In a recent research by Ruhr University Bochum, a vulnerability in the widely used Secure Shell (SSH) cryptographic network protocol has been brought to light.
Dubbed Terrapin (CVE-2023-48795, CVSS score: 5.9), this exploit marks the emergence of what is termed the “first ever practically exploitable prefix truncation attack.”
Technical Overview of Terrapin Exploit
Terrapin manipulates the SSH protocol during the handshake phase by adjusting sequence numbers, enabling an attacker to selectively remove messages sent at the beginning of the secure channel without detection.
This downgrades the connection’s security integrity, a process facilitated by exploiting the SSH extension negotiation, specifically RFC8308.
Active Adversary in the Middle (AitM) Scenario
The exploit’s effectiveness hinges on an active adversary positioned in the middle of the communication channel, capable of intercepting and modifying traffic at the TCP/IP layer.
The vulnerability manifests during SSH extension negotiation, potentially compromising security features such as client authentication algorithms and countermeasures against timing attacks in OpenSSH 9.5.
Real-World Impact
Successful exploitation of Terrapin exposes sensitive data interception and the potential compromise of critical systems with administrator-level access.
Particularly alarming is the risk for organizations with expansive, interconnected networks granting access to privileged data.
Scope of Vulnerability and Affected Implementations
Terrapin’s reach extends across multiple SSH client and server implementations, including but not limited to OpenSSH, Paramiko, PuTTY, KiTTY, WinSCP, libssh, libssh2, AsyncSSH, FileZilla, and Dropbear.
In response, maintainers of these implementations have promptly released patches to mitigate potential risks.
DLL Search Order Hijacking Technique Threatening Windows Systems
Cybersecurity firm Security Joes has found a variant of the DLL search order hijacking technique, presenting a potential avenue for threat actors to bypass security measures on Windows 10 and Windows 11 systems.
Exploiting Trusted WinSxS Executables for Malicious Ends
This sophisticated approach leverages executables in the trusted WinSxS (Windows side-by-side) folder.
Security Joes discloses that this method exploits the classic DLL search order hijacking technique, allowing adversaries to execute malicious code without needing elevated privileges.
The twist lies in targeting trusted binaries within the WinSxS folder, introducing a subtle and stealthy method of exploitation.
Understanding DLL Search Order Hijacking
DLL search order hijacking involves manipulating the search order used to load DLLs, enabling the execution of malicious payloads for purposes such as defense evasion, persistence, and privilege escalation.
The technique capitalizes on applications not specifying the full path to required libraries, relying on a predefined search order.
Threat actors strategically move legitimate system binaries into non-standard directories, substituting them with malicious DLLs to execute attack code seamlessly.
WinSxS Folder Targeting
Security Joes discovery introduces a nuanced twist by focusing on files in the crucial “C:\Windows\WinSxS” folder. This directory, integral to Windows operations, customizes and updates the OS to ensure compatibility and integrity.
By finding vulnerable binaries in the WinSxS folder and employing DLL search order hijacking methods, threat actors can execute code by placing a custom DLL with the same name as a legitimate DLL into a controlled directory.
Patch It, Or Forget It!
It is crucial to scrutinize processes, mainly focusing on trusted binaries.
Monitoring activities of binaries in the WinSxS folder, including network communications and file operations, is crucial to mitigating the risk posed by this exploitation method.
Installing, updating, and patching your devices for better security is also essential.
Marrium Akhtar
January 10, 2024
4 months ago
