Endpoint security controls are the most essential tool for protecting computer systems from various malware threats. Most of them include several layers of detection modules. Among them is the byte signature detection logic, which is usually treated as the most reliable layer with the lowest false positive rate. What would you say if adversaries could remotely delete critical data from your fully patched servers over the internet? Moreover, what if this could be done because of your security control's byte signature detection logic?
In this talk, we will present a vulnerability (CVE-2023-24860) in a brand-new category that provides unauthenticated remote deletion of critical files, such as an entire production database, and causes a new level of DoS. The vulnerability exists in the default settings of three well-known endpoint security products we tested, and it is fully undetectable. It can be exploited on both Linux and Windows using at least ten different attack vectors, with almost no limitations.
We will explain the root cause and demo seven different attack vectors, including remote deletion of entire databases; in most cases the database service and the affected data cannot be easily recovered, resulting in a critical DoS.
We will demo how it can help adversaries cover their tracks and prevent full DFIR, including remote deletion of the log files of the most prevalent web servers and of event logs, and how it causes a domino effect when a SIEM solution collects those infected log files into its own databases. Attack vectors are not limited to servers: a malicious web server may also remotely trigger any Windows client to delete browser files on the endpoint.
Last but not least, we will detail how an unprivileged attacker can delete entire virtual machines on the host by executing code only inside guest machines. We believe that cloud environments might be vulnerable as well.
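The root cause the abstract describes, from the defender's side, is a remediation policy: a byte-signature engine that answers every match by deleting the containing file turns any path by which attacker-controlled bytes land on disk (a request line written verbatim to a web server log, a row stored by an ordinary database INSERT, the SIEM's forwarded copy of that log) into a data-loss primitive. The following simulation is an added example, not code from the talk or from any of the tested products. The signature string, the directory layout and the file contents are all constructed; the "hardened" policy (alert only inside log and data paths, reversible quarantine elsewhere) is an assumed illustration of a safer default, not a description of what any vendor ships.

```python
"""Simulated byte-signature engine with two remediation policies.

Everything here is constructed for illustration: the signature, the file
tree and the notion of "protected" data/log paths.
"""
from __future__ import annotations

import shutil
import tempfile
from pathlib import Path

# Constructed placeholder pattern; a real engine carries many thousands.
SIGNATURE = b"EXAMPLE-MALWARE-PATTERN-0001"

# Constructed layout: directories holding business data or forensic evidence.
PROTECTED_SUBDIRS = ("var/log", "var/lib/db", "siem/store")


def build_sample_tree(root: Path) -> None:
    """Constructed sample filesystem: a web server log that recorded an
    attacker-supplied URL containing the pattern, the SIEM's forwarded copy of
    that log line (the 'domino effect'), a database file that stored the same
    string via a normal INSERT, a clean log, and one genuine dropper in /tmp."""
    files = {
        "var/log/httpd/access.log": b'10.0.0.5 - - "GET /?q=' + SIGNATURE + b' HTTP/1.1" 404\n',
        "var/log/httpd/error.log": b"[notice] server started\n",
        "siem/store/events.db": b"forwarded: GET /?q=" + SIGNATURE + b"\n",
        "var/lib/db/customers.dat": b"id=1,name=alice,notes=" + SIGNATURE + b"\n",
        "tmp/dropper.bin": b"\x7fELF" + SIGNATURE,
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def signature_hit(path: Path) -> bool:
    """Plain substring match, which is all a byte-signature layer needs."""
    return SIGNATURE in path.read_bytes()


def is_protected(rel: str) -> bool:
    return any(rel == d or rel.startswith(d + "/") for d in PROTECTED_SUBDIRS)


def naive_remediate(root: Path) -> list[str]:
    """The policy the talk warns about: every file containing the pattern is
    deleted, regardless of what else the file holds. Returns deleted paths."""
    deleted = []
    for p in sorted(root.rglob("*")):  # materialised first, so deleting is safe
        if p.is_file() and signature_hit(p):
            p.unlink()
            deleted.append(p.relative_to(root).as_posix())
    return deleted


def hardened_remediate(root: Path, quarantine: Path) -> dict[str, list[str]]:
    """Assumed safer policy: a hit inside a log/data path only raises an alert
    and the file is kept for DFIR; any other hit is moved to a quarantine
    directory outside the scanned tree, which an operator can reverse."""
    result: dict[str, list[str]] = {"alerted": [], "quarantined": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file() or not signature_hit(p):
            continue
        rel = p.relative_to(root).as_posix()
        if is_protected(rel):
            result["alerted"].append(rel)
        else:
            dest = quarantine / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(p), str(dest))
            result["quarantined"].append(rel)
    return result


def run_demo() -> tuple[list[str], dict[str, list[str]], list[str]]:
    """Run both policies on fresh copies of the sample tree. Returns
    (files the naive policy deleted, hardened policy result,
     files still present after the hardened policy)."""
    naive_root = Path(tempfile.mkdtemp(prefix="naive-"))
    build_sample_tree(naive_root)
    deleted = naive_remediate(naive_root)

    hard_root = Path(tempfile.mkdtemp(prefix="hardened-"))
    quarantine = Path(tempfile.mkdtemp(prefix="quarantine-"))
    build_sample_tree(hard_root)
    outcome = hardened_remediate(hard_root, quarantine)
    survivors = sorted(
        p.relative_to(hard_root).as_posix() for p in hard_root.rglob("*") if p.is_file()
    )
    return deleted, outcome, survivors


if __name__ == "__main__":
    deleted, outcome, survivors = run_demo()
    print("naive policy deleted:   ", deleted)
    print("hardened policy alerted:", outcome["alerted"])
    print("hardened quarantined:   ", outcome["quarantined"])
    print("still on disk:          ", survivors)
```

Running it shows the naive policy removing the access log, the customer database and the SIEM event store along with the dropper, while the hardened policy keeps those three on disk and merely alerts on them. Until a vendor changes its default, the corresponding compensating control on the administrator's side is to exclude log, database and virtual-disk directories from delete-on-match scanning and to monitor the resulting alerts instead, accepting that the exclusion is a gap the abstract's other vectors may still reach.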