© Jacob G. Oakley 2019
J. G. Oakley, Waging Cyber War, https://doi.org/10.1007/978-1-4842-4950-5_3

3. Cyber Exploitation

Jacob G. Oakley, Owens Cross Roads, AL, USA

When people speak of cyber-attacks or cyber warfighting, the focus typically seems to be on the end effect of the attack. This is understandable, as the attack portion of a cyber-attack is usually a cyber-physical effect whose impact even non-technical people can understand. When a cyber-attack can take control of a vehicle’s braking and steering, for instance, the cyber-physical effect of the attack is what makes the news. To the non-technical, losing control of their vehicle is highly relatable, whereas the hackers among us are more interested in how the vehicle-controlling code was delivered to the vehicle and how it was able to take over those computing functions. The term cyber-attack is commonly conveyed and interpreted as the entire process of bringing the attack end effect to bear on a system. In actuality, the process involves cyber intelligence gathering or reconnaissance, cyber exploitation, and then ultimately a cyber-attack effect.

In this same vein of common interpretation, the access needed to deploy the attack effect is almost entirely glossed over. This leads to more widespread interpretation issues, primarily in military and policy circles. The focus in a military discussion tends to be exclusively on what end effect can be delivered to the enemy, and there is not enough respect for the sheer effort and technical capabilities needed to get that end effect delivered, if it is even possible to do so. Cyber-attack effects are a dime a dozen, but the ability to accurately find a target and then hopefully gain access to it can be tantamount to impossible. Imagine there was a mission to find some individual’s home and then cause a bunch of damage to it to intimidate that person for beating up a friend of yours. Now, consider that the only information you have about the person is their nickname and that they frequent a restaurant you know about while they are in town on work trips. Also, they beat up your friend yesterday, and if you can’t damage their home in the next week, it is unlikely they will know that their house was trashed for beating up your friend. This doesn’t seem like a mission that is very likely to succeed, does it?

If you can even determine where the person is travelling from on their work trips and who they are and then somehow find their address and get to it in the next week, that alone seems far-fetched. Suppose you somehow did, though: you find their house and you see they have camera systems, a dog, and a sporadic work schedule. You want to trash the person’s house for beating up your friend, but you also don’t want to get caught, arrested, or bitten, so now you need to figure out a way in; doing this as well in whatever time you have remaining in the week-long period is almost ridiculously unlikely. After all this effort to identify, locate, and sneak inside the person’s home, it becomes rather trivial to find a way to cause destruction to intimidate the person. You could do any number of things: light a fire, smash windows, dump garbage, and so on. The cyber warfighting activity process is just like this: appropriate reconnaissance can take time, and accessing the target can be nearly impossible and is constrained by a multitude of factors, time being only one of them. Once you have access to the target, much like access to the home in our analogy, it is comparatively trivial to enact a noticeable cyber-attack effect.

A big reason for this is that, once access is gained, the attacker often is within the same or even a more privileged context than the normal users of the target. Security software and policies still need to let a user perform their needed actions on a given system and as such have to make some assumptions that those on the device with appropriate context are supposed to be there. If security were such that it questioned every move of every user, systems wouldn’t be functional. This concept is similar to the process of granting individuals security clearances for work in the government and national security apparatus. At some point, once you have questioned and investigated the people and they have accessed a building with their badges and correct authority, there is an inherent trust that they are going to act as expected. Pieces of code on a cyber system are treated the same way. If after every security constraint and permission policy and filtering capability the code is still able to get onto the system and execute in a typical way, the system has to trust that it was not done maliciously.

Refined Definition

We have covered a lot of laws, policies, international agreements, and philosophical topics centered around warfare. We have inserted and analyzed how these institutions and ideologies affect cyber activity and the cyber warfighting domain. With the first two chapters as a frame of reference, I will clearly state my refined and appropriate definition for what constitutes cyber warfare before we delve into its technical specifics. This is necessary as we move forward through the technical chapters of this book and discuss how different aspects of technical cyber operations affect our ability to perform warfighting via the cyber domain. For an activity to meet my interpreted definition of being a cyber warfare action based on the previously discussed information, it must meet the following statements:
  • The activity must originate in the cyber domain of warfighting.

  • The activity must be covered by US Code Title 10.

  • The activity must be conducted under the direction of a US military commander and not be an intelligence-gathering activity and be wholly within the cyber domain in preparation of the battlefield for a planned military operation or as part of an ongoing military operation by leveraging activity originating from the cyber domain to cause a noticeable effect in another warfighting domain (air, land, sea, space).

I will also take this opportunity to make a statement about how the United States could improve perception of its power in the cyber domain of warfare. We need our enemies to know, at least in part, what we are capable of. The United States is a feared power in the other warfighting domains because people can cite examples of that power. A nuclear attack submarine or destroyer, Tomahawk missiles, stealth bombers, and extremely talented special forces operators all convey US military power and themselves act as a deterrence, thus furthering the expectation of protection. Enemies of the United States know what it means if STRATCOM (Nukes) and SOCOM (Special Forces Operators) are brought against them, as well as the likely end effect. The role CYBERCOM plays in warfare is not known or established, so how can it help act as a deterrence?

Perhaps a small part of the reason foreign states are not deterred in conducting cyber acts against the United States is they do not know our ability to respond in the cyber warfighting domain. Maybe, if after a military operation, the role cyber activities played in it was acknowledged, it would help others perceive us as a leading player in cyber warfare. The United States readily admits when it launches Tomahawk missiles at targets in another country, why not start admitting when cyber is involved in Title 10 activity? After all, legally the United States acknowledges its role in Title 10 activity, and cyber warfare must fall within that legal authority.

I make no suggestion that this is easily done. I also must make clear that there are trade-offs in declaring that cyber warfare was involved in a wider military operation. The technical extent of this trade-off will be covered in the next chapter. I do believe though that to deter cyber warfighting against us, we in part must demonstrate our ability to wage war in the cyber domain. However, this must be done in a way that does not hamper or hinder our ability to continue to conduct warfighting or intelligence gathering activity in the cyber domain. Doing both may prove impossible, but it is certainly an interesting discussion to have.

Exploitation

We will first cover the activity of cyber exploitation as it is often required to perform both intelligence gathering and attack effect activity. Exploitation is also often referred to as remote code execution which is simply a technical way of saying the attacker is influencing the way a remote system behaves. I will caveat this by saying that there is also local exploitation to systems where access is already attained but that the context of that access does not have the privilege needed to execute the desired end effect of reconnaissance or attack. In either case, this is accomplished through leveraging a vulnerability. Just because a system has a vulnerability does not mean the attacker will be able to use that vulnerability to influence the way the remote system behaves. Exploitation or an exploit is the weaponization of a given vulnerability to gain that remote access necessary to alter the behavior of the remote system. Exploits are needed to deliver any cyber-attack effect, and when uniquely weaponized, they can take years and millions of dollars and scores of people to create, and when used even once, they are potentially identified by the rest of the world and then will be fixed and no longer usable, a fact which must be heavily weighed when deciding to utilize them.

Types of Exploitation

There are many different ways of exploiting systems in the cyber domain, and to understand the various challenges to exploitation in general, we will break them down categorically and cover examples of each type of exploit. Exploitation types are perhaps more accurately vulnerability types as the different factors that present a vulnerability to a system dictate how that vulnerability can be leveraged and the system ultimately exploited and accessed for deployment of attack effects.

Code Vulnerability

A code vulnerability is exploited by taking advantage of a flaw in underlying instructions that allows for remote manipulation of the system in a way that was unintended by the designers of the code. Exploitation of a code vulnerability often takes lots of work even when the vulnerability has already been discovered. Weaponization of a vulnerability is taking that unintended flaw and leveraging it in a purposeful and controlled way. Utilizing code vulnerabilities can many times lead to unwanted results. Sometimes leveraging a vulnerability may lead to remote access to the system, and sometimes it may result in a crash and power off of the remote system. Such a vulnerability is considered weaponized when it has a reasonable chance of attaining the intended result for triggering the vulnerability and an acceptable chance of unintended consequences.

As an analogy to this type of vulnerability, consider the following. Suppose you found out that if you wrote a destination address on an envelope with a first line that was longer than 20 letters and numbers, the mailman would assume it was incorrect and return it to sender. You also found out that the mailman never checked the return address when picking up your mail. These are two examples of vulnerabilities in the mail system. Figure 3-1 shows an example of a letter that has an acceptable 20 characters in the first line of the address (including spaces). This letter will be processed normally and sent to the correct destination address (1232 A. GOOD ADDRESS).
Figure 3-1. Acceptable Letter

Weaponizing the vulnerabilities involves combining them reliably for ulterior motives. For malicious reasons a terrorist wants to exploit these vulnerabilities and send someone anthrax through the mail and needs to make sure they don’t get caught. The terrorist puts anthrax in the envelope with a 21 character destination (1232 A. FALSE ADDRESS) and a return address of the target of the anthrax (1337 TARGET ADDRESS) as shown in Figure 3-2.
Figure 3-2. Rejected Letter

The sorter at the mail office sees that the address is longer than 20 characters and puts it in a bin to be returned to sender. Since the mail carrier who picked it up didn’t verify the return address was where he picked it up from, it gets sent to the actual target (1337 TARGET ADDRESS) and no one will be able to tell where it actually came from. The lack of a validated return address and the issue with destination addresses allowed for this exploitation.

The quintessential example of a code exploitation vulnerability is the overflow of an unbounded buffer, otherwise known as a buffer overflow. The most basic manifestation of this vulnerability is an unchecked copy of a string of numbers and/or letters into a buffer that is kept in system memory. A piece of code is executing, pauses waiting for input, and begins executing again once a string is copied in. Figure 3-3 shows a logical representation of how memory might be laid out to handle this operation.
Figure 3-3. Logical Memory Layout

Let’s say the buffer waiting for the copied text can only hold four characters (ABCD) and that after that buffer are the eight characters that tell the computer the address in memory of what to execute next (54522345). Figure 3-4 shows an example of how this might look in our logical representation of memory for this simple function.
Figure 3-4. Example Memory

If you copied 8 characters into the buffer during the string copy action, you would blow past the bounds of the buffer and overwrite the part that tells the computer what to do next as shown in Figure 3-5, where instead of copying the 4 characters ABCD, we copied the 12 characters ABCD12313371.
Figure 3-5. Overflown Buffer

In this example, the vulnerability is the fact that there is no check to make sure the text entering the buffer is four or fewer characters. This allows us to dictate what will execute next by overwriting the existing memory address (54522345) for the next thing the computer will process with our own specific location instead (12313371). If the 5th through 12th characters we copied in were the location of, say, something malicious we wanted to execute, then we have exploited that vulnerability to get the computer to execute code on our behalf.
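The logical memory of Figures 3-4 and 3-5 can be modelled in C to show the missing length check beside its corrected form. This is an added example, not code from the book; the struct and function names are hypothetical, and the layout is simulated in one flat array so that the overwrite is well defined instead of corrupting a real stack.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN  4                    /* the buffer holds four characters   */
#define ADDR_LEN 8                    /* eight characters: "what runs next" */
#define MEM_LEN  (BUF_LEN + ADDR_LEN)

/* Logical memory of Figure 3-4: the buffer followed by the next address. */
struct frame {
    char mem[MEM_LEN + 1];            /* +1 keeps a NUL so next is printable */
};

static void frame_init(struct frame *f)
{
    memset(f->mem, 0, sizeof f->mem);
    memcpy(f->mem + BUF_LEN, "54522345", ADDR_LEN);
}

static const char *frame_next(const struct frame *f)
{
    return f->mem + BUF_LEN;
}

/* Vulnerable copy: the input length is never compared with BUF_LEN.
 * The clamp to MEM_LEN only keeps this simulation inside its own array. */
static void copy_unchecked(struct frame *f, const char *input)
{
    size_t n = strlen(input);
    if (n > MEM_LEN)
        n = MEM_LEN;
    memcpy(f->mem, input, n);
}

/* Hardened copy: input that does not fit is rejected, nothing is written. */
static int copy_checked(struct frame *f, const char *input)
{
    size_t n = strlen(input);
    if (n > BUF_LEN)
        return -1;
    memset(f->mem, 0, BUF_LEN);
    memcpy(f->mem, input, n);
    return 0;
}

/* Run one copy against a fresh frame and report the resulting next address. */
static const char *next_after(const char *input, int use_check)
{
    static struct frame f;
    frame_init(&f);
    if (use_check)
        (void)copy_checked(&f, input);
    else
        copy_unchecked(&f, input);
    return frame_next(&f);
}

/* Status of the hardened copy for an input: 0 = stored, -1 = rejected. */
static int checked_status(const char *input)
{
    struct frame f;
    frame_init(&f);
    return copy_checked(&f, input);
}

int main(void)
{
    /* Inputs from the text: 4, 8 and 12 characters. */
    const char *inputs[] = { "ABCD", "ABCD1231", "ABCD12313371" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-12s unchecked next=%s", inputs[i], next_after(inputs[i], 0));
        printf("  checked next=%s (status %d)\n",
               next_after(inputs[i], 1), checked_status(inputs[i]));
    }
    return 0;
}
```

With the 8-character input only the first half of the address is replaced; the full 12 characters are needed to substitute 12313371 for 54522345, and the checked copy leaves the address intact in both cases.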

Misconfiguration

Exploitation of a misconfigured system is pretty straightforward. The system has a setting or otherwise configurable option which has left it vulnerable. Weaponization of this type of vulnerability involves turning the misconfiguration into an ability to manipulate the target. Unlike code vulnerabilities, misconfigurations sometimes stand by themselves as an essentially weaponizable capability. Imagine a misconfiguration that allowed a remote entity to power off a system that controlled security cameras. In this case there is no further development to turn the misconfiguration into an attack effect like there likely would be if there was a code vulnerability in the same camera controlling system.

As an example of misconfiguration vulnerability exploitation, I’ll use a facial recognition secured gate. After experiencing tons of false negatives where legitimate users were not being let through the gate, the security staff tuned down the sensitivity of the image detection that allowed individuals through after checking their face. This led to no more legitimate users being stopped at the gate, but it also meant that even those not in the facial recognition database were getting let through because the gate was no longer sensitive enough to tell the difference between most people. This is a misconfiguration that is allowing for a lot of false positives, which is a dangerous result. A malicious individual could leverage this vulnerability to gain access to a building and sabotage something, and the vulnerability itself required no weaponization for reliable exploitation: the individual simply walks up to the gate and is let through due to a false positive.

A relatable cyber system configuration vulnerability exploitation can be seen using the example of a misconfigured firewall. Firewalls are systems which filter incoming network traffic by acting on that traffic as it matches configured rules. Typically, the rules are in list form, and incoming traffic is compared against those rules either starting at the top and going down the list or vice versa. The safest way to configure a firewall is with a “deny all” as the last rule for comparison. This way, if traffic doesn’t match an explicit “allow” rule on the list, it will ultimately be denied. Firewall rules can be unsafely configured for the same reasons as in our facial recognition gate in the previous example. If traffic getting filtered by the firewall is having too many false negatives and the system is not able to function, there is a possibility that the administrators of that firewall will begin to make the rules less strict so that everyday operations in the system are allowed to happen as intended. This also opens up the firewall to more likely have false positives as well, and a malicious actor may communicate through the firewall due to this. In the same way that the misconfiguration of the facial recognition gate did not need weaponization neither would the vulnerability present in the misconfigured firewall. The malicious actor is simply able to pass by the security feature due to its vulnerable configuration.
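The loosened rule list described above can be contrasted with the strict one, together with an audit check a defender can run over a rule list. This is an added example, not code from the book; it assumes top-down, first-match evaluation, and the rule sets, addresses (documentation ranges) and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

enum action { DENY = 0, ALLOW = 1 };

struct rule {
    enum action act;
    uint32_t net;                 /* source network, host byte order      */
    int prefix;                   /* prefix length; 0 matches any source  */
    uint16_t port_lo, port_hi;    /* inclusive destination port range     */
};

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))
#define COUNT(x) ((int)(sizeof(x) / sizeof((x)[0])))

/* Constructed rule sets. */
static const struct rule strict_rules[] = {
    { ALLOW, IP(192, 0, 2, 0), 24, 443, 443 },
    { DENY,  0, 0, 0, 65535 },            /* final "deny all"              */
};
static const struct rule loosened_rules[] = {
    { ALLOW, IP(192, 0, 2, 0), 24, 443, 443 },
    { ALLOW, 0, 0, 0, 65535 },            /* added to stop false negatives */
    { DENY,  0, 0, 0, 65535 },            /* still listed, never reached   */
};

static uint32_t mask_of(int prefix)
{
    return prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
}

/* Top-down, first match wins; unmatched traffic is denied (a fail-closed
 * choice made for this example). */
static enum action filter(const struct rule *r, int n,
                          uint32_t src, uint16_t dport)
{
    for (int i = 0; i < n; i++) {
        uint32_t m = mask_of(r[i].prefix);
        if ((src & m) == (r[i].net & m) &&
            dport >= r[i].port_lo && dport <= r[i].port_hi)
            return r[i].act;
    }
    return DENY;
}

/* Audit: index of the first DENY rule that an earlier ALLOW rule covers
 * completely (so the DENY can never fire), or -1 if there is none. */
static int shadowed_deny_index(const struct rule *r, int n)
{
    for (int j = 0; j < n; j++) {
        if (r[j].act != DENY)
            continue;
        for (int i = 0; i < j; i++) {
            uint32_t m = mask_of(r[i].prefix);
            if (r[i].act == ALLOW && r[i].prefix <= r[j].prefix &&
                (r[j].net & m) == (r[i].net & m) &&
                r[i].port_lo <= r[j].port_lo && r[i].port_hi >= r[j].port_hi)
                return j;
        }
    }
    return -1;
}

static int verdict(int loosened, uint32_t src, uint16_t dport)
{
    return loosened
        ? filter(loosened_rules, COUNT(loosened_rules), src, dport)
        : filter(strict_rules, COUNT(strict_rules), src, dport);
}

static int shadowed_deny(int loosened)
{
    return loosened
        ? shadowed_deny_index(loosened_rules, COUNT(loosened_rules))
        : shadowed_deny_index(strict_rules, COUNT(strict_rules));
}

int main(void)
{
    uint32_t outsider = IP(203, 0, 113, 5);   /* constructed unknown source */
    printf("strict:   outsider to port 22 -> %s, shadowed deny at %d\n",
           verdict(0, outsider, 22) ? "ALLOW" : "DENY", shadowed_deny(0));
    printf("loosened: outsider to port 22 -> %s, shadowed deny at %d\n",
           verdict(1, outsider, 22) ? "ALLOW" : "DENY", shadowed_deny(1));
    return 0;
}
```

The loosened list still ends in a deny-all, so reading it rule by rule looks safe; the audit function flags that the broad allow above it makes that last rule unreachable.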

Human Mistake

To err is human. Exploiting the vulnerability of human nature itself is a technique everyone is familiar with and which translates well into the cyber domain. Weaponizing this type of vulnerability can be unnecessary and impossible when the vulnerability of a human mistake presents itself as a target of opportunity. On the other hand, planned solicitation of human mistakes can be pre-weaponized to take advantage of likely courses of human actions.

An example of an opportunistic human mistake vulnerability is as simple as tailgating behind a person after they badge into a secure area. The vulnerability in this example is that the individual with legitimate access to the secure area didn’t make sure that the person behind them either also badged in or had to open the door themselves. There is not much weaponization potential for these kinds of human mistakes as they enable the attacker by chance. On the other hand, calling the phone number for technical assistance at a company and tricking the person on the other end of the call into divulging sensitive information will require some weaponization. The vulnerability here is the overly trusting human on the other end mistakenly giving up sensitive data. The weaponization of that vulnerability is turning that data into access to the company in some way.

Most are familiar with email phishing even if they are not familiar with the term itself. It is the act of sending out emails that somehow trick the recipient into doing something. This example of cyber exploitation using the vulnerability of human mistakes is pre-planned and weaponized by already having some intended action or information to elicit from the recipients of the email. The email may tell the user that their bank password has expired and to visit a web site to reset it. The web site the user is directed to is set up by the attacker to log their credentials. The vulnerability is the human mistakenly thinking they need to reset their password and visiting the site in the email. The weaponization is the pre-built web site which logs the username and password they use so the attacker can then access their bank account. An example of a target of opportunity type human mistake vulnerability in the cyber realm would be something like pulling up someone’s email after they leave an internet café and forget to turn off or lock the computer they were using.

Illegitimate Use of Legitimate Credentials

This is the easiest to understand and simplest to leverage of the vulnerability categories, and exploitation of the vulnerability is similarly straightforward. For a non-cyber instance of using legitimate credentials illegitimately, think of a house key. You go to your hardware store and they copy your house key for you while you shop. While they make you a copy, they also make themselves one and get your billing address when you pay with your credit card. The pattern on the key is a legitimate credential that will let you open the lock of your home when you get home. It can also be used illegitimately by the hardware store worker the next day when you are away to break into your house and take your belongings. The cyber domain also has keys, and they also can be copied by malicious actors for illegitimate use. This is the same for PINs and passwords as well. In some cases, especially in the software used to run smart devices such as Wi-Fi-capable coffee machines or workout equipment, the passwords for the software are configured at a factory and almost never changed. When these credentials become public, they can be used by malicious actors to gain access to a device and from there target other systems. In all these examples, the vulnerability is clearly that legitimate credentials were obtained somehow and then the exploitation is using those credentials illegitimately to manipulate the behavior of another system.

Valuing Vulnerability Categories

To one degree or another, each of the vulnerability exploitation categories discussed in this chapter is caused by human error. Exploitation of human mistakes and utilizing valid credentials obtained through nefarious means require real-time errors by humans to facilitate remote manipulation of a system. Misconfigurations are human errors in the past which make a system more vulnerable than it could be if the system was correctly configured and code vulnerabilities are present due to a design-level error which becomes widespread through each instance of like systems.

Certainly, the value of a given vulnerability and its successful exploitation will vary from end effect to end effect especially to the warfighter more concerned with the attack portion of cyber activity. Exploitation-specific value however places the onus on a vulnerability’s potential to allow for end effects whether those are Title 10 or Title 50 specific. In this sense human mistakes are the least valuable as the vulnerability presents itself often by chance and is typically no more immediately widespread than the individual who made the mistake. Slightly more exploitable than human mistakes are misconfigurations. This is because once discovered by an attacker, they can be repeatedly used.

Whereas a mistake like the one shown in Figure 3-6 might only lend itself to being leveraged once, like our malicious email example, a facial recognition gate that lets unintended people through can be used until the misconfiguration is identified. Misconfigurations are also likely to be shared among the same type of devices, especially in large networks where install or virtualization processes are likely repeated off a template, and if that template has a misconfiguration, it will be represented on all of the machines that use it.
Figure 3-6. A Single Host Compromised by Mistake

Valid credentials would be more valuable for exploitation than either human mistakes or misconfigurations as once they were obtained it is likely they can continue to be used and also that they are potentially re-used on other systems from the same target set as shown in Figure 3-7. As an example, consider administrator credentials which are often re-used between systems at the same organization. Specifically, domain administrator credentials, for instance, can be re-used across any device in that domain, allowing one vulnerability to facilitate exploitation across a larger target set.
Figure 3-7. Hosts Using the Same Template Compromised with Same Misconfiguration

Figure 3-8. Credential Re-use Compromises Whole Network

Most valuable of all are code vulnerabilities. They can be used more than once like valid credentials and misconfigurations until that use is discovered. Where misconfiguration vulnerabilities might be system specific and credentials potentially target set specific, code vulnerabilities apply to any organization using the software or system using that code. This means that once discovered a code vulnerability might allow remote manipulation of systems across the internet and not limited to a particular target set.
Figure 3-9. Code Vulnerability Can Compromise Any Host Using It

We have already discussed that code vulnerabilities are extremely difficult to discover, which further increases their value. Thousands of hours can be spent attempting to find a code vulnerability in a particular system without any success. Further, if found and weaponizable, that vulnerability once leveraged is potentially identified by security systems on the target system or by forensic researchers as part of a resulting incident response. Worse yet, other organizations and individuals are also constantly looking for unknown vulnerabilities in code across the spectrum of applications and software. Therefore, even if you found a code exploit that worked against systems you needed to target but you were holding off for an important enough end effect, someone else may have discovered it and leveraged it in some other effort. If someone else is using the same or even a related exploit of a vulnerability similar to the one you have been holding on to, the response by the security industry may mean your exploit no longer works or is detected. The same is true for security researchers who are also looking for code vulnerabilities for bounty programs and even just as employment. All this means that good, weaponized code vulnerabilities should be used only after weighing the cost-benefit and careful tradecraft consideration to avoid being caught and the vulnerability discovered when able. It also means that part of this decision should be that there is always the potential that the exploit and vulnerability that has been created for military use could become known to the public and then potentially useless at any time as well. I will also cede the point that exploiting human mistakes or misconfigurations, though potentially limited to a specific system, may lead to the compromise of entire organizations.
This focuses on the potential vulnerability those devices themselves pose to the organization if compromised and not the categorical cyber vulnerability that was exploited to gain access to them.

Title Implications

So, we must now ask ourselves which authority exploitation within the cyber domain happens under so that we know how it is affected by the non-technical constraints. As it turns out, the activity of cyber exploitation is used to enable both Title 10– and Title 50–type actions. It is fairly obvious that the end effect of cyber reconnaissance to gather intelligence falls within Title 50 authorities and that cyber end effect of attack activities falls within Title 10. Exploitation is often needed in either case, whether to gain access to the targets of intelligence gathering activity or to pre-position cyber-attack effects. The litmus test for which authority cyber exploitation activities fall within is dictated by the intent for the follow-on cyber end effect. If cyber exploitation is performed to gain access to a device to garner intelligence, then that exploitation was done under Title 50 authority’s subsequent oversight. Similarly, if cyber exploitation allowed for an attack end effect tool to be installed on a system that was intended as a target of a military operation, it would fall under Title 10 as that exploitation would be considered battlefield preparation.

Summary

In this chapter we discussed the activity of exploitation within the cyber domain of warfighting. This activity leverages multiple different categorical vulnerability types and enables both the Title 50 end effect of intelligence gathering and the Title 10 effect of cyber-attack via battlefield preparation.
