Software vulnerabilities and exploits.

Now that we've covered how software should be securely coded, let's cover a few of the exploits that are used against improperly-coded programs. First, we have backdoors. Backdoors consist of software code that's been placed in computer programs to bypass our normal authentication and other security mechanisms. These are often created by developers themselves in order to make it easier for them to update custom programs in the future. But this is a horrible practice in terms of security. All secure coding and programming methodologies consider backdoors a poor coding practice, and they state that they should never be utilized by programmers. Because of this, most developers have phased out the use of backdoors. But some backdoors can be created in our systems by attackers, too. For example, if a system is infected with a remote access Trojan, this is also considered a backdoor into that system.

The next type of exploit that we have is what's called a directory traversal, which is going to exploit insecurely-coded web applications and servers. A directory traversal is a method of accessing unauthorized directories by moving through the directory structure on a remote server. Let's pretend, for example, that my website, Diontraining.com, was poorly coded and was subject to this type of an exploit. Of course, we've gone ahead and secured our website against this type of vulnerability, so this is just going to be a theoretical discussion to explain the context of a directory traversal. Normally, you could access our website by going to www.diontraining.com. Or, you might access it by going to a dynamic sub-page like diontraining.com/menus, or something like that. If you wanted to attempt a directory traversal, you're going to have to add something to the directory path that has an input variable inside the URL. Something like menu=../../../../etc/password.

This attempts to move up four levels through the directory structure, from the web server's public folder into its root folder, and then back down into the etc folder, and then attempts to access the password file. If this were successful, the text-based password file would be displayed inside your web browser. For the Security+ exam, anytime you see that there's a series of ../ in a URL, you know that this is most likely a directory traversal and it's being used as part of an exploit. Often, a directory traversal is used as a way to access a file on a web server, and sometimes you can even use it to conduct an arbitrary code execution on that server. Arbitrary code execution occurs when an attacker is able to execute or run commands on a victim computer. This might occur if someone walks by your desk at work, sees you're logged into the computer, but you're away from your desk. They start running a program on your computer. This would be classified as an arbitrary code execution. This is pretty bad for security, as you can imagine.

But what's even worse is a specialized type of arbitrary code execution called an RCE, or remote code execution. A remote code execution occurs when the attacker is able to execute or run commands on a remote computer. Notice the key difference here between an arbitrary and a remote code execution. With a remote code execution, the attacker can run the commands remotely, such as through an interactive shell session or some other kind of attack. This is considered one of the worst types of exploits in the security world, and a vulnerability that allows this to occur is classified as critical under the Common Vulnerability Scoring System whenever there's a remote code execution that's possible. The final type of exploit we need to cover in this lesson is what's known as a zero-day exploit. This is an attack against a vulnerability that is unknown to the original developer or manufacturer.

Because of this, zero-day vulnerabilities have become a big business, with some companies paying thousands of dollars to penetration testers who can help to identify these vulnerabilities and report them under their bug bounty programs.