The first of an ongoing series of deep-dive videos into newly discovered and critical vulnerabilities. 

In the first installment of Synack’s newly launched Exploits Explained video series, we are digging deep into a zero-day Remote Code Execution (RCE) vulnerability that one of our Red Team researchers recently uncovered during a web application test. 

RCE vulnerabilities are unfortunately fairly common and dangerous as they give attackers the ability to access servers, make changes and tamper with sensitive data and even take over applications running on the same server.

We demonstrate the vulnerability in a live hack of the vulnerable web application, which has been scrubbed of any identifying features, showing how an intruder who discovered the flaw could gain access to the application and carry out an attack.

This exploit makes use of a common technique for proving code execution: a DNS query carries the command output out of the target, so the attacker can read it from the DNS traffic. The technique is useful in many situations where an attacker cannot otherwise see the output of the commands being executed, or where the exploited system has restricted communications to the internet.
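The flip side of that technique is that the command output has to leave the network as DNS queries, which a defender can watch for. The script below is an added example, not code from the video or from Synack: it runs a few simple heuristics over constructed DNS query log lines in a hypothetical "timestamp client qname" format (long leftmost labels, hex-only labels, high-entropy labels, and one client issuing a burst of unique subdomains under one parent domain). The domain `oob.example`, the client addresses and the hex-looking labels are all made up for the sample.

```python
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample DNS query log in a hypothetical "timestamp client qname" format.
# The hex-looking labels are made-up values standing in for encoded command output.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com
2024-05-01T10:00:02Z 10.0.0.5 mail.example.com
2024-05-01T10:00:03Z 10.0.0.7 7569643d3130303028617070290a.cb.oob.example
2024-05-01T10:00:04Z 10.0.0.7 67726f7570733d31303030.cb.oob.example
2024-05-01T10:00:05Z 10.0.0.7 3d3d454e44.cb.oob.example
2024-05-01T10:00:06Z 10.0.0.5 cdn.example.net
2024-05-01T10:00:07Z 10.0.0.7 api.example.com
"""

LONG_LABEL = 24                          # label length rarely seen in legitimate hostnames
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")  # hex-encoded data, no letters beyond a-f
ENTROPY_THRESHOLD = 3.0                  # bits per character; real hostnames are lower


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of a string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one log line into (timestamp, client, normalised qname)."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ts, client, qname = parts
    return ts, client, qname.lower().rstrip(".")


def label_reasons(qname: str) -> List[str]:
    """Per-query heuristics applied to the leftmost label, where exfiltrated data usually sits."""
    leftmost = qname.split(".")[0]
    reasons = []
    if len(leftmost) >= LONG_LABEL:
        reasons.append("long_label")
    if HEX_LABEL.match(leftmost):
        reasons.append("hex_label")
    if shannon_entropy(leftmost) >= ENTROPY_THRESHOLD:
        reasons.append("high_entropy")
    return reasons


def parent_domain(qname: str) -> str:
    """Naive parent domain: the last two labels (no public-suffix handling)."""
    return ".".join(qname.split(".")[-2:])


def find_suspicious(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (client, qname, reasons) for every query that trips a per-query heuristic."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, qname = rec
        reasons = label_reasons(qname)
        if reasons:
            hits.append((client, qname, reasons))
    return hits


def subdomain_bursts(log_text: str, threshold: int = 50) -> Dict[Tuple[str, str], int]:
    """Count unique qnames per (client, parent domain); chunked output shows up as many
    never-repeated subdomains under one domain, even when each label looks harmless."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, qname = rec
        seen[(client, parent_domain(qname))].add(qname)
    return {key: len(names) for key, names in seen.items() if len(names) >= threshold}


if __name__ == "__main__":
    for client, qname, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{client} {qname} {','.join(reasons)}")
    # Threshold lowered to 3 only because the sample is tiny; tune it on real traffic.
    for (client, parent), count in subdomain_bursts(SAMPLE_LOG, threshold=3).items():
        print(f"burst: {client} -> {count} unique names under {parent}")
```

The third `oob.example` query is short enough to pass every per-query check, which is why the per-client burst count is worth keeping alongside the label heuristics; in production the threshold and the parent-domain logic (public suffix list, allowlisted CDN and telemetry domains) need tuning to the environment.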

An attacker with authenticated access to the vulnerable web app who discovers the RCE will have user privilege command execution on the server that hosts the site. The criticality of the RCE vulnerability really depends on the sensitivity of the data in the application. But even if an attacker is unable to gain administrative privileges on the server, user level access often provides enough for the attacker to access the full database.

If multiple web applications are hosted on the same server, compromising one app could give an attacker access to other programs running on the same server.

It’s critical that security teams and developers stay vigilant against these types of vulnerabilities. Any features that respond to user supplied inputs should only act on untrusted inputs when absolutely necessary. 

This live hack demonstration makes the case that developers must assume that every input an application receives from an outside source could be untrustworthy — and design systems accordingly to defend against RCE attacks. 
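What "designing accordingly" looks like in code, as an added example that is not the vulnerable application from the video and not Synack's code: the post does not say which class of flaw the researcher found, so this assumes the common case of a web feature that hands a user-supplied value to an operating system command. The directory `/var/app/reports` and the `wc -l` feature are hypothetical. The first function shows the concatenation pattern that turns user input into a command; the second validates the value against a strict allowlist and builds an argument list that is executed without a shell, so no metacharacter is ever interpreted.

```python
import re
import subprocess
from typing import List, Optional

# Hypothetical directory the feature is allowed to read (constructed for this example).
REPORT_DIR = "/var/app/reports"
# Allowlist: starts with a letter or digit (so no leading '.'), then a short run of
# name characters. '/', ';', '|', '$', quotes and whitespace can never match.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def vulnerable_command(filename: str) -> str:
    """Vulnerable pattern: untrusted input concatenated into a shell command line.
    Run through a shell, anything after a ';' or '|' becomes a second command."""
    return f"wc -l {REPORT_DIR}/{filename}"


def safe_argv(filename: str) -> Optional[List[str]]:
    """Hardened pattern: reject anything outside the allowlist, then return an argv
    list (one element per argument) instead of a string for a shell to parse."""
    if not SAFE_NAME.fullmatch(filename):
        return None
    return ["wc", "-l", f"{REPORT_DIR}/{filename}"]


def count_lines(filename: str) -> Optional[int]:
    """Execute the hardened form with shell=False; None means rejected or failed."""
    argv = safe_argv(filename)
    if argv is None:
        return None
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    if result.returncode != 0:
        return None
    return int(result.stdout.split()[0])


if __name__ == "__main__":
    for name in ("q1-2024.txt", "q1.txt; other", "../secret.txt"):
        print(repr(name), "->", safe_argv(name))
```

The allowlist does the real work: rather than trying to strip every dangerous character (a denylist that is easy to get wrong), it describes the only shape a legitimate value can take and refuses everything else, and the argv form means that even a value that slipped past validation would be handed to `wc` as a plain file name rather than parsed by a shell.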

For another deep dive into the hacker mindset, check out Hacker Horizons – Attacker Methodology and Exploitation Demo — a step-by-step look into the seven steps of the kill chain, from Reconnaissance to Actions on Objectives. 

Jake Garner, Director of Technical Operations at Synack, got started in computer security in 2008 while serving in the US Navy. Since entering the infosec space, he has served in a diverse set of roles on the defensive and offensive side. Past roles have been focused on Computer Network Defense (CND) including Threat Intelligence, Network Security Events Monitoring and Advanced Persistent Threat Incident Response Investigations as well as Computer Network Exploitation for government and enterprise. In his role at Synack, Jake oversees all vulnerability operations executed by the Synack Red Team.

Posted by Charlie