Forwarded from BlackBox (Security) Archiv
Media is too big
VIEW IN TELEGRAM
What is Pastejacking? | Exploiting machine using pastejacking
What is Pastejacking?
Nearly all browsers allow websites to run commands on the usersโ computers. This feature can allow malicious websites to take over your computersโ clipboard. That is, when you copy something and paste it to your clipboard, the website can run one or more commands using your browser. The method can be used to change the Clipboard contents. While it may not be much dangerous if you are just copying to Notepad or Word etc. , it could be a problem for your computer if you paste something directly to the Command Prompt.
https://invidio.us/watch?v=4KNKGLS0nx0&feature=youtu.be&local=true
https://www.thewindowsclub.com/what-is-pastejacking
#pastejacking #exploiting #video
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@BlackBox_Archiv
What is Pastejacking?
Nearly all browsers allow websites to run commands on the usersโ computers. This feature can allow malicious websites to take over your computersโ clipboard. That is, when you copy something and paste it to your clipboard, the website can run one or more commands using your browser. The method can be used to change the Clipboard contents. While it may not be much dangerous if you are just copying to Notepad or Word etc. , it could be a problem for your computer if you paste something directly to the Command Prompt.
https://invidio.us/watch?v=4KNKGLS0nx0&feature=youtu.be&local=true
https://www.thewindowsclub.com/what-is-pastejacking
#pastejacking #exploiting #video
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@BlackBox_Archiv
Forwarded from BlackBox (Security) Archiv
Exploiting (Almost) Every Antivirus Software
Summary
Antivirus software is supposed to protect you from malicious threats, but what if that protection could be silently disabled before a threat can even be neutralized? What if that protection could be manipulated to perform certain file operations that would allow the operating system to be compromised or simply rendered unusable by an attacker?
RACK911 Labs has come up with a unique but simple method of using directory junctions (Windows) and symlinks (macOS & Linux) to turn almost every antivirus software into self-destructive tools.
Method of Exploitation
Most antivirus software works in a similar fashion: When an unknown file is saved to the hard drive, the antivirus software will usually perform a โreal time scanโ either instantly or within a couple of minutes. If the unknown file is determined to be a suspected threat, the file will then be automatically quarantined and moved to a secure location pending further user instructions or it will simply be deleted.
Given the nature of how antivirus software has to operate, almost all of them run in a privileged state meaning the highest level of authority within the operating system. Therein lies a fundamental flaw as the file operations are (almost) always performed at the highest level which opens the door to a wide range of security vulnerabilities and various race conditions.
What most antivirus software fail to take into consideration is the small window of time between the initial file scan that detects the malicious file and the cleanup operation that takes place immediately after. A malicious local user or malware author is often able to perform a race condition via a directory junction (Windows) or a symlink (Linux & macOS) that leverages the privileged file operations to disable the antivirus software or interfere with the operating system to render it useless, etc.
๐๐ผ Read more:
https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software/
#exploiting #antivirus #RACK911
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@BlackBox_Archiv
Summary
Antivirus software is supposed to protect you from malicious threats, but what if that protection could be silently disabled before a threat can even be neutralized? What if that protection could be manipulated to perform certain file operations that would allow the operating system to be compromised or simply rendered unusable by an attacker?
RACK911 Labs has come up with a unique but simple method of using directory junctions (Windows) and symlinks (macOS & Linux) to turn almost every antivirus software into self-destructive tools.
Method of Exploitation
Most antivirus software works in a similar fashion: When an unknown file is saved to the hard drive, the antivirus software will usually perform a โreal time scanโ either instantly or within a couple of minutes. If the unknown file is determined to be a suspected threat, the file will then be automatically quarantined and moved to a secure location pending further user instructions or it will simply be deleted.
Given the nature of how antivirus software has to operate, almost all of them run in a privileged state meaning the highest level of authority within the operating system. Therein lies a fundamental flaw as the file operations are (almost) always performed at the highest level which opens the door to a wide range of security vulnerabilities and various race conditions.
What most antivirus software fail to take into consideration is the small window of time between the initial file scan that detects the malicious file and the cleanup operation that takes place immediately after. A malicious local user or malware author is often able to perform a race condition via a directory junction (Windows) or a symlink (Linux & macOS) that leverages the privileged file operations to disable the antivirus software or interfere with the operating system to render it useless, etc.
๐๐ผ Read more:
https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software/
#exploiting #antivirus #RACK911
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@BlackBox_Archiv