Attacker ： Hijack File Content or File Path (RQ1)

VicTim：Use it. (RQ2 & RQ3)

FN Analysis for JERRY.

JERRY only missed one vulnerability, which all other baseline tools also missed. After investigation, we found that the missed vulnerability was CVE-2020-26284 [14], which existed in the file parsing module of the Go language standard library. The vulnerability required parsing specific content and invoking the relevant module to trigger it.

FP/FN Analysis for PrivescCheck and JERRY-Crassus.

We also analyzed the false positives/false negatives in PrivescCheck and JERRY-Crussus. For false positives, PrivescCheck reported 14 false positives, which resulted from its method of scanning the parent directory permissions when encountering an executable. In particular, if the parent directory has weak permissions, it will report a potential FHVuln as a result of DLL hijacking. However, it is possible that the executable is not loading any missing DLLs from that directory, which results in false positives. In addition, JERRY-Crassus checked all the recorded paths after running the software, and reported those with weak permissions, which resulted in seven false positives.

For false negatives, excluding the vulnerability (i.e., CVE-2020-26284) mentioned above that none of the three tools could detect, PrivescCheck failed to detect 30 vulnerabilities in total. 20 of these vulnerabilities resulted from its neglect of certain operations that could cause vulnerabilities, such as reading (10), creating (5), deleting (4), and moving (1). Moreover, PrivescCheck missed one vulnerability (i.e., CVE-2020-15145) because it only scanned the permissions in the installation directories listed in the registry. The remaining nine vulnerabilities were overlooked because it only considered the vulnerabilities during the installation phase. Similarly, JERRY-Crassus missed 13 vulnerabilities, with CVE-2020-26284 excluded. Among them, 10 false positives were reported because the tool did not take into account the impact of creating (5), deleting (4), and moving (1) operations. In addition, it only scanned a limited range of openssl.cnf, resulting in missing 3 out of 10 vulnerabilities related to read operations.

FP Analysis for JERRY.

JERRY has reported 21 false positive issues, all of which are related to read operation. For example, we discovered instances where an program reads file content without utilizing it or where the data is rendered useless. For instance, the Azure CLI leverages the “knack” package to load configuration settings, utilizing a bottom-up search policy to locate the “.azure/config” file. This process involves reading the contents of all identified files during initialization. However, the configuration settings used can be controlled by a parameter, making the content of the configuration file useless. It is worth noting that some configuration files

may not be suitable for Windows systems due to the use of Linux file paths, which may lead to hijacking. Additionally, it is important to mention that certain configurations can only be utilized in Linux systems (e.g.,

C:\etc\gcrypt\fips_enabled).

Case Studies.

We present two examples to demonstrate how the user interface exploration and path inference features of JERRY facilitate the detection of critical FHVulns.

CVE-D.

While testing Visual Studio, the UI Explorer of JERRY initially clicks the button labeled as “Git” and opens a menu list. Subsequently, from the menu list, the UI Explorer selects the item labeled as “Open git in cmd”. Visual Studio then searches for git.exe in CWD, which has weak permissions. JERRY detects this file operation and places a malicious git.exe in CWD. Moreover, it confirms that the malicious git.exe is successfully loaded into Visual Studio. JERRY automatically documents the detailed steps of the entire exploit process, as well as the potential security impacts (i.e., arbitrary code execution) for this vulnerability. We reported this FHVuln along with the generated steps to MSRC and received confirmed feedback quickly. Due to its severity, MSRC rewarded us with $30,000.

CVE-E.

Gem [48] is a package manager of Ruby programming language. While starting up, Gem attempts to access a file or directory with the path C:\ProgramData\gemrc. As the path does not exist, Gem stops to access the file or directory and continues executing the rest of the code. During

testing, JERRY detected this behavior and attempted to create a

malicious file with the path C:\ProgramData\gemrc for Gem. Gem was able to access the file and continued executing the rest of the code. As the rest of the code includes a reading operation, the malicious file was successfully loaded by Gem. Since C:\ProgramData\gemrc contains a URL to the central repositories, this FHVuln affects thousands of software packages built with Ruby. In other words, attackers can hijack links that lead to software package downloads. By redirecting these links to repositories under their control, attackers can plant malicious code in the software within the repositories. This nefarious activity has the potential to cause significant damage to the software supply chain.

The bottom-up search strategy, a software tailored search strategy that led to eight new FHVulns in fundamental software like Git and Dotnet SDK that had gone unnoticed for 18 years, has not received extensive research attention.

Unlike built-in search strategies, this new type of strategy is OS-neutral and also results in eight FHVulns in our real-world experiment results. For instance, the vulnerability illustrated in Fig. 1 remained concealed in Git for 18 years, from the initial release of Git. Another similar FHVuln, CVE-F, was found in Dotnet SDK, which is the core functionality required to create Dotnet projects. Dotnet uses its own search strategies to locate the .config directory from the CWD to the root directory. When Dotnet is executed in a directory without a Dotnet project, it will eventually locates C:\.config, which can be hijacked by the attackers as C:\ is world-writable. By controlling the configuration in C:\.config\dotnet−tools.json, attackers can execute arbitrary code by making Dotnet download malicious tools from websites.

Reading operations result in more FHVulns than before (30.4% vs 7.1%), and they are more dangerous than we think.

Among existing FHVulns, only 7.1% of them involved reading operation, with 89.5% (17/19) of these cases attributed to reading the hijacked openssl.cnf file in OpenSSL library. In contrast, for new FHVulns, the percentage of reading operation is as high as 30.4% (103/339), representing a significant increase. Furthermore, the types of FHVulns involving reading operation in new FHVulns are more diverse than those in existing ones. Hijacking files with reading operation can lead to severe consequences, including arbitrary code execution (as illustrated in example case), URL redirection, and sensitive information disclosure. For example, CVE-B identified by JERRY enables attackers to hijack the settings.dat file, which contains a URL that Chrome uses to transmit diagnostic information to its servers. Attackers can replace the URL with their own URL to obtain the diagnostic information. Thus, reading operation poses greater risks than previously considered and requires more attention in the future.