Advanced Windows 2000 Security (II)


Advanced Windows NT/2000 Security (II)
Beyond The User Command Shell…
Into The Trusted Computing Base!
Nishad Herath
COVERT Labs of PGP Security
Copyright (C) 2000, Network Associates Technology Inc.

The Playing Field
Windows NT/2000 systems with security vulnerabilities that
could lead to arbitrary code execution at elevated privileges,
either directly or indirectly. For example:

Direct arbitrary code execution - buffer overflow conditions in
privileged network services.

Indirect arbitrary code execution - inadequate permissions on
registry keys that belong to privileged applications or privileged
operating system components.

The Game
Rules…

Understand the nature of security vulnerabilities that could
allow arbitrary code execution at elevated privileges.

Understand the array of technologies that can be utilized in
exploiting these vulnerabilities.

Explore the world of possibilities these technologies offer to
potential exploits.

Understand, acknowledge and appreciate the wide-ranging
implications of such exploits on Windows NT/2000 systems.

Goal…

To take necessary measures to minimize, detect and respond
to the security implications of such exploits.

An example: Win32 Buffer Overflows
Buffer overflow vulnerabilities are one of the most direct ways in
which arbitrary code can be executed at elevated privileges.

Aleph1’s article on stack overflows, “Smashing The Stack For Fun And
Profit”, published in Phrack 49.

Solar Designer’s early work on exploiting Win32 buffer overflows.

Dildog’s cDc text, “The Tao of Windows Buffer Overflow”.

Barnaby Jack’s comprehensive and inspirational paper, “Win32 Buffer
Overflows”, published in Phrack 55.

Greg Hoglund’s excellent series of talks on Win32 buffer overflows at
BlackHat Briefings.

“Advanced Windows NT/2000 Security” talk at BlackHat Briefings,
Singapore 2000.

Win32 Payload: Old School
Initially, we saw simple payloads. But progress was rapid…

Upload a Trojan executable into a directory within an IIS website with
executable permissions and execute it via an HTTP request.

Enable the “Guest” user account, change the password and add it to
the “Administrators” group.

Download a Trojan executable from a remote site via HTTP/FTP and
execute it.

Download NetCat from a remote site via HTTP/FTP and execute it, such
that it will bind a command shell (“CMD.EXE”) to a specific TCP port
and listen for inbound connections.

Directly bind a command shell (“CMD.EXE”) to a specific TCP port and
listen for inbound connections.

Win32 Payload: Reverse Command Shell

Code that connects to a specific TCP port listening on a specific
remote machine and binds a command shell (“CMD.EXE”) to it.

Advantageous in situations where router/firewall based access
restrictions are imposed on incoming traffic to hosts.

In most situations, host based or network based intrusion detection
systems are configured to monitor only incoming traffic to hosts.

Attacks are possible where the origin of the attack can be
independent of the location(s) from which the subsequent
exploitations are conducted.

Win32 Payload: Double Payload

“Double-Payload” code that:

Allocates an execution environment within the exploited process
address space or a separate process address space;

Tweaks the execution environment for the secondary payload code;

Connects to a specific TCP port listening on a specific remote
machine;

Fetches the larger, sophisticated secondary payload code from the
remote machine and relocates it in the allocated execution
environment;

Executes the secondary payload code in the allocated execution
environment.

Win32 Payload: Double Payload

The sole purpose of the primary payload code is the successful
retrieval and execution of the secondary payload code.

Advantageous in situations where payload limitations exist,
such as payload size and content restrictions.

Reliance on existing operating system components, such as
“CMD.EXE” in the case of most remote shell exploits, can be
avoided by powerful secondary payload code that is self-sufficient
in functionality.

Potential for a more flexible and versatile mechanism for
exploitation by decoupling the initial exploitation from the
secondary payload.

Win32 Payload: Recycling Payload

Payload that re-uses an existing network connection for further
exploitation, for example a TCP connection that is already
established, which was used for the initial exploitation.

Can be successfully utilized in environments where the tightest
router/firewall based access controls are imposed, on incoming as
well as outgoing traffic.

Combined with “Double-Payload” code, this can result in very
powerful exploits.
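
An added example, not part of the original slides: the reverse command shell and double-payload techniques described above both make the exploited server initiate an outbound TCP session, which monitoring that watches only incoming traffic never sees. The Python below flags server-initiated egress in flow records; the record format, the server subnet, the allow-list and the function names are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed layout (hypothetical): servers sit in 10.0.10.0/24 and only need
# to initiate connections to an internal resolver and a patch server.
SERVER_NET = ipaddress.ip_network("10.0.10.0/24")
EGRESS_ALLOW = {("10.0.0.53", 53), ("10.0.0.80", 8530)}

# Constructed flow records, one per TCP session: "initiator:port > responder:port"
SAMPLE_FLOWS = """\
198.51.100.7:40112 > 10.0.10.5:80
10.0.10.5:1046 > 10.0.0.53:53
10.0.10.5:1047 > 203.0.113.9:4444
10.0.10.8:1201 > 203.0.113.9:80
truncated record
"""

def parse_flow(line):
    """Return (src_ip, dst_ip, dst_port), or None if the record is malformed."""
    try:
        left, right = line.strip().split(" > ")
        src_ip = left.rsplit(":", 1)[0]
        dst_ip, dst_port = right.rsplit(":", 1)
        ipaddress.ip_address(src_ip)   # raises ValueError on a bad address
        ipaddress.ip_address(dst_ip)
        return src_ip, dst_ip, int(dst_port)
    except ValueError:
        return None

def suspicious_egress(flow_text):
    """Sessions initiated by a server to a destination that is not allow-listed."""
    alerts = []
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        src_ip, dst_ip, dst_port = flow
        if ipaddress.ip_address(src_ip) not in SERVER_NET:
            continue  # client-initiated (inbound) session: not this check's job
        if (dst_ip, dst_port) not in EGRESS_ALLOW:
            alerts.append((src_ip, dst_ip, dst_port))
    return alerts

def servers_per_destination(alerts):
    """Group alerts by destination; one remote host drawing several servers stands out."""
    grouped = defaultdict(set)
    for src_ip, dst_ip, _ in alerts:
        grouped[dst_ip].add(src_ip)
    return {dst: sorted(srcs) for dst, srcs in grouped.items()}
```

A recycling payload stays inside the original inbound session, so it produces no record this check would flag; that case needs inspection of the session content itself.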

Beyond The Command Shell…
On compromised systems, malicious activities performed
through user-mode Win32 application code can be detected
with relative ease using modern system integrity and security
tools.

Intrusion detection systems such as CyberCop Monitor
(http://www.pgp.com), which has powerful detection features
against a range of malicious activity within a system.

Products such as Tripwire, which can detect changes to the file
system or changes and inconsistencies in other system
parameters (http://www.tripwire.com).

J.D. Glaser’s papers, tools (http://www.ntobjectives.com) and his
series of talks at BlackHat Briefings on computer forensics.

Into The Trusted Computing Base!
Why violate the TCB (Trusted Computing Base) of a Windows
NT/2000 system?

For advanced stealth capabilities, beyond detection by intrusion
detection and protection agents that trust the integrity and rely
upon the functionality of the core operating system (TCB).

To achieve advanced, system-wide spying capabilities, with the
ability to intercept virtually all important information.

To introduce subtle and complex changes to the core operating
system functionality, in order to fulfill malicious purposes.

To implement stealthy and complex covert communication
channels over normal network communications.

Violating The Trust: Old School
A KMD (Kernel Mode Driver) is used to introduce malicious code
into the TCB, code which violates the integrity of the kernel and
other trusted components of the core operating system.

Greg Hoglund’s excellent paper, “A Real NT Rootkit”, published in
Phrack 55, which demonstrates patching the SeAccessCheck routine
of the kernel SRM (Security Reference Monitor) to bypass access
control checks.

The Rootkit Project (http://www.rootkit.com).

Advanced variations, such as KMDs that patch already loaded
kernel-mode drivers (e.g. NULL.SYS) to host their malicious code,
then unload themselves from the system address space.