Tim Morgan

Founder and Chief Technology Officer at DeepSurface Security

Tim Morgan is the founder and CTO of DeepSurface Security, where he designed an innovative risk-based vulnerability management product that helps security teams gain a much deeper understanding of the complex relationships present in their digital infrastructures. After beginning his career as a software developer, he transitioned to application security and vulnerability research and, over the last 24 years, has worked as a penetration tester, digital forensics researcher and application security expert.

In addition to his day-to-day work, Tim has presented his independent research on Windows registry forensics, XML external entities attacks, web application timing attacks, and practical application cryptanalysis at conferences such as DFRWS, OWASP’s AppSec USA, BSidesPDX, and BlackHat USA.

Presentation Abstract

How Automating CVE Analysis Led to Dozens of New DLL Hijacking Flaws

As any seasoned security professional knows, many published security vulnerabilities and attacks are over-hyped. What makes something newsworthy is not always that it poses a significant risk to most organizations. One type of attack technique that often fails to receive enough attention is DLL sideloading (or DLL hijacking). Due to their widespread nature and the ease of exploit development, these flaws are unappreciated gems for digital adversaries.

The DeepSurface research team regularly analyzes thousands of CVEs to understand how they impact customer environments. To save time analyzing one particular class of flaw, we developed a tool that automatically identifies Windows services vulnerable to DLL sideloading. We were surprised to find that a shocking number of Windows services are vulnerable to these attacks in real-world deployments.

In this talk, we provide an overview of DLL sideloading, the variety of ways it can be exploited, and just how big a problem it is, based on our analysis of several customer environments. We conclude with a discussion of how to detect and defend against these issues.