NIX- and Windows-Based Networks

Part of the document "hack attacks testing how to conduct your own security", part 3 pptx (pages 28 - 36)

We’ll start our list with the most effortless vulnerabilities inherited upon installing many different operating systems and software services, using the default install script.

Default Installs

It should come as no surprise that operating systems and service applications install themselves with default settings. The reason for this is to make installation a quick and easy process, avoiding potential problems and quirks with the setup process. That said, it should also come as no surprise that default installations can leave a system wide open to many potential vulnerabilities. Although patches may be available from manufacturers, default install packages usually fail to remind us of them or, better yet, to check automatically whether they are available. In regard to these vulnerabilities, operating systems by default could have irrelevant ports and associated services available to a remote attacker, and service applications, such as a Web server, may leave gaping holes in default scripts, leaving a backdoor open to an attack.

If you’ve installed an operating system or service application and kept the default setup or configuration, you’re most likely vulnerable. You can use the discovery techniques (i.e., a port scan) with the scanners in this book to further substantiate a potential vulnerability.

Weak Passwords

Some systems and applications by default include accounts that either contain no passwords or require password input without strict regulation or guidelines. When a password is typed in, the computer’s authentication kernel encrypts it, translates it into a string of characters, then checks it against a list, which is basically a password file stored in the computer. If the authentication modules find an identical string of characters, they allow access to the system. Attackers who want to break into a system and gain specific access clearance typically target this password file. Depending on the configuration, if they have achieved a particular access level, they can take a copy of the file with them, then run a password-cracking program, such as those included with the scanners in this book, to translate those characters back into the original passwords!

Missing or Poor System Backups

After a detrimental system compromise, it is often necessary to restore the system from the most recent backup. Unfortunately, too many networks and home users fail to adhere to a good backup/restore agenda. According to SANS, an inventory of all critical systems must be compiled, and the following should be validated:

■■ Are there backup procedures for those systems?

■■ Is the backup interval acceptable?

■■ Are those systems being backed up according to the procedures?

■■ Has the backup media been verified to make sure the data is being backed up accurately?

■■ Is the backup media properly protected in-house and with off-site storage?

■■ Are copies of the operating system and any restoration utilities stored off-site (including necessary license keys)?

■■ Have restoration procedures been validated and tested?

Too Many Open Ports

There are 65,535 ports on a computer. An attacker can use discovery, or initial “footprinting” (information gathering), to detect which of these ports are active and listening for requests; this can facilitate a plan that leads to a successful hack attack. Target port scanning is typically the second primary step in this discovery process. Use a port scanner such as Nmap, or one from the CD in the back of this book, to determine which ports are open on your system. Remember to scan both TCP and UDP ports over the entire range: 1–65,535. According to SANS, common vulnerable ports include:

■■ Login services: telnet (23/tcp), SSH (22/tcp), FTP (21/tcp), NetBIOS (139/tcp), rlogin and others (512/tcp through 514/tcp)

■■ RPC and NFS: Portmap/rpcbind (111/tcp and 111/udp), NFS (2049/tcp and 2049/udp), lockd (4045/tcp and 4045/udp)

■■ NetBIOS in Windows NT: 135 (tcp and udp), 137 (udp), 138 (udp), 139 (tcp); Windows 2000: the earlier ports, plus 445 (tcp and udp)

■■ X Windows: 6000/tcp through 6255/tcp

■■ Naming services: DNS (53/udp) to all machines that are not DNS servers; DNS zone transfers (53/tcp), except from external secondaries; LDAP (389/tcp and 389/udp)

124 Part II

■■ Mail: SMTP (25/tcp) to all machines that are not external mail relays, POP (109/tcp and 110/tcp), IMAP (143/tcp)

■■ Web: HTTP (80/tcp) and SSL (443/tcp), except to external Web servers. You should also block common high-order HTTP port choices (8000/tcp, 8080/tcp, 8888/tcp, etc.)

■■ “Small Services”: ports below 20/tcp and 20/udp, time (37/tcp and 37/udp)

■■ Miscellaneous: TFTP (69/udp), finger (79/tcp), NNTP (119/tcp), NTP (123/udp), LPD (515/tcp), syslog (514/udp), SNMP (161/tcp and 161/udp, 162/tcp and 162/udp), BGP (179/tcp), SOCKS (1080/tcp)

■■ ICMP: Block incoming echo request (ping and Windows traceroute); block outgoing echo replies, time exceeded, and destination unreachable messages except “packet too big” messages (type 3, code 4). (This item assumes that you are willing to forgo the legitimate uses of ICMP echo request in order to block some known malicious uses.)

Weak or Absent Packet Filtering

IP spoofing is used to take over the identity of a trusted host, to subvert security, and to attain trusted communications with a target host. After such a compromise, the attacker compiles a backdoor into the system, to enable easier future intrusions and remote control. Similarly, spoofing DNS servers gives the attacker the means to control the domain resolution process, and in some cases, to forward visitors to some location other than an intended Web site or mail server. Use a good program to attempt to send a spoofed packet to your system. Nmap and TigerSuite contain modules to help you send decoy or spoofed packets.

Weak or Absent Logging

Logging is an important function of operating systems, internetworking hardware, and service daemons. Having such information as configuration modifications, operational status, login status, and processing usage can save a great deal of troubleshooting and security investigation time. Too many networks and home users fail to employ strong logging routines. Verify that your operating system logging facilities are active and investigate the logging schemes provided with specific services such as FTP, HTTP, and SMTP, to name a few.

CGI Flaws

Flaws in Common Gateway Interface (CGI) code can make a Web server susceptible to attack through its Web pages. CGI is a method for transferring information between a Web server and a CGI program. CGI programs are written to accept and return data, and can be programmed in a language such as C, Perl, Java, or Visual Basic. CGI programs are commonly used for dynamic user interaction and/or Web page form usage. One problem with CGI is that each time a CGI script is executed, a new process is started, which can slow down a Web server. Use the scanners mentioned in this book or a CGI Penetrator (e.g., TigerBreach from www.TigerTools.net) and even a TCP Flooder to exploit Web server vulnerabilities with scripts.

Web Server Directory Listing and File Execution

By sending an IIS server a URL that contains an invalid Unicode UTF-8 sequence, an attacker can force the server to literally list directories, and sometimes even execute arbitrary scripts. Run hfnetchk (a tool used to verify the patch level on one or several systems) or even try typing the following URL against your IIS Web server:

http://IPAddress/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
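The URL above works because %c0%af is an overlong UTF-8 encoding of “/” that a conforming decoder must reject but a lenient one turns into a path separator after the traversal check has already run. The following added example (not code from the book) shows how a log reviewer can spot such requests: it percent-decodes the path, collapses overlong two-byte sequences the way a lenient decoder would, and flags any “..” component; the access-log lines are constructed.

```python
"""Flag request paths that use overlong UTF-8 (e.g. %c0%af) to smuggle '..'
traversal past a naive check. Sample log lines are constructed."""
import re
from urllib.parse import unquote_to_bytes

# Lead bytes 0xC0 and 0xC1 can only begin an overlong 2-byte sequence. A
# conforming UTF-8 decoder rejects them; a lenient one yields the ASCII byte.
OVERLONG_2BYTE = re.compile(rb"[\xc0\xc1][\x80-\xbf]")


def decode_overlong(raw: bytes) -> bytes:
    """Collapse each overlong 2-byte sequence to the single byte it encodes,
    mimicking a lenient decoder. All other bytes pass through unchanged."""
    def collapse(m):
        lead, trail = m.group(0)            # iterating bytes yields ints
        return bytes([((lead & 0x1F) << 6) | (trail & 0x3F)])
    return OVERLONG_2BYTE.sub(collapse, raw)


def analyze_request_path(url_path: str) -> dict:
    """Report whether a request path contains overlong UTF-8, what a lenient
    decoder would see, and whether that view contains a '..' component."""
    raw = unquote_to_bytes(url_path)        # undo %xx encoding, bytes out
    overlong = OVERLONG_2BYTE.search(raw) is not None
    # %c1%9c is an overlong backslash; normalise both separators to '/'
    decoded = decode_overlong(raw).replace(b"\\", b"/")
    traversal = any(seg == b".." for seg in decoded.split(b"/"))
    return {"overlong_utf8": overlong,
            "decoded": decoded.decode("latin-1"),
            "traversal": traversal}


LOG_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+)')


def scan_log(lines):
    """Yield (path, findings) for every log line whose path traverses."""
    for line in lines:
        m = LOG_REQUEST.search(line)
        if m:
            findings = analyze_request_path(m.group(1))
            if findings["traversal"]:
                yield m.group(1), findings


# Constructed sample access-log lines: one benign, one using the overlong
# slash from the text, one using a plain %2f that the server itself blocks.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2001:10:00:00] "GET /default.htm HTTP/1.0" 200 1024',
    '203.0.113.5 - - [01/Jan/2001:10:00:01] '
    '"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 200 512',
    '203.0.113.5 - - [01/Jan/2001:10:00:02] '
    '"GET /scripts/..%2f../winnt/system32/cmd.exe HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for path, f in scan_log(SAMPLE_LOG):
        tag = "overlong" if f["overlong_utf8"] else "plain"
        print(f"ALERT ({tag}) {path} -> {f['decoded']}")
```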

ISAPI Buffer Overflow

An idq.dll buffer overflow on systems running IIS can lead to complete system compromise. A section of code in idq.dll that handles input URLs (part of the IIS Indexing Service) contains an unchecked buffer, allowing a buffer overflow condition to occur.

This vulnerability affects Windows NT 4.0, 2000, 2000 Server, 2000 Advanced Server, 2000 DataCenter Server, and Windows XP beta running IIS. The service does not need to be running for a remote attacker to exploit it. Therefore a remote attacker could exploit the vulnerability in idq.dll to cause a buffer overflow and allow the execution of arbitrary code even though the service is not active. Because idq.dll runs in the system context, the attacker could gain administrative privileges. If other trusts have been established, the attacker may also be able to compromise additional systems.

Microsoft Remote Data Services (RDS) Exploit

An attacker can exploit programming flaws in IIS’s Remote Data Services (RDS) to run remote commands with administrator privileges. This vulnerability affects Windows NT4.0, 2000, 2000 server, 2000 Advanced Server, 2000 DataCenter Server, and Windows XP beta running IIS. The service does not need to be running for a remote attacker to exploit it.

Unprotected NetBIOS Shares

NetBIOS messages are based on the Server Message Block (SMB) format, which is used by DOS and Windows to share files and directories. In *NIX systems, this format is utilized by a product called Samba to collaborate with DOS and Windows. While network protocols typically resolve a node or service name to a network address for connection establishment, NetBIOS service names must be resolved to an address before establishing a connection with TCP/IP. This is accomplished with the previously mentioned messages or with a local LMHOSTS file, whereby each PC contains a list of network nodes and their corresponding IP addresses. Running NetBIOS over TCP/IP uses ports 137–139, where port 137 is NetBIOS name (UDP), port 138 is NetBIOS datagram (UDP), and port 139 is NetBIOS session (TCP). This vulnerability can allow the modification or deletion of files from any exported, mounted file system. Server Message Block (SMB) can be compared to Sun’s Network File System (NFS), and it allows for the sharing of file systems over a network using the NetBIOS protocol. This vulnerability gives a remote intruder privileged access to files on mounted file systems.

Consequently, an attacker could potentially delete or change files. Use ShieldsUP at www.grc.com to receive a real-time appraisal of any system’s SMB exposure. The Microsoft Personal Security Advisor will also report whether you are vulnerable to SMB exploits, and can fix the problem; it is available at www.microsoft.com/technet/security/tools/mpsa.asp.

Null Session Information Leakage

According to SANS, a Null Session connection, also known as Anonymous Logon, is a mechanism that allows an anonymous user to retrieve information (such as usernames and shares) over the network, or to connect without authentication. It is used by applications such as explorer.exe to enumerate shares on remote servers. On Windows NT and Windows 2000 systems, many local services run under the SYSTEM account known as LocalSystem. The SYSTEM account is used for various critical system operations. When one machine needs to retrieve system data from another, the SYSTEM account will open a null session to the other machine. The SYSTEM account has virtually unlimited privileges and it has no password, so you can’t log on as SYSTEM. SYSTEM sometimes needs to access information on other machines, such as available shares, usernames, Network Neighborhood-type functionality, and so on. Because it cannot log in to the other systems using a UserID and password, it uses a Null Session to gain access. Unfortunately, attackers can also log in as the Null Session. Try to connect to your system via a Null Session using the following command:

net use \\a.b.c.d\ipc$ "" /user:""

where a.b.c.d is the IP address of the remote system. If you receive a “connection failed” response, then your system is not vulnerable. If no reply comes back, it means that the command was successful and your system is vulnerable. “Hunt for NT” can also be used; it is a component of the NT Forensic Toolkit from http://packetstormsecurity.ni/NT/audit.

SAM LM Hash

Windows NT stores user information, specifically encrypted passwords, in the Security Accounts Manager (SAM) database. Microsoft stores LAN Manager password hashes there, which are vulnerable to eavesdropping and cracking. Use a password-cracking tool like LC3 (l0phtcrack version 3) from www.atstake.com/research/lc3/download.html or one of those mentioned in this book.

Remote Procedure Calls (RPCs) Buffer Overflows

RPCs allow programs on one computer to execute programs on a second computer. They are widely used to access network services such as NFS file sharing and NIS. These programs have been reported to be vulnerable to a broad assortment of DoS attacks. Verify whether you are running one of the three RPC services that are most commonly exploited:

■■ rpc.ttdbserverd

■■ rpc.cmsd

■■ rpc.statd

*NIX Buffer Overflows

Multiple vulnerabilities exist that make systems susceptible to the following attacks:

■■ A buffer overflow condition can occur in the BSD line printer daemon.

■■ Buffer overflow conditions can occur in the line printer daemon on AIX.

■■ Sendmail vulnerability can allow root access.

■■ Hostname authentication can be bypassed with spoofed DNS.

■■ A buffer overflow condition can occur in the line printer daemon on HP-UX.

In more detail:

■■ A buffer overflow condition can occur in the BSD line printer daemon. If an attacker uses a system that is listed in the /etc/hosts.equiv or /etc/hosts.lpd file of the vulnerable system, he or she could then send a specially crafted print job to the printer and request a display of the print queue, to cause a buffer overflow to occur. The attacker could use the overflow condition to execute arbitrary code with the privileges of the line printer daemon (possibly superuser).

■■ Buffer overflow conditions can occur in the line printer daemon on AIX systems. If an attacker:

Uses a system that is listed in the /etc/hosts.equiv or /etc/hosts.lpd file of the vulnerable system, he or she could use the kill_print() buffer overflow vulnerability to cause a DoS condition to occur or to gain the privileges of the line printer daemon (generally root privilege).

Uses a system that is listed in the /etc/hosts.equiv or /etc/hosts.lpd file of the vulnerable system, he or she could use the send_status() buffer overflow vulnerability to cause a DoS condition to occur or to gain the privileges of the line printer daemon (generally root privilege).

Uses a system that is capable of controlling the DNS server, he or she could use the chk_fhost() buffer overflow vulnerability to cause a DoS condition to occur or to gain the privileges of the line printer daemon (generally root privilege).

■■ Sendmail vulnerability can allow root access. Because the line printer daemon allows options to be passed to sendmail, an attacker could use the options to specify a different configuration file. This may allow the attacker to gain root access.

■■ Hostname authentication can be bypassed with spoofed DNS. Generally, the line printer daemon that ships with several systems contains a vulnerability that can grant access when it should not. If an attacker is able to control DNS, the attacker’s IP address could be resolved to the hostname of the print server. In this case, access would be granted even though it should not be.

■■ A buffer overflow condition can occur in the line printer daemon on HP-UX. The rpldaemon provides network printing functionality on HP-UX systems. However, the rpldaemon contains a vulnerability that is susceptible to specially crafted print requests. Such requests could be used to create arbitrary directories and files on the vulnerable system. Because the rpldaemon is enabled by default with superuser privilege, a remote attacker could gain superuser access to the system. Because no existing knowledge of the system is required, and because rpldaemon is enabled by default, these systems are prime targets for an attacker.

BIND Flaws

A domain name is a character-based handle that identifies one or more IP addresses. This service exists simply because alphabetic domain names are easier for people to remember than IP addresses. The domain name service (DNS), most often provided by the BIND software, translates these domain names back into their respective IP addresses. Outdated BIND packages are vulnerable to attacks such as buffer overflows that may allow an attacker to gain unauthorized access to the system. Identify BIND weaknesses with the vulnerability scanners mentioned in this book.

SNMP Flaws

Multiple vulnerabilities exist, including but not limited to unauthorized access, denial of service (DoS), severe congestion, and system halt/reboot. The Simple Network Management Protocol (SNMP) is used to manage and monitor SNMP-compliant network devices. These devices can include “manageable” routers, switches, file servers, CSU/DSUs, workstations, storage area network devices (SANs), and many others. Devices running the SNMP protocol send SNMP trap messages to SNMP-enabled monitoring devices. These monitoring devices interpret the traps for the purpose of evaluating, acting on, and reporting on the information obtained. SNMP uses community strings much like a UserID/password. Generally, there are three types of community strings: Read-Only, Read-Write, and SNMP trap. These strings not only aid the SNMP devices in determining who (which string) can access them, but what type of access is allowed (Read-Only, Read-Write, or SNMP trap information). Multiple vulnerabilities exist on many manufacturers’ devices that use SNMP, and different vulnerabilities may be present on different devices. Vulnerabilities may cause (but are not limited to) DoS, unauthorized access, system halt/reboot, and configuration control. Some of the vulnerabilities may not require use of the community string. Also, many devices ship with the “public” read-only community string enabled, which, if not changed from the default, can at a minimum make the devices “visible” to any devices using the “public” string, including unauthorized users.

Shell Daemon Attacks

Multiple vulnerabilities exist in Secure Shell (SSH) daemons that cause unauthorized root access, denial of service (DoS), execution of arbitrary code and full system compromise. Many SSH vulnerabilities have already been reported, and this advisory is issued primarily to ensure that system administrators are aware that vulnerabilities exist. Two are discussed here:

■■ A remote integer overflow vulnerability exists in several SSH1 protocol implementations. The detect_attack function stores connection information in a dynamic hash table. This table is reviewed to aid in detecting and responding to CRC32 attacks. An attacker can send a packet that causes SSH to create a hash table with a size of zero. When the detect_attack function tries to store information into the hash table, the return address of the function call can be modified. This allows the execution of arbitrary code with SSH privileges (generally root).

■■ The second vulnerability is the Compensation Attack Detector vulnerability. Using a brute-force attack, an attacker could gain full access to the affected machine. Reports show that there may be many messages in the system log similar to the following:

hostname sshd[xxx]: Disconnecting: Corrupted check bytes on input.

hostname sshd[xxx]: Disconnecting: crc32 compensation attack: network attack detected

hostname sshd[xxx]: Disconnecting: crc32 compensation attack: network attack detected

Once the system has been compromised, reports identify installation(s) of Trojans, network scanning devices designed to look for other vulnerable systems, and other items designed to hide the actions of the intruder and allow future access.
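A single “crc32 compensation attack” disconnect can be a corrupted packet, but a brute-force attempt against the detector produces a burst of them. The following added example (not from the book) shows detection logic a log reviewer could run over syslog: it parses the sshd disconnect messages quoted above, counts the two indicator messages per host in a sliding time window, and raises an alert when the count crosses a threshold. The syslog prefix format and the sample lines are assumptions, constructed for the example.

```python
"""Spot bursts of SSH1 CRC32 compensation-attack disconnects in syslog output.
Sample lines are constructed, not taken from a real system."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed syslog prefix: 'Mon DD HH:MM:SS host sshd[pid]: Disconnecting: ...'
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: Disconnecting: (?P<msg>.*)$")

# Message prefixes from the text; a brute-force attempt leaves many of them.
INDICATORS = ("crc32 compensation attack", "Corrupted check bytes on input")


def parse_disconnect(line, year=2001):
    """Return (timestamp, host, pid, message) or None for other lines.
    Syslog omits the year, so one is supplied (assumed, used for ordering)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host"), int(m.group("pid")), m.group("msg")


def find_bursts(lines, threshold=3, window_seconds=600):
    """Return {host: peak_count} for hosts that logged at least `threshold`
    indicator messages inside any `window_seconds`-wide sliding window."""
    events = defaultdict(list)
    for line in lines:
        p = parse_disconnect(line)
        if p and p[3].startswith(INDICATORS):
            events[p[1]].append(p[0])
    alerts = {}
    for host, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until it fits inside the window
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[host] = max(alerts.get(host, 0), count)
    return alerts


# Constructed sample syslog lines: one burst on 'hostname', stray singles.
SAMPLE_LOG = [
    "Mar 12 02:14:01 hostname sshd[4710]: Connection from 198.51.100.8 port 40012",
    "Mar 12 02:15:10 hostname sshd[4720]: Disconnecting: Corrupted check bytes on input.",
    "Mar 12 02:15:11 hostname sshd[4721]: Disconnecting: crc32 compensation attack: network attack detected",
    "Mar 12 02:15:13 hostname sshd[4722]: Disconnecting: crc32 compensation attack: network attack detected",
    "Mar 12 02:15:14 hostname sshd[4723]: Disconnecting: crc32 compensation attack: network attack detected",
    "Mar 12 09:40:00 otherhost sshd[900]: Disconnecting: Corrupted check bytes on input.",
    "Mar 12 14:30:00 hostname sshd[5001]: Disconnecting: Corrupted check bytes on input.",
]

if __name__ == "__main__":
    for host, n in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {n} CRC32 compensation-attack disconnects in 10 min")
```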

rsync Flaw

Remote Sync vulnerabilities can allow an attacker to execute arbitrary code or halt system operation. Remote Sync allows directory structures to be replicated on other machines (locally or remotely). Signed and unsigned numbers exist within rsync that
