About this page
We apologize for the limited information provided here; this page is still under construction. Please stay tuned.
Overview
This page is by no means exhaustive and only tries to cover some less publicized information related to exploits and counter-measures.
Exploiting Ajax scripting security flaws
XmlHttpRequest is a JavaScript object (used intensively by Ajax applications) that gives scripts quasi-raw access to the body of
HTTP responses and lets them send almost raw HTTP requests to the originating host. In older versions of IE and Firefox this
feature could be abused for:
- spoofing the Referer header, for leeching and client-side man-in-the-middle attacks
- HTTP request smuggling [1]
- HTTP response splitting [2]
- web-scanning and illicit access to contents
These issues have been fixed in newer versions of IE and Firefox. However, the potential for exploits based on
creative use of XmlHttpRequest remains. To limit exposure to these attacks, web-site owners should,
among other measures:
- enforce SSL/TLS rather than unencrypted HTTP
- not rely on the Referer header for any security decision
- prevent cloning and man-in-the-middle attacks using server-side scripting
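The second counter-measure in concrete form, as an added example that is not part of the original page: a server-side Referer check and a session-bound synchronizer token are both run against the same forged request. The origin, the secret, the session id and the two requests are constructed for the demonstration; nothing here talks to a real browser or server.

```python
"""Added example (not from the original page): a Referer-based check beside a
server-side synchronizer-token check, run on the same forged request.

The secret, the origin, the session id and the two requests are constructed
for the demonstration; nothing here talks to a real browser or server.
"""
import hashlib
import hmac

SERVER_SECRET = b"demo-only-secret-rotate-in-production"   # constructed
TRUSTED_ORIGIN = "https://bank.example"                     # constructed


def referer_allows(headers: dict) -> bool:
    """Weak check: accept the request if the Referer names our own origin.
    The Referer is a client-chosen header (old XHR bugs and any non-browser
    client can set it freely), so it proves nothing about where the request
    came from."""
    return headers.get("Referer", "").startswith(TRUSTED_ORIGIN + "/")


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session_id).
    Our own pages embed it in forms; a foreign page cannot read it because
    of the same-origin policy, so spoofing headers does not help."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_allows(session_id: str, form: dict) -> bool:
    """Strong check: the submitted token must equal the one issued for this
    session. compare_digest keeps the comparison constant-time."""
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, form.get("csrf_token", ""))


def evaluate(session_id: str, headers: dict, form: dict) -> dict:
    """Run both checks on one request and report what each would decide."""
    return {"referer_check": referer_allows(headers),
            "token_check": token_allows(session_id, form)}


# Constructed traffic: the victim's session, a genuine submission from our
# own page, and a forged one whose Referer was spoofed.
SESSION = "sess-c0ffee"                                        # constructed
LEGIT_HEADERS = {"Referer": TRUSTED_ORIGIN + "/transfer"}
LEGIT_FORM = {"to": "acct-42", "amount": "10",
              "csrf_token": issue_csrf_token(SESSION)}
FORGED_HEADERS = {"Referer": TRUSTED_ORIGIN + "/transfer"}     # spoofed
FORGED_FORM = {"to": "acct-666", "amount": "9999",
               "csrf_token": "0" * 64}                         # attacker's guess

if __name__ == "__main__":
    print("legit :", evaluate(SESSION, LEGIT_HEADERS, LEGIT_FORM))
    print("forged:", evaluate(SESSION, FORGED_HEADERS, FORGED_FORM))
```

The forged request passes the Referer check and fails the token check, which is the whole argument for the second bullet above: the token lives in a place the attacker's page cannot read, whereas a header is whatever the client chose to send.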
References
- Exploiting the XmlHttpRequest object in IE [3]
- Exploiting the XmlHttpRequest object in Firefox [4]
- Cross-Site Request Forgeries [5]
- Cross-site scripting (XSS) [6]
- Cross-site request forgery (CSRF) [7]
- Black-hat Europe '07 presentation [8]
- SANS Top-20 Internet Security Attack Targets [9]
DNS exploits
The October 2005 proceedings of the Internet Measurement Conference state that
- 30% of domain names can be hijacked by exploiting known vulnerabilities in just two of the 46 DNS servers
- 10% of domain names are served by only one hardened DNS server
- 33% of domain names depend on same-subnet nameservers
- 43% of domain nameservers are running out-of-date, easily exploited software
- 40% of nameservers allow zone transfers by unauthenticated, unknown requestors
- 40% of intrazone records do not properly match the domain's zone records
- 75% of nameservers provide recursive name service to all requesters
Attacks taking advantage of these weaknesses rely on the principle of
transitive trust in the Domain Name System.
DNS cache poisoning attacks rely on known flaws in the
Berkeley Internet Name Domain (BIND) implementation, which is
still used by a large proportion of Internet domain name servers. The vulnerability consists in the ability of an attacker
to spoof DNS replies by guessing the only credential the querying server checks: the 16-bit transaction ID (and, in
older versions, the source port). At the origin of the problem is the predictable way BIND generated the IDs of its
recursive queries. An attacker needs only to capture and analyze a few hundred DNS packets in order to guess the ID
sequence the resolver is using and then inject spoofed replies that impersonate the authoritative server. A simple
counter-measure is to configure any name server exposed to the Internet to act non-recursively for all but trusted networks.
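The two halves of the paragraph above, as an added example that is not part of the original page: the transaction-ID analysis an attacker runs over captured queries, and the RA-bit check a defender uses to spot a server that still answers recursively for everyone. The packet layout follows RFC 1035; the query names, the ID sequences and the two response headers are constructed, and no packet is sent anywhere.

```python
"""Added example (not from the original page): the transaction-ID analysis the
text describes, run over constructed DNS queries, plus the RA-bit check used to
spot a server that answers recursively for everyone.

Packet layout follows RFC 1035; the IDs and names are constructed, and no
packet is sent anywhere.
"""
import random
import struct
from collections import Counter


def build_dns_query(txid: int, qname: str) -> bytes:
    """Minimal DNS query: 12-byte header (RD set) plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode()
                      for part in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def txid_of(pkt: bytes) -> int:
    """The transaction ID is the first 16-bit field of the header."""
    return struct.unpack("!H", pkt[:2])[0]


def recursion_available(response: bytes) -> bool:
    """RA bit (0x0080) in the flags word of a response: the server offers
    recursion to whoever asked. The text's counter-measure is to clear this
    for untrusted networks."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0080)


def predict_next_txid(ids):
    """Look for a constant stride between consecutive IDs (the classic weak
    generator). Returns (predicted_next_id or None, distinct_strides_seen)."""
    strides = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    if not strides:
        return None, 0
    counts = Counter(strides)
    stride, seen = counts.most_common(1)[0]
    if seen == len(strides):              # every step identical
        return (ids[-1] + stride) % 65536, 1
    return None, len(counts)              # no single stride: looks random


def analyse_capture(packets):
    """What an attacker does with a few hundred captured queries."""
    return predict_next_txid([txid_of(p) for p in packets])


# Constructed captures: a resolver that numbers queries sequentially and one
# that draws IDs from a PRNG (seeded only so the demo is repeatable).
WEAK_CAPTURE = [build_dns_query((0x1234 + i) % 65536, "www.example.com")
                for i in range(300)]
_rng = random.Random(7)
RANDOM_CAPTURE = [build_dns_query(_rng.randrange(65536), "www.example.com")
                  for _ in range(300)]

# Constructed response headers: one with RA set (open recursion), one without.
OPEN_RESOLVER_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
CLOSED_RESOLVER_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 1, 0, 0)

if __name__ == "__main__":
    print("weak   :", analyse_capture(WEAK_CAPTURE))
    print("random :", analyse_capture(RANDOM_CAPTURE))
    print("open RA:", recursion_available(OPEN_RESOLVER_REPLY))
```

A sequential generator gives the attacker the next ID outright; a random one gives a different stride almost every time. Note that a random 16-bit ID alone is only 65536 guesses, so current resolvers randomise the UDP source port as well; the page's advice to refuse recursion to untrusted networks removes the attack surface regardless of how the IDs are chosen.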
Network vulnerability auditing
Some popular free tools and methods for network scanning and security auditing are
- NMAP, a port scanner that checks for open TCP and UDP ports and fingerprints the remote OS [10]
- NESSUS, a scriptable vulnerability scanner with an up-to-date vulnerability database [11]
- Metasploit framework, a platform for developing both exploitation and auditing tools [12]
- HPING2, an IP packet constructor and response analyzer [13]
- Tiger Team penetration testing [14] [15]
Rootkit-based and LKM exploits and counter-measures
Loadable kernel modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel on demand. They add extra
functionality to the kernel without the need to reboot the machine. As such, LKM support within the kernel facilitates
the stealthy interception of system calls. Rootkits can be developed using this feature, but so can counter-measures.
For instance, intercepting the
sys_open,
sys_execve,
sys_delete_module,
sys_create_module and
sys_unlink syscalls allows the signatures of the requesting programs to be checked before the requested operations are carried
out by the system. This way, if the signature is not that of a trusted application, the request is denied.
There are several ways in which a rootkit can subvert the kernel to perform actions on behalf of an intruder:
- Loading a kernel module
  - can override kernel syscalls in order to hide certain files
  - provides new functions useful to an intruder, e.g. to give root privileges to certain processes
- Writing to /dev/kmem
  - can arbitrarily modify the memory of the running kernel, without any module support
- Altering the Interrupt Descriptor Table (IDT)
  - can replace the kernel's interrupt handlers, including the system-call entry handler, with its own functions
Here are the possible counter-measures:
- Compile a kernel with the loadable kernel module interface disabled
- Patch the kernel to make /dev/kmem non-writeable
- Use the CheckIDT utility to validate the integrity of the IDT
- Use the kern_check utility, which compares System.map against the kernel's sys_call_table
- Use samhain [16] to check kernel and file-system integrity
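The kern_check idea from the counter-measures list, as an added example that is not part of the original page or of kern_check itself: the addresses in a dumped sys_call_table are compared with the sys_* symbols in System.map, and any slot that was redirected is reported, together with whether the new address even lies inside kernel text (LKM rootkits hook into module memory). The System.map excerpt, the table dump and its line format are constructed; the i386 syscall numbers used (1 exit, 2 fork, 3 read, 4 write, 5 open, 10 unlink, 11 execve, 129 delete_module) are the 2.4-era ones.

```python
"""Added example (not from the original page): the kern_check idea, i.e. compare
the addresses in a dumped sys_call_table with the sys_* symbols in System.map
and flag entries that have been redirected (typically into module memory).

Both inputs are constructed text for the demonstration; a real check reads
/boot/System.map-<version> and a dump of the live table.
"""
import re

# i386, Linux 2.4-era syscall numbers for the calls the text mentions.
SYSCALL_NAMES = {1: "sys_exit", 2: "sys_fork", 3: "sys_read", 4: "sys_write",
                 5: "sys_open", 10: "sys_unlink", 11: "sys_execve",
                 129: "sys_delete_module"}


def parse_system_map(text: str) -> dict:
    """System.map lines are '<hex address> <type> <symbol>'."""
    symbols = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-f]+)\s+(\w)\s+(\S+)$", line.strip())
        if m:
            symbols[m.group(3)] = int(m.group(1), 16)
    return symbols


def parse_table_dump(text: str) -> dict:
    """Constructed dump format: '<number>: <hex address>' per syscall slot."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+):\s*([0-9a-f]+)\s*$", line)
        if m:
            table[int(m.group(1))] = int(m.group(2), 16)
    return table


def find_hooks(symbols: dict, table: dict, names=SYSCALL_NAMES) -> list:
    """One record per slot whose address is not the one System.map gives for
    that syscall, noting whether the address lies inside kernel text at all."""
    text_lo, text_hi = symbols["_text"], symbols["_etext"]
    hooks = []
    for number, name in sorted(names.items()):
        if number not in table or name not in symbols:
            continue
        actual, expected = table[number], symbols[name]
        if actual != expected:
            hooks.append({"number": number, "name": name,
                          "expected": expected, "actual": actual,
                          "outside_kernel_text": not (text_lo <= actual < text_hi)})
    return hooks


# Constructed System.map excerpt and table dump for a kernel with three hooks.
SYSTEM_MAP = """\
c0100000 T _text
c0105a40 T sys_exit
c0105b10 T sys_fork
c0132e20 T sys_read
c0132f80 T sys_write
c0134a00 T sys_open
c0137c60 T sys_unlink
c010aa30 T sys_execve
c011e8f0 T sys_delete_module
c0250000 T _etext
"""
TABLE_DUMP = """\
  1: c0105a40
  2: c0105b10
  3: c0132e20
  4: c0132f80
  5: d0854120
 10: c0137c60
 11: d0854280
129: d0854400
"""


def check(system_map: str = SYSTEM_MAP, dump: str = TABLE_DUMP) -> list:
    return find_hooks(parse_system_map(system_map), parse_table_dump(dump))


if __name__ == "__main__":
    for h in check():
        flag = " (outside kernel text)" if h["outside_kernel_text"] else ""
        print(f"syscall {h['number']:3d} {h['name']:<18} expected "
              f"{h['expected']:08x} got {h['actual']:08x}{flag}")
```

The three hooked slots (open, execve, delete_module) are exactly the calls a rootkit needs to hide files, intercept program starts and resist unloading. The check only works if System.map is trusted and the table dump is taken from the live kernel rather than from the rootkit's own view of it; the SucKIT entry below shows why a /dev/kmem-based kit can defeat it.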
List of known LKM rootkits
- SucKIT - loaded through /dev/kmem, with no need for kernel LKM support
  - provides a back-door through a password-protected remote-access connect-back shell initiated by a spoofed packet
  - can bypass most firewall configurations
  - can hide processes, files and connections
  - not detected by CheckIDT or kern_check
- Rial [technok@pkcrew.org] - needs LKM support
  - hides files and connections; no backdoor provided
  - makes some shell commands such as less hang because of buggy hiding
  - does not hide itself; lsmod or cat /proc/modules can detect it
- heroin [zarq@opaque.org]
  - hides files and processes; no backdoor provided
  - cannot be removed with rmmod
  - hides itself but can be found with cat /proc/ksyms | grep heroin
- knark [creed@sekure.net]
  - hides files, processes and services, redirects commands and can give root privileges
  - controlled with a set of helper programs, and can execute commands sent from a remote host
  - hides itself and cannot be removed with rmmod
- itf [dube0866@eurobretagne.fr]
  - hides files and processes, redirects commands, hides the PROMISC flag (sniffers) and can give root privileges
  - installs a backdoor, hides itself and cannot be removed with rmmod
- kis [optyx@uberhax0r.net]
  - client/server system for remotely controlling a machine, with a kernel rootkit as the server on the controlled machine
  - can hide processes, files and connections, redirect execution and execute commands
  - hides itself and can remove security modules that are already loaded
Remote software version detection
Exploiting known vulnerabilities in remote systems exposed to the Internet relies on the ability to first detect
the versions of the software running on them (operating system and web-server components). Different fingerprinting
methods are currently in use:
- Telnet/SSH fingerprinting - interpreting the connection banner generated by the telnetd/sshd daemon
- FTP fingerprinting - interpreting the connection banner generated by the ftpd daemon
- HTTP fingerprinting - interpreting error messages generated by a remote web server in response to an HTTP request
- Active TCP fingerprinting
  - FIN probe - sending a FIN packet to an open port on the remote host and waiting for a response.
    According to RFC 793, an open port should not respond to a bare FIN packet. Some operating
    systems respond with a RST packet anyway, so an attacker can separate the operating systems that
    answer with RST from those that stay silent.
  - TCP initial window - initiating a TCP connection to a remote host and inspecting the window size in the SYN/ACK.
    Some operating systems use a distinctive initial window, which helps an attacker identify the OS from the packets received.
  - Don't Fragment - operating systems differ in when they set the "Don't Fragment" bit on the packets they send
  - ISN sampling - each OS chooses the Initial Sequence Number (ISN) of its SYN/ACK differently, so sampling a few ISNs reveals the generator
  - BOGUS flag probe - sending a TCP SYN with an undefined flag bit set makes different OSes react differently (e.g. answering with RST)
  - TCP retransmission timeout lengths - using RING to create half-open connections with a target and timing the retransmitted SYN/ACKs [23]
  - ACK value - stacks differ in the acknowledgement number they place in replies to some probes (the probe's sequence number, or that number plus one)
- ICMP fingerprinting
  - ICMP error message quenching - relies on the fact that some OSes rate-limit ICMP error replies
  - ICMP message quoting - each OS quotes back a specific amount of the error-generating message in its ICMP error replies
  - ICMP error message echoing integrity - some OSes use the original message headers as scratch buffers and alter them
- Passive TCP/IP stack fingerprinting [24]
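The passive variant listed last, as an added example that is not part of the original page or of any fingerprinting tool: a raw IPv4/TCP SYN is parsed into the features the list above names (initial TTL, Don't Fragment, initial window, option layout) and the resulting signature is looked up in a table. The two SYN packets are constructed, and the signature table with its labels 'stack-A' and 'stack-B' is a placeholder; real signatures must come from a maintained database such as p0f's or nmap's. Checksums are left at zero because they are not part of the fingerprint.

```python
"""Added example (not from the original page): a passive TCP/IP fingerprint
matcher in the style of p0f. It parses an IPv4/TCP SYN, derives initial TTL,
Don't-Fragment, initial window and option layout, and looks them up.

The SYN packets and the signature table are constructed for the demo; the
labels stand in for real signatures taken from p0f / nmap-os-db.
"""
import struct

OPTION_NAMES = {2: "mss", 3: "wscale", 4: "sackok", 8: "ts"}


def build_syn(ttl, df, window, options, src="10.0.0.1", dst="10.0.0.2"):
    """Construct a raw IPv4+TCP SYN for the demo (checksums left at zero)."""
    opts = options + b"\x00" * (-len(options) % 4)      # pad to 32-bit words
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 0x11223344, 0,
                      (doff << 12) | 0x002, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1000,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return ip + tcp


def parse_syn(pkt: bytes) -> dict:
    """Pull the fingerprint-relevant fields out of a raw IPv4/TCP SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl = pkt[8]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, layout, i = tcp[:doff], [], 20
    while i < doff:
        kind = opts[i]
        if kind == 0:                       # end of option list
            layout.append("eol")
            break
        if kind == 1:                       # NOP is a single byte
            layout.append("nop")
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:                      # malformed option: stop parsing
            break
        layout.append(OPTION_NAMES.get(kind, f"opt{kind}"))
        i += length
    return {"ttl": ttl, "df": df, "window": window, "options": ",".join(layout)}


def initial_ttl(observed: int) -> int:
    """Round the observed TTL up to the nearest common initial value."""
    return next(t for t in (32, 64, 128, 255) if observed <= t)


def signature(fields: dict) -> tuple:
    return (initial_ttl(fields["ttl"]), fields["df"],
            fields["window"], fields["options"])


# Constructed signature table (placeholders, not real OS fingerprints).
SIGNATURES = {
    (64, True, 5840, "mss,sackok,ts,nop,wscale"): "stack-A",
    (128, True, 65535, "mss,nop,nop,sackok"): "stack-B",
}


def classify(pkt: bytes, db=SIGNATURES) -> str:
    return db.get(signature(parse_syn(pkt)), "unknown")


# Constructed SYNs from the two stacks, observed 12 and 10 hops away.
SYN_A = build_syn(52, True, 5840,
                  b"\x02\x04\x05\xb4"            # MSS 1460
                  b"\x04\x02"                    # SACK permitted
                  b"\x08\x0a" + b"\x00" * 8 +    # timestamps
                  b"\x01"                        # NOP
                  b"\x03\x03\x07")               # window scale 7
SYN_B = build_syn(118, True, 65535,
                  b"\x02\x04\x05\xb4\x01\x01\x04\x02")   # MSS, NOP, NOP, SACK

if __name__ == "__main__":
    for name, pkt in (("SYN_A", SYN_A), ("SYN_B", SYN_B)):
        print(name, parse_syn(pkt), "->", classify(pkt))
```

Because nothing is sent, this works on a sniffer capture or a firewall's packet log and never shows up as a probe, which is the point of the passive approach; the price is that it only sees hosts that happen to connect to you.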
References:
- Remote OS Detection via TCP/IP Fingerprinting [25]
- Service and Application Version Detection [26]
- SinFP, an OS remote fingerprinting tool [27]
DNS tools:
- DNS Tools references [28]
- DNS tools [29]
- Various tests [30]
- Resources and links [31]
Articles:
- DNS’ Biggest Threats [32]
DNS cache poisoning:
- Article from DNS Measurement Factory [33]
- Database of DNS poisoners [34]
- DNS cache poisoning and BIND explained [35]
Various resources and information on exploits and security tools:
- Security advisories and vulnerability updates [36]
- The great book of SecuriteInfo (in French) [37]
- Top 100 Network Security Tools [38]
Parasites
Parasites are unwanted programs running on a system, typically trojans, malware, adware or spyware.
They mainly affect Windows machines and are mainly installed by taking advantage of security flaws in
Microsoft Internet Explorer and its components.
References:
- Computer Parasites Index [39]
- Trojan ports table [40]
- TCP/IP ports table [41]
Null session access
A NULL session is an unauthenticated connection to a Windows machine and is the number one method used by
attackers to enumerate information about the machine and to call APIs over RPC. These techniques yield information
on passwords, groups, services, users and even active processes. NULL session access can also be used for
escalating privileges and performing DoS attacks. Here are the ports usually found open on Windows machines:
- loc-srv      135/tcp  Location Service (RPC endpoint mapper)
- loc-srv      135/udp  Location Service (RPC endpoint mapper)
- netbios-ns   137/tcp  NetBIOS Name Service
- netbios-ns   137/udp  NetBIOS Name Service
- netbios-dgm  138/tcp  NetBIOS Datagram Service
- netbios-dgm  138/udp  NetBIOS Datagram Service
- netbios-ssn  139/tcp  NetBIOS Session Service
- netbios-ssn  139/udp  NetBIOS Session Service
Once a TCP/IP connection to port 139 is made, the session-layer protocols (SMB over NetBIOS) are used to connect to
the hidden share IPC$. From the command line this is done with: net use \\127.0.0.1\ipc$ "" /user:""
This technique was implemented programmatically in an old exploit called the RedButton attack.
SQL Injection
SQL injection occurs when an attacker is able to insert SQL statements into a 'query' by manipulating
data fed into an application, for instance as part of a normal URL string submitted to a web server.
Especially vulnerable are web applications that paste client-supplied data into SQL queries without validating
it first, instead of binding it through parameterized queries. Despite the simplicity of the protection measures, a large
number of Internet-exposed production systems appear to be vulnerable to this type of attack.
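The vulnerable pattern and its fix side by side, as an added example that is not part of the original page: a login query built by pasting the user name into the statement text, and the same query with bound parameters, both run against an in-memory SQLite database. The users table, its two rows, the credentials and the two attacker inputs are constructed; passwords are stored as plain SHA-256 only to keep the example short (a real system uses a salted, slow password hash).

```python
"""Added example (not from the original page): the injectable login query next
to its parameterised form, run against an in-memory SQLite database.

The users table, its rows, the credentials and the attacker inputs are
constructed for the demo.
"""
import hashlib
import sqlite3


def _h(pw: str) -> str:
    """Demo-only password hash; a real system uses a salted, slow KDF."""
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pwhash TEXT)")
    db.executemany("INSERT INTO users (name, pwhash) VALUES (?, ?)",
                   [("admin", _h("correct horse")), ("alice", _h("hunter2"))])
    return db


def vulnerable_login(db, user: str, password: str):
    """Client-supplied data pasted straight into the statement text, as the
    section describes. Returns the first column of the matched row, or None."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND pwhash = '%s'"
           % (user, _h(password)))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(db, user: str, password: str):
    """Same query with bound parameters: the driver passes the value to the
    engine separately, so the SQL parser never sees attacker text."""
    row = db.execute("SELECT name FROM users WHERE name = ? AND pwhash = ?",
                     (user, _h(password))).fetchone()
    return row[0] if row else None


# Constructed attacker inputs.
# 1. Close the string and comment out the password check entirely.
INJECTION = "admin' --"
# 2. Use UNION to make the query return a column it was never meant to expose.
UNION_EXFIL = "x' UNION SELECT pwhash FROM users WHERE name='admin' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass :", vulnerable_login(db, INJECTION, "anything"))
    print("vulnerable, exfil  :", vulnerable_login(db, UNION_EXFIL, "anything"))
    print("safe, same input   :", safe_login(db, INJECTION, "anything"))
    print("safe, real creds   :", safe_login(db, "admin", "correct horse"))
```

The first input logs in as admin without a password; the second pulls admin's password hash out through a column the application never displays. With bound parameters both inputs are simply a user name that does not exist.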
References:
- Advanced SQL Injection In SQL Server applications [42] and [43]
- SQL Injection, Are Your Web Applications Vulnerable? [44]
IP spoofing
- A short overview of IP spoofing: PART I [45] and details
- Session hijack script [46]
Inside-out attacks - firewall-piercing
- Compass Security - Inside-Out (tunneling) Attacks [47]
- E&Y - Inside-Out Attacks - an old concept with new threats [48]
- Bypassing Firewall - Firewall Piercing (Inside-Out Attacks) [49]
Password cracking
Password-cracking algorithms based on
rainbow tables are much more efficient than brute-force ones against unsalted hashes.
A rainbow table is a precomputed lookup table used by a time-memory trade-off algorithm that recovers a plaintext password from the hash produced by a cryptographic hash function.
The algorithm is based on Philippe Oechslin's
faster time-memory trade-off technique [50].
An effective countermeasure against this password-cracking technique is the use of
salted password hashing: a per-password salt forces the attacker to build a separate table for every salt value.
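The trade-off and the counter-measure in miniature, as an added example that is not part of the original page or of Oechslin's paper: a rainbow table over 4-digit PINs hashed with unsalted SHA-256, built with column-dependent reduction functions so that only chain endpoints are stored, then the same table tried against a salted hash. The PIN space, the chain count and length, the start points and the salt are all constructed to keep the demo fast; real tables cover far larger spaces.

```python
"""Added example (not from the original page): a miniature rainbow table over
4-digit PINs hashed with unsalted SHA-256, built with Oechslin's column-
dependent reduction functions, then the same table tried against a salted hash.

PIN space, chain count, chain length, start points and the salt are constructed.
"""
import hashlib

SPACE = 10_000            # plaintexts "0000" .. "9999"
CHAINS = 300
LENGTH = 40               # reductions per chain


def H(p: str) -> bytes:
    return hashlib.sha256(p.encode()).digest()


def reduce_to_pin(h: bytes, col: int) -> str:
    """Column-dependent reduction: map a hash back into the PIN space. A
    different function per column is what makes the table a rainbow table
    (it avoids the chain merges of plain Hellman tables)."""
    v = int.from_bytes(hashlib.sha256(h + col.to_bytes(2, "big")).digest()[:4], "big")
    return "%04d" % (v % SPACE)


def chain_start(n: int) -> str:
    return "%04d" % ((n * 7919) % SPACE)       # constructed start points


def chain_element(start: str, col: int) -> str:
    """The plaintext at column `col` of the chain that begins at `start`."""
    p = start
    for k in range(col):
        p = reduce_to_pin(H(p), k)
    return p


def build_table() -> dict:
    """Store only endpoint -> start; the middle is recomputed on lookup.
    Memory is CHAINS entries for LENGTH*CHAINS candidate plaintexts."""
    table = {}
    for n in range(CHAINS):
        start = chain_start(n)
        table.setdefault(chain_element(start, LENGTH), start)
    return table


def lookup(table: dict, target: bytes):
    """Try each column the target could occupy; on an endpoint hit, walk the
    chain from its start and verify the candidate really hashes to target
    (endpoint hits can be false alarms from merged chains)."""
    for col in range(LENGTH - 1, -1, -1):
        p = reduce_to_pin(target, col)
        for k in range(col + 1, LENGTH):
            p = reduce_to_pin(H(p), k)
        start = table.get(p)
        if start is None:
            continue
        q = start
        for k in range(LENGTH):
            if H(q) == target:
                return q
            q = reduce_to_pin(H(q), k)
    return None


TABLE = build_table()


def crack_unsalted(pin: str):
    return lookup(TABLE, H(pin))


def crack_salted(pin: str, salt: str = "u7Kq"):       # constructed salt
    """Same table against H(salt + pin): the chains were built over H(pin),
    so no chain can contain this value and the lookup must come back empty."""
    return lookup(TABLE, H(salt + pin))


if __name__ == "__main__":
    victim = chain_element(chain_start(0), 17)       # a PIN the table covers
    print("table entries:", len(TABLE), "for", CHAINS * LENGTH, "candidates")
    print("unsalted:", crack_unsalted(victim))
    print("salted  :", crack_salted(victim))
```

The lookup does at most LENGTH*(LENGTH+1)/2 hash operations per target against a table of CHAINS entries, which is the memory-for-time trade the section refers to. A per-password salt defeats it not by making the hash stronger but by changing the function being inverted for every user, so the precomputation has to be repeated per salt.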
"Hostile" applets
These are "white hat" techniques able to overcome the strong JVM "Applet sandboxing" security:
Slow or stealth scanning
There are many security tools that discover the open ports of an Internet-facing network. They generally do their job by so-called
port scanning, which also fingerprints the OS, the firewalls in use and the running services. Some examples of such tools:
- Nmap - a network exploration and security auditing tool
- Angry IP Scanner - an IP-address and port scanner
- Unicornscan - a tool that can check whether ports are actually open or protected by firewalls
- Last but not least, Netcat, a.k.a. the Swiss-army knife of network scanning
Intrusion detection systems are generally able to catch broad scans and block the attacker's source IP addresses. Sophisticated attackers therefore use scanning methods that pass unnoticed under the IDS "radar", the so-called "stealth scans", all of which are supported by nmap:
- Half-open or SYN scan, which never completes the TCP three-way handshake. A SYN packet is sent to the target; if a SYN/ACK comes back the port is assumed to be open (listening) and the scanner answers with a RST to tear the half-open connection down, so the application never sees a connection. If a RST/ACK comes back instead, the port is assumed to be closed.
- FIN scan, relying on RFC 793 behaviour: a system should answer a bare FIN packet with a RST for every closed TCP port, while open ports ignore it.
- XMAS tree scan, relying on the same RFC 793 behaviour for a packet carrying the FIN, URG and PUSH flags: closed ports answer with RST, open ports stay silent.
- NULL scan, relying on the same RFC 793 behaviour for a packet with no TCP flags set at all: closed ports answer with RST, open ports stay silent.
Any of the above scans can be run as a slow scan, where the attacker sends packets at a very low rate, sometimes from randomly changing source IP addresses. Such scans can be spread over hours, days or weeks. The idea is that, being so slow, they stay under the threshold at which the victim's IDS would notice
the scan.
In particular, netcat has options that suit slow scanning:
- -i <interval> : wait <interval> seconds between ports scanned (and between lines sent)
- -r : randomize the port sequence
- -z : zero-I/O mode, i.e. send no data and just report whether the port is open
Defending against stealth and slow scans requires either advanced (and expensive) correlation tools or manual inspection of firewall logs and traffic captures with tools such as OptiView from Fluke Networks. Some specialised solutions also exist, such as
Cisco Secure IDS,
scanlogd or tcplogd, or the
Sentry tools from Psionic.
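The correlation the last paragraph calls for, as an added example that is not part of the original page or of any of the tools named: each dropped packet in a firewall log is classified into one of the scan types listed above by its TCP flags, and sources are aggregated by distinct destination port regardless of how long the probes were spread out, which is what a per-second rate threshold misses. The log format (one line per dropped packet with an ISO timestamp, key=value fields and TCP flags as letters, empty for a NULL probe) and the traffic in it are constructed; adapt the regex to your own firewall's format.

```python
"""Added example (not from the original page): scan-type classification and
slow-scan correlation over firewall log lines, i.e. the check the text says an
IDS rate threshold misses.

Log format and traffic are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) DROP SRC=(?P<src>\S+) DST=\S+ PROTO=TCP "
                  r"SPT=\d+ DPT=(?P<dpt>\d+) FLAGS=(?P<flags>[A-Z]*)$")


def probe_type(flags: str) -> str:
    """Map a probe's flag set to the scan name used in the text."""
    f = set(flags)
    if f == {"S"}:
        return "syn"                   # half-open scan
    if f == {"F"}:
        return "fin"
    if f == {"F", "P", "U"}:
        return "xmas"
    if not f:
        return "null"
    return "other"


def parse(lines):
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"]), m["flags"]


def detect_scans(lines, min_ports=8, max_rate_per_hour=4):
    """Per source: distinct ports probed, time span and probe types. A source
    touching at least `min_ports` ports is reported even when its rate stays
    under `max_rate_per_hour`; that low-rate case is the slow scan."""
    per_src = defaultdict(lambda: {"ports": set(), "types": set(),
                                   "first": None, "last": None})
    for ts, src, dpt, flags in parse(lines):
        rec = per_src[src]
        rec["ports"].add(dpt)
        rec["types"].add(probe_type(flags))
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    report = {}
    for src, rec in per_src.items():
        if len(rec["ports"]) < min_ports:
            continue
        hours = max((rec["last"] - rec["first"]).total_seconds() / 3600, 1e-9)
        report[src] = {"ports": len(rec["ports"]),
                       "span_hours": round(hours, 1),
                       "types": sorted(rec["types"]),
                       "slow": len(rec["ports"]) / hours <= max_rate_per_hour}
    return report


# Constructed log: a stealth scanner spreading 12 NULL/FIN/Xmas probes over
# 33 hours (one every three hours), and a normal client that hit two closed
# ports once.
_t0 = datetime(2005, 10, 12, 3, 14, 7)
SCANNER = "203.0.113.7"
LOG = [f"{(_t0 + timedelta(hours=3 * i)).isoformat()} DROP SRC={SCANNER} "
       f"DST=198.51.100.5 PROTO=TCP SPT={40000 + i} DPT={port} FLAGS={flags}"
       for i, (port, flags) in enumerate(zip(
           [21, 22, 23, 25, 53, 80, 110, 111, 139, 143, 443, 445],
           ["", "F", "FPU"] * 4))]
LOG += [f"{(_t0 + timedelta(minutes=5)).isoformat()} DROP SRC=198.51.100.77 "
        f"DST=198.51.100.5 PROTO=TCP SPT=51000 DPT={p} FLAGS=S"
        for p in (8080, 8443)]

if __name__ == "__main__":
    for src, info in detect_scans(LOG).items():
        print(src, info)
```

The scanner never exceeds one probe every three hours, so any detector keyed on packets per second stays quiet; keying on distinct ports per source over the whole retention window is what surfaces it. The obvious evasion is the one the text mentions, rotating source addresses, which this per-source aggregation does not catch on its own.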