Severe Nvidia vulnerability found in driver: Node server in Nvidia driver enables malware execution

Status
Closed for further replies.

Speedwood

Freizeitschrauber(in)

The Nvidia graphics driver for Windows apparently contains a Node.js server. This makes it possible to bypass whitelisting or signature methods quite trivially in order to execute arbitrary code on a machine.


blog.sec-consult.com :



Application whitelisting is an important security concept which can be found in many environments during penetration testing. The basic idea is to create a whitelist of allowed applications and after that only allow the execution of applications which can be found in that whitelist. This prevents the execution of dropped malware and therefore increases the overall security of the system and network.

A very commonly used solution for application whitelisting is Microsoft AppLocker. Another concept is to enforce code and script integrity via signatures. This can be achieved on Microsoft Windows 10 or Server 2016 with Microsoft Device Guard.

SEC Consult Vulnerability Lab has been doing research in this area for several years; bypass techniques were already presented in 2015 and 2016 at conferences such as CanSecWest, DeepSec, Hacktivity, BSides Vienna and IT-SeCX, see [1].

Knowing these bypass techniques is really important for administrators who maintain such protected environments because special rules must be applied to prevent these attacks.

Other good and recommended sources of known bypass techniques and hardening guides are blog posts from Casey Smith (subtee) [2], Matt Nelson (enigma0x3) [3] and Matt Graeber (mattifestation) [4].






Source:


Original: SEC Consult: Abusing NVIDIA's node.js to bypass application whitelisting


Golem: Whitelist umgehen: Node-Server im Nvidia-Treiber ermöglicht Malware-Ausführung - Golem.de
 