PrepAway - Latest Free Exam Questions & Answers

which of the following processes was MOST likely exploi…

A systems administrator is reviewing the following information from a compromised server:

Given the above information, which of the following processes was MOST likely exploited via a remote buffer overflow attack?

A.
Apache

B.
LSASS

C.
MySQL

D.
TFTP

Explanation/Reference:

7 Comments on “which of the following processes was MOST likely exploi…

  1. Pointer Dereference
    A pointer is an object used in most programming languages that "points to" another
    value in memory. Unlike a variable, a pointer references a memory location. When a
    pointer accesses the stored value, this is known as a pointer dereference. If a bad actor can
    get a pointer to point incorrectly, a dereference can cause havoc in the code. For example,
    a null pointer dereference is a common way to try to force a buffer overflow. The impact
    of this vulnerability is the same as previously mentioned.
  2. JayWalkerIT says:

    B and D both have DEP which in theory should prevent a buffer overflow attack from succeeding.

    That leaves Apache and MySQL. MySQL is connected only to the loopback address, and the question specifies it’s a remote attack. Apache is connected to a remote address and I believe this is the correct answer (A).
    1. certifist says:

      The answer is correct, it is A. But the DEP in this case is useless info, because Data Execution Prevention is there to prevent local execution, not something coming from a remote server.
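The reasoning in the two comments above (rule out anything bound only to loopback, then weigh whether DEP is enabled) can be written down as a small triage script. The example below is added here and is not part of the original page or the exam; since the compromised-server table is not reproduced on this page, the connection listing is a constructed sample whose local addresses and DEP flags follow the details quoted in the comments, and the remote addresses are assumed values. Note that DEP applies to the process's memory regardless of where the input came from, and it is a mitigation that raises the bar rather than a guarantee, so the script treats a missing DEP as one risk factor, not a disqualifier.

```python
from ipaddress import ip_address

# Constructed sample listing (not the exam's table, which is not on this page).
# Local addresses and DEP flags follow the comments above; remote addresses
# are assumed values. Format: process, local address, remote address, DEP on?
SAMPLE_CONNECTIONS = [
    {"process": "Apache", "local": "0.0.0.0",      "remote": "203.0.113.5",  "dep": False},
    {"process": "LSASS",  "local": "0.0.0.0",      "remote": "192.168.1.20", "dep": True},
    {"process": "MySQL",  "local": "127.0.0.1",    "remote": "127.0.0.1",    "dep": False},
    {"process": "TFTP",   "local": "192.168.1.10", "remote": "192.168.1.10", "dep": True},
]


def is_remotely_exposed(conn):
    """A socket bound to loopback, or whose peer is loopback, can only be
    reached from the same host, so it is not a remote-attack candidate."""
    local = ip_address(conn["local"])
    remote = ip_address(conn["remote"])
    return not (local.is_loopback or remote.is_loopback)


def risk_factors(conn):
    """Return the reasons this process could be a remote overflow target."""
    reasons = []
    if is_remotely_exposed(conn):
        reasons.append("reachable from a remote host")
    if not conn["dep"]:
        reasons.append("DEP disabled: injected data on the stack/heap is executable")
    return reasons


def rank_candidates(conns):
    """Keep only remotely exposed processes and order them so the one with
    the most risk factors (exposed and without DEP) comes first.  sorted()
    is stable, so ties keep the listing order."""
    exposed = [c for c in conns if is_remotely_exposed(c)]
    return sorted(exposed, key=lambda c: len(risk_factors(c)), reverse=True)


if __name__ == "__main__":
    for conn in rank_candidates(SAMPLE_CONNECTIONS):
        print(conn["process"], "->", "; ".join(risk_factors(conn)))
```

Run as-is the script lists Apache first (exposed and no DEP), then LSASS and TFTP (exposed but DEP-protected); MySQL never appears because it only talks to 127.0.0.1. The same two checks are what a responder would apply to a real `netstat`-style listing when deciding which service to pull memory and logs from first.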
  3. meac says:

    A few things to consider:
    • The TFTP service uses a memory buffer to store data during a file transfer. The default buffer size is 4 KB. It can also suffer from a buffer-overflow attack.
    • Local IP addresses refer to the IP addresses of adapters on the server itself.
    • Remote IP addresses are the source IP addresses from which the traffic came.
    • Data Execution Prevention (DEP) is a security feature that can help prevent damage to your computer from viruses and other security threats. Harmful programs can try to attack Windows by attempting to run (also known as execute) code from system memory locations reserved for Windows and other authorized programs.
    • Now, this attack is "remote".
    • The local addresses for the following appear as normal and point to the loopback: LSASS 0.0.0.0, APACHE 0.0.0.0 and MYSQL 127.0.0.1
    • The only odd one out is 192.168.1.10. This IP is at times the default IP for some routers.
    • It is also an IP used quite frequently by hackers.
    So TFTP is using an IP address of 192.168.1.10, which is a default for routers and frequently used by hackers to perform remote hacks. Put that together and I think it is D - TFTP