
DeepSec 2019 Talk: 30 CVEs in 30 Days — Eran Shimony

DeepSec Conference
Nov 12, 2019


In recent years, fuzzing has come to be regarded as the most effective way to discover new vulnerabilities. We will present an approach that complements fuzzing. Using this method, which is quite simple, we obtained over 30 CVEs across multiple major vendors in a single month.

Some things never die. In this session, we will show that a huge amount of software is still vulnerable to DLL hijacking and symlink abuse, which may allow attackers to escalate their privileges or to DoS a machine. We will show how we generalized these two techniques within an automated testing system called Ichanea, with the aim of finding new vulnerabilities.

Our mindset was: choose software that is prone to be vulnerable, namely installers, update programs, and services. These types of software are often privileged, and are therefore good candidates for exploitation using symlink or DLL hijacking attacks. We are only scratching the surface, and we are confident that there are additional attack vectors that could be applied broadly to achieve similar results.

Attendee Takeaways
First, before pursuing a target straight away, identify what the weak link in a given product could be. In our case, the lack of digital signature checks combined with misconfigured ACLs is very common. After that, once you have successfully exploited one piece of software, work at scale: analyze other software with similar characteristics.
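The two weak links named above, directories writable by low-privileged principals (misconfigured ACLs) and binaries without a valid Authenticode signature, are also what a defender should audit first on a Windows host. The following PowerShell script is an added example written for this page; it is not part of the talk and is not the Ichanea tool. It enumerates installed services, parses each service's binary path, reports whether the binary's directory grants write access to well-known low-privileged principals, and records the signature status. The list of principals and the set of write-equivalent rights are assumptions chosen for the example; run it in an elevated session, and note that it inspects only the binary's own directory, not the full DLL search order.

```powershell
# Added audit example (not from the talk or from Ichanea): report services
# whose binary lives in a directory writable by low-privileged users, or
# whose binary is not validly signed. Read-only; nothing is changed.

# Assumed set of low-privileged principals. A write grant to any of them
# lets an unprivileged user plant or replace files a privileged service loads.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow creating, replacing or deleting files inside a directory.
# The two generic bits cover ACEs stored as GENERIC_WRITE / GENERIC_ALL,
# which appear as raw integers rather than named FileSystemRights values.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [int][System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             0x40000000 -bor   # GENERIC_WRITE
             0x10000000        # GENERIC_ALL

function Get-ServiceBinaryPath {
    # Extract the executable from a Win32_Service.PathName value, which may be
    # quoted, unquoted, and followed by arguments. Unquoted paths containing
    # spaces are a weak link in their own right and are flagged by the caller.
    param([string]$PathName)
    if ($PathName -match '^"(?<p>[^"]+)"') { return $Matches.p }
    if ($PathName -match '^(?<p>.+?\.exe)') { return $Matches.p }
    return ($PathName -split '\s+')[0]
}

function Get-WeakDirectoryAces {
    # Return the Allow ACEs on $Path that give write-equivalent rights to one
    # of the low-privileged principals above.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteBits) -ne 0) { $ace }
    }
}

$report = foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.PathName })) {
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not (Test-Path -LiteralPath $exe)) { continue }
    $dir = Split-Path -Parent $exe
    $weakAces = @(Get-WeakDirectoryAces -Path $dir)
    $sig = Get-AuthenticodeSignature -FilePath $exe

    [pscustomobject]@{
        Service        = $svc.Name
        RunsAs         = $svc.StartName
        Binary         = $exe
        UnquotedPath   = (-not $svc.PathName.StartsWith('"')) -and ($exe -match ' ')
        WritableBy     = (($weakAces | ForEach-Object { $_.IdentityReference.Value }) |
                          Sort-Object -Unique) -join ', '
        SignatureState = $sig.Status   # Valid, NotSigned, HashMismatch, ...
    }
}

# Show only the findings: a writable binary directory, an unquoted path with
# spaces, or a signature that does not verify.
$report |
    Where-Object { $_.WritableBy -or $_.UnquotedPath -or $_.SignatureState -ne 'Valid' } |
    Sort-Object Service |
    Format-Table Service, RunsAs, UnquotedPath, WritableBy, SignatureState, Binary -AutoSize
```

The WritableBy column is the ACL finding the abstract refers to: a service running as LocalSystem whose directory lists BUILTIN\Users or Authenticated Users there is the configuration to fix, by tightening the directory ACL so that only administrators and SYSTEM can write. The SignatureState column points at the second weak link; a service that loads unsigned code has no way to notice that a file in that directory was replaced.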



Written by DeepSec Conference

The In-Depth Security Conference in the Heart of Europe.
