deactivating endpoint protection software in an
play

Deactivating Endpoint Protection Software in an Unauthorized Manner - PowerPoint PPT Presentation

Sep 26, 2023 •254 likes •653 views

Deactivating Endpoint Protection Software in an Unauthorized Manner November 19, 2015 November 19, 2015 Matthias Deeg | DeepSec 2015 1 Who am I? Dipl.-Inf. Matthias Deeg Expert IT Security Consultant CISSP, CISA, OSCP, OSCE especially IT

  1. Deactivating Endpoint Protection Software in an Unauthorized Manner November 19, 2015 November 19, 2015 Matthias Deeg | DeepSec 2015 1

  2. Who am I? Dipl.-Inf. Matthias Deeg Expert IT Security Consultant CISSP, CISA, OSCP, OSCE especially IT security – since his early days Ulm, Germany November 19, 2015 Matthias Deeg | DeepSec 2015 2  Interested in information technology –  Studied computer science at the University of  IT Security Consultant since 2007

  3. Agenda 1. Endpoint Protection Software in IT Security 2. Less Regarded Security Issues 3. Use Cases & Attack Scenarios 4. Live Demo 5. Conclusion & Recommendations 6. Q&A November 19, 2015 Matthias Deeg | DeepSec 2015 3

  4. Endpoint Protection Software in IT Security November 19, 2015 Matthias Deeg | DeepSec 2015 4

  5. Endpoint Protection Software in IT Security protect IT systems (e. g. client or server systems) from different threats. November 19, 2015 Matthias Deeg | DeepSec 2015 5  In general, endpoint protection software is a security control to  Typical features of endpoint protection software products are  antivirus and malware detection,  application control,  device control,  or firewall functionality.

  6. Password Protection November 19, 2015 Matthias Deeg | DeepSec 2015 6 on the management of some or all features and settings. changes in the functioning of the endpoint protection software. when it comes to security (principle of least privilege). usually a password is required (password-based authentication).  Many endpoint protection software products allow to set restrictions  This protection reduces the risk of unauthorized or unintended  Restricting administrative access is generally a good idea, especially  In order to access and use protected management functionality,

  7. Password Protection: KES 10 November 19, 2015 Matthias Deeg | DeepSec 2015 7

  8. Less Regarded Security Issues November 19, 2015 Matthias Deeg | DeepSec 2015 8

  9. Less Regarded Security Issues 1. Matthias Deeg | DeepSec 2015 November 19, 2015 World-readable password information (for all installations) Use of symmetric cryptographic ciphers with a single hard-coded key Use of cryptographically weak one-way hash functions without a salt Storing clear-text passwords 9 Insufficient protection of user credentials, for example 2. Offline access to local databases protection software Management of locally installed software products, e. g. endpoint scenarios in non-networked software features, for example Authentication bypass vulnerabilities concerning local attack      

  10. Authentication Bypass Vulnerability November 19, 2015 Matthias Deeg | DeepSec 2015 10 and use functionalities of a system without completing a required authentication step in the intended way. arbitrary password to successfully log in to a system is a classic example of this vulnerability type. vulnerabilities, for instance  An authentication bypass vulnerability allows an attacker to access  Concerning password-based authentications, being able to use an  There are different root causes for authentication bypass • Improper input validation (e. g. SQL injection) • Violation of secure design principles

  11. Low-Privileged Domain (less trustworthy) report privileges, e. g. Perform tasks with low privileges, e. g. Perform tasks with high something do something Authentication Bypass Vulnerability High-Privileged Domain (more trustworthy) What is the problem? 11 Matthias Deeg | DeepSec 2015 November 19, 2015 ProductService.exe ProductUI.exe NT AUTHORITY\SYSTEM DEFAULT_USER  Change configuration  Show status information  Enable features  Handle user interaction  Disable features  Do user authentication

  12. Low-Privileged Domain (less trustworthy) report privileges, e. g. Perform tasks with low privileges, e. g. Perform tasks with high something do something Authentication Bypass Vulnerability High-Privileged Domain (more trustworthy) What is the problem? 12 Matthias Deeg | DeepSec 2015 November 19, 2015 ProductService.exe ProductUI.exe NT AUTHORITY\SYSTEM DEFAULT_USER  Change configuration  Show status information  Enable features  Handle user interaction  Disable features  Do user authentication

  13. Authentication Bypass Vulnerability November 19, 2015 Matthias Deeg | DeepSec 2015 13 run in the context of a low-privileged user, it can be analyzed and manipulated by a low-privileged user. has to patch the corresponding check, so that it always returns true, for example by comparing the correct password with itself or by modifying the program control flow.  If the authentication is done within a process which runs or can be  In order to bypass the authentication mechanism, an attacker only ⇒ Protected features can be used in an unauthorized way

  14. Authentication Bypass Vulnerability: KES 10 November 19, 2015 Matthias Deeg | DeepSec 2015 14

  15. Authentication Bypass Vulnerability: KES 10 November 19, 2015 Matthias Deeg | DeepSec 2015 15 which runs or can be run in the context of the current Windows user, who can also be a standard, limited user.  The password comparison is done within the process avp.exe ,  Two raw, unsalted MD5 password hashes are compared

  16. Authentication Bypass Vulnerability: KES 10 November 19, 2015 Matthias Deeg | DeepSec 2015 16 UTF-16LE without the terminating null byte.  In case of KES 10, the hashed password strings are encoded using $ echo -en "s\x00y\x00s\x00s\x00" | md5sum cfb37e7c04bea837d23005199b1cd62b -

  17. Insufficient Protection of User Credentials November 19, 2015 Matthias Deeg | DeepSec 2015 17 not required to perform her tasks, it is usually a security issue. an insufficient way, it definitely is a security issue. password information was both accessible by low-privileged users and insufficiently protected.  If a low-privileged user has access to password information that are  Furthermore, if the accessible user credentials are only protected in  In case of the tested endpoint protection software products, ⇒ Protected features can be used in an unauthorized way

  18. Insufficient Protection of User Credentials: information as raw, unsalted MD5 hash value in the Windows registry. password guessing attacks using pre-computed dictionaries, for instance salt allows an attacker with access to this data to perform efficient KES 10 rainbow tables. Matthias Deeg | DeepSec 2015 18 November 19, 2015  The tested Kaspersky endpoint protection products store the password  E. g. Kaspersky Endpoint Security 10: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Kaspe rskyLab\protected\KSES10\settings\OPEP  This registry key is by default readable by every user.  The MD5 hash can also be extracted as low-privileged user from the memory of the process avp.exe .  The use of the cryptographic one-way hash function MD5 without using a

  19. Insufficient Protection of User Credentials: KES 10 November 19, 2015 Matthias Deeg | DeepSec 2015 19

  20. Use Cases & Attack Scenarios Attack Scenarios: disables the endpoint protection in order to perform further Malware that is executed in the context of a low privileged user 2. protection software in order to perform malicious actions. A low-privileged user disables security features of the endpoint 1. pentesters or IT security consultants November 19, 2015 Good guys doing bad things with permission for fun and profit, e. g. 2. Bad guys doing bad things for fun and profit 1. Use Cases: 20 Matthias Deeg | DeepSec 2015 malicious tasks without intervention from the security control.

  21. Use Cases & Attack Scenarios November 19, 2015 Matthias Deeg | DeepSec 2015 21 Example: really annoying or even be a show stopper. enough: Successful login but all the favorite tools for extracting or dumping useful data ™ do not work due to the endpoint protection software protection completely or only selectively some of its security features can save precious time.  During security assessments, endpoint protection software can be  Having valid credentials for accessing a system is sometimes not ⇒ The next step/hop cannot be taken  Of course there is AV evasion, but deactivating the endpoint

  22. Use Cases & Attack Scenarios November 19, 2015 Matthias Deeg | DeepSec 2015 22 is also interesting to see whether used passwords are compliant to given password policies. In most cases, the used passwords are noncompliant with the complexity requirements of active password policies, for example within Windows Active Directory environments.  Concerning the password protection of management functionality, it  Observed result:

  23. Affected Endpoint Protection Software 8.1.0.1042, 10.2.1.23, 10.2.2.10535 Panda Internet Security 2015 15.1.0 Panda Gold Protection 2015 15.1.0 Panda Global Protection 2015 15.1.0 Panda Antivirus Pro 2015 15.0.1.415 Kaspersky Total Security (KTS) 13.0.4.233 Kaspersky Small Office Security (KSOS) 15.0.2.361 Kaspersky Internet Security (KIS) Kaspersky Endpoint Security for Windows (KES) Products 6.0.4.1611, 15.0.1.415 Kaspersky Anti-Virus (KAV) 15.0.297 BullGuard Internet Security 15.0.297 BullGuard Premium Protection 15.0.297 BullGuard Antivirus Tested Software Version Product Name 23 Matthias Deeg | DeepSec 2015 November 19, 2015 15.0.1

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 Panda Endpoint Protection Suites Index: A New Endpoint Environment A New Endpoint

1 Panda Endpoint Protection Suites Index: A New Endpoint Environment A New Endpoint

1 Panda Endpoint Protection Suites Index: A New Endpoint Environment A New Endpoint Solution t A New Endpoint Environment i i t E E d A N The New Endpoint Reality Increasing Malware Risk 2M malware signatures identified

515 views • 14 slides
Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index

Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index

Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks Index 1. Malware volume evolution 2. Malware Eras 3. Panda Adaptive Defense 1. What is it 2. Features & Benefits 3. How does it work 4.

661 views • 47 slides
Simple and light security solution Content 1. The problem of malware in IT environments 2.

Simple and light security solution Content 1. The problem of malware in IT environments 2.

Simple and light security solution Content 1. The problem of malware in IT environments 2. What is Panda Endpoint Protection Plus? 3. Features and benefits 4. Resources and infrastructure required Panda Endpoint Protection Plus

484 views • 17 slides
Software Protection Evaluation Bjorn De Sutter ISSISP 2017 Paris 1 Software Protection

Software Protection Evaluation Bjorn De Sutter ISSISP 2017 Paris 1 Software Protection

Software Protection Evaluation Bjorn De Sutter ISSISP 2017 Paris 1 Software Protection Evaluation Four criteria (Collberg et al) Potency : confusion, complexity, manual effort Resilience : resistance against (automated) tools

839 views • 68 slides
Hunting For Memory Resident Malware Memhunter tool Marcos Oviedo | McAfee Endpoint Software

Hunting For Memory Resident Malware Memhunter tool Marcos Oviedo | McAfee Endpoint Software

Hunting For Memory Resident Malware Memhunter tool Marcos Oviedo | McAfee Endpoint Software Architect 1 Agenda Problem Description Fileless Attacks Overview Common Injection Techniques Current Challenges with memory

870 views • 22 slides
Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan, Sbastien Bardin and Marie-Laure Potet SSTIC 2017 Topic Binary protection Virtualization-based software protection Automatic

933 views • 72 slides
Online Proposers Day TWO DIFFERENT PROJECT IDEA CONTRIBUTIONS SYSTEMIC SW Universal Trusted

Online Proposers Day TWO DIFFERENT PROJECT IDEA CONTRIBUTIONS SYSTEMIC SW Universal Trusted

CELTIC-NEXT Online Proposers Day TWO DIFFERENT PROJECT IDEA CONTRIBUTIONS SYSTEMIC SW Universal Trusted PROTECTION Execution for cloud and endpoint SW for cloud and endpoint SW security enhancement total security SOLIDSHIELD

163 views • 14 slides
Agenda Why we need a new approach to endpoint security Introducing Sophos Intercept X

Agenda Why we need a new approach to endpoint security Introducing Sophos Intercept X

Agenda Why we need a new approach to endpoint security Introducing Sophos Intercept X Demonstration / Feature Walk Through Deployment Options Q & A 2 Endpoint Security has reached a Tipping Point Attacks are from within the

937 views • 29 slides
PacketLab: A Universal Measurement Endpoint Interface Tzu-Bin Yan with Michael Chen, Lamya

PacketLab: A Universal Measurement Endpoint Interface Tzu-Bin Yan with Michael Chen, Lamya

PacketLab: A Universal Measurement Endpoint Interface Tzu-Bin Yan with Michael Chen, Lamya Alowain, Kirill Levchenko, Amogh Dhamdhere, Bradley Huffaker, kc claffy, Mark Allman, Vern Paxson Quick Recap A measurement endpoint interface

480 views • 15 slides
Dataset Dashboard A SPARQL Endpoint Explorer Petr Kemen petr.kremen@fel.cvut.cz Motivation

Dataset Dashboard A SPARQL Endpoint Explorer Petr Kemen petr.kremen@fel.cvut.cz Motivation

Knowledge-based Software Systems Faculty of Electrical Engineering Czech T echnical University in Prague, Czech Republic Dataset Dashboard A SPARQL Endpoint Explorer Petr Kemen petr.kremen@fel.cvut.cz Motivation DCAT metadata inside

252 views • 12 slides
Endpoint resolvent estimates for compact Riemannian manifolds joint work with R. L. Frank to

Endpoint resolvent estimates for compact Riemannian manifolds joint work with R. L. Frank to

Endpoint resolvent estimates for compact Riemannian manifolds joint work with R. L. Frank to appear in J. Funct. Anal. (arXiv:1611.00462) Lukas Schimmer California Institute of Technology 13 February 2017 Schimmer (Caltech) Endpoint resolvent

274 views • 16 slides
Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking

Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking

Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking SSP 2018, Hildesheim Lukas Ifflnder , Stefan Geissler, Jrgen Walter, Lukas Beierlieb, Samuel Kounev 08.11.2018

677 views • 46 slides
PAGE 2 The Need for New Levels of Protection Business Drivers Greater Increased Higher

PAGE 2 The Need for New Levels of Protection Business Drivers Greater Increased Higher

Kaspersky Endpoint Security 8 Control Technologies PAGE 1 Youre in c ontrol. Youre in the drivers seat. . Applications Devices Web content filtering PAGE 2 The Need for New Levels of Protection Business Drivers Greater Increased

457 views • 20 slides
Analysis of a Composite Endpoint with Missing Data in Components Hui Quan, Daowen Zhang, Ji Zhang

Analysis of a Composite Endpoint with Missing Data in Components Hui Quan, Daowen Zhang, Ji Zhang

Analysis of a Composite Endpoint with Missing Data in Components Hui Quan, Daowen Zhang, Ji Zhang & Laure Devlamynck Sanofi-Aventis February 2007 Rutgers Biostatistics Day 1 Outline The use of composite endpoint The case of two

397 views • 29 slides
Activated Charcoal Making Sense of Endpoint Data Company Confidential Greg Foss Sarah Miller

Activated Charcoal Making Sense of Endpoint Data Company Confidential Greg Foss Sarah Miller

Powered by Activated Charcoal Making Sense of Endpoint Data Company Confidential Greg Foss Sarah Miller Head of Global Security Operations Threat Intelligence Analyst LogRhythm Carbon Black The Endpoint is the new Perimeter The easiest

828 views • 62 slides
The Search for an Optimal Immunological Surrogate Endpoint in Randomized Vaccine Efficacy Trials

The Search for an Optimal Immunological Surrogate Endpoint in Randomized Vaccine Efficacy Trials

Surrogate Endpoint Frameworks Optimal Surrogate Framework Simulation Studies Application to Dengue Trials Discussion The Search for an Optimal Immunological Surrogate Endpoint in Randomized Vaccine Efficacy Trials Peter Gilbert, Brenda

1.62k views • 119 slides
Computing graphs on an HPC cluster: working with distributed unstructured data in Chapel A LEX R

Computing graphs on an HPC cluster: working with distributed unstructured data in Chapel A LEX R

Intro Rectangular Sparse Associative Opaque Graphs Summary Computing graphs on an HPC cluster: working with distributed unstructured data in Chapel A LEX R AZOUMOV alex.razoumov@westgrid.ca WestGrid webinar - ZIP file with slides and codes

482 views • 27 slides
DNS Domain Name System Seminar in distributed Computing 2007/08 Lucien Hansen -

DNS Domain Name System Seminar in distributed Computing 2007/08 Lucien Hansen -

DNS Domain Name System Seminar in distributed Computing 2007/08 Lucien Hansen - lhansen@ethz.ch Overview Naming and Binding of Network Destinations Terminology Examples Interpretation Development of the Domain Name System

427 views • 30 slides
Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What

Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What

Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What is semantics? 2 / 21 What is the meaning of a program? Recall: aspects of a language syntax : the structure of its programs semantics : the

551 views • 21 slides
Services Stephen James Clients vs Servers Clients consume services Servers provide

Services Stephen James Clients vs Servers Clients consume services Servers provide

Services Stephen James Clients vs Servers Clients consume services Servers provide services However, there will typically be services running on both clients and servers What are protocols? Rules that define a common

524 views • 30 slides
A Runtime Environment for Online Processing of Operating System Kernel Events Michael Schbel,

A Runtime Environment for Online Processing of Operating System Kernel Events Michael Schbel,

A Runtime Environment for Online Processing of Operating System Kernel Events Michael Schbel, Andreas Polze 7th Intl. Workshop on Dynamic Analysis (WODA) 20. July 2009 Chicago, IL OS Kernel Event Tracing 2 Dynamic Analysis Usage

889 views • 20 slides
3GPP All IP Network Outline Wireless Technology Evolution GPRS Overview 3GPP All IP

3GPP All IP Network Outline Wireless Technology Evolution GPRS Overview 3GPP All IP

3GPP All IP Network Outline Wireless Technology Evolution GPRS Overview 3GPP All IP Network 3GPP IP Multimedia Subsystem Vision of Comm. System 3G/4G/ Source: DoCoMo Wireless Technology Evolution 1G Analog System

564 views • 54 slides
Beyond LSP Getting Your Language into Theia and VS Code Dr. Jan Khnlein @jankoehnlein The

Beyond LSP Getting Your Language into Theia and VS Code Dr. Jan Khnlein @jankoehnlein The

Beyond LSP Getting Your Language into Theia and VS Code Dr. Jan Khnlein @jankoehnlein The Goal Custom domain-specific language Rich text editor support With diagram support as VS Code Extension! 2 VS Code... Isn't this

625 views • 39 slides
Creating Web Farms with Linux (Linux High Availability and Scalability) Horms (Simon Horman)

Creating Web Farms with Linux (Linux High Availability and Scalability) Horms (Simon Horman)

Creating Web Farms with Linux (Linux High Availability and Scalability) Horms (Simon Horman) horms@verge.net.au October 2000 http://verge.net.au/linux/has/ http://ultramonkey.sourceforge.net/ Introduction: In the Begining May 1998:

670 views • 56 slides

More recommend