The post targets BitDefender, an antivirus product.
IO Ninja is used for sniffing, protocol analysis and much more. The author also claims it can be used to reverse engineer Inter-Process Communication (IPC), and uses it to open a pipe server that talks to the antivirus.
The IPC traffic is displayed in a Wireshark-like packet view. It is really neat to see how this works, and it looks easy to use. While the author was reverse engineering the protocol, the AV crashed. Why?
Sending only the packet header, just 16 bytes, over the pipe crashed the process, and this held for almost all of the BitDefender processes. The result is a local denial of service, which is interesting on its own. Triage showed the crash to be a null pointer dereference.
The AV wrote the crash information to a file, but the file's permissions made it readable and writable by all users. This is very bad, because a symbolic link can redirect that write to any other file. Since the process ran as SYSTEM, that really means ANY file.
To escalate privileges, the author abuses the permission write through the symbolic link: the permissive read/write DACL that the process applies to its crash file can be pointed at a DLL, so the DLL ends up with those new permissions. Once the DLL is writable, it can be modified and loaded by a SYSTEM process, which yields privilege escalation. Neat!
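The root cause above is a privileged process writing a crash file at a name a local user controls, following links and leaving loose permissions behind. The following is an added example (not code from the post or from BitDefender) showing that pattern beside the hardened form on POSIX, which is the analogue of the Windows reparse-point issue; file names and contents are constructed for the demo.

```python
import os
import stat
import tempfile


def write_report_unsafe(path, data):
    # The pattern described above: follows whatever the path points at and
    # does not control the resulting mode. Fine for a user process, not for
    # a privileged one writing into a user-writable location.
    with open(path, "w") as f:
        f.write(data)


def write_report_safe(path, data):
    """Create a new report file without following links and with owner-only
    permissions. Returns True on success, False if the name was already
    taken (including by a symlink) so the caller can log and bail out."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)   # O_EXCL: a pre-planted link is refused
    except (FileExistsError, OSError):     # OSError covers ELOOP from O_NOFOLLOW
        return False
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return True


def demo():
    d = tempfile.mkdtemp()
    target = os.path.join(d, "protected.dll")  # stand-in for a file only SYSTEM should touch
    with open(target, "w") as f:
        f.write("original")
    link = os.path.join(d, "crash.log")        # the expected report name, pre-planted as a link
    os.symlink(target, link)

    write_report_unsafe(link, "crash data")
    with open(target) as f:
        clobbered = f.read()                   # link was followed: "crash data"

    with open(target, "w") as f:
        f.write("original")
    refused = not write_report_safe(link, "crash data")
    with open(target) as f:
        preserved = f.read()                   # hardened writer left it alone: "original"

    fresh = os.path.join(d, "crash2.log")
    created = write_report_safe(fresh, "crash data")
    mode = stat.S_IMODE(os.stat(fresh).st_mode)  # 0o600, not world read/write
    return {"clobbered": clobbered, "refused": refused,
            "preserved": preserved, "created": created, "mode": mode}
```

On Windows the equivalent hardening is opening with FILE_FLAG_OPEN_REPARSE_POINT and creating the file with an explicit restrictive DACL rather than inheriting one from a user-writable directory.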
Another vulnerability in the AV was arbitrary file deletion: if the deletion prompt was allowed to time out, the deletion was simply performed anyway.
Overall, a pretty good post! The reversing and testing were mostly dynamic, with very little static reversing done. There are many ways and places to find vulnerabilities.