DeepSec 2019 Talk: 30 CVEs in 30 Days – Eran Shimony

Sanna/ November 12, 2019/ Conference

In recent years, the most effective way to discover new vulnerabilities is considered to be fuzzing. We will present a complementary approach to fuzzing. By using this method, which is quite easy, we managed to get over 30 CVEs across multiple major vendors in only one month.

Some things never die. In this session, we’ll show that a huge amount of software is still vulnerable to DLL Hijacking and Symlinks abuse and may allow attackers to escalate their privileges or to DoS a machine. We will show how we generalized these two techniques within an automated testing system called Ichanea, with the aim of finding new vulnerabilities.

Our mindset was – choose software that is prone to be vulnerable: Installers, update programs, and services. These types of software are often privileged. Therefore, they are good candidates for exploitation using symlink or DLL Hijacking attacks. We’re only scratching the surface and we are positive that there are additional attack vectors that could be widely implemented to achieve similar results.

We asked Eran a few more questions about his talk.

Please tell us the top 5 facts about your talk.

It is an innovative look into vulnerability searching.
Almost anyone with some Windows internals knowledge can do it.
Exploit code is straightforward to develop.
A lot more than 30 vulnerabilities where discovered, more like 60.
There is a blog series in https://www.cyberark.com/threat-research-blog/ that showcases the research.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Logical bugs were always an interest of me. So after discovering several vulnerabilities in products with a similar nature, I tried to generalize the issue by creating an automated system.

Why do you think this is an important topic?

Having privilege escalation vulnerabilities often means an attacker can abuse the domain environment\personal computer as much as he wants since security products are very permissive regarding privileged users.

All the vulnerabilities that were discovered in the research are about escalating your privileges on the Windows platform using security holes in drivers, services, and installers.

Is there something you want everybody to know – some good advice for our readers maybe?

Think before doing every privileged file operation on Windows. There might be a chance it would allow an attacker to escalate her/his privileges. Sometimes getting CVEs and bounty rewards are not that difficult 🙂

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I believe many vulnerabilities similar in nature will pop up soon, hoping it will cause vendors to improve their security standards.

Eran Shimony is a security researcher at CyberArk
Eran has an extensive background in security research, that includes years of experience in malware analysis and vulnerability research on multiple platforms. With a growing interest in logical vulnerabilities he has made lots of disclosures across multiple vendors.