1. Introduction:
Privilege escalation can be understood simply as a class of attack in which a user with low privileges exploits a weak point in the system to become the administrator, or at least to obtain more rights than they were granted. The usual routes to privilege escalation are cracking the administrator's password, buffer overflow attacks, and stealing passwords from the machine itself. This analysis presents one common weakness that can be exploited to steal passwords and then escalate privileges: passwords held in plain text in process memory. Through it we will see a shortcoming of the system, gain a better appreciation of privilege escalation attacks, and see why continuous patching of the system matters.


2. Weak points to attack:
Even when an application server stores its passwords encrypted (or hashed) on disk, in many cases no such protection is applied to the password once it is held in memory. An attacker who can read the system's memory can therefore read the password unencrypted: a program that gives direct access to memory lets them inspect a chosen region and pull the password out of it. That password may be the administrator password of a server, a user's password for an application, or a database password. Recovering an application's password in this way already counts as a successful privilege escalation. Any application that keeps an authentication password unencrypted in memory should therefore be regarded as a weakness of the system and a place where privilege escalation is possible. One caveat: on a modern operating system reading another process's memory is itself a privileged operation (on Windows it needs ownership of the process or the debug privilege; on Linux it is controlled by the ptrace restrictions), so the scenario here assumes an attacker who already has an account on the server, or physical access to it, which is what the experiment below uses.

3. Where the password sits in memory:
A memory viewer shows all of the code and data a process holds in memory. That data is usually large and mixes binary data with text strings. A password can be located in memory in two ways:
By reading a fixed location in memory. For a given build of an application, the buffer holding the password tends to be allocated at the same position every time the program runs. For example, suppose every installation of a given server holds its administrator password at address 10BD862C. Once that address is known, the password can be read straight out of memory by anyone able to read it. To discover the location, the attacker installs the same application on their own system, finds where the password sits in memory there, and then reads the same position on the victim's server. (Address space randomization makes absolute addresses vary between runs on current systems, but the offset relative to the module or heap that holds the buffer is often still stable, so the search is done relative to that base.)
The other way relies on the user name being stored next to the password. The attacker creates a user and password on their own system, opens a memory viewer, and searches for account names such as "Admin", "Administrator", "Administrators" and so on; the password is usually found in the bytes immediately following the name. The same search on the victim's memory then turns up the real values.
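As an added illustration (not part of the original article, and not code from WinHex or MySQL), the following C program applies both techniques to a constructed memory image: reading the string at a known fixed offset, and anchoring on an account name in both ASCII and UTF-16LE, the form in which Windows programs usually keep their strings. The image bytes, the offset 74, and the names and passwords in it are made up for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed memory image standing in for a RAM dump of an admin tool
   (example data, not a real dump). Layout is arbitrary: binary noise, an
   ASCII account record ("Admin" then its password), a UTF-16LE account
   record ("Administrator" then its password), and a password that sits at
   a fixed offset with no name in front of it. */
static const unsigned char IMAGE[] =
    "\x00\x00\xAA\x10\x44\x00\x00"                      /*  0..6   noise          */
    "Admin\0adminvn\0\0"                               /*  7..21  ASCII record   */
    "\x7F\x01\x02\x03"                                 /* 22..25  noise          */
    "A\0d\0m\0i\0n\0i\0s\0t\0r\0a\0t\0o\0r\0\0\0"     /* 26..53  UTF-16LE name  */
    "s\0e\0c\0r\0e\0t\0!\0\0\0"                        /* 54..69  UTF-16LE pass  */
    "\x00\x00\x00\x00"                                 /* 70..73  noise          */
    "db_pass_42\0";                                    /* 74..84  fixed offset   */
#define IMAGE_LEN (sizeof(IMAGE) - 1)
#define FIXED_PASSWORD_OFFSET 74  /* assumed to have been learned on a reference install */

static char result[64];   /* output buffer shared by the lookup functions */

static int printable(unsigned char c) { return c >= 0x20 && c < 0x7F; }

/* Copy the printable ASCII run starting at IMAGE[pos] into result. */
static const char *take_ascii_run(size_t pos)
{
    size_t n = 0;
    while (pos + n < IMAGE_LEN && printable(IMAGE[pos + n]) && n < sizeof(result) - 1) {
        result[n] = (char)IMAGE[pos + n];
        n++;
    }
    result[n] = '\0';
    return n ? result : NULL;
}

/* Same for a UTF-16LE run: pairs of (printable low byte, 0x00 high byte). */
static const char *take_utf16_run(size_t pos)
{
    size_t n = 0;
    while (pos + 2 * n + 1 < IMAGE_LEN && printable(IMAGE[pos + 2 * n]) &&
           IMAGE[pos + 2 * n + 1] == 0 && n < sizeof(result) - 1) {
        result[n] = (char)IMAGE[pos + 2 * n];
        n++;
    }
    result[n] = '\0';
    return n ? result : NULL;
}

/* Technique 1 from the text: read the string at a fixed, known offset. */
const char *password_at_offset(size_t off)
{
    return off < IMAGE_LEN ? take_ascii_run(off) : NULL;
}

/* Plain byte-pattern search (memmem is not portable). Returns -1 if absent. */
static long find_bytes(const unsigned char *pat, size_t patlen)
{
    for (size_t i = 0; i + patlen <= IMAGE_LEN; i++)
        if (memcmp(IMAGE + i, pat, patlen) == 0) return (long)i;
    return -1;
}

/* Technique 2: anchor on an account name and take the string stored after it.
   The result is a candidate: if the name is a prefix of a longer string
   ("Admin" inside "Administrator") the run after it is not a password. */
const char *password_after_ascii(const char *name)
{
    long at = find_bytes((const unsigned char *)name, strlen(name));
    if (at < 0) return NULL;
    size_t pos = (size_t)at + strlen(name);
    while (pos < IMAGE_LEN && IMAGE[pos] == 0) pos++;   /* skip terminator/padding */
    return take_ascii_run(pos);
}

/* Same, for a process that stores its strings as UTF-16LE (usual on Windows). */
const char *password_after_utf16(const char *name)
{
    unsigned char wide[64];
    size_t len = strlen(name);
    if (2 * len > sizeof(wide)) return NULL;
    for (size_t i = 0; i < len; i++) { wide[2 * i] = (unsigned char)name[i]; wide[2 * i + 1] = 0; }
    long at = find_bytes(wide, 2 * len);
    if (at < 0) return NULL;
    size_t pos = (size_t)at + 2 * len;
    while (pos < IMAGE_LEN && IMAGE[pos] == 0) pos++;
    return take_utf16_run(pos);
}

int main(void)
{
    printf("fixed offset %d      -> %s\n", FIXED_PASSWORD_OFFSET, password_at_offset(FIXED_PASSWORD_OFFSET));
    printf("after 'Admin'        -> %s\n", password_after_ascii("Admin"));
    printf("after L'Administrator' -> %s\n", password_after_utf16("Administrator"));
    return 0;
}
```

Against a real dump the same two loops run over the captured RAM buffer instead of IMAGE; the ASCII search for "Administrator" returns nothing here precisely because the record is stored wide, which is why both encodings are tried.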

4. When is the password in memory?
Consider the following example, which shows when a password ends up in memory:
When an application on the server starts, it reads its command-line arguments (the Java options, in the case of a Java server) and its environment variables, and opens a TCP port. It works out which operating system user and group it is running as (authentication). It also reads a configuration file to obtain the rest of its settings.
During startup the server loads the administrator's password into memory in plain text. In other cases the configuration file supplies the connection details for the database, including the password used to log in to it, and the server loads that password into memory in plain text too. Some options allow the password not to be loaded at startup, but it still appears in memory as soon as the administrator or a user authenticates, and it stays in memory even after that user has logged out.

5. Experiment:
Let us run an experiment to demonstrate the problem. It may not succeed on the first try. Proceed as follows:

- Identify a target: a server, an application server or a web server.

If the server loads the administrator password into memory when it starts, the attacker logs in to the system with their own account and opens a program that displays memory contents. With such a program they can view the user's password. Once the credentials are known, the privilege escalation follows.

- In another case the server does not load the password at startup, but it is loaded into memory when the administrator authenticates. The password then stays in the server's memory for the rest of the run. Even if the administrator's access is over a remote connection, the server's memory still holds the password in plain text and it can be found.

- And here is the case where the attacker's target is the database password. Find a server that holds the database connection settings. The connection information includes the database user name and password. When the server boots it loads the database password into memory in order to connect. As above, use the memory viewer to search for the password.

For the steps above, I used MySQL and WinHex in this example.

After installing MySQL, I set the user name and password to admin / adminvn.

Log in, as a network administrator would.

Then log out. Now, playing the attacker, who has access to the physical server, I run WinHex. Note that this program runs without being installed.

In the WinHex window, select Tools > RAM Editor > WinMySQLadmin, then search for the Admin user (see the picture). The password is found next to it; the attack succeeds.
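To make sections 4 and 5 concrete without a Windows machine and WinHex, here is an added C example (not from the article) that simulates the server's heap with a small static arena: the server reads a constructed configuration file, loads the admin and database passwords into heap buffers, checks a login, and releases the login buffer. Scanning the arena afterwards, the way the RAM editor scans the real process, finds both passwords, and at the same offsets on every run. A second mode wipes the buffers before release, which is the fix a developer can apply. The configuration contents, the allocator, and the password values are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* A bump allocator over a static array stands in for the process heap, so the
   run is deterministic and every byte can be scanned afterwards. arena_free
   deliberately leaves the bytes alone, which is what free() does in practice:
   releasing memory does not erase it. */
static unsigned char arena[512];
static size_t arena_top;

static void *arena_alloc(size_t n)
{
    void *p = &arena[arena_top];
    arena_top += (n + 15) & ~(size_t)15;   /* 16-byte granularity, like a real allocator */
    return p;
}
static void arena_free(void *p) { (void)p; }

/* A wipe the compiler may not drop as a dead store (the volatile writes must
   happen). Production code should use the platform routine for this:
   SecureZeroMemory on Windows, explicit_bzero on BSD/glibc, memset_s in C11. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Constructed configuration file contents (an assumption of the example). */
static const char CONFIG[] =
    "admin_user=admin\nadmin_pass=adminvn\ndb_user=root\ndb_pass=dbS3cret!\n";

/* Copy the value after `key` out of CONFIG into a fresh heap buffer. */
static char *config_value(const char *key)
{
    const char *p = strstr(CONFIG, key);
    if (!p) return NULL;
    p += strlen(key);
    size_t n = strcspn(p, "\n");
    char *v = arena_alloc(n + 1);
    memcpy(v, p, n);
    v[n] = '\0';
    return v;
}

/* The attacker's view: search the whole arena for a plaintext string, as the
   RAM editor in the experiment does. Returns the offset, or -1 if absent. */
long scan_arena(const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= sizeof(arena); i++)
        if (memcmp(&arena[i], needle, n) == 0) return (long)i;
    return -1;
}

/* The experiment: start the server (admin and DB passwords come from the
   config), log the administrator in and out, then scan for `needle`.
   wipe == 0 behaves like the server in the article; wipe == 1 scrubs the
   password buffers as soon as the comparison is done. */
long run_experiment(const char *needle, int wipe)
{
    memset(arena, 0, sizeof(arena));
    arena_top = 0;

    /* Startup: password material is read into heap memory in the clear. */
    char *admin_pw = config_value("admin_pass=");
    char *db_pw    = config_value("db_pass=");
    if (!admin_pw || !db_pw) return -2;
    (void)db_pw;   /* a real server would now open its database connection with db_pw */

    /* The administrator authenticates: the submitted password is copied into
       a buffer and compared with the stored one. */
    char *submitted = arena_alloc(32);
    strcpy(submitted, "adminvn");                /* constructed login attempt */
    int ok = strcmp(submitted, admin_pw) == 0;

    /* Logout: the buffer is released. Without a wipe its bytes survive. A
       server that must verify later logins keeps a hash, not the password,
       so wiping the config copy too is the right behaviour. */
    if (wipe) {
        secure_wipe(submitted, 32);
        secure_wipe(admin_pw, strlen(admin_pw) + 1);
    }
    arena_free(submitted);
    if (!ok) return -3;

    return scan_arena(needle);
}

int main(void)
{
    printf("unwiped: 'adminvn' at %ld, DB password at %ld\n",
           run_experiment("adminvn", 0), run_experiment("dbS3cret!", 0));
    printf("wiped:   'adminvn' at %ld, DB password at %ld\n",
           run_experiment("adminvn", 1), run_experiment("dbS3cret!", 1));
    return 0;
}
```

The offsets are the same on every run because the allocation order is fixed, which is the property the fixed-offset technique of section 3 relies on. Note that the database password is still found in the wiped mode: the server needs it for as long as it holds the connection, so for that credential the protection has to come from limiting who can read the process's memory and from giving the database account only the rights it needs.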

6. The issue of password loss

This is worth discussing as a way of limiting what an attacker can do with a stolen password. With the above in mind, pay attention to the following points:

- Change the password frequently, so that a password that does leak is not valid for long.

- A password should mix letters, digits and other characters, and should not be related to the user or the account (name, user name, company), since that makes it easier for an attacker to guess.

- Remove users that are not really needed, to reduce the number of accounts through which privilege escalation is possible.

- For further points, see the related topic.


7. Limiting attacks on this weakness:

The best ways to limit the problem described above are:

- Do not let outsiders learn about the system or get physical access to the server.

- Do not grant untrusted users of the server the right to install unknown programs, and keep the ability to read other processes' memory (debugging privileges, memory editors) to the administrators who need it.
