2025-03-29 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
As the saying goes, flies don't bite an egg that has no cracks. The explanation is simple: once an egg cracks it spoils and gives off an odour, and to a fly a rotten egg is food, so the fly arrives uninvited. Everything has a cause, just like the fly and the egg. Information security is the same: information systems have security vulnerabilities, large and small, obvious and hidden, and anyone with a good nose for them is a "fly". To defend yourself you have to find your own vulnerabilities and fix them in time, before you get bitten.
Examples of security vulnerabilities
Case 1: Microsoft Windows vulnerabilities
The previous article introduced the Stuxnet incident, in which virus experts in the United States exploited several vulnerabilities in Windows to carry out the attack. That article did not go into the technical details, so this one expands on them to give a deeper understanding of how the attack worked.
Vulnerability 1: shortcut file parsing vulnerability (MS10-046, CVE-2010-2568)
When Windows displays a shortcut (.lnk) file, it reads the file to find the icon resource it needs and shows that icon for the file. If the icon resource lives in a DLL, the system loads that DLL. An attacker can therefore craft a shortcut that makes the system load a DLL of the attacker's choosing, executing the malicious code inside it. Because the shell renders shortcut icons automatically, with no user interaction beyond opening the folder that contains the file, the exploit is highly reliable.
The Stuxnet worm searches the infected computer for removable storage devices. Once it finds one, it copies the shortcut file and the DLL file onto it. If the user later plugs the device into a computer on the internal network, the vulnerability fires there. This is the so-called "ferry" technique: using removable storage to penetrate a physically isolated (air-gapped) network.
Two DLL files are copied to the USB drive: ~WTR4132.tmp and ~WTR4141.tmp. The latter hooks the following exported functions in kernel32.dll and ntdll.dll:
FindFirstFileW, FindNextFileW, FindFirstFileExW, NtQueryDirectoryFile, ZwQueryDirectoryFile
and thereby hides the .lnk and DLL files on the USB drive from directory listings. Stuxnet thus uses two separate measures, a kernel-mode driver and user-mode API hooks, to hide the files on the USB drive, making the infection hard for users to notice and, to a degree, evading antivirus scans.
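The check below is an added example written for this article, not code from the original page or from any published Stuxnet analysis. It parses the fixed ShellLinkHeader and the LinkTargetIDList of a .lnk file (offsets and GUIDs taken from Microsoft's MS-SHLLINK format), looks for a Control Panel folder item followed by an item that embeds a file path, and flags the shortcut when that path is not under the Windows directory. The verdict rule, the Control Panel CLSID heuristic and the constructed sample images produced by build_cpl_lnk are assumptions of this example. Note that the check keys on where the referenced library lives rather than on its extension, because, as described above, Stuxnet's DLLs carried .tmp names. A real scanner would read the file from disk; here the image is built in memory so the code runs offline.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LNK_HEADER_SIZE  0x4C   /* fixed ShellLinkHeader length (MS-SHLLINK)   */
#define LNK_FLAGS_OFFSET 0x14   /* LinkFlags field; bit 0 = HasLinkTargetIDList */
#define LNK_HAS_ID_LIST  0x01

/* LinkCLSID {00021401-0000-0000-C000-000000000046} in on-disk byte order */
static const uint8_t LNK_CLSID[16] = {
    0x01,0x14,0x02,0x00, 0x00,0x00, 0x00,0x00, 0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 };
/* Control Panel folder {21EC2020-3AEA-1069-A2DD-08002B30309D}, on-disk byte order */
static const uint8_t CPL_FOLDER_CLSID[16] = {
    0x20,0x20,0xEC,0x21, 0xEA,0x3A, 0x69,0x10, 0xA2,0xDD,0x08,0x00,0x2B,0x30,0x30,0x9D };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static int contains_guid(const uint8_t *d, size_t n, const uint8_t *guid) {
    for (size_t i = 0; i + 16 <= n; i++)
        if (memcmp(d + i, guid, 16) == 0) return 1;
    return 0;
}

/* First UTF-16LE run of printable ASCII containing a backslash -> out (narrowed). */
static size_t extract_path(const uint8_t *d, size_t n, char *out, size_t cap) {
    for (size_t i = 0; i + 1 < n; i++) {
        size_t j = i, len = 0;
        int has_bs = 0;
        while (j + 1 < n && d[j + 1] == 0 && d[j] >= 0x20 && d[j] <= 0x7E) {
            if (d[j] == '\\') has_bs = 1;
            j += 2; len++;
        }
        if (len >= 4 && has_bs && len < cap) {
            for (size_t k = 0; k < len; k++) out[k] = (char)d[i + 2 * k];
            out[len] = '\0';
            return len;
        }
        if (len) i = j - 1;                          /* skip the run already examined */
    }
    return 0;
}

/* Walk the LinkTargetIDList. 1 = Control Panel item followed by an item embedding a
   path (copied to path_out); 0 = no such structure; -1 = not a parseable .lnk. */
int lnk_cpl_item_path(const uint8_t *buf, size_t len, char *path_out, size_t cap) {
    if (len < LNK_HEADER_SIZE || rd32(buf) != LNK_HEADER_SIZE ||
        memcmp(buf + 4, LNK_CLSID, 16) != 0) return -1;
    if (!(rd32(buf + LNK_FLAGS_OFFSET) & LNK_HAS_ID_LIST)) return 0;
    size_t pos = LNK_HEADER_SIZE;
    if (pos + 2 > len) return -1;
    size_t end = pos + 2 + rd16(buf + pos);          /* IDListSize excludes itself */
    if (end > len) return -1;
    pos += 2;
    int in_cpl = 0;
    while (pos + 2 <= end) {
        uint16_t sz = rd16(buf + pos);               /* ItemIDSize includes its 2 bytes */
        if (sz == 0) break;                          /* TerminalID */
        if (sz < 2 || pos + sz > end) return -1;     /* malformed item: refuse to guess */
        const uint8_t *data = buf + pos + 2;
        size_t n = sz - 2;
        if (!in_cpl) in_cpl = contains_guid(data, n, CPL_FOLDER_CLSID);
        else if (extract_path(data, n, path_out, cap)) return 1;
        pos += sz;
    }
    return 0;
}

/* Heuristic verdict (an assumption of this example): a genuine Control Panel applet
   shortcut points into %SystemRoot%; anything else (USB volume, \\.\ device path,
   UNC share) matches the MS10-046 pattern. */
int lnk_is_suspicious(const uint8_t *buf, size_t len) {
    static const char win[] = "windows\\";
    char path[260];
    if (lnk_cpl_item_path(buf, len, path, sizeof path) != 1) return 0;
    if (!isalpha((unsigned char)path[0]) || path[1] != ':' || path[2] != '\\') return 1;
    for (size_t k = 0; win[k]; k++)
        if (tolower((unsigned char)path[3 + k]) != win[k]) return 1;
    return 0;
}

/* Constructed test image (not a real sample): header with HasLinkTargetIDList, a
   Control Panel folder item, then an item whose data is `path` as UTF-16LE. */
size_t build_cpl_lnk(uint8_t *out, size_t cap, const char *path) {
    size_t plen = strlen(path);
    size_t item1 = 2 + 16, item2 = 2 + 2 * plen, idlist = item1 + item2 + 2;
    size_t total = LNK_HEADER_SIZE + 2 + idlist;
    if (total > cap || idlist > 0xFFFF) return 0;
    memset(out, 0, total);
    out[0] = LNK_HEADER_SIZE;
    memcpy(out + 4, LNK_CLSID, 16);
    out[LNK_FLAGS_OFFSET] = LNK_HAS_ID_LIST;
    uint8_t *p = out + LNK_HEADER_SIZE;
    p[0] = (uint8_t)idlist; p[1] = (uint8_t)(idlist >> 8); p += 2;
    p[0] = (uint8_t)item1;  p[1] = (uint8_t)(item1 >> 8);
    memcpy(p + 2, CPL_FOLDER_CLSID, 16); p += item1;
    p[0] = (uint8_t)item2;  p[1] = (uint8_t)(item2 >> 8);
    for (size_t k = 0; k < plen; k++) p[2 + 2 * k] = (uint8_t)path[k];
    p += item2;
    p[0] = p[1] = 0;                                 /* TerminalID */
    return total;
}
```

On a patched system the shell no longer loads the referenced library to render the icon, but such a shortcut on a USB drive still indicates an attempted infection and is worth quarantining. The heuristic ignores the rest of the shortcut (LinkInfo, StringData) and will not catch a variant that omits the Control Panel item, so it is a triage filter, not a signature.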
Vulnerability 2: RPC remote code execution vulnerability (MS08-067, CVE-2008-4250) and privilege escalation vulnerabilities
A system with this vulnerability may allow remote code execution when it receives a specially crafted RPC request (the flaw is in the Server service's handling of path names, reached over SMB). On Windows 2000, Windows XP and Windows Server 2003 an attacker can launch the attack directly with maliciously constructed network packets, run arbitrary code without any authentication, and obtain full control of the machine. This is why the vulnerability has been used so often by worms for large-scale propagation and intrusion; Conficker, which appeared the same year, spread the same way.
The Stuxnet worm exploits this vulnerability to propagate within the internal LAN. (The original article illustrates this with a disassembly listing shown as an image, which is not reproduced here.)
In fact, Stuxnet used more than the two vulnerabilities described above; according to expert analysis, no fewer than four. It is easy to imagine how many exploitable flaws exist in an operating system as large and open-ended as Windows. For whoever is behind Stuxnet, the supply can be described as "inexhaustible".
Case 2: Apple vulnerabilities
If Microsoft is the representative of the PC era, Apple is undoubtedly the protagonist of the mobile Internet era. In 2016 Shanghai Telecom issued an "Important reminder: attention iPhone users!", advising users to upgrade their iPhone operating system as soon as possible to avoid security problems such as leaks of personal privacy. It is rare for a carrier to issue a notice urging users to update iOS. It did so because iOS had just run into the most serious system vulnerability in its history: without a timely update, personal information could be stolen, calls and social chats intercepted and, more frightening still, the iPhone itself turned into a remote audio and video recorder controlled by criminals.
At the end of August 2016, Apple pushed the iOS 9.3.5 update, only about 20 days after the release of iOS 9.3.4. Apple released the new version so hastily because it was an urgent update to close serious security holes.
iOS 9.3.5 addresses three newly discovered iOS vulnerabilities, known collectively as Trident. One is in Safari's WebKit (the open-source browser engine): once a target has been chosen, a single tap on a web link can lead to the "surrender" of the whole device. Another is in the iOS kernel and leaks information (it reveals kernel memory addresses, defeating the kernel's address-space randomization); the third is a kernel memory corruption bug.
The researchers who found the three high-risk flaws named them Trident. In plain terms, if a user taps a link sent by an attacker, the phone can be taken over remotely and chat logs and passwords leaked; by chaining the three flaws an attacker gains almost complete control of the iPhone. Of course, software is written by people, no one is perfect, and bugs in programs are unavoidable. Objectively, Apple's software update service is among the better ones in the industry, and upgrading is simple enough for a non-technical user. As long as you follow the system prompts and install the upgrade, you will generally be fine.
Case 3: hardware vulnerabilities in Intel CPUs
Just a month ago, barely past the start of 2018, the media broke the explosive news of the "Meltdown" and "Spectre" vulnerabilities in what were initially described as Intel chips. The Google Project Zero team, working in parallel with academic researchers, disclosed a set of chip-level vulnerabilities rooted in the CPU's speculative execution. All of them stem from an architectural design flaw rather than a software bug, and they allow an unprivileged user to read system memory and extract sensitive data. Worse, Intel acknowledged that nearly every Intel processor released since 1995 is affected (Meltdown is largely an Intel problem; Spectre variants also affect processors from AMD and ARM). Given that Intel effectively dominates the server and desktop markets, such a serious flaw in its processors has obviously serious consequences. It is particularly grave for important servers such as those of cloud computing providers, which share hardware among tenants through virtualization: if hardware-level isolation fails, one tenant can read memory belonging to another tenant or to the hypervisor, which is fatal to the cloud model. Major providers including Aliyun, Huawei Cloud, Microsoft Cloud, Baidu Cloud and Amazon Cloud launched emergency remediation, and mainstream Windows and Linux systems released patches. So far these measures can only reduce the impact of the vulnerabilities, and the kernel patches that mitigate Meltdown carry a performance cost; a thorough fix has to wait for future CPU designs. Viewed from another angle, if domestic chip makers can seize on this crisis, emphasize security and use the opportunity to promote domestic chips in industry, it may not be a bad thing.
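As an added example (not from the article, and not a leak demonstration), the following C shows the speculative-execution bounds-check-bypass pattern behind Spectre variant 1 next to the branchless index masking used to harden it, the same formula as the Linux kernel's generic array_index_mask_nospec(). The table contents, TABLE_SIZE and the victim_* functions are constructed for illustration. The block does not perform the cache-timing measurement that turns the cache footprint into leaked bytes; it shows the gadget shape a code reviewer looks for and the arithmetic that closes it.

```c
#include <stddef.h>
#include <stdint.h>

#define TABLE_SIZE 16
#define STRIDE     64                       /* one cache line per probe slot */

static uint8_t table[TABLE_SIZE] = {        /* constructed public data */
    3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8, 9, 7, 9, 3 };
static uint8_t probe[256 * STRIDE];         /* the side-channel "oracle" array */

/* Vulnerable pattern, the classic Spectre variant 1 gadget. The bounds check is
   an ordinary branch, so after training it on in-range x the CPU predicts
   "taken" and speculatively executes the body for an out-of-range x as well.
   table[x] then reads whatever byte sits x bytes past the table, and the
   dependent load of probe[...] leaves that byte's value in the cache state,
   where a timing measurement can recover it after the mis-speculation is
   squashed. The architectural result (the return value) is still correct,
   which is why ordinary testing never notices. */
uint8_t victim_vulnerable(size_t x) {
    if (x < TABLE_SIZE)
        return probe[table[x] * STRIDE];
    return 0;
}

/* Branchless mask: all ones when index < size, zero otherwise, computed from
   arithmetic on the operands rather than from the predicted branch. Valid while
   both index and size have their top bit clear; relies on arithmetic right shift
   of a negative ptrdiff_t, which gcc and clang guarantee. */
static inline size_t index_mask_nospec(size_t index, size_t size) {
    ptrdiff_t v = (ptrdiff_t)(index | (size - index - 1));
    return (size_t)(~v >> (sizeof(ptrdiff_t) * 8 - 1));
}

/* Clamp an index so that even a mis-speculated path uses index 0. */
size_t index_nospec(size_t index, size_t size) {
    return index & index_mask_nospec(index, size);
}

/* Hardened version: on the correctly predicted path x is unchanged; on the
   mis-speculated path (x >= TABLE_SIZE) the mask is zero and table[0] is read,
   so no out-of-bounds byte ever reaches the probe load. */
uint8_t victim_hardened(size_t x) {
    if (x < TABLE_SIZE) {
        x = index_nospec(x, TABLE_SIZE);
        return probe[table[x] * STRIDE];
    }
    return 0;
}
```

The mask is only safe while the compiler keeps it as arithmetic; the kernel's x86 version is written in inline assembly for that reason, and placing a serializing instruction such as lfence after the bounds check is the alternative mitigation. This addresses Spectre variant 1 in application or kernel code; Meltdown needs a different fix (kernel page-table isolation, the OS patches mentioned above) because it bypasses privilege checks rather than bounds checks.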
What is a security vulnerability?
Security vulnerabilities are also called loopholes. When von Neumann established the theory of computer architecture, he already held that computer systems, like organisms with their genes, carry inherent defects and may produce unexpected problems during use and development.
Information security vulnerabilities are all the factors that lead to a conflict between the security policy and the system's behaviour as defined by the access control matrix. -- Denning
An error is a vulnerability if it can be used by an attacker to violate a reasonable security policy of the target system. -- MITRE (USA)
A vulnerability is a weakness in the target of evaluation (TOE) that can be used, under certain environmental conditions, to violate its security functional requirements. -- ISO/IEC 15408 (Common Criteria)
It is important to note that vulnerabilities are sometimes referred to as errors, faults, weaknesses or failures, and these terms are easily confused. People are used to simply calling errors, defects and weaknesses "vulnerabilities". Strictly speaking they are not the same: errors, defects and weaknesses are conditions that can give rise to a vulnerability. A vulnerability, once exploited, necessarily compromises a security property, but it does not necessarily cause a product or system failure. For example, the theft of an online banking account affects only the victim's funds and privacy; it does not bring down the bank's transaction system.
For the full article, see Information Security Series (5): Security Vulnerabilities.
© 2024 shulou.com SLNews company. All rights reserved.