffer Overflow and Kernel Exploits

by | Aug 9, 2022 | VAPT | 0 comments

Introduction

This article discusses buffer overflows and kernel exploits and illustrates numerous exploitations and attacks. It also covers strategies for elevating privileges such as Eternal Blue and Dirty Cow. We also have an essay on buffer overflow that explains how to exploit services while demonstrating how to leverage the Metasploit framework specifically.

What is Buffer Overflow?

Buffer overflow happens when more data than intended is written to memory.

When data cannot be stored in its current location, it will be transferred to another location and either damage or replace existing data. This causes a program to execute incorrect code and eventually crash. Attackers can use overflowed data to inject malicious code. Stack overflow and heap overflow are the two most common types of buffer overflow.

Stack & Heap

Programming languages commonly associated with buffer overflow include C and C++.

Stack: A stack is defined before a program segment is run. If a user’s input is defined incorrectly, it is possible to use the memory to run a malicious code.

A stack is considered a restricted structure since only a limited number of operations are allowed.

Heap: A heap is a portion of the overall memory in which dynamically allocated memory resides. Data is written to a heap during the execution of instructions by programs. If a user’s input is defined incorrectly, it is possible to use the memory to run malicious code.

Stack Overflow

The stack is generally used to store data for immediate or future usage. And we are transferring data across program sections.

Two commands can be used to modify the stack:

Push-inserts data into the stack.

Pop-extracts the top data from the stack.

A stack overflow happens when an excessive level of information is written.

Eternal Blue

What is EternalBlue?

EternalBlue is a cyberattack exploit created by the US National Security Agency. It takes advantage of Microsoft’s SMB protocol prior to Windows 10.

The SMB protocol runs with high-level privileges, which means NT-authority privileges can be exploited. Versions prior to Windows 8 enable null sessions, which allow sending commands to the server.

Many organizations worldwide use Windows 7 and systems other than Windows 10. Those systems are vulnerable to EternalBlue.

eternal blue exploit

Defend EternalBlue

It exploits the three errors mentioned earlier and results in a small buffer that enables writing arbitrary code that the kernel runs. This opens the possibility of gaining RCE and NT-Authority and System privileges.

To protect an organization from EternalBlue, an up-to-date antivirus needs to be present, including a Microsoft patch regarding the vulnerability, and user account privileges must be managed correctly.

The patch fixes the way the SMBv1 protocol contends with malicious packets. More than 1 million machines are still vulnerable to the EternalBlue exploit.

BlueKeep

Execution

BlueKeep employs buffer overflow on the RDP protocol, which Microsoft utilizes on Windows OS. The vulnerability allows hackers to attack the RDP protocol on a computer’s operating system and propagate a cyber threat across the organization’s network.

Using Metasploit, All the victim’s necessary details are inserted and scanned. RDP runs with high privilege; therefore, granting an NT-Authority shell is possible.

bluekeep exploit

Kernel Exploits

Kernel

A kernel is computer software at the heart of an operating system. It handles input/output requests, data-processing instruction translation, and memory management.

Kernel exploits are flaws in different programs and processes that run at the kernel level. It uses flaws in programs that run at the kernel level.

Exploit Suggester

The Exploit-Suggester is one of the most effective tools for identifying exploits on both Windows and Linux. It is open-source software that examines the operating system and displays available exploits.

There are numerous versions of Exploit-Suggester available. Some are more productive than others.

exploit suggester

Race Conditions

A race condition occurs in software applications when the output depends on the timing or sequence of other uncontrollable events.

Race conditions often lead to bugs, as these events happen in a manner that is unintended by the system or the programmer. Programs run several threads, and if they are processed in the right order, a race condition can occur.

Race condition types

Mitigating race conditions can be performed by mutual exclusion. Only one process handles a shared resource while the other processes wait.

Critical race: This condition occurs when the sequence in which internal variables change determines the final state of the machine.

Non-Critical: This condition occurs when the sequence in which internal variables change doesn’t impact the machine’s final state.

Dirty Cow

It is a vulnerability in the Linux kernel that allows processes to write into read-only files. It exploits a race condition in kernel functions that handle the copy-on-write (COW) feature, which then enables an increase in privileges to root. The Common Vulnerabilities and Exposures database lists Dirty Cow as CVE-2016-5195.

Copy on write; if a resource is duplicated but not modified, it can be shared by the copy and the original. Modifications must still create a copy.

Execution

The exploit creates a private copy of a file and writes to it. Since it’s the first time writing to the private copy, the COW feature is triggered.

The exploit orders the kernel to throw away the private copy that is created using madvise.

This results in writing to the original read-only file, which allows an elevation of privileges.

dirty cow exploit

Mitigations

When a kernel exploit is discovered, developers start to work on new security updates to make the system secure again. Keep your system up-to-date. Be careful and pay attention to the files downloaded from the internet. Keeping the system up to date is the key to protection against known exploits.