Security
Eugene Schultz, Global Integrity Corporation (an SAIC Company) and Purdue University
Black Hat Conference
Las Vegas, Nevada
July 8, 1999
Copyright 1999, Global Integrity Corporation - All Rights Reserved. Copying these materials without the explicit, written permission of Global Integrity Corporation is prohibited.
Agenda
Introduction
Vulnerabilities
Solutions
Conclusion
Surprise, surprise? (25 June 1999)
Federal Computers Vulnerable
According to federal officials, federal websites and computer systems are particularly vulnerable to outside attacks because they lack two important elements: adherence to security plans and qualified personnel to maintain security measures.
http://www.newspage.com/cgi-bin/NA.GetStory?story=h0624132.500&date=19990625&level1=46510&level2=46515&level3=821
[Diagram: Editor (client side); Server; Server Extensions (for managing and referencing HTML pages); IIS Web server]
IIS Web authentication*
Basic authentication---to determine
Second--challenge-response authentication (MSV1_0 authentication)
[Diagram: challenge-response authentication between CLIENT and SERVER]
1. Authentication request (client to server)
2. 8-byte nonce (server to client)
3. Encrypted nonce (client to server)
4. Retrieval of entries from SAM database (server)
5. Encryption of nonce (server)
6. Comparison of encrypted nonces (server)
of service
Ability to modify Web page content
Ability to read and/or alter files that are not part of the Web server
Example 1
A potential buffer overflow condition in the ISAPI extension ISM.DLL (a filter used to process .HTR files) allows someone
Example 2
A bug allows anyone to use a default .asp page to view and also to modify source code by requesting a file from a virtual directory (simply enter ../)
Problem: normal processing of the file is circumvented
Several variants of this bug exist
Found in IIS 3.0 and 4.0
Patch is available (but best solution may be to remove all default .asp pages)
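The defensive counterpart to Example 2, written for this page and not taken from the slides or from IIS itself: a request mapper that fully decodes a path, refuses any remaining dot-dot segment, and only then chooses the handler from the normalized path, so a script cannot be handed to the static-file reader that would return its source. The virtual-directory table, extension list and sample request paths are constructed.

```python
# Added example, not part of the original slides: a defensive request mapper
# for the Example 2 problem (a "../" request aimed at a virtual directory).
# Virtual-directory table, extension list and sample requests are constructed.
from urllib.parse import unquote
import posixpath

# Constructed IIS-style virtual directories: URL prefix -> on-disk root.
VIRTUAL_DIRS = {"/scripts": "C:/Inetpub/scripts", "/": "C:/Inetpub/wwwroot"}
# Extensions that must reach a script engine, never the static-file reader.
SCRIPT_EXTENSIONS = {".asp", ".htr", ".idc"}

def map_request(url_path):
    """Decide how a request path is served.

    Returns ("reject", reason, None) when the decoded path still carries a
    '..' segment, otherwise ("serve", handler, disk_path). Decoding is done
    twice so that %252e%252e (double-encoded '..') is seen, backslashes are
    folded to '/', and the handler is chosen from the normalized path so a
    script cannot be turned into a static file by an odd spelling."""
    raw = unquote(unquote(url_path)).replace("\\", "/")
    if ".." in raw.split("/"):
        return ("reject", "dot-dot segment after decoding", None)
    norm = posixpath.normpath("/" + raw.lstrip("/"))
    # Longest virtual-directory prefix wins, as a real server would do.
    for vdir in sorted(VIRTUAL_DIRS, key=len, reverse=True):
        prefix = vdir if vdir.endswith("/") else vdir + "/"
        if norm == vdir or norm.startswith(prefix):
            rel = norm[len(vdir):].lstrip("/")
            disk = VIRTUAL_DIRS[vdir] + ("/" + rel if rel else "")
            ext = posixpath.splitext(norm)[1].lower()
            handler = "script" if ext in SCRIPT_EXTENSIONS else "static"
            return ("serve", handler, disk)
    return ("reject", "no virtual directory matches", None)

def rejected_requests(request_paths):
    """Detection helper: the request paths the mapper would reject, e.g. when
    replaying paths pulled from the Web server log."""
    return [p for p in request_paths if map_request(p)[0] == "reject"]

# Constructed sample of request paths, as a log replay might produce.
SAMPLE_REQUESTS = [
    "/default.asp",
    "/scripts/readme.txt",
    "/scripts/../default.asp",
    "/scripts/%2e%2e/default.asp",
    "/scripts/%252e%252e%5cdefault.asp",
    "/./default.asp",
]

if __name__ == "__main__":
    for path in SAMPLE_REQUESTS:
        print(path, "->", map_request(path))
```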
Example 3
A bug allows CGI scripts that require authentication to be run without any authentication
Version affected: IIS 3.0
Is really more of a limitation in an intended security feature than a vulnerability
Upgrade to IIS 4.0
Example 4
Someone can discover the path to a virtual directory
Requires only connecting to the msdownload directory at a site, then pressing Refresh/Reload
Can facilitate an attacker's efforts to locate resources to attack
All versions are affected
No patch available yet
Example 5
A malformed GET request can crash IIS, causing data corruption
Requires that more than one virtual server run on one machine
Problem: quitting inetinfo.exe by one server fails to produce a file handle for TEMP files that the other needs for data writes
Problem is robust across different releases
Hot fix (see Q192296) available
Example 6
An unprivileged user can create an ISAPI extension to load rogue CGIs that run as SYSTEM
GetExtensionVersion()
Default()
Example 7
An anonymous user can use NetBIOS mechanisms to remotely reach \%systemroot%\system32\inetsrv\iisadmpwd (virtual directory /IISADMPWD) to start up HTR files
Passwords
/IISADMPWD?
Filter traffic bound for TCP port 139?
Example 8
An unauthorized user can access cached files without being authenticated
Requires that
More
Example 9
IIS may fail to log successful HTTP requests
Requests include
File name: Default.asp
Request method (the attacker must make this very long---at least 10140 bytes)
Example 10
Under certain conditions, calling one or more ASPs may cause 100% CPU utilization
\exair\root\search\advsearch.asp
\exair\root\search\query.asp
\exair\root\search\search.asp
[Diagram: ROUTER, DMZ, FIREWALL, INTERNAL NETWORK, SECURITY PERIMETER]
TFTP (Trivial File Transfer Protocol)
Conclusion
We haven't even looked into security-related vulnerabilities in
Browsers
IIS FTP
Conclusion
The number of reported bugs has increased dramatically over the last year
The problem is only going to get worse in the next version
Fronting server
Cache box
[Diagram: SERVERS THAT ARE NOT PART OF AN NT DOMAIN, ROUTER, NT EXTERNAL WEB SERVER, NT FIREWALL, INTERNAL NETWORK, SECURITY PERIMETER]
Sniffer Attacks
Password Transmission in Heterogeneous Environments
[Diagram: Windows NT host, Unix host, cleartext password]
PPTP-Protected Transmissions
[Diagram: Host - RAS Server - PPTP - RAS Server - Host]
Password Cracking
The Windows NT security model attempts to provide strong protection against password cracking
Strong
Password Cracking Solutions
PPTP
Exceptionally strong passwords
Third-party authentication
Exploitation of SMB
SMB servers have weak authorization requirements for file transfers
SMB has numerous back-door mechanisms
Concerns:
It
Considerations for Access to Other Platforms
Windows NT does not recognize permissions from any operating system other than NTFS
Most NT-compatibility programs require that
A
So What's The Problem?
Gaps in the Windows NT security model
Faulty implementations that result in security exposures
Security weaknesses in logic of design of network service programs
Backdoors in protocols
Immaturity of Windows NT as an operating system
Conclusion
Windows NT has many security-related bells and whistles that really are not so important
NT domains in many respects constitute steel doors in grass huts
NT-based TCP/IP services will increasingly constitute the greatest threat to security
Most critical tools
Third-party authentication tools
Firewalls
Packet scanners
Vulnerabilities scanners
Network monitoring tools
Conclusion
The problem of dealing with Windows NT network vulnerabilities is exacerbated by
The