Using a heuristic system to detect an anomaly in a computer’s baseline, a system administrator was able
to detect an attack even though the company signature based IDS and antivirus did not detect it. Further
analysis revealed that the attacker had downloaded an executable file onto the company PC from the USB
port, and executed it to trigger a privilege escalation flaw.
Which of the following attacks has MOST likely occurred?
A.
Cookie stealing
B.
Zero-day
C.
Directory traversal
D.
XML injection
Explanation:
The vulnerability was unknown in that the IDS and antivirus did not detect it. This is zero day vulnerability.
A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is
then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a
zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwantedaccess to user information. The term “zero day” refers to the unknown nature of the hole to those
outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins
for the developer, who must protect users.
Incorrect Answers:
A: In computer science, session hijacking, sometimes also known as cookie hijacking or cookie stealing is
the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized
access to information or services in a computer system. In particular, it is used to refer to the theft of a
magic cookie used to authenticate a user to a remote server. It has particular relevance to web
developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an
attacker using an intermediary computer or with access to the saved cookies on the victim’s computer.
This is not what is described in this question.
C: Directory traversal is a form of HTTP exploit in which a hacker uses the software on a Web server to
access data in a directory other than the server’s root directory. If the attempt is successful, the hacker
can view restricted files or even execute commands on the server.
Although some educated guesswork is involved in finding paths to restricted files on a Web server, a
skilled hacker can easily carry out this type of attack on an inadequately protected server by searching
through the directory tree. The risk of such attacks can be minimized by careful Web server
programming, the installation of software updates and patches, filtering of input from browsers, and the
use of vulnerability scanners. This is not what is described in this question.
D: When a web user takes advantage of a weakness with SQL by entering values that they should not, it is
known as a SQL injection attack. Similarly, when the user enters values that query XML (known as XPath)
with values that take advantage of exploits, it is known as an XML injection attack. XPath works in a
similar manner to SQL, except that it does not have the same levels of access control, and taking
advantage of weaknesses within can return entire documents. The best way to prevent XML injection
attacks is to filter the user’s input and sanitize it to make certain that it does not cause XPath to return
more data than it should. This is not what is described in this question.http://www.pctools.com/security-news/zero-day-vulnerability/
http://en.wikipedia.org/wiki/Session_hijackinghttp://searchsecurity.techtarget.com/definition/directory-traversal
http://searchsecurity.techtarget.com/definition/directory-traversal
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, p. 337