IT and Cybersecurity leaders need the clearest picture of their networks and assets to understand if their organizations are at risk and what to do about it. When it comes to looking ahead at zero day vulnerabilities, it can be helpful for leaders to first look back to understand the collective strengths and weaknesses of the cybersecurity industry and the effects they’ve had on the different risks and threats it’s tasked with analyzing and preventing.

As a helpful tool for 2023 strategic cybersecurity planning, we’re highlighting the most common vulnerability categories found in 2022, across more than 27,000 discovered vulnerabilities by the Synack Red Team. Each of these vulnerabilities have the potential to pose significant threats to large organizations and will continue to be monitored as we move through the year.

Here are the top five vulnerability categories found by Synack in 2022:

#1 Authorization Permission

The most common vulnerability found in 2022 relates to improper authorizations. With authorizations, a user’s right to “access a given resource [is] based on the user’s privileges and any permissions or other access-control specifications that apply to the resource.” In this case, unauthorized users may gain access to resources or initiate unwanted actions that they should not be allowed to perform, potentially leading to data exposures, DoS or arbitrary code execution.

#2 Cross Site Request Forgery

The runner up vulnerability is Cross Site Request Forgery (CSRF), which is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

#3 Information Disclosure

Information Disclosure can occur due to security mistakes which expose sensitive information to an actor that is not explicitly authorized to have access to that information. Information exposures can occur in different ways, resulting from mistakes that occur in behaviors that explicitly manage, store, transfer or cleanse sensitive information. 

#4 SQL Injection

This attack style consists of insertion or injection of a SQL query via the input data from client to application. A successful exploit of this style can read and even modify sensitive data, execute admin functions (including shutting down systems), and in some cases, issue commands to an operating system.

#5 Authentication Session Management

Broken Authentication Session Management vulnerabilities round out the Top 5 found by Synack in 2022. Websites may require users to login using a username and password, MFA or other authentication schemes, which may contain exploitable vulnerabilities. The site will assign and send each logged in visitor a unique session ID that serves as a key to the user’s identity on the server, if the session ID is not properly secured a cybercriminal can impersonate a valid user and access that user’s account.

How to Reduce Your Exposure to a Top 5 Vulnerability

Synack offers an offensive security testing platform allowing enterprise customers to track exploitable vulnerabilities in their environment and to close security gaps before they can be exploited by bad actors. The Synack Platform pairs the Synack Red Team, a community of 1,500 expert and vetted adversarial researchers, with the machine intelligence in our platform. Synack’s security testing missions cover web assets and host assets, as well as mobile, cloud and API security.

If you’re not penetration testing on a continuous basis, you should be. Talk to your Synack rep or your authorized security sales representative to learn more about strategic security testing.

The post Synack’s Top 5 Vulnerabilities Found in 2022 appeared first on Synack.

By Malcolm Stagg

The Microsoft Windows RCE Vulnerability, or CVE-2021-34535, is a Remote Code Execution (RCE) vulnerability in Remote Desktop Client, found by SRT member Malcolm Stagg earlier this year, and patched by Microsoft in August 2021.

Finding the Vulnerability

I found this vulnerability by looking at the disassembly of several Windows dll’s in IDA debugger for potential memory access flaws. Protocol parsing code, especially code involving multimedia decoding, tends to be a common place for flaws since the protocol decoding is often complex. When raw pointers to memory buffers are used directly, it is easy to make a mistake that can lead to a serious memory access vulnerability.

Looking at occurrences of memcpy, the C function that copies data between two memory buffers, I found one occurrence in the TSMF media decoder that showed signs of having a complex access pattern. TSMF is a legacy plug-in for Remote Desktop, in which the Remote Desktop Server transfers a multimedia file to be played by the Remote Desktop Client. 

First, the decoder allocates a heap buffer with the size cbData+63 bytes, where cbData is a field from a packet that attackers can control. Next, cbData+36 bytes of data are copied from the packet into the buffer. The remaining 27 bytes are intended to be filled with data from a separate buffer.

This access pattern looks innocent enough until you look at cases involving an integer overflow. cbData is a 32-bit unsigned integer, so it can represent any number between 0 and approximately 4 billion. By specifying a buffer size just slightly below that upper limit, an integer overflow will occur, causing a very small buffer to be allocated, and a huge amount of attacker-controlled data copied into that buffer. The result is a heap buffer overflow, where structures throughout the program’s memory space are overwritten with attacker-controlled data.

Exploiting the Vulnerability

There are two main scenarios for how an attacker could exploit this vulnerability. One of these is by gaining control of a Remote Desktop Server. An attacker could take control of a victim’s machine when it connects to the malicious Remote Desktop Server, exploiting this vulnerability to run code that escapes from the Remote Desktop Client onto the victim’s machine.

The other scenario, which is perhaps even more interesting, is a Hyper-V Client escape. Unless “Enhanced Session Mode” is explicitly disabled by the user, Hyper-V uses Remote Desktop Client dll’s while accessing a virtual machine. By doing so, features like clipboard sharing and printing are enabled, improving the user experience. If a virtual machine is running malicious software, an attacker could exploit this vulnerability to escape from the Hyper-V Client and gain control over the host machine. Since users often run untrusted software inside a virtual machine to provide better security and isolation, this is an interesting case that could have a serious impact.

Proof of Concept

The vulnerability was fairly difficult to exploit for two reasons: one is that it will always result in a client crash. Approximately 4 GiB of data is copied into an extremely small buffer, so a memory access violation is inevitable. The attacker’s payload must be successfully executed before the client crash occurs.

The other difficulty in exploitation is due to Address Space Layout Randomization (ASLR), a security feature designed to make memory access vulnerabilities more difficult to exploit by providing randomization of memory addresses. Since this vulnerability in itself provides no way of bypassing ASLR, for the purposes of demonstration, it is assumed that the attacker has some other way of bypassing it. A common method would be finding an information disclosure vulnerability where a program’s internal memory pointers are exposed to the attacker.

Ultimately, a proof of concept was developed by finding a target function where Hyper-V Client jumps to a memory address stored within the attack payload. To obtain remote code execution, a couple of “gadget” functions were also found. Gadgets are existing functions within the program which have been repurposed by the attacker to perform a task.

The first gadget causes a memory pointer to jump from its initial, random, location within the attack payload to a specific location known to the attacker. This known location specifies a second gadget function and a program name. The second gadget function causes the program name to be read from the attack payload and executed.

The proof of concept is demonstrated in the following video, showing how executing a program within a virtual machine can result in a Calculator executing on the host machine.

Preventing These Vulnerabilities

This specific vulnerability could have been prevented by the developers performing several additional validation checks:

1. Validate all user-controlled data and buffer sizes
2. Check for integer overflow edge cases
3. Verify a buffer’s length before copying any data

Memory access vulnerabilities are most common when using raw pointers directly, so those should be avoided whenever it’s feasible to do so.

Protecting Yourself

If you’re accessing an untrusted virtual machine in Hyper-V or running an untrusted program on your virtual machine, disable “Enhanced Session Mode” whenever you can to reduce your attack surface. 

Always be cautious when accessing a Remote Desktop Server you don’t explicitly trust. It is best to only access machines with which you are familiar.

Finally, by keeping your computer up-to-date and installing the latest Windows Update patches, your computer will be protected from many new vulnerabilities, including this one!

The post This Microsoft Windows RCE Vulnerability Gives an Attacker Complete Control appeared first on Synack.

If you work in a technology industry such as cybersecurity, you’ve probably noticed the lack of gender diversity. Most offices, companies, and conferences are—let’s face it—Y-chromosome-heavy. 

At Synack, we feel that this lack of diversity isn’t good for society or for infosec. After all, Synack is built on the foundation that a diverse, worldwide community of ethical hackers can outperform any less diverse group of testers. Each Synack Red Team member, our community of about 1,500 skilled hackers, introduces different perspectives. It comes through their tactics, techniques, and procedures (TTP). According to our customers, it works. 

To help support and grow a welcoming and supportive community for all cybersecurity researchers, Synack is now announcing—drumroll please… the Artemis Red Team (ART)! 

The ART is a new sub-community within the Synack Red Team (SRT) exclusively open to security professionals who identify as women, nonbinary, or other gender minorities. We created the program with a specific focus on providing opportunities for engagement, professional support, career development, bug bounty learning and networking. We will seek to provide these values through meetups, guest speakers, exclusive events, and fun activities among our members to enhance the community.

“We need to do better as an industry to ensure we’re inclusive, welcoming, and supportive of everyone working in information security,” said Jay Kaplan, Synack’s CEO. “I’m so proud that we’re launching the Artemis Red Team to help foster diversity and create more pathways for women and gender minorities in the industry. Encouraging this kind of diversity makes us stronger, more secure, and is the only way we’ll actually solve the cybersecurity skills shortage.”

ART members can also earn exclusive swag, linked to the points already earned by hacking via the Synack platform for ethical hackers. 

ART is for SRT members only. All SRT members can refer new members to the SRT who may also be interested in the ART. Your referrals that meet the SRT Referral Program criteria will earn you an extra 250 points on the platform! Please have potential candidates apply with this link. 

If you are already an SRT member and interested in joining ART, please submit a support ticket with a request to be added to the group’s private Slack channel (where members can communicate).

If you thought that was great, check out what some of our current #womenofthehunt have to say about the ART:

“Synack has always stood for and promoted women. The Artemis Red Team is another such initiative to include and empower more women in cybersecurity. I’m super happy about this announcement!! More power to you girls!”
@BattleAngel

“I’m very excited for everyone who will join us with this program. I’m sure that we will help each other and achieve great success together. Wait for us, leaderboard!”
@Busra

“I’m really appreciative of this initiative. I can very well understand, being a woman, how difficult it feels to survive in this industry. And the constant pressure of proving to others, no matter how much useful work one has done. Thank you!”
@SecurityTester

Are you ready to join an awesome team of researchers like you? Use this link to apply!

The post Synack to Boost Cybersecurity Gender Diversity with New Artemis Red Team appeared first on Synack.

The first of an ongoing series of deep-dive videos into newly discovered and critical vulnerabilities. 

In the first installation of Synack’s newly launched Exploits Explained video series, we are digging deep into a zero day Remote Code Execution vulnerability that one of our Red Team researchers recently uncovered during a web application test. 

RCE vulnerabilities are unfortunately fairly common and dangerous as they give attackers the ability to access servers, make changes and tamper with sensitive data and even take over applications running on the same server.

The vulnerability that we’re demonstrating in a live hack of the vulnerable web application, which has been scrubbed of any identifying features, shows how an intruder who discovered the flaw could gain access to the application and carry out an attack.

This exploit makes use of a common technique in proven code execution using a DNS query as a means to see the command output. The technique is useful in many situations where an attacker cannot see the output of commands being executed or if the system being exploited has restricted communications to the internet.

An attacker with authenticated access to the vulnerable web app who discovers the RCE will have user privilege command execution on the server that hosts the site. The criticality of the RCE vulnerability really depends on the sensitivity of the data in the application. But even if an attacker is unable to gain administrative privileges on the server, user level access often provides enough for the attacker to access the full database.

If multiple web applications are hosted on the same server, compromising one app could give an attacker access to other programs running on the same server.

It’s critical that security teams and developers stay vigilant against these types of vulnerabilities. Any features that respond to user supplied inputs should only act on untrusted inputs when absolutely necessary. 

This live hack demonstration makes the case that developers must assume that every input an application receives from an outside source could be untrustworthy — and design systems according to defend against RCE attacks. 

For another deep dive into the hacker mindset, check out Hacker Horizons – Attacker Methodology and Exploitation Demo — a step-by-step look into the seven steps of the kill chain, from Reconnaissance to Actions on Objectives. 

The post Exploits Explained: Zero Day Remote Code Execution in File Upload Feature appeared first on Synack.