For example, it is possible that someone could spread malware with an insecure WiFi access point, but I don't realize how sending a bunch of network packets can result in a compromised computer if the transferred malicious code can't be explicitly (i.e. allowed by the user) executed.

Can you refer me to a description of how this normally happens in reality? I consider only cases where the computer user doesn't realize there is something wrong going on inside it, and those which are related to code execution.

M. Kalter

2 Answers

A bunch of network packets does not usually result in code execution. It can, though, result in code execution if the software dealing with these packets (i.e. the OS kernel, a specific driver or some application which gets fed the payload) improperly handles the data. Improperly typically means having specific expectations about the data but not ensuring that these expectations are actually met.

Some examples of such attacks at various levels of the software stack:

Steffen Ullrich
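As an added illustration of the "expectations not enforced" point in the answer above (example code, not from the answer's author): a hypothetical length-prefixed message parser in which every network-supplied field is checked before it drives a read or a copy. The wire format, `MAX_PAYLOAD` and the error codes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical wire format (constructed for this example):
 *   byte 0      : version (must be 1)
 *   byte 1      : message type
 *   bytes 2..3  : payload length, big-endian
 *   bytes 4..   : payload
 */
#define MAX_PAYLOAD 64

enum parse_status {
    PARSE_OK = 0,
    PARSE_ERR_SHORT_HEADER = -1,   /* fewer than 4 bytes received */
    PARSE_ERR_BAD_VERSION  = -2,
    PARSE_ERR_LEN_TOO_BIG  = -3,   /* claimed length exceeds our buffer */
    PARSE_ERR_TRUNCATED    = -4    /* claimed length exceeds bytes actually received */
};

struct message {
    uint8_t type;
    uint16_t len;
    uint8_t payload[MAX_PAYLOAD];
};

/* Each field that arrives from the network is validated before it is used
 * as a size or copy length. Dropping any one of these checks is exactly the
 * "expectation not enforced" that turns packet handling into code execution. */
int parse_message(const uint8_t *pkt, size_t pkt_len, struct message *out)
{
    if (pkt_len < 4)
        return PARSE_ERR_SHORT_HEADER;     /* header fields would be read out of bounds */
    if (pkt[0] != 1)
        return PARSE_ERR_BAD_VERSION;

    uint16_t claimed = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (claimed > MAX_PAYLOAD)              /* never copy more than the destination holds */
        return PARSE_ERR_LEN_TOO_BIG;
    if (claimed > pkt_len - 4)              /* never read past what was actually received */
        return PARSE_ERR_TRUNCATED;

    out->type = pkt[1];
    out->len = claimed;
    memcpy(out->payload, pkt + 4, claimed); /* bounded by both checks above */
    return PARSE_OK;
}
```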
If it's really a bunch of network packets, the target computer has to be somehow vulnerable: there has to be something that interprets these packets in a way it's not supposed to. The requirements for such vulnerabilities would be:

  • Vulnerability Type: Execute arbitrary code on vulnerable system.
  • Access Vector: Network (Remote).
  • Authentication: Not required.

We can combine these requirements into a CVE Vulnerability Search to see what kind of monsters they are. The vulnerable piece can be your operating system, the network adapter drivers, any program that listens for connections... The attacks are most likely opportunistic and automated.

Another way to inject malware on insecure (WiFi) networks is a man-in-the-middle attack (MITM). That's not sending a bunch of network packets, but replying to something you requested: the access vector is not the network – it's you.

  • If you are downloading a file on an unencrypted connection, someone can replace it with their malware. They can also try to downgrade your connection, e.g. by using SSLstrip methods.
  • It's not necessarily you who starts the download: some automatic update can be poorly designed etc.
  • The modified content could be targeted against a browser vulnerability: no need to run an executable.
Esa Jokinen