Types of Target Exploitation
We have learned some of the well-known vulnerabilities that we can exploit to gain access to a target system, such as Bash Shellshock, EternalBlue, and so on. Based on how the attacker communicates with the target during exploitation, those vulnerabilities are classified as remote exploitation. Below is the detailed explanation of both types.

Image source: https://www.wallarm.com/what/what-is-exploit
1. Remote Exploitation

Remote exploitation is a type of exploitation where the attacker tries to gain access to a system over a network. They do not need prior physical access to the vulnerable system. This type of exploitation usually targets services that can be reached through the network, such as SQL databases, web services, and so on.

Examples:

- EternalBlue: exploits a vulnerability in Microsoft Windows SMBv1.
- Log4Shell: remote code execution vulnerability in Apache Log4j 2.
- Bash Shellshock: exploits a vulnerability in the Bash shell.
- Heartbleed: vulnerability in OpenSSL that allows remote attackers to read memory contents, including passwords, from the server.
- Apache Struts RCE: exploits a bug in how Struts handled file uploads to execute malicious code.
2. Local Exploitation

Local exploitation is a type of exploitation performed by an attacker who has already gained prior access or physical access to the vulnerable system, typically as a normal user. Local exploitation is usually done to elevate the attacker's privilege on the target system. It tries to exploit vulnerabilities and misconfigurations in the system so that the attacker can act as the highest-privileged user (root) or read sensitive files that cannot be accessed as a normal user.

Examples:

- Dirty COW: exploits the Linux copy-on-write memory bug to escalate privileges to root.
- Baron Samedit: exploits a heap-overflow vulnerability in the sudo binary while it parses command-line arguments, to escalate privileges to root.
- Spectre & Meltdown: exploit CPU speculative execution to read sensitive kernel memory.
- Windows LPE (Win32k): exploits a bug in the Win32k.sys kernel driver so that the attacker can escalate to the SYSTEM user.
- Polkit pkexec: exploits memory corruption in pkexec for privilege escalation on Linux.
Therefore, when we conduct a penetration test, we usually attempt remote exploitation first if we do not have any access to the server. After we gain access to the server, at least as a normal user, we need to escalate our privilege to root using local exploitation, so that we can access sensitive information on the target system.

Hence, when doing vulnerability mapping, we should not only focus on vulnerabilities that allow us to gain access to the system, but also on those that let us escalate our privilege to the highest-privileged user in the system, so that we can gather more sensitive information from the target.
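The two-phase mapping described above (first the findings that give network access, then the ones that escalate a local user) can be made systematic by keying each finding on how it is reached. The following is an added example, not code from the original post: it goes beyond the text by using the CVSS v3.1 Attack Vector (AV) metric, which the page does not mention, as the signal for "remote" versus "local", and the findings it processes are constructed sample data, not real scan output.

```python
"""Sort findings into the two exploitation types from the text.

Added example. The page does not use CVSS; treating the CVSS v3.1
Attack Vector (AV) metric as the remote/local signal is my assumption,
and the findings below are constructed sample data.
"""
from dataclasses import dataclass

# AV:N (Network) and AV:A (Adjacent) are reachable over a network:
# remote exploitation in the text's terms.
AV_REMOTE = {"N", "A"}
# AV:L (Local) and AV:P (Physical) need prior access to the host:
# local exploitation in the text's terms.
AV_LOCAL = {"L", "P"}


@dataclass
class Finding:
    name: str
    cvss_vector: str  # e.g. "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"


def parse_vector(vector: str) -> dict:
    """Split a CVSS v3.x vector string into a {metric: value} dict.

    Raises ValueError on anything that is not a well-formed v3 vector,
    so a typo in an inventory does not silently land in the wrong phase.
    """
    if not vector.startswith("CVSS:3."):
        raise ValueError(f"unsupported vector: {vector!r}")
    metrics = {}
    for part in vector.split("/")[1:]:
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    if "AV" not in metrics:
        raise ValueError(f"no AV metric in {vector!r}")
    return metrics


def classify(finding: Finding) -> str:
    """Return 'remote' or 'local' following the page's definitions."""
    av = parse_vector(finding.cvss_vector)["AV"]
    if av in AV_REMOTE:
        return "remote"
    if av in AV_LOCAL:
        return "local"
    raise ValueError(f"unknown AV value {av!r} in {finding.name}")


def needs_foothold(finding: Finding) -> bool:
    """True when the finding cannot be used from zero access.

    Local findings always need a foothold; a remote finding with
    PR (Privileges Required) other than N also needs credentials first.
    """
    m = parse_vector(finding.cvss_vector)
    return classify(finding) == "local" or m.get("PR", "N") != "N"


def plan(findings) -> dict:
    """Group finding names into the order the text describes:
    remote exploitation first, then local privilege escalation."""
    phases = {"remote": [], "local": []}
    for f in findings:
        phases[classify(f)].append(f.name)
    return phases


# Constructed sample inventory (names and vectors are made up).
SAMPLE = [
    Finding("sample-smb-rce", "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    Finding("sample-kernel-lpe", "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),
    Finding("sample-webapp-rce", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    Finding("sample-sudo-lpe", "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),
]

if __name__ == "__main__":
    for phase, names in plan(SAMPLE).items():
        print(f"{phase}: {names}")
```

The `needs_foothold` check is the practical payoff: during mapping, anything it flags belongs to the second phase of the engagement no matter how severe its score looks, because it cannot be used until the first phase has produced a normal-user session.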