13 common protocols & their vulnerabilities
There are 65,535 logical ports, and some of them carry well-known services. In this post I'll be talking about 13 of those services, as well as the vulnerabilities peculiar to each of them.
1. ARP
Address Resolution Protocol (ARP) is a network protocol used by the Internet Protocol to map IP addresses to the MAC addresses of devices. It operates at the Data Link Layer of the OSI model (hence why it has no port number) and is used mainly when IPv4 runs over Ethernet.
It allows networked devices to query which host is currently assigned a particular IP address. Sometimes hosts or devices also announce this information without being asked.
Vulnerability
ARP Poisoning
This occurs when an attacker abuses weaknesses in ARP to corrupt the MAC-to-IP address "resolution" of hosts on the network. Because ARP has no authentication, an attacker can answer an ARP request that was not meant for them: for example, if a computer requests the MAC address of another computer on the network, the attacker can respond and the first computer will accept that response as genuine.
Man-In-The-Middle (MITM)
The attacker sends out forged ARP replies for a certain IP address, usually the subnet's default gateway. As a result, the victims' ARP caches are filled with the attacker's MAC address rather than the MAC address of the local router, and the victim workstations send their network traffic to the attacker instead. With tools like Ettercap, the attacker can act as a proxy, reading or altering data before forwarding it to its intended destination. Everything may look normal to the victim.
Denial-of-Service (DoS)
This aims to prevent genuine users from accessing network resources. A threat actor sends ARP response packets that intentionally map a high volume of IP addresses to a single MAC address, eventually overloading the victim system. This sort of attack, also known as ARP flooding, can be used to attack switches, potentially affecting the entire network's performance.
Session Hijacking
This attack is similar to an MITM attack, except that the attacker does not simply relay packets from the victim system to their intended destination; instead, the attacker steals a valid TCP sequence number or web cookie from the victim and uses it to impersonate them. If the victim is signed in to an account, this can give the attacker full access to it.
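As an added example (not code from the original post), here is a small passive ARP monitor in Python that flags the two conditions described above: an IP whose MAC changes (poisoning) and a single MAC that claims many IPs (flooding). The replies, addresses and the trusted gateway entry are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a passive sniffer would see them
# (not real capture data). Each tuple is (sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:55"),    # the real gateway answers
    ("192.168.1.10", "aa:bb:cc:dd:ee:01"),
    ("192.168.1.1", "de:ad:be:ef:00:01"),    # gateway IP now claimed by another MAC
    ("192.168.1.20", "de:ad:be:ef:00:01"),
    ("192.168.1.21", "de:ad:be:ef:00:01"),
    ("192.168.1.22", "de:ad:be:ef:00:01"),   # one MAC claiming many IPs
]

# Assumed static binding for the gateway so detection does not rely on
# "first reply seen wins" for the most important address on the subnet.
TRUSTED_BINDINGS = {"192.168.1.1": "00:11:22:33:44:55"}

def analyze_arp_replies(replies, trusted=None, flood_threshold=3):
    """Return a list of alerts:
    ("ip_mac_change", ip, old_mac, new_mac)  - possible ARP poisoning
    ("mac_claims_many_ips", mac, count)      - possible ARP flooding
    Bindings in `trusted` are authoritative; otherwise the first binding seen
    for an IP is treated as the legitimate one. flood_threshold should be
    tuned: routers and VM hosts legitimately answer for several IPs."""
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac
        elif known != mac:
            alerts.append(("ip_mac_change", ip, known, mac))
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) >= flood_threshold:
            alerts.append(("mac_claims_many_ips", mac, len(ips)))
    return alerts

if __name__ == "__main__":
    for alert in analyze_arp_replies(SAMPLE_ARP_REPLIES, TRUSTED_BINDINGS):
        print(alert)
```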
2. DNS
The Domain Name System (DNS) is a hierarchical and decentralized naming system for computers connected to the Internet or other Internet Protocol networks. The DNS's resource records link domain names to other types of data.
Vulnerability
DNS Tunneling
DNS tunneling is a client-server technique that uses the DNS protocol to tunnel malware files and other data.
A domain, such as badsite.com, is registered by the attacker.
The name server for the domain points to the attacker's server, where the tunneling malware runs.
DNS Flooding
DNS flood attacks involve flooding a server with UDP packets carrying the DNS protocol: malicious actors send a high volume of forged DNS request packets from many different source IP addresses.
The destination server starts responding to these requests, but the sheer volume exhausts its available resources, making it impossible for genuine users to use the service.
DNS Spoofing
DNS spoofing, also known as DNS cache poisoning, is a method of redirecting online traffic to a fake site that imitates the intended destination. Users are prompted to log into their accounts once they arrive at the phony site.
This lets the threat actor collect the victims' access credentials, along with any other sensitive information entered into the bogus login form. These malicious websites are also frequently used to infect end users' computers with viruses or worms, giving the threat actor long-term access to the machine and any data it stores.
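The DNS tunneling pattern above leaves a recognisable trace in query logs: many long, high-entropy, rarely repeated subdomains under one registered domain. As an added example (not from the original post), this Python heuristic scores a constructed DNS query log; the log lines, thresholds and the badsite.com subdomains are made up.

```python
import math
from collections import defaultdict

# Constructed DNS query log (not real traffic): "<client_ip> <qname>" per line.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 aGVsbG8gd29ybGQgdGhpcyBpcw.badsite.com
10.0.0.7 YW4gZXhmaWx0cmF0ZWQgZmlsZQ.badsite.com
10.0.0.7 IGNodW5rIG51bWJlciB0aHJlZQ.badsite.com
10.0.0.7 IGNodW5rIG51bWJlciBmb3Vy12.badsite.com
10.0.0.9 cdn.example.com
"""

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_tunneling_candidates(log_text, min_unique=3, min_label_len=20, min_entropy=3.5):
    """Group queries by registered domain and return {domain: count} for
    domains with at least min_unique distinct subdomain strings that are both
    long and high-entropy (encoded payloads rather than human-chosen names).
    The 'last two labels' rule for the registered domain is a simplification;
    production code should use a public-suffix list (e.g. for co.uk)."""
    per_domain = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _client, qname = line.split()
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue            # bare registered domain, nothing to encode in
        domain = ".".join(labels[-2:])
        per_domain[domain].add(".".join(labels[:-2]))
    flagged = {}
    for domain, subs in per_domain.items():
        suspicious = [s for s in subs
                      if len(s) >= min_label_len and shannon_entropy(s) >= min_entropy]
        if len(suspicious) >= min_unique:
            flagged[domain] = len(suspicious)
    return flagged
```

Tune the thresholds against your own baseline: CDNs and some anti-spam services also emit long hashed labels, so treat a hit as a lead for investigation, not proof.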
3. FTP
The File Transfer Protocol (FTP) is a standard communication protocol for transferring files from one host to another; it is built on a client-server model.
Vulnerability
Anonymous Authentication
Anonymous authentication is an FTP weakness that allows anyone to log in anonymously, or with just an FTP username, to access files on the FTP server. When credentials are used, they are also sent in plaintext rather than encrypted.
CVE-2022-29332
This is a directory traversal vulnerability in the D-Link DIR-825 AC1200 R2.
An attacker can set the FTP server folder to a path such as "../../../../", which points the FTP share at the router's root folder.
The whole router file system then becomes accessible through the FTP server.
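As an added example (not from the original post or the router's firmware), here is the path-handling bug class behind that CVE in Python, beside the hardened form: the vulnerable function glues the client path onto the share root before normalising it, while the safe one resolves the path inside a virtual root first, as a chroot would. The share root /srv/ftp is assumed.

```python
import posixpath

# Assumed share root for the example (the router's real path is not on the page).
FTP_ROOT = "/srv/ftp"

def vulnerable_resolve(requested):
    """The bug class: the client-supplied path is concatenated onto the share
    root and only then normalised, so every '..' climbs out of the share."""
    return posixpath.normpath(FTP_ROOT + "/" + requested)

def safe_resolve(requested, cwd="/"):
    """Interpret the client path inside a virtual '/' first (so '..' can never
    go above it), then map it under the share root and confirm the result
    still lies inside the share."""
    virtual = posixpath.normpath(posixpath.join(cwd, requested))
    if not virtual.startswith("/"):
        virtual = "/" + virtual
    real = posixpath.normpath(posixpath.join(FTP_ROOT, virtual.lstrip("/")))
    # normpath has already collapsed every '..' against the virtual root, so
    # this check is a second line of defence against future logic changes.
    if posixpath.commonpath([FTP_ROOT, real]) != FTP_ROOT:
        raise PermissionError(f"path escapes share root: {requested!r}")
    return real

if __name__ == "__main__":
    print(vulnerable_resolve("../../../../etc/passwd"))   # leaves the share
    print(safe_resolve("../../../../etc/passwd"))         # clamped to the share
```

Symlinks inside the share can still point outside it, so a real server must also check the target with os.path.realpath on the live filesystem.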
4. HTTP
HTTP stands for HyperText Transfer Protocol; it is the standard application-level protocol for transferring files over the Internet, most visibly through web browsers.
Vulnerability
Command Injection
An injection occurs when an attacker exploits insecure code to introduce (inject) their own input into a program so that it is interpreted as code or commands.
Because the web application cannot distinguish the injected code from its own, an attacker can craft injections that grant access to restricted files on the system.
LDAP injections, command injections, CRLF injections, and SQL injections are all examples of injections.
Broken Access Control
Access controls ensure a user cannot perform operations beyond their permission.
Failures in this area result in unauthorized disclosure, alteration or destruction of data, including the execution of functions outside the scope of permission intended for the user.
Server-Side Request Forgery
A server-side request forgery (SSRF) issue arises when a web application obtains a remote resource without validating the user-supplied URL.
It allows an attacker to make the application send a forged request to an unexpected destination, even one protected by a firewall, VPN or other network access control.
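The SSRF description above turns on one missing step: validating the user-supplied URL before the server fetches it. As an added example (not from the original post), this Python validator checks the scheme, rejects embedded credentials and IP literals, enforces a host allowlist and confirms every resolved address is public. The hostnames, the allowlist and the stand-in DNS table are constructed so it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline; real code would use
# socket.getaddrinfo. Names and addresses are made up for the example.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "internal.example.com": ["10.0.0.5"],
    "metadata-alias.example.com": ["169.254.169.254"],  # allowlisted name, bad record
}
# Names the application is meant to fetch from (assumed allowlist).
ALLOWED_HOSTS = {"images.example.com", "metadata-alias.example.com"}

def is_public_address(addr):
    """True only for addresses that are neither private, loopback, link-local,
    multicast, reserved nor unspecified."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def looks_like_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def validate_fetch_url(url, allowed_hosts=ALLOWED_HOSTS, resolve=FAKE_DNS.get):
    """Return url if it is safe to fetch, otherwise raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("URL has no host")
    if looks_like_ip(host):
        raise ValueError("IP literals are not allowed")
    if host not in allowed_hosts:
        raise ValueError(f"host not in allowlist: {host}")
    addrs = resolve(host) or []
    if not addrs or not all(is_public_address(a) for a in addrs):
        raise ValueError(f"{host} resolves to a non-public address")
    return url
```

DNS answers can change between the check and the connection (rebinding), so real code should connect to the address it validated and re-run the check on every redirect.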
5. IMAP
The Internet Message Access Protocol (IMAP) is an Internet standard protocol for retrieving email messages from a mail server over a TCP/IP connection by email clients.
Vulnerability
CVE-2021-44143
In isync 1.4.0 through 1.4.3, a problem was discovered in mbsync.
A malicious or compromised IMAP server can use a crafted mail message with no headers (i.e. one that starts with an empty line) to cause a heap overflow, which could be abused for remote code execution because of an unchecked condition.
6. POP3
The Post Office Protocol (POP) is an application-layer Internet standard protocol for retrieving email from a mail server.
POP3 is the most widely used variant, and it is used in conjunction with IMAP to retrieve emails.
Vulnerability
CVE-2021-43503
In Laravel 5.8.38, an unserialize POP (property-oriented programming) chain via (1) __destruct in Routing\PendingResourceRegistration.php, (2) __call in Queue\Capsule\Manager.php, and (3) __invoke in mockery\library\Mockery\ClosureWrapper.php leads to a Remote Code Execution (RCE) vulnerability.
CVE-2021-38084
A bug was found in the POP3 component of Courier Mail Server before 1.1.5.
After the POP3 STLS command, meddler-in-the-middle attackers can pipeline commands, introducing plaintext commands into an encrypted user session.
7. RDP
The Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that allows a user on one computer to connect to another computer over a network using a graphical interface.
The user runs RDP client software, while the remote machine requires RDP server software.
Vulnerability
Port Access
Port access is unrestricted. Port 3389 is almost always used for RDP connections, so attackers can presume this is the port in use and target it with on-path and other attacks.
Poor user credentials
Most desktop computers are password protected, and users can pick whatever password they like.
The issue is that the same password is frequently used for both local and remote RDP logins.
Companies rarely monitor these credentials to ensure their strength, leaving remote connections vulnerable to brute-force or credential-stuffing attacks.
CVE-2020-0610
A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.
8. SMB
The Server Message Block (SMB) protocol is a network file sharing protocol that enables computer applications to read and write files as well as request services from server programs in a computer network.
Vulnerability
CVE-2020-25719
This is a flaw in Samba's implementation of Kerberos name-based authentication when it acts as an Active Directory Domain Controller.
If the Samba AD DC did not strictly require a Kerberos PAC and always use the SIDs it contains, it could become confused about which user a ticket represents.
This can result in complete compromise of the domain.
CVE-2022-29281
Before version 1.9.0-beta.8, clicking on a link did not properly prevent executable files from being opened.
The file URI scheme was not being validated properly.
As a result, a hyperlink to an SMB share could execute an arbitrary program (or, because the application resolves UNC paths, leak NTLM credentials via an SMB relay attack).
9. SMTP
The Simple Mail Transfer Protocol (SMTP) is the Internet standard communication protocol for electronic mail transmission.
Mail servers and other message transfer agents use SMTP to send and receive mail messages.
Vulnerability
CVE-2020-7247
smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field.
The "uncommented" default configuration is affected.
The problem arises from an incorrect return value when input validation fails.
CVE-2020-2232
In Jenkins Email Extension Plugin 2.72 and 2.73, the SMTP password is transmitted and displayed in plain text as part of the global Jenkins configuration form, potentially exposing it.
10. SNMP
The Simple Network Management Protocol (SNMP) is an Internet Standard protocol for gathering and organising information about managed devices on IP networks, as well as changing that information to change device behaviour.
Vulnerability
CVE-2021-42372
In XoruX LPAR2RRD and STOR2RRD before 7.30, a shell command injection in the HW Events SNMP community allows authenticated attackers to execute arbitrary shell commands as the user operating the service.
CVE-2020-15862
Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB allows arbitrary commands to be run as root.
11. SSH
Secure Shell (SSH) is a secure alternative to Telnet that makes communication with, and connections to, remote systems possible.
Vulnerability
CVE-2002-1645
A buffer overflow in the URL catcher functionality of the SSH Secure Shell for Workstations client 3.1 to 3.2.0 allows remote attackers to execute arbitrary code via a long URL.
CVE-2011-0766
The crypto application before 2.0.2.2 and the ssh application before 2.0.5, as used in the Erlang/OTP ssh library before R14B03, use predictable seeds based on the current time, making it easier for remote attackers to guess DSA host keys and SSH session keys.
12. Telnet
Telnet is an application protocol that uses a virtual terminal connection to offer bidirectional interactive text-oriented communication via the Internet or a local area network.
Vulnerability
CVE-2000-1195
The telnet daemon (telnetd) in the Linux netkit package before netkit-telnet-0.16 allows remote attackers to bypass authentication when the -L command line option is used.
CVE-2007-0956
Similar to CVE-2007-0882, the telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote attackers to bypass authentication and obtain system access by using a username that starts with a '-' character.
13. VNC
VNC (Virtual Network Computing) is remote-control software that lets you operate another computer over the Internet.
Vulnerability
CVE-2004-1750
RealVNC 4.0 and earlier allows remote attackers to cause a denial of service (crash) via a large number of connections to port 5900.
CVE-2006-2369
RealVNC 4.1.1, and other products that use RealVNC such as AdderLink IP and Cisco CallManager, allow remote attackers to bypass authentication by sending a request with an insecure security type such as "Type 1 - None", which is accepted even if the server does not offer it, as demonstrated previously with a long password.
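The CVE-2006-2369 bypass above lives in one step of the RFB security handshake: the server lists the security types it offers, the client answers with a single type byte, and the server must reject a choice it never offered. As an added example (not RealVNC's code), this Python sketch builds both sides' messages with RFB 3.8 framing assumed; strict=False reproduces the flawed behaviour class beside the corrected check.

```python
import os
import struct

SEC_NONE, SEC_VNC_AUTH = 1, 2           # RFB security types: None, VNC Authentication
SECURITY_RESULT_OK = struct.pack(">I", 0)

def build_security_types(offered):
    """Server -> client: a count byte followed by one byte per offered type."""
    return struct.pack("B", len(offered)) + bytes(offered)

def parse_security_types(data):
    """Client side: return the list of types the server offered, or raise if
    the server offered none (it then sends a length-prefixed reason string)."""
    count = data[0]
    if count == 0:
        (reason_len,) = struct.unpack(">I", data[1:5])
        raise ConnectionError(data[5:5 + reason_len].decode("latin-1"))
    return list(data[1:1 + count])

def security_failure(reason):
    """RFB 3.8 SecurityResult 'failed' (1) followed by a length-prefixed reason."""
    return struct.pack(">I", 1) + struct.pack(">I", len(reason)) + reason

def handle_client_choice(offered, choice, strict=True):
    """Server side: validate the client's one-byte choice and return
    (accepted, next_message_to_client).
    strict=False mirrors the flaw class behind CVE-2006-2369: the client's
    type is honoured even if it was never offered, so choosing 'None'
    skips VNC Authentication entirely."""
    if len(choice) != 1:
        return False, security_failure(b"malformed security-type choice")
    chosen = choice[0]
    if strict and chosen not in offered:
        return False, security_failure(b"security type not offered")
    if chosen == SEC_NONE:
        return True, SECURITY_RESULT_OK          # no authentication at all
    if chosen == SEC_VNC_AUTH:
        return True, os.urandom(16)              # 16-byte challenge follows
    return False, security_failure(b"unsupported security type")

if __name__ == "__main__":
    offered = [SEC_VNC_AUTH]                     # server requires a password
    print(handle_client_choice(offered, b"\x01"))               # rejected
    print(handle_client_choice(offered, b"\x01", strict=False)) # the bug
```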