CVE-2019-0539 Exploitation
Achieving full R\W primitive with CVE-2019-0539
Cybersecurity is complex, but your security stack doesn’t need to be. We’ve combined multiple layers into one platform to provide comprehensive protection against malicious files and URLs, across channels.
First ever hardware-assisted platform (HAP™) combines hardware visibility with software agility to deliver unprecedented prevention of Zero-day and N-day threats.
In advanced attacks, the malware is delivered by an exploit. While as many as 72M new malware variants appear every month, only around ten exploit techniques are currently in use*. We target these exploit techniques to deliver an earlier and far more reliable verdict, stopping APT attacks before the malware payload is ever released.
*ISTR, Vol. 23 (March 2018)
Every APT attack ultimately executes on the CPU, so visibility at that level is critical. How do we get it in a SaaS solution? We use Intel PT (Processor Trace) to record the full execution flow and decode it in software. A custom-built hypervisor sits between the CPU and the virtual machines and captures the cleanest data possible, enabling the detection of highly evasive attacks that sandboxes and other solutions cannot see.
Cutting-edge detection algorithms (scanners) analyze each recording to detect malicious intent. Advanced scanners include one that detects memory corruption exploits, one that detects advanced exploitation techniques, and one that detects logical bugs.
We are continuously researching the latest exploitation techniques, while they are still in academia, to ensure our detection capabilities are updated to stay ahead of the latest attack campaigns.
We run all layers simultaneously, resulting in close to zero delay for the user, with an average delivery time of under 3 seconds.
Cutting-edge protection against advanced threats, and enhanced protection against every threat:

Commodity threats: spam, phishing, commodity malware. Requires minimal hacking skills; moderately effective; partly covered by AVs and sandboxes.

N-day exploits: obfuscated exploits leveraging known vulnerabilities in Office, Adobe, browsers, and more. Requires advanced hacking skills; highly effective against unpatched software; easily evades AVs and sandboxes.

Zero-day exploits: exploits leveraging new or unknown vulnerabilities in Office, Adobe, browsers, and more. Requires very advanced hacking skills; highly effective even against well-secured organizations; a complete blind spot for AVs and sandboxes.
Only around ten exploit techniques are known to be in use today, most of them first researched and published in universities:
Stack buffer overflow (return address overwrite)
Attacker overwrites the return address in the stack frame of a function and diverts execution to a location of their choice.
Year published: 1996

Stack variable overwrite
Attacker overwrites variables in the stack frame of a function in order to affect the flow of the program and divert execution to a location of their choice.
Year published: N/A

SEH overwrite
Upon overflowing a stack buffer that overwrites the SEH handler, execution is diverted to a gadget (pop; pop; ret) that executes shellcode or a ROP chain.
Year published: 2003

Heap spray
Creates a large, contiguous allocation in memory to which an attacker can reliably divert execution.
Year published: 2004

Stack pivot
Attacker changes the stack pointer to memory under their control, usually in order to initiate a ROP/COP/JOP sequence.
Year published: N/A

Return-oriented programming (ROP)
Bypasses the NX bit and chains together "gadgets" by sequencing return addresses on the stack.
Year published: 2007

Jump-oriented programming (JOP)
Bypasses the NX bit and chains together "gadgets" by sequencing indirect JMP instructions through a dispatcher gadget and a dispatch table in attacker-controlled memory.
Year published: 2010

Call-oriented programming (COP)
Bypasses the NX bit and chains together "gadgets" by sequencing indirect call instructions.
Year published: 2014

Counterfeit object-oriented programming (COOP)
Induces malicious program behavior by only invoking chains of existing C++ virtual functions in a program through corresponding existing call sites.
Year published: 2015

Data-oriented programming (DOP)
Manipulates non-control data instead of control-flow objects, achieving malicious behavior without diverting the program's control flow.
Year published: 2016
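To make the trace-based detection described above concrete (the scanners that run over the recorded execution flow, and the ROP and stack pivot techniques just listed), here is an added example that is not code from this page or from the vendor: a small Python scanner over a constructed list of decoded branch events of the kind an Intel PT decoder produces after pairing its packets with the disassembled code. It applies three checks a practitioner would recognise: a shadow-stack check for returns that have no matching call, a short-gadget-chain heuristic for ROP, and a stack pointer range check for pivots. The record format, addresses, stack bounds and thresholds are all made up for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Branch:
    """One decoded branch event (constructed format, not a real PT packet)."""
    kind: str   # "call", "ret" or "jmp"
    src: int    # address of the branch instruction
    nxt: int    # address of the instruction following it (fall-through)
    dst: int    # address control actually transferred to
    sp: int     # stack pointer observed after the transfer


# Constructed thread-stack bounds; a real scanner takes them from the guest's thread block.
STACK_LO, STACK_HI = 0x7FFF_F000_0000, 0x7FFF_F010_0000
GADGET_LEN = 0x14   # a ret reached within this many bytes of entry counts as a gadget
CHAIN_MIN = 3       # this many consecutive gadgets raises a ROP finding

Finding = Tuple[str, int]   # (finding kind, address it was raised at)


def analyze(trace: List[Branch]) -> List[Finding]:
    """Scan a branch trace for unmatched returns, ROP chains and stack pivots."""
    findings: List[Finding] = []
    shadow: List[int] = []              # expected return addresses, pushed on every call
    chain = 0                           # consecutive short gadgets seen so far
    last_ret_dst: Optional[int] = None  # where the previous return landed
    for b in trace:
        # Stack pivot: the stack pointer has left the thread's stack region.
        if not (STACK_LO <= b.sp < STACK_HI):
            findings.append(("stack_pivot", b.src))
        if b.kind == "call":
            shadow.append(b.nxt)        # a well-behaved ret must come back here
            chain = 0
        elif b.kind == "ret":
            expected = shadow.pop() if shadow else None
            if expected == b.dst:
                chain = 0
            else:
                # Return to an address no call produced: a corrupted return address.
                findings.append(("unmatched_ret", b.src))
                # Gadget length = distance from where the last ret landed to this ret.
                short = last_ret_dst is not None and 0 <= b.src - last_ret_dst <= GADGET_LEN
                chain = chain + 1 if short else 1
                if chain == CHAIN_MIN:
                    findings.append(("rop_chain", b.src))
            last_ret_dst = b.dst
        # "jmp" events are only checked for pivots here; JOP needs its own heuristic.
    return findings


def benign_trace() -> List[Branch]:
    """Constructed: main calls a helper, which returns to the instruction after the call."""
    sp = 0x7FFF_F000_8000
    return [
        Branch("call", 0x401000, 0x401005, 0x401100, sp - 8),
        Branch("ret",  0x401120, 0x401121, 0x401005, sp),
    ]


def rop_trace() -> List[Branch]:
    """Constructed: the helper's return address was overwritten; execution hops
    through three short gadgets and finally pivots the stack into the heap."""
    sp = 0x7FFF_F000_8000
    return [
        Branch("call", 0x401000, 0x401005, 0x401100, sp - 8),
        Branch("ret",  0x401120, 0x401121, 0x402000, sp),        # corrupted return address
        Branch("ret",  0x402004, 0x402005, 0x402100, sp + 8),    # gadget 1 (4 bytes long)
        Branch("ret",  0x402106, 0x402107, 0x402200, sp + 16),   # gadget 2
        Branch("ret",  0x402203, 0x402204, 0x402300, sp + 24),   # gadget 3
        Branch("jmp",  0x402300, 0x402302, 0x402400, 0x600000),  # pivot: sp now in the heap
    ]


if __name__ == "__main__":
    for name, trace in (("benign", benign_trace()), ("rop", rop_trace())):
        print(name, [(kind, hex(addr)) for kind, addr in analyze(trace)])
```

The benign trace yields no findings; the ROP trace yields four unmatched returns, one ROP chain finding at the third gadget, and one stack pivot. Two caveats matter in practice. First, legitimate code also produces returns with no matching call (exception unwinding, setjmp/longjmp, hand-written assembly), so the shadow-stack rule needs an allowlist or a chain threshold before it becomes a verdict. Second, these call/return integrity checks say nothing about COOP or DOP: both keep every call site and return pairing intact, which is why they need separate scanners in the list above.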