Hacker News new | ask | show | jobs
by tux3 695 days ago
Having spent time reverse-engineering Crowdstrike Falcon, a lot of funny things can happen if you feed it bad input.

But I suspect they don't have much motivation to make the sensor resilient to fuzzing, since the thing's a remote shell anyways, so they must think that all inputs are absolutely trusted (i.e. if any malicious packet can reach the sensor, your attackers can just politely ask to run arbitrary commands, so might as well assume the sensor will never see bad data..)
3 comments
weinzierl 695 days ago
"that all inputs are absolutely trusted"

This is something funny to say when the inputs contain malware signatures, which are essentially determined by the malware itself.

I mean, how hard would it be to craft a malware that has the same signature as an important system file? Preferably one that doesn't cause immediate havoc when quarantined, just a BSOD after reboot, so it slips through QA.

Even if the signature is not completely predictable, the bad guys can try as often as they want and there would not even be way to detect these attempts.

link
lmm 695 days ago
> malware signatures, which are essentially determined by the malware itself.

No they're not. The tool vendor decides the signature, they pick something characteristic that the malware has and other things don't, that's the whole point.

> how hard would it be to craft a malware that has the same signature as an important system file?

Completely impossible, unless you mean, like, bribe one of the employees to put the signature of a system file instead of your malware or something.

link
weinzierl 695 days ago
The tool vendor decides the signature

Sure, but they do it following a certain process. It's not that CrowdStrike employees get paid to be extra creative in their job, so you likely could predict what they choose to include in the signature.

In addition to that, you have no pressure to get it right the first time. You can try as often as you want and analyzing the updated signatures you even get some feedback about your attempts.

link
lmm 694 days ago
> Sure, but they do it following a certain process.

Which is going to include checking that it doesn't match any OS files.

> You can try as often as you want and analyzing the updated signatures you even get some feedback about your attempts.

As others said, probably only if you can reverse a hash function.

link
GONE_KLOUT 695 days ago
Please more details. What do you mean with "is a remote shell anyways"? thanks!
link
tux3 695 days ago
Falcon has a feature called "Real Time Response". The sensor is in contact with a server with which it exchanges events serialized in protobuf.

One of the event you can get from the Crowdstrike server runs an arbitrary shell command.

https://www.crowdstrike.com/tech-hub/endpoint-security/the-p...

link
blacklion 695 days ago
How can THIS pass any sane Audit?!

Like, «We require that your employees opens only links on white list, and social networks cannot be put on this list, and we require managed antivirus / firewall solution, but we are Ok that this solution has backdoor directly for 3rd party organization»?

It is crazy. All these PCI DSS and SOC2 looks like a comedy if they allow such things.

link
mdip 695 days ago
At a former employer of about 15K employees, two tools come to mind that allowed us to do this on every Windows host on our network[0].

It's an absolute necessity: you can manage Windows updates and a limited set of other updates via things like WSUS. Back when I was at this employer, Adobe Flash and Java plug-in attacks were our largest source of infection. The only way to reliably get those updates installed was to configure everything to run the installer if an old version was detected, and then find some other ways to get it to run.

To do this, we'd often resort to scripts/custom apps just to detect the installation correctly. Too often a machine would be vulnerable but something would keep it from showing up on various tools that limit checks to "Add/Remove Programs" entries or other mechanisms that might let a browser plug-in slip through, so we'd resort various methods all the way down to "inspecting the drive directory-by-directory" to find offending libraries.

We used a similar capability all the way back in the NIMDA days to deploy an in-house removal tool[1]

[0] Symantec Endpoint Protection and System Center Configuration Manager

[1] I worked at a large telecom at that time -- our IPS devices crashed our monitoring tool when the malware that immediately followed NIMDA landed. The result was a coworker and I dissecting/containing it and providing the findings to Trend Micro (our A/V vendor at the time) maybe 30 minutes before the news started breaking and several hours before they had anything that could detect it on their end.

link
jasonladuke0311 694 days ago
At ring 0 I assume. Not that it would matter, I imagine privesc would be fairly trivial.
link
baq 695 days ago
It's an interface to the ring 0 kernel module. Everything is a remote shell if it can talk to ring 0.
link
morpheuskafka 691 days ago
Hilariously, my last employer was switching to Crowdstrike a few months ago when my contract ended. We previously used Trellis which did not have any remote control features beyond network isolation and pulling filesystem images. During the Crowdstrike onboarding, they definitely showed us a demo of basically a virtual terminal that you could access from the Falcon portal, kind of like the GCP or AWS web console terminals you can use if SSH isn't working.
link
attentive 694 days ago
it's a root-kit with RCE and C&C is CS headquarters.
link
tempaway4575144 695 days ago
That approach only makes sense if trusted inputs are tested
link