Network code injection happens when code or data originating from the attacker is passed through the KVM and/or its peripherals to the computer residing on the secret network.
Attack process:
1. The remote attacker gains full or limited access to one (1) connected computer (the first computer).
2. Through that computer, the remote attacker finds a vulnerable connected KVM.
3. Through the KVM, the remote attacker finds a vulnerable connected peripheral device having a mailbox.
4. Through other methods, the remote attacker injects malicious code into the secret network connected to the same KVM through another computer.
5. The attacker then sends code or data to the first computer, where the malicious code transfers that data through the KVM into the connected peripheral device's mailbox.
6. When the KVM is switched to the second (secret) computer, that computer downloads the stored assets from the peripheral device.
7. Items 5 and 6 are repeated at every KVM switching cycle.
8. The second (secret) computer's malicious code uses that data/code to attack the secret network or to distribute attacker payloads.
Rationale:
- T.INFECTED - At least one (1) computer must be infected to initiate this attack.
- T.INVALIDPER - The use of invalid peripheral devices, such as mass storage devices, may support this attack by providing a large mailbox.
- T.DIRTRANSFER - The primary mode of attack is direct transfer of data through a mailbox in the peripheral.
- T.VALIDPER - All qualified peripherals tested had mailbox vulnerabilities.
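The following is an added, constructed model (not code from this page or any KVM vendor) of the mailbox channel in steps 5 and 6 and of the two controls that address the rationale items: peripheral qualification against T.INVALIDPER, and device emulation that forwards only input reports and drops host-to-device writes against T.DIRTRANSFER and T.VALIDPER. The USB class values and device records are assumptions made for the illustration.

```python
# Constructed model of the peripheral-mailbox channel above and of the controls
# that close it. Not vendor code; device classes and records are assumptions.
from dataclasses import dataclass

USB_CLASS_HID, HID_BOOT_SUBCLASS, HID_PROTO_KEYBOARD, HID_PROTO_MOUSE = 3, 1, 1, 2

@dataclass
class Peripheral:
    interfaces: list        # (class, subclass, protocol) per USB interface
    mailbox: bytes = b""    # writable storage that survives KVM switching
    keystrokes: bytes = b""  # input reports the device itself generates

def device_qualified(dev):
    """T.INVALIDPER: admit only a single boot-protocol keyboard or mouse
    interface; storage, hubs and composite devices are refused."""
    if len(dev.interfaces) != 1:
        return False
    cls, sub, proto = dev.interfaces[0]
    return (cls == USB_CLASS_HID and sub == HID_BOOT_SUBCLASS
            and proto in (HID_PROTO_KEYBOARD, HID_PROTO_MOUSE))

class PassthroughKVM:
    """The selected host talks to the physical device directly."""
    def __init__(self, device):
        self.device, self.selected = device, None
    def select(self, host):
        self.selected = host
    def host_write(self, host, data):   # e.g. SET_REPORT or a file write
        if host == self.selected:
            self.device.mailbox = data  # stored; survives the next switch
        return host == self.selected
    def host_read(self, host):          # e.g. GET_REPORT or a file read
        return self.device.mailbox if host == self.selected else None

class IsolatingKVM(PassthroughKVM):
    """T.DIRTRANSFER/T.VALIDPER: hosts see an emulated keyboard; only qualified
    devices enumerate, only input reports flow, writes to the device drop."""
    def host_write(self, host, data):
        return False
    def host_read(self, host):
        if host != self.selected or not device_qualified(self.device):
            return None
        return self.device.keystrokes

def run_transfer(kvm, payload):
    """Steps 5 and 6: infected host stores payload, switch, secret host reads."""
    kvm.select("infected")
    kvm.host_write("infected", payload)
    kvm.select("secret")
    return kvm.host_read("secret")
```

With the passthrough model the secret host reads back exactly what the infected host stored; with the isolating model it receives only the device's own keystroke reports, and an unqualified device is not exposed at all.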