Dark Reading is part of the Informa Tech Division of Informa PLC



7/28/2016
01:00 PM

Multiple Major Security Products Open To Big Vulns Via 'Hooking Engines'

Black Hat USA talk will show how flawed implementations of hooking techniques are putting security products and other software at risk.

Momentum has been building in the last few years for the security community to turn its microscope inward, as researchers dig in earnest for serious vulnerabilities in security products themselves. That trend will be reflected in several talks at Black Hat USA in Las Vegas next week, including research from enSilo that takes a thorough look at six common security issues stemming from faulty implementations of code hooking and injection techniques.

Spread across 15 different products--many of them antivirus and security platforms--the discoveries matter because many security products and other applications share the same vulnerable hooking engines. A flaw in one engine therefore exposes a far broader attack surface than it would if each product had developed its hooking functions on a one-off basis.

Black Hat USA returns to the Mandalay Bay in Las Vegas, Nevada, July 30 through Aug. 4, 2016.

Hooking, which intercepts calls to operating system functions in order to monitor or change their behavior, is used by a range of products for virtualization, sandboxing, and performance management. It is especially important to security products, which depend on it to monitor systems for malicious activity.

According to Udi Yavo and Tomer Bitton, co-founders of enSilo, when they began the work that eventually grew into their talk scheduled for next week, "Captain Hook: Pirating AVs to Bypass Exploit Mitigations," they initially thought they had found an isolated flaw in the anti-malware hooking engine of a single security product. The scope of the problem grew as the pair found that many security platforms and other software are prone to serious vulnerabilities in the way their hooking engines interact with the processes they hook.

"Overall, hooking and injections are an important part of security products, because they have to monitor what's happening in the system to operate," Yavo says. "However, they must realize that doing such intrusive operations has implications that affect security. Ironically, the fact that they are in the system and vulnerable bypasses the security controls of the underlying operating system."

Not Just Security Software

Vulnerabilities in hooking engines are not confined to security products, the researchers say. As part of their presentation, they will also discuss issues in the Microsoft Detours hooking engine, for which a patch is due in August. It was the security product implications, however, that really resonated with the duo: issues in these products are particularly insidious because security practitioners tend to treat the products as beyond suspicion.

For example, if one security product were to report an attack being carried out through another, vulnerable security product, most security teams would likely mark the alert as a false positive and move on, Yavo says. Security products are generally trusted, and the sheer volume of alerts would probably lead most organizations to overlook such a warning, he warns.

Yavo and Bitton developed a number of working exploits against some of the security products they examined. Affected vendors included AVG, Kaspersky, McAfee, Symantec, Trend Micro, Bitdefender, Webroot, AVAST and Vera. For example, in one AV product they showed that an attacker could abuse an improper hooking implementation to bypass ASLR in both 32-bit and 64-bit applications.
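The article does not say which implementation mistake let each product's hooking engine undermine ASLR, so the following is an added illustration, not enSilo's code or any vendor's: a toy trampoline allocator written two ways. The weak variant does what a careless hooking engine tends to do (asks for a hard-coded address and leaves the trampoline pool readable, writable and executable for the life of the process), the hardened variant lets the kernel randomize the placement and enforces W^X, and `count_rwx_regions()` is the check a defender can run against any process to see which kind of engine has been injected into it. It assumes Linux (it parses `/proc/self/maps`) and uses filler bytes rather than real trampoline instructions; nothing placed in the buffer is ever executed.

```c
/* Added example (not enSilo's or any vendor's code): two toy trampoline
 * allocators for a hooking engine, plus a scanner for RWX mappings.
 * Linux-only: the scanner reads /proc/self/maps. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>

#define TRAMPOLINE_SIZE 4096

/* Count mappings that are writable AND executable at the same time.
 * A hooking engine that leaves its trampoline pool RWX gives an attacker
 * who already has a write primitive a place to drop code without ROP. */
int count_rwx_regions(void) {
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps) return -1;               /* not Linux, or /proc unavailable */
    char line[512];
    int count = 0;
    while (fgets(line, sizeof line, maps)) {
        unsigned long lo, hi;
        char perms[5] = {0};
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3) continue;
        if (perms[0] == 'r' && perms[1] == 'w' && perms[2] == 'x') count++;
    }
    fclose(maps);
    return count;
}

/* Weak engine: hard-coded address hint (mmap honors it when the range is
 * free, so the trampoline lands at the same guessable place in every
 * process) and permanent RWX permissions. Both defeat the point of ASLR. */
void *weak_alloc_trampoline(const uint8_t *code, size_t len) {
    void *hint = (void *)0x10000000UL;  /* assumption: a fixed, predictable hint */
    void *p = mmap(hint, TRAMPOLINE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED || len > TRAMPOLINE_SIZE) return NULL;
    memcpy(p, code, len);
    return p;                           /* stays RWX for the life of the process */
}

/* Hardened engine: no address hint, so the kernel randomizes placement;
 * the page is writable only while the trampoline is being written, then
 * flipped to read+execute (W^X). */
void *hardened_alloc_trampoline(const uint8_t *code, size_t len) {
    void *p = mmap(NULL, TRAMPOLINE_SIZE, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED || len > TRAMPOLINE_SIZE) return NULL;
    memcpy(p, code, len);
    if (mprotect(p, TRAMPOLINE_SIZE, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, TRAMPOLINE_SIZE);
        return NULL;
    }
    return p;
}

void free_trampoline(void *p) {
    if (p) munmap(p, TRAMPOLINE_SIZE);
}

typedef void *(*alloc_fn)(const uint8_t *, size_t);

/* How many new RWX regions does a given allocator leave behind?
 * Returns -1 if the allocation or the scan failed. */
int rwx_regions_added_by(alloc_fn alloc) {
    /* Constructed filler, never executed: 0xcc is the x86 int3 opcode. */
    static const uint8_t filler[16] = {
        0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
        0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc
    };
    int before = count_rwx_regions();
    void *t = alloc(filler, sizeof filler);
    int after = count_rwx_regions();
    free_trampoline(t);
    if (!t || before < 0 || after < 0) return -1;
    return after - before;
}

int main(void) {
    printf("weak engine adds %d RWX region(s)\n",
           rwx_regions_added_by(weak_alloc_trampoline));
    printf("hardened engine adds %d RWX region(s)\n",
           rwx_regions_added_by(hardened_alloc_trampoline));
    return 0;
}
```

The scanner is the practical takeaway: a normal user-mode process on a current OS should have zero RWX mappings, so an RWX region appearing after an endpoint agent injects itself is a strong sign its hooking engine is of the weak kind, and a fixed address for that region across processes and reboots means ASLR has effectively been switched off for whatever code lands there.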

"There was also another vendor which was maybe even a bit worse," Yavo says. "If you combined all the issues that they had with the injections and the hooking, it allowed the attacker to gain persistency on the system because the injection method was not secure. An attacker could message their injection method to get injected into every process in the system, because the hooking engine was also flawed."

The presentation is scheduled for Wednesday, August 3, but those interested can get a technical teaser of some of the pair's findings in a blog post they recently published about their work.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
