
Application & OS Vulnerabilities

Memory-Based Vulnerabilities

Buffer Overflow

Writing more data to a buffer than it can hold — overwrites adjacent memory.

// Vulnerable: no bounds checking
char buf[64];
strcpy(buf, user_input);  // input of 64 bytes or more (plus the NUL) → overflow

// Fix: bound the copy AND terminate explicitly; strncpy writes no NUL
// when the source is as long as (or longer than) the limit
strncpy(buf, user_input, sizeof(buf) - 1);
buf[sizeof(buf) - 1] = '\0';
Type            Description
Stack overflow  Overwrites the saved return address → control-flow hijack
Heap overflow   Corrupts heap metadata or adjacent objects
Off-by-one      Writes a single byte past the end; enough to corrupt the saved frame pointer or a heap chunk header

Mitigations: ASLR, DEP/NX, stack canaries (-fstack-protector), bounds-checked copies instead of strcpy/strcat/sprintf (explicit length checks, snprintf, memcpy with a checked length)
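Both halves of the snippet above, as an added example that is not code from the original page: the strncpy "fix" has a footgun of its own (no terminator when the source is 63 bytes or longer), which the first function makes visible, and a bounded copy that refuses oversized input instead of silently truncating it, which the second function implements. The 64-byte buffer size, the copy_bounded/copy_into_buf names and the 99-byte sample input are this example's own choices.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* same 64-byte stack buffer as the page's snippet */

/* The page's one-line "fix", strncpy(buf, in, sizeof(buf) - 1), stops the
 * overflow but when the source is >= 63 bytes long strncpy writes no
 * terminator at all. Fill buf with a sentinel first so we see exactly what
 * strncpy wrote, then report whether any NUL ended up in the buffer. */
bool strncpy_leaves_terminator(const char *input) {
    char buf[BUF_SIZE];
    memset(buf, 'X', sizeof buf);
    strncpy(buf, input, sizeof(buf) - 1);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

/* Hardened copy: refuses input that does not fit and always leaves dst
 * NUL-terminated. Returns the number of bytes copied, or -1 if the input
 * was too long. Scans src for at most dst_size bytes, so an unterminated
 * src cannot run the scan off the end either. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n = 0;
    if (dst_size == 0) return -1;
    while (n < dst_size && src[n] != '\0') n++;
    if (n == dst_size) {          /* too long, or no NUL within dst_size bytes */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);      /* n bytes plus the terminator */
    return (int)n;
}

/* Stand-in for the page's `buf`: copy_bounded into a 64-byte buffer
 * (hypothetical helper so the result can be inspected after the call). */
static char last_copy[BUF_SIZE];
int copy_into_buf(const char *user_input) {
    return copy_bounded(last_copy, sizeof last_copy, user_input);
}

/* Constructed sample input: 99 'A's, longer than the 64-byte buffer. */
const char *long_input(void) {
    static char s[100];
    memset(s, 'A', sizeof s - 1);
    s[sizeof s - 1] = '\0';
    return s;
}

int main(void) {
    printf("strncpy terminated for \"short\":      %d\n", strncpy_leaves_terminator("short"));
    printf("strncpy terminated for 99-byte input: %d\n", strncpy_leaves_terminator(long_input()));
    printf("copy_bounded(\"hello\") -> %d, buf=\"%s\"\n", copy_into_buf("hello"), last_copy);
    printf("copy_bounded(99 x 'A') -> %d (refused)\n", copy_into_buf(long_input()));
    return 0;
}
```

Refusing rather than truncating is the safer default for anything that is parsed later (paths, usernames, protocol fields): a silently truncated value can change meaning, whereas a rejected one cannot.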


Integer Overflow / Underflow

When a result exceeds the maximum/minimum of its type it wraps around. Unsigned arithmetic wraps modulo 2^n; signed overflow in C is undefined behavior, so the compiler may also delete a check written in terms of the overflowed value.
Example: uint8 max = 255; 255 + 1 = 0
Impact: bypass of length/size checks (offset + len wraps to a small value), allocation of 0 or a tiny buffer followed by a large write → memory corruption
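An added example, not from the original page, of the two impacts listed above: a bounds check on a length-prefixed record that is bypassed because HDR_LEN + len wraps in 32-bit arithmetic, beside two correct forms of the same check, and an allocation-size product that wraps to 0. The 4-byte header, the function names and the constants are assumptions made for the example; __builtin_add_overflow is a GCC/Clang extension.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fixed-size header in front of a length-prefixed payload (constructed
 * record format for the example, not a real protocol). */
#define HDR_LEN 4u

/* The page's uint8 example: 255 + 1 wraps to 0. */
uint8_t add_u8(uint8_t a, uint8_t b) {
    return (uint8_t)(a + b);
}

/* Vulnerable bounds check: HDR_LEN + len is 32-bit unsigned arithmetic, so
 * len = 0xFFFFFFFE wraps the sum to 2, which is <= any realistic buf_len.
 * A parser that then trusts len copies far past the end of the buffer. */
bool payload_fits_naive(uint32_t len, uint32_t buf_len) {
    return HDR_LEN + len <= buf_len;
}

/* Correct: move the constant to the other side so nothing can wrap.
 * buf_len - HDR_LEN cannot underflow once buf_len >= HDR_LEN is known. */
bool payload_fits(uint32_t len, uint32_t buf_len) {
    if (buf_len < HDR_LEN) return false;
    return len <= buf_len - HDR_LEN;
}

/* Same check with the GCC/Clang overflow builtin, which reports the wrap
 * explicitly instead of relying on rearranged algebra. */
bool payload_fits_builtin(uint32_t len, uint32_t buf_len) {
    uint32_t total;
    if (__builtin_add_overflow(HDR_LEN, len, &total)) return false;
    return total <= buf_len;
}

/* Allocation size: count * elem_size wrapping to 0 (or a small value) yields
 * a tiny heap chunk that is later filled with `count` elements, i.e. a heap
 * overflow. This is the unchecked product. */
size_t alloc_size_unchecked(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* Checked version: refuse when the product would not fit in size_t.
 * Returns false instead of handing back a wrapped size. */
bool alloc_size_checked(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) return false;
    *out = count * elem_size;
    return true;
}

/* Convenience wrapper: true when the multiplication would wrap. */
bool alloc_would_wrap(size_t count, size_t elem_size) {
    size_t unused;
    return !alloc_size_checked(count, elem_size, &unused);
}

int main(void) {
    size_t n;
    printf("255 + 1 as uint8 = %u\n", add_u8(255, 1));
    printf("naive check, len=0xFFFFFFFE, buf=64: %s\n",
           payload_fits_naive(0xFFFFFFFEu, 64) ? "passes (bug)" : "rejects");
    printf("fixed check, len=0xFFFFFFFE, buf=64: %s\n",
           payload_fits(0xFFFFFFFEu, 64) ? "passes" : "rejects");
    printf("unchecked alloc size for (SIZE_MAX/2+1) x 2: %zu (wrapped)\n",
           alloc_size_unchecked(SIZE_MAX / 2 + 1, 2));
    printf("checked alloc refuses it: %s\n",
           alloc_size_checked(SIZE_MAX / 2 + 1, 2, &n) ? "no" : "yes");
    return 0;
}
```

The subtraction form is the one to reach for in portable code: it needs no compiler extension and the precondition (buf_len >= HDR_LEN) is explicit in the source.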

Code Injection Vulnerabilities

DLL Injection

Forcing a process to load a malicious DLL into its address space.

Methods:
- DLL hijacking (search-order hijacking): placing a malicious DLL where the loader looks before the legitimate copy (the application's own directory, a writable directory on PATH, or the name of a DLL the application tries to load but that is missing)
- Reflective DLL injection: the payload maps itself from memory with its own loader, so there is no file on disk, no LoadLibrary call, and no entry in the process's module list
- CreateRemoteThread: write the DLL path into the target with WriteProcessMemory, then call CreateRemoteThread with LoadLibrary as the thread start address so the target loads the DLL itself

Detection:
- Image-load telemetry (Sysmon Event ID 7): DLLs loaded from user-writable paths, unsigned DLLs, or a system DLL name resolved from somewhere other than System32
- Remote thread creation (Sysmon Event ID 8) and process handle access with write/thread-create rights (Event ID 10) from processes that have no business touching the target
- Check DLL load paths and NAME NOT FOUND lookups with Sysinternals Process Monitor to find hijackable search orders

Process Injection

Executing code within another process’s memory space.

Techniques:
- Shellcode injection: VirtualAllocEx an executable region in the target, WriteProcessMemory the shellcode into it, CreateRemoteThread to run it
- Process hollowing: start a legitimate binary suspended, unmap its image, write the payload in its place, point the main thread at the new entry point, resume
- Atom bombing: put the payload into the global atom table (GlobalAddAtom) and queue an APC in the target that retrieves it (GlobalGetAtomName), so the code lands without a WriteProcessMemory call

Race Conditions

Time-of-Check to Time-of-Use (TOCTOU)

Gap between when a condition is checked and when it is used — attacker changes state in between.

Example (the app runs as root, so the write lands with root's privileges):
1. App checks: does file /tmp/data exist? → No
2. Attacker creates symlink /tmp/data → /etc/passwd
3. App opens /tmp/data for writing → follows the symlink and overwrites /etc/passwd

Fix: make the check and the use a single atomic operation: open with O_CREAT|O_EXCL (fails if anything, including a symlink, already exists at the path) and O_NOFOLLOW, then work on the returned descriptor (fstat, fchmod) instead of re-resolving the path; create temp files with mkstemp in a private directory rather than under a predictable shared /tmp name. File locking only helps against cooperating processes, not against an attacker racing the path.
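The race above played out in C on Linux, as an added example that is not code from the original page: the attacker's symlink is planted deliberately between the app's existence check and its open(), so the racy open truncates the victim, and the same swapped path is then handed to a hardened opener that uses O_CREAT|O_EXCL|O_NOFOLLOW and fstat on the descriptor. Everything happens in a private mkdtemp directory with a constructed "victim" file standing in for /etc/passwd, so nothing outside that directory is touched; the function and field names are the example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy "use" half of the page's pattern: a plain open() that creates or
 * truncates the path and follows symlinks. The "check" half (does the file
 * exist?) is a separate access() call in the scenario below, with the
 * attacker's move in between. */
int open_racy(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Safe pattern: check and use in one syscall. O_EXCL makes creation atomic
 * and fails if anything (including a symlink) already exists at the path,
 * O_NOFOLLOW refuses to follow a symlink, and everything afterwards uses the
 * descriptor (fstat), never the path again. Returns the fd or -1. */
int open_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* What one run of the scenario observed. */
struct toctou_result {
    int existed_at_check;    /* what the app's check saw (0 = "not there") */
    long victim_size_racy;   /* victim size after the racy open (0 = truncated) */
    int safe_fd;             /* -1 = the safe opener refused */
    int safe_errno;          /* errno from the safe opener (EEXIST expected) */
};

/* Constructed scenario in a private temp dir: "victim" stands in for
 * /etc/passwd and "data" for /tmp/data. The attacker's step runs between the
 * app's check and its use, which a real attacker would have to win by timing. */
struct toctou_result run_toctou_scenario(void) {
    struct toctou_result r = { -1, -1, -1, 0 };
    char dir[] = "/tmp/toctou.XXXXXX";
    char victim[256], data[256];
    if (mkdtemp(dir) == NULL) return r;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(data, sizeof data, "%s/data", dir);

    /* Victim file with content the attacker wants clobbered (constructed). */
    FILE *f = fopen(victim, "w");
    if (f) { fputs("root:x:0:0:root:/root:/bin/bash\n", f); fclose(f); }

    /* 1. App checks: does /tmp/data exist? -> No */
    r.existed_at_check = (access(data, F_OK) == 0);

    /* 2. Attacker wins the race: /tmp/data -> victim */
    symlink(victim, data);

    /* 3a. Racy open follows the link and truncates the victim */
    int fd = open_racy(data);
    if (fd >= 0) close(fd);
    struct stat st;
    if (stat(victim, &st) == 0) r.victim_size_racy = (long)st.st_size;

    /* 3b. Safe open on the same swapped path refuses: O_EXCL sees the
     * symlink as "already exists" and does not follow it (EEXIST) */
    errno = 0;
    r.safe_fd = open_safe(data);
    r.safe_errno = errno;
    if (r.safe_fd >= 0) close(r.safe_fd);

    unlink(data);
    unlink(victim);
    rmdir(dir);
    return r;
}

int main(void) {
    struct toctou_result r = run_toctou_scenario();
    printf("check saw file existing: %d\n", r.existed_at_check);
    printf("victim size after racy open: %ld\n", r.victim_size_racy);
    printf("safe open fd: %d (errno %d, EEXIST=%d)\n", r.safe_fd, r.safe_errno, EEXIST);
    return 0;
}
```

The fstat checks after open_safe are there for the case where the path is legitimately expected to exist already (no O_EXCL): then O_NOFOLLOW blocks the symlink, and rejecting non-regular files and hard-linked files closes the remaining substitutions an attacker could make.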

Operating System Vulnerabilities

EternalBlue (CVE-2017-0144)

  • Exploits a remote code execution flaw in the Windows SMBv1 server (srv.sys), patched by MS17-010
  • Used in WannaCry and NotPetya ransomware
  • Allows remote code execution without authentication over TCP 445
# Patch status check (NSE script; tests for the MS17-010 condition only)
nmap -p 445 --script smb-vuln-ms17-010 <target>

Fix: Apply the MS17-010 patch and disable SMBv1. The commands below stop and disable the whole Server service, which removes all SMB file sharing from the host, not just SMBv1 (note the space after start=, which sc requires):
net stop server; sc config lanmanserver start= disabled
To turn off only SMBv1 on the server side (Windows 8 / Server 2012 and later) use the Set-SmbServerConfiguration cmdlet with -EnableSMB1Protocol $false, or remove the SMB1Protocol optional feature.

Shellshock (CVE-2014-6271)

  • Bash vulnerability: bash executed the commands that followed a function definition stored in an environment variable (the "() { :; };" prefix), so any program that copies attacker input into an environment variable before running bash becomes remote code execution
  • Exploited mainly via CGI scripts on web servers, where the HTTP request headers are exported as environment variables (User-Agent becomes HTTP_USER_AGENT)
# Test for Shellshock (the target must run a bash-backed CGI script; the injected command runs before the script body, so a vulnerable host returns its output ahead of the headers or a 500, while a patched bash ignores the trailing command)
curl -H 'User-Agent: () { :; }; /bin/cat /etc/passwd' http://target/cgi-bin/test.cgi

Fix: Update bash (the initial fix for CVE-2014-6271 was incomplete; make sure the package also covers CVE-2014-7169), disable CGI if not needed

Dirty COW (CVE-2016-5195)

  • Linux kernel race condition in the copy-on-write handling of private file mappings: one thread repeatedly drops the private copy with madvise(MADV_DONTNEED) while another writes through /proc/self/mem (or ptrace), and the write occasionally lands on the read-only original page
  • Allows local privilege escalation to root, e.g. by modifying a setuid binary or /etc/passwd that the attacker can only read
# Check kernel version (only meaningful for mainline kernels; distribution kernels backport the fix under an older version string, so check the package changelog there instead)
uname -r

Fix: Patch kernel (fixed upstream in 4.8.3 / 4.7.9 / 4.4.26, and in the corresponding distribution updates)

Zero-Day Vulnerabilities

A vulnerability that is unknown to the vendor — no patch exists.

Timeline:
Day 0: Vulnerability discovered (by researcher or attacker)
Day 0+: Actively exploited (zero-day exploit in the wild)
Day N: Vendor notified / discovers
Day N+patch: Patch released and deployed

Window of exposure = time between discovery and patch deployment
Source                 Action
Researcher (ethical)   Responsible disclosure → CVE assigned → patch
Nation-state / crime   Weaponize silently, sell on exploit markets
Bug bounty             Paid disclosure to vendor

Zero-day brokers: Zerodium, Crowdfense — buy/sell exploits.

Defenses (no patch exists):

- Virtual patching via WAF / IPS rules
- Network segmentation (limit blast radius)
- Behavioral EDR (detect anomalous behavior, not signatures)
- Threat intel feeds (early warning)
- Principle of least privilege (limit what can be exploited)

Other Application Vulnerabilities

Vulnerability             Description
Use-after-free            Accessing memory after it's been freed; the allocator reuses the chunk, so attacker-controlled data is read back as the stale object → code execution
NULL pointer dereference  Accessing address 0x0 → crash (DoS); exploitable where the zero page can be mapped
Format string             printf(user_input): user controls format specifiers → memory read (%x, %s) or write (%n); the fix is printf("%s", user_input)
Insecure deserialization  Untrusted data deserialized → object injection, RCE
Hardcoded credentials     API keys, passwords embedded in source code (and kept in the repository history after removal)
Missing input validation  Trusting client-supplied data without validation or sanitization