Transcript Presentation on Security Flaws in Windows XP

SECURITY FLAWS IN
WINDOWS XP
Roshan Newa
Saransh Chauhan
About Windows XPerience
 first consumer oriented OS built on Windows




NT kernel
first released on 25 October 2001
Improved GUI, tight integration of application
such as IE and Windows Media player, firewall
much vaunted most secured Windows OS so
far.
40 Million SLOC (Source lines of code)
UPnP
 protocols that allow devices to connect and
communicate seamlessly
 dynamically join a network, obtain an IP
address, announce its name, convey its
capabilities upon request, and learn about the
presence and capabilities of other devices
 used in XP to detect and integrate with UPNP
aware devices by providing a URL for
automatic configuration
UPnP Flaw in XP
 three separate exploits:
 a remote buffer overflow flaw, which can load
remote code into an XP system;
 Denial of Service (DoS)
 Distributed Denial of Service (DDoS) flaws, which
can let intruders use zombie XP systems to flood
Internet servers with bogus requests
UPnP in XP : Buffer Overflow
 The memory registers EAX and ECX are
overwritten causing them to contain invalid
addresses
 svchost.exe process will access an invalid
memory address at a 'mov' instruction
 The SSDP service also listens on Multicast
and Broadcast addresses
 Gaining system access to an entire network
of XP machines is possible with only one
anonymous UDP SSDP attack session
UPnP in XP: DoS and DDoS
 UPNP device sends out an advertisement
 Attacker:
 sends a ,malicious spoofed UDP packet containing
an SSDP advertisement
 force the XP client to connect back to a specified
IP address and pass on a specified HTTP/HTTPS
request
 specify a CHARGEN (Character Generator) service
on a remote machine causing the XP client to
connect and get caught in a tight read/malloc
loop
UPnP in XP
 Deliberate intention by Microsoft for UPnP
to work that way.
 Microsoft describes the flaw as
"unprecedented" and "serious," and the
company is providing a wide range of fixes
 Microsoft Security Bulletin MS01-054
Escalation of Privilege
(EOP)
 Permission against verification of identity.
 exploiting a bug or design flaw to gain access
to resources
 result : the application performs actions with
more privileges than intended
 Elevation of privilege," then, is not a class of
attack, as much as it is the process of any
attack.
EOP in XP
 EOP: Vertical and Horizontal
 Identity demonstrated by tokens associated
user.
 software program obtain privileges
 Installation/startup script tells your system what the
software needs in order to run
 system tracks privileges associated with each user and
application
 Applications not needing extensive permissions
usually run with privileges of the current request.
 Installing as administrator have access to more
privileges needed
Attacking via EOP in XP
 Run code on the victim's machine borrowing




the privileges of one of his system-level apps.
find process that is running with higher
privileges
Crash it so that you do something that makes
it give its privileges to you
interrupt the program as it executes, and
makes it run additional code supplied by the
attacker
install a set of tools, referred to as a root kit
EOP in XP : Examples
 C:\Documents and Settings\All Users\Start





Menu\Programs\Startup
Flaw in Network Connection Manager (Microsoft
Security Bulletin MS02-042)
Vulnerability in Plug and Play (Microsoft Security
Bulletin MS05-055)
Vulnerability in Windows (Microsoft Security Bulletin
MS06-075)
Vulnerability in Windows Kernel (Microsoft Security
Bulletin MS06-049)
Vulnerability in Internet Information Services
(Microsoft Security Bulletin MS08-005)
XP Recovery Console
 perform a limited range of tasks using a CLI
 enable administrators to recover from
situations where Windows does not boot to
GUI
 Use, copy, rename, or replace files and folders
 Enable or disable service or device startup
 Repair the boot sector or (MBR)
 Create and format partitions on drives
Flaw in XP Recovery Console
 Win2k Boot Disc Can Bypass Windows XP
Passwords
 In Win2k password is mandatory, Under
Windows XP, this technique grants the user
unrestricted access to the computer
 physical access to a PC for a long enough
period of time
 install keystroke logging software to steal
passwords or backdoor programs to grant
themselves unrestricted remote access
Flaw in XP Recovery Console
 problem is unrelated to a registry feature of
XP that allows an Administrator to set up
automatic logon when the Recovery
 BIOS level password
 Encrypted file system
 put the PCs behind a locked door or put a lock
on the PCs themselves
Remote Code Execution
 Feature of network enabled application.
 ability to trigger any arbitrary command on
the target machine or a target process
without physical access to the target system
 worst effect a bug can have because it allows
an attacker to completely take over the
vulnerable process
 commonly exploited by malware to run on a
computer without the owners consent
Remote Code Execution in XP
 Typically triggered by buffer overflow and
holes in applications:
 help and Support center feature:
 remotely execute code on vulnerable systems
because of the way the Help and Support Center
handles HCP URL validation
 triggered by visiting a malicious website or
viewing a malicious email message
 unregister the HCP protocol to block known
attack vectors by deleting from the registry
Remote Code Execution in XP
 IGMPv3
 vulnerability exists in the Internet Group Management
Protocol Version 3 (IGMPv3) for IPv4 and the Multicast
Listener Discovery (MLD) for IPv6
 a remote, unauthenticated attacker, sending specially
crafted packets, could run arbitrary code in the
security context of SYSTEM
 Zipped folders flaw could allow remote code
execution
 Serious AIM flaw allows remote code execution
without user interaction
…change of guard
COMEDY
OF
ERRORS
William
Shakespeare
COMEDY
OF
ERRORS
(XP-SP2)
Bill Gates
Window’s URI Handling
 Windows shell insufficiently handles invalid
URIs
 Attacker could gain the same user rights as
the logged on user
 What if the user is administrator?
Attacker could take complete control of an
affected system
Window’s URI Handling
Modus Operandi
 Create a specially crafted URI
 Provide the URI as input to an application
 The app attempts to access the resource
referred by the URI
 Processing specially crafted URI input could
allow arbitrary code to be executed
Remote Desktop DDoS attacks
 Could let an attacker remotely crash
computers
 Affects the Windows Remote Desktop Service
 Users experience errors ranging from inability
to use certain services to small error
messages
 Nothing much serious, thankfully…
link
Remote Desktop DDoS attacks
 A version of the Win32 API - may allow a local




user to elevate his privileges
Might allow a remote attacker to execute
arbitrary code on this host
Attacker needs to find a way to misuse of
Win32 API
Lure a user into visiting a specially crafted
web page
Execute active content on a web page
Windows Explorer Vulnerability
Remote code execution risk
 Windows Explorer provides a GUI for
accessing file system
 Windows handling of COM objects
Windows Explorer Vulnerability
Modus Operandi
 Get user to click on a link to a malicious
website
 User prompted to perform several actions
needed to connect to a certain file server
 File server causes Windows Explorer to fail
and allow code execution
 Activated with link in email message
and by the way…
 How long do you think you would take to find
a bug in your code?
 What if your code exceeds millions of lines?
Don’t ask Bill Gates; he took seven years…
SMB Remote Code Execution
(2001-2008)
 SMB (Server Message Block)
 Windows Server service - connects different
network resources over a network
 File servers
 Print servers
 Send malicious messages to a Windows
machine using Windows Server - attempt to
take control of the computer
SMB Remote Code Execution
MS blog says: "Public tools, including a
Metasploit module, are available to perform
this attack." Metasploit is an open-source
toolkit used by hackers and security
professionals to build attack code
SMB Remote Code Execution
Modus Operandi
 Victim sent a malicious e-mail message
 Message, when opened, would try to connect
to a server run by the attacker
 Steal network authentication credentials
from the victim, used to gain access to the
victim's machine.
 Attack cannot be made across the firewall,
only the machines in your local LAN can
exploit this flaw
Worms
Blaster - Win32/Msblast
 First reported on August 11, 2003
 Reverse engineered a Microsoft patch
 Launched a DDoS attack on
windowsupdate.com - MS temporarily shut
down the site
Blaster - Win32/Msblast
Modus Operandi
 Exploits a RPC Distributed Component Object
Model (DCOM) vulnerability
 Displays messages that Bill Gates might not
like…
“billy gates why do you make this possible ? Stop
making money and fix your software!!”
And
“I just want to say LOVE YOU SAN!!”
Blaster - Win32/Msblast
• Detects internet connection
and restarts
• Executes a fake batchfile to
restarts the system
• Registry entry, launched every
time Windows starts:
HKEY_LOCAL_MACHINE\SOF
TWARE\Microsoft\Windows\Cu
rrentVersion\Run\windows
auto update = msblast.exe
Image Source : http://en.wikipedia.org/wiki/Image:Windows_XP_Emergency_Shutdown.png
Win32/Sasser
 Started spreading on April 30, 2004
 Exploits a Buffer Overflow in LSASS (Local
Security Authority Subsystem Service)
 Scans IP addresses and connects to victims'
computers primarily through TCP port 445
and 139
Win32/Sasser
 Adds a file file C:\WIN.LOG or C:\WIN2.LOG
on the PCs hard disk
 Shutdown timer appears due to the worm
crashing LSASS.exe
 Can be checked by a firewall
Sasserization
Effects of the Sasser Worm
 News agency Agence France-Presse (AFP)
had all its satellite communications blocked
for hours
 Delta Air Lines having to cancel several transatlantic flights
 The British Coastguard had its electronic
mapping service disabled for a few hours
…and finally…