March 2001

CRACKER EXPLOITS

BATTLE PLANS

15 cracker exploits every security professional should know about--and how to defend against them.

BY KEN BRANDT, STU GREEN & ENRIQUE ZÚÑIGA

It's no exaggeration to suggest that for every line of code ever written there's a potential vulnerability waiting for exploitation. While hackers and crackers are constantly looking for new vulnerabilities, the tools and techniques they employ are almost always variations of previous attacks. Just as the campaigns of Hannibal against the Romans were inspiration for Gen. Norman Schwarzkopf's Persian Gulf War battle plan, infosec professionals must draw from the experience of past cyberattacks to guard against future digital assaults.

With that in mind, in this article we'll outline a few of the common exploits that all infosec professionals should know and will likely encounter in their careers. No list of vulnerabilities and attacks is ever complete--just as the recently updated SANS Top 10 list of Internet threats (www.sans.org/topten.htm) only notes the most critical risks. By no means is this article intended to tackle the breadth of exploits--known and probable, social or technical. It's simply the things often overlooked by those who need security, but don't fully understand the threats. For some readers, this article may seem a little too basic. But it's not a bad idea for every infosec professional--from the lowly private to the commanding general--to review the basics from time to time.

1. IP Spoofing

Also known as source address spoofing, IP spoofing is when an attacker compromises the routing packets to redirect a file or transmission to a different destination. The routing packets of most Internet file transfers are transmitted in the clear, making it easy for an attacker to modify source data or change the destination of information. The technique is also effective in disguising an attacker's identity, preventing victims from identifying the culprits who breach their systems.

The protocols that deal with inter-computer communication are most susceptible to spoofing. Internet Control Message Protocol (ICMP) is vulnerable because it passes information and error messages between two points on a network. The Internet Group Management Protocol (IGMP) is exploitable because it reports error conditions at the user datagram level, and contains routing and network information. The User Datagram Protocol (UDP) can also have its identification query function compromised.

The solution to preventing IP spoofing is securing transmission packets and establishing screening policies. Point-to-point encryption will prevent unauthorized users from reading the packets. Authentication can prove that a legitimate source, and not a spoofed middleman, sent the contents of the packet. In either case, any attempt to tamper with the packets would leave some telltale sign to warn system admins.

Anti-spoofing rules, which basically tell the server to reject any external packets that appear to come from an internal IP address, will cut down on most spoof attacks. Non-predictable sequence numbering, or making the SYN/ACK dialogue more difficult to predict, will also reduce the chances of a session being intercepted and hijacked.
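The anti-spoofing rule described above, written out as a filter check so the "telltale sign" of a spoofed packet shows up in a log. This is an added example, not code from the article; the interface names, address blocks and sample packets are constructed, and the egress rule (dropping outbound packets that do not carry an internal source address) goes one step beyond the article, as standard practice at a border router.

```python
"""Anti-spoofing filter check for a border router or firewall (added example)."""
import ipaddress
from typing import Iterable

# Constructed: address blocks that belong to the protected site.
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]
# Never a valid source address on the wire, whatever the interface.
BOGON_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("224.0.0.0/4"),   # multicast cannot be a source
]

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def is_bogon(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)

def filter_packet(iface: str, src: str, dst: str) -> tuple[str, str]:
    """Return (verdict, reason) for one packet.

    iface is "ext" for the Internet-facing interface and "int" for the inside.
    Ingress rule (from the article): an external packet claiming an internal
    source address is spoofed and is rejected.
    Egress rule (beyond the article, standard practice): a packet leaving the
    site must carry an internal source, otherwise this site is the spoofer.
    """
    if is_bogon(src):
        return "drop", "bogon source"
    if iface == "ext" and is_internal(src):
        return "drop", "external packet with internal source (spoofed)"
    if iface == "int" and not is_internal(src):
        return "drop", "outbound packet with foreign source (egress spoof)"
    return "accept", "ok"

def audit(packets: Iterable[tuple[str, str, str]]) -> list[str]:
    """Run the filter over (iface, src, dst) tuples; return one log line per drop."""
    log = []
    for iface, src, dst in packets:
        verdict, reason = filter_packet(iface, src, dst)
        if verdict == "drop":
            log.append(f"DROP iface={iface} src={src} dst={dst} reason={reason}")
    return log

# Constructed sample traffic.
SAMPLE = [
    ("ext", "203.0.113.5", "192.168.1.10"),    # legitimate inbound
    ("ext", "192.168.1.7", "192.168.1.10"),    # spoofed inbound: internal source from outside
    ("int", "192.168.1.10", "203.0.113.5"),    # legitimate outbound
    ("int", "198.51.100.9", "203.0.113.5"),    # a local host spoofing someone else's address
    ("ext", "127.0.0.1", "192.168.1.10"),      # bogon source
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```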

2. File Transfer Protocol (FTP) Attacks

One of the most common FTP attacks is a buffer overflow caused by a malformed command. A successful attack could either drop the attacker in a command shell or cause a denial of service.

While a denial of service would deny legitimate users access to network resources, the successful co-opting of the command shell would grant an attacker access to the server's systems and data files. An attacker could then create an anonymous root-access account that would grant him near-unrestricted network privileges.

Failure to apply the frequently released system upgrades and patches is the most common cause of FTP vulnerabilities. The popular Unix wu-ftp server, for instance, was upgraded twice in one day to repair a condition that permitted easily induced buffer overflows.

FTP exploits are also useful in password guessing (which we'll discuss later), FTP bounce attacks (using someone's FTP server to launch an attack while disguising the attacker's identity), and mining information (such as the machine's registry).

3. Unix Finger Exploits

In the early days of the Internet, the Unix OS finger utility was used as an efficient way to share user information. Because much of the information revealed by a finger information request is fairly innocuous, most system admins leave the utility running with minimal security, if any. To an attacker, however, the utility can yield valuable footprinting information, including user names, logons and contact information. It also provides a pretty good indication of users' activities, the times they are logged on and how much they are paying attention to their systems.

Information gleaned through a finger information request has little technical value for cracking into a system. However, the personal information it reveals can provide an attacker with enough of a framework to launch a social engineering effort--the use of social skills to trick legitimate users into revealing passwords and access codes (see discussion under E-mail Exploits).

4. Flooding and Broadcasting

An attacker can significantly reduce the processing capacity of a network and its subordinate workstations by inundating it with more information requests than it can handle--a classic denial of service. Sending an overwhelming amount of requests to a single port is flooding, sometimes called spraying. When the flood of requests is sent to all network stations, it's called broadcasting. The result of both is the same: the tying up of network resources that prevents the processing of legitimate queries.

Flood attacks rely on two factors: size and/or volume. An attacker can cause a denial of service by throwing a large number of huge files or a huge volume of small packets at a system. In either approach, a network server faces the same bottleneck situation: too much information flowing in and not enough power to push it through. Obviously, large packets consume a lot of processing capacity, but the abnormally small packets in large volumes will consume just as many resources.

Attackers will often use flood attacks to gain access to a system for use against other networks in distributed denial-of-service (DDoS) campaigns. These attacks are called Smurfs if they are sent on the ICMP level and Fraggles when they're sent on the UDP level.

Sites that amplify broadcast traffic--commonly called Smurf amplifiers--are effective tools in launching a flood attack. By spoofing himself as the target network, an attacker can send a single request to the Smurf amplifier. The amplifying network will respond from every one of its subsystems, meaning that a single request will result in scores of responses to the target network. The result is a denial of service that leaves no trace of the initiator. Rejecting directed broadcast at a border router will stop a site from being used as a Smurf amplifier.

TCP-level flooding--mostly SYN attacks--was used in the February 2000 DDoS attacks against Yahoo!, eBay, E*Trade and others. Networks that do not use stateful firewalls (firewalls that check the state of TCP packets) are especially susceptible to TCP-level flooding.

Some firewall filtering functions will keep an attack launched from a single IP address from reaching flood stage, but DDoS attacks are much harder to stop because they come from multiple IP addresses simultaneously. Currently, the only way of stopping a DDoS attack is tracing the packets back to their source and shutting down the transmitting networks--usually hijacked systems.
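What a stateful firewall actually does when it "checks the state of TCP packets" against a SYN flood, as an added example that is not code from the article: each SYN opens a half-open entry, the SYN/ACK and final ACK advance it to established, and a service that accumulates more half-open entries than a threshold is flagged. Addresses, thresholds and the replayed traffic are constructed for this example.

```python
"""Stateful tracking of the TCP three-way handshake to flag SYN floods (added example)."""

HALF_OPEN_LIMIT = 5     # constructed: half-open connections tolerated per service
WINDOW_SECONDS = 10.0   # constructed: unfinished handshakes older than this expire

class HandshakeTracker:
    def __init__(self):
        self.table = {}       # (client, cport, server, sport) -> [state, last_seen]
        self.alerts = []      # (time, server, sport, half_open_count)
        self._alerted = set()

    def _expire(self, now):
        """Drop stale half-open entries so one burst does not clog the table forever."""
        stale = [k for k, (state, ts) in self.table.items()
                 if state != "ESTABLISHED" and now - ts > WINDOW_SECONDS]
        for k in stale:
            del self.table[k]

    def observe(self, t, src, sport, dst, dport, flags):
        """Feed one TCP packet; flags is a set such as {"SYN"} or {"SYN", "ACK"}."""
        self._expire(t)
        if flags == {"SYN"}:
            self.table[(src, sport, dst, dport)] = ["SYN_RECV", t]
            self._check(t, dst, dport)
        elif flags == {"SYN", "ACK"}:
            key = (dst, dport, src, sport)          # server replies to the client's SYN
            if self.table.get(key, [None])[0] == "SYN_RECV":
                self.table[key] = ["SYN_ACK_SENT", t]
        elif "ACK" in flags:
            key = (src, sport, dst, dport)          # client completes the handshake
            if self.table.get(key, [None])[0] == "SYN_ACK_SENT":
                self.table[key] = ["ESTABLISHED", t]

    def half_open(self, server, sport):
        """Number of handshakes with this service that have not completed."""
        return sum(1 for (_, _, s, p), (state, _) in self.table.items()
                   if s == server and p == sport and state != "ESTABLISHED")

    def _check(self, now, server, sport):
        n = self.half_open(server, sport)
        if n > HALF_OPEN_LIMIT and (server, sport) not in self._alerted:
            self._alerted.add((server, sport))
            self.alerts.append((now, server, sport, n))

SERVER = "203.0.113.20"   # constructed: the Web server being protected

def run_sample():
    """Replay constructed traffic: one normal handshake, a SYN flood, then quiet."""
    tr = HandshakeTracker()
    # A legitimate client completes the handshake.
    tr.observe(0.0, "192.168.1.10", 40000, SERVER, 80, {"SYN"})
    tr.observe(0.1, SERVER, 80, "192.168.1.10", 40000, {"SYN", "ACK"})
    tr.observe(0.2, "192.168.1.10", 40000, SERVER, 80, {"ACK"})
    # Eight SYNs from scattered (possibly spoofed) sources, none ever acknowledged;
    # the sixth pushes the service past HALF_OPEN_LIMIT and raises the alert.
    for i in range(1, 9):
        tr.observe(1.0 + i / 10, f"198.51.100.{i}", 50000 + i, SERVER, 80, {"SYN"})
    # Well after the window, a fresh SYN: the stale flood entries are expired first.
    tr.observe(20.0, "192.168.1.11", 40001, SERVER, 80, {"SYN"})
    return tr

if __name__ == "__main__":
    tracker = run_sample()
    for alert in tracker.alerts:
        print("SYN flood suspected:", alert)
    print("half-open now:", tracker.half_open(SERVER, 80))
```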

5. Fragmented Packet Attacks

Internet messages transmitted via TCP/IP can be divided into packets in such a way that only the first packet contains the TCP segment header information. Some firewalls will allow the processing of subsequent packets that do not contain the same source address information as the first packet, which can cause any type of system to crash. For example, NT servers used to crash if enough fragmented packets overwrote the first packet's protocol information.

Fragmented packets can also create a flood-like situation. Because fragmented packets are stored until they can be reassembled into complete messages, servers will store them in the kernel memory. The server will crash if the kernel memory absorbs too many fragmented packets.
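A defensive reassembler that handles both failure modes above, as an added example rather than code from the article: it rejects a later fragment that overlaps bytes already received (the case where the first fragment's header information gets overwritten), refuses a first fragment too small to hold the transport header, and caps the memory one source may tie up with fragments that never complete. The limits, sizes and sample fragments are constructed.

```python
"""IP fragment reassembly with overlap and memory checks (added example)."""

PER_SOURCE_LIMIT = 4096      # constructed: bytes of pending fragments allowed per source
MIN_FIRST_FRAGMENT = 24      # constructed: room for a 20-byte TCP header plus a margin

class FragmentError(Exception):
    pass

class Reassembler:
    def __init__(self):
        self.pending = {}   # (src, ident) -> {"frags": [(offset, data)], "total": int or None}
        self.usage = {}     # src -> bytes currently queued for that source

    def add(self, src, ident, offset, more, data):
        """Accept one fragment; return the reassembled datagram when complete, else None.

        Any anomaly discards the whole datagram rather than trusting part of it.
        """
        entry = self.pending.setdefault((src, ident), {"frags": [], "total": None})
        end = offset + len(data)
        # 1. Overlap check: no byte may be delivered twice, so nothing can be rewritten.
        for off, seg in entry["frags"]:
            if offset < off + len(seg) and off < end:
                self._drop(src, ident)
                raise FragmentError(f"overlapping fragment from {src} id={ident} at {offset}")
        # 2. The first fragment must carry the whole transport header.
        if offset == 0 and more and len(data) < MIN_FIRST_FRAGMENT:
            self._drop(src, ident)
            raise FragmentError(f"tiny first fragment from {src} id={ident}")
        # 3. Per-source memory budget for unfinished datagrams.
        if self.usage.get(src, 0) + len(data) > PER_SOURCE_LIMIT:
            self._drop(src, ident)
            raise FragmentError(f"reassembly budget exceeded for {src}")
        entry["frags"].append((offset, data))
        self.usage[src] = self.usage.get(src, 0) + len(data)
        if not more:
            entry["total"] = end        # last fragment fixes the datagram length
        return self._try_complete(src, ident, entry)

    def _try_complete(self, src, ident, entry):
        if entry["total"] is None:
            return None
        frags = sorted(entry["frags"])
        pos = 0
        for off, seg in frags:
            if off != pos:
                return None             # a hole remains
            pos += len(seg)
        if pos != entry["total"]:
            return None
        self._drop(src, ident)          # release the queued bytes
        return b"".join(seg for _, seg in frags)

    def _drop(self, src, ident):
        entry = self.pending.pop((src, ident), None)
        if entry:
            self.usage[src] = self.usage.get(src, 0) - sum(len(s) for _, s in entry["frags"])

def demo_normal():
    """Two well-formed fragments reassemble into one datagram."""
    r = Reassembler()
    r.add("10.0.0.1", 1, 0, True, b"A" * 32)
    return r.add("10.0.0.1", 1, 32, False, b"B" * 16)

def demo_overlap():
    """A second fragment that rewrites bytes 8..39 of the first is rejected."""
    r = Reassembler()
    r.add("10.0.0.2", 7, 0, True, b"A" * 32)
    try:
        r.add("10.0.0.2", 7, 8, False, b"X" * 32)
    except FragmentError as e:
        return str(e)
    return "accepted"

def demo_flood():
    """Forty never-completed 256-byte fragments: only 16 fit in the 4096-byte budget."""
    r = Reassembler()
    rejected = 0
    for ident in range(40):
        try:
            r.add("10.0.0.3", ident, 0, True, b"F" * 256)
        except FragmentError:
            rejected += 1
    return rejected

if __name__ == "__main__":
    print(len(demo_normal()), demo_overlap(), demo_flood())
```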

By thoroughly enumerating the topography of a targeted network, an attacker could selectively crash packet-content-examining firewalls, load balancers or content-based routers. By removing these defensive systems, the network is far more vulnerable to disruption and penetration.

Since they are not logged until assembled by the IP stack, fragmented packets once gave hackers a way of probing a network without being detected. IDSes and firewall filters have corrected this problem, but many systems remain susceptible to this exploit.

6. E-mail Exploits

E-mail exploits come in five forms: mail floods, command manipulations, transport-level attacks, malicious code insertion and social engineering. E-mail attacks can crash a target system, open overwrite and execute privileges to key files and applications, or provide access to command functions.

Mail-flood attacks occur when so much mail is sent to a target that the transfer agent is overwhelmed, causing other communication programs to destabilize and crash the system. Flooding a system with e-mail is a crude, but effective, means for bringing down a mail server.

One of the more interesting ways of inducing a mail-flood attack is exploiting the auto-responder function of many e-mail applications. Once an attacker finds active auto-responders on two different systems, he can direct one to e-mail the other. Because both are set to respond automatically to every message, they create a feedback loop that generates more mail than either system can handle.

Command-manipulation attacks (e.g., EXPN or VRFY) can cause a system to crash by subverting the mail transfer agent with a buffer overflow caused by entering a malformed command. The difference between mail flood and command manipulation is that the latter exploits Sendmail's privileges by allowing an attacker unauthorized access to information under the guise of a network admin making routine modifications. Enabling these commands may give an attacker access to key configuration files, the ability to overwrite files or plant Trojan horses on a mail server.

Transport-level attacks exploit the Simple Mail Transfer Protocol (SMTP)--the means of routing e-mail across the Internet. An attacker can cause a temporary error condition in the target system by overloading an SMTP buffer with more data than it can handle. This can cause the attacker's session to drop out of the Sendmail program and into a shell with admin privileges and, possibly, root-level access. Some of the more common attacks (e.g., Sendmail, POP and IMAP buffer overflows) exploit this network weakness.

While SMTP vulnerabilities are more difficult to exploit, attackers may resort to a transport-level attack if unsuccessful with a command manipulation or mail flood. This attack is used more for harassment than penetration. An attacker will usually use this to flood an Exchange server and disrupt e-mail traffic. It can also be used to tarnish an organization's reputation by disguising spam or offensive e-mails under a legitimate source address.

Mail relaying, the process of disguising an e-mail's source by routing it through a duped machine, is another type of transport-level attack. This technique is particularly useful in broadcasting spam anonymously.

Malicious content is often propagated through e-mail systems. Some viruses and worms (see section on Selective Program Insertion) will be carried into a system appearing as a legitimate attachment, such as the recent Melissa variant that appeared as a Mac MS Word macro, or the LoveLetter worm that infected systems and then mailed itself to users listed in Outlook's address book. Many antivirus scanners will catch the known malware attachments, but new scripts and variants can still sneak through.

Social engineering e-mails are just as the name implies: an attacker's attempt to trick a legitimate user into revealing sensitive information or executing a task. Sometimes an attacker will send an e-mail posing as a network admin who requests a user to send him a password for system upgrades.

7. DNS and BIND Vulnerabilities

The recent revelations of serious vulnerabilities in various versions of the Berkeley Internet Name Domain (BIND) application illustrate the fragility of the Domain Name System (DNS), which is critical to directing basic Internet operations.

BIND flaws are nothing new. Since its inception, the standard has been a favorite target of the cracker community because of its numerous vulnerabilities. The four new buffer overflow vulnerabilities revealed in January are only the latest in a series of potential exploits that would grant a cracker system access and command execution privileges.

BIND vulnerabilities are a serious problem since more than 80 percent of the DNSes deployed on the Internet use BIND. Without DNS in the modern Internet environment, there's no transmission of e-mail, navigation to Web sites or transference of data.

BIND vulnerabilities aren't the only threat to DNS. The number-address translator system is subject to numerous exploits, including information-level attacks, denial-of-service attacks, privilege escalation and hijacking.

Information-level attacks attempt to make a server answer with something other than the correct answer. One way of doing this is through cache poisoning, which tricks a remote name server into caching the answer for a third-party domain by providing malicious information for the domain's authoritative servers. All DNS implementations are susceptible to some level of poisoning if an answer to a specific question can be spoofed.
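The standard guard against the poisoning described above is a bailiwick check: a resolver caches a record only if its owner name lies inside the zone the answering server was asked about, and records for a third-party domain are discarded from whatever section they arrived in. This is an added example, not code from the article or from any resolver; the record structure and the sample response are constructed.

```python
"""Bailiwick filtering of DNS responses against cache poisoning (added example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str     # owner name
    rtype: str    # "A", "NS", ...
    value: str

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or is a subdomain of it.

    The comparison is on label boundaries, so 'evil-example.com' is not inside
    'example.com'; trailing dots and case are ignored.
    """
    n = name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)

def filter_response(zone, answer, authority, additional):
    """Split a response into (cacheable, discarded) records by bailiwick.

    zone is the zone the queried server speaks for. Glue in the additional
    section that names a host outside that zone is the classic poisoning
    vector, so it is discarded and must be resolved on its own.
    """
    cacheable, discarded = [], []
    for section in (answer, authority, additional):
        for rr in section:
            (cacheable if in_bailiwick(rr.name, zone) else discarded).append(rr)
    return cacheable, discarded

# Constructed response to a query for www.example.com sent to example.com's server.
SAMPLE_ANSWER = [RR("www.example.com", "A", "192.0.2.10")]
SAMPLE_AUTHORITY = [
    RR("example.com", "NS", "ns1.example.com"),
    RR("example.com", "NS", "ns1.otherdns.net"),     # an NS outside the zone is fine
]
SAMPLE_ADDITIONAL = [
    RR("ns1.example.com", "A", "192.0.2.53"),        # legitimate in-zone glue
    RR("ns1.otherdns.net", "A", "198.51.100.53"),    # out-of-zone glue: look it up separately
    RR("www.bank.example", "A", "198.51.100.66"),    # third-party record: poisoning attempt
    RR("evil-example.com", "A", "198.51.100.67"),    # looks similar, not in bailiwick
]

def demo():
    return filter_response("example.com", SAMPLE_ANSWER, SAMPLE_AUTHORITY, SAMPLE_ADDITIONAL)

if __name__ == "__main__":
    keep, drop = demo()
    for rr in keep:
        print("cache  ", rr)
    for rr in drop:
        print("discard", rr)
```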

DoS, or rendering a server inoperable, can be an in-band attack against a DNS itself or an out-of-band traffic-flooding attack, such as a "Smurf" ICMP flood. If a company places all of its authoritative name servers on a single segment, behind a single link or in a single physical area, it creates a potential single point of failure for a DoS attack.

Crackers will try to penetrate a system through a DNS by causing a buffer overflow, one potential exploit of the recent BIND vulnerabilities. Such intrusion exploits are due to poor coding that enables attackers to stuff executable code into information gathering fields. Some operating systems have patches available for non-executable stacks, as well as compiler patches that protect the stack from overflows. These protection mechanisms make intrusion exploits more difficult, but don't provide complete protection.

Obviously, regularly updating systems and applying patches is critical to maintain effective security. If your vendor's DNS version isn't patched regularly, you may want to think about changing your software.

On Unix systems, BIND must run as root to bind to a low-numbered port. If the software can be fooled into executing untrusted code, or opening root-owned files, a local user may be able to escalate his privileges. This is included simply for completeness, since it's unusual for critical infrastructure machines to house untrusted local user accounts.

Organizations changing authoritative servers also should be aware that changing all of their servers at the same time might allow their domain to be hijacked through cache poisoning. Replacing servers should be treated as a transitional process. Preventing domain hijacking requires network admins to add new servers to their infrastructure before removing the old equipment.

--Paul Robertson

8. Password Attacks

Compromised passwords are among the most common vulnerabilities. Users are careless with their PINs, password policies are difficult to enforce and attackers have plenty of tools for defeating password protections--both technical and social. Once an attacker has a user's password, he has all of the rightful user's privileges (assuming he already has access to the system). While training employees will guard against social engineering and help minimize policy violations, organizations must also take technical steps to mitigate password attacks. The most common password attacks are guessing, brute force, cracking and sniffing.

Password guessing involves entering common passwords either manually or through programmed scripts. Many users choose simple passwords--such as birthdays, anniversaries and spouse's names--and don't follow prescribed policies for mixed alphanumeric sequences. It doesn't take long for an attacker to run through all of the possible numeric sequences of a six-digit birthday PIN. Other users and admins make guessing easy by not changing the software's default password or by leaving the root/administrator password set to null.

Although tried and true, password guessing is usually ineffective because it's a laborious process. In the time it takes to guess a password, network admins can easily detect an attack and lock down an account.

Brute-force logon attacks follow the same basic logic as password guessing, but are faster and more powerful. An attacker will launch a script, usually one of the many freeware cracking programs, that quickly tests a large number of common passwords. The aim is to quickly find a working PIN before a network admin realizes that someone is attempting to penetrate the system.

Although brute-force attacks are more efficient than password guessing, both techniques are basically the same. Attackers are rarely successful with either method. Moreover, both techniques are easily defeated with blacklisting features, which lock out an account if someone enters too many invalid passwords. For example, the default blacklist on Unix systems is three invalid attempts.

The downside to blacklist protections is that they can also be turned against the system by an attacker. For instance, if an attacker can identify the network admin, he can target and lock out the admin's account. While the admin is trying to regain access, the attacker is able to ping away at the system.

Password cracking is a method for defeating the protection of encrypted passwords stored in a system's admin files. Assuming an attacker already has significant access, he can attempt to elevate his privileges by systematically trying to find a match to the stored encrypted passwords. An attacker will usually launch a brute-force dictionary attack, encrypting common words used in passwords and comparing them to the stored encrypted passwords.

The success of this attack varies with the speed of the attacker's processor and the application employed. While the first cracking scripts were only marginally effective, current versions can quickly circulate through numerous alphanumeric combinations. Because an attacker needs a significant level of access to launch this kind of attack, the best defense is restricting and monitoring access privileges.

By eavesdropping on Telnet (port 23) or HTTPD (port 80) traffic, an attacker can lift the passwords used for Internet access and remote connections through a process called password sniffing. This is often an easy process since passwords used to log on to Telnet sessions or transmitted over HTTPD are not always encrypted. FTP, e-mail POP and IMAP protocols are also susceptible to this type of exploit.

9. Proxy Server Attacks

Proxy servers speed up system response time by spreading processing across multiple hosts in a trusted network. In most cases, each host has the same read/write privileges as its counterparts--meaning what I can do on my system I can also do on yours, and vice versa. Proxy server relationships can also elevate a network's profile, making it a tempting target to attackers seeking a dupe for illicit activities.

If a trusted network's firewalls are not configured properly, particularly for blocking outside access, and strong authentication and encryption is not in use, an attacker can penetrate a proxy server and gain the same access privileges as any of the trusted members. Once inside, an attacker has unobstructed access to an organization's intranet with the ability to read, write and delete files. An attacker also could employ a compromised trusted network for anonymous Internet access to launch a DDoS attack or crack other systems.

Unsecured routers with similar functions to proxy servers represent the same vulnerability in many of today's network environments.

10. Remote Command Processing Attacks

Trusted relationships between two or more hosts facilitate information exchange and resource sharing. Similar to the interaction between proxy servers, trusted relationships give all members of the network the same access privileges to each other's systems. Such arrangements are particularly important in B2B applications, such as the collaboration between companies who require access to each other's data and computing resources.

Remote command processing through trusted hosts often provides an attacker with an opportunity for accessing a system by convincing the target server that his machine is one of its trusted systems. Once access is granted, an attacker has the ability to execute the same commands and access any data that was available to the authentic user.

11. Remote File System Attacks

File transfer protocols--the backbone of the Internet--are the TCP-level mechanism for read/write privileges between a network and remote locations. Attackers can easily glean valuable footprint information from this mechanism for attacking systems or gaining access to file directories.

Depending on the OS, attackers can extract information on network resources and sharing privileges, the names and location of users and groups, and specifications on applications and banners. Systems that are poorly configured or secured will bleed this information through various firewall ports. On Unix systems, the information is carried by the Network File System (NFS) on port 2049. Windows systems release the data through the Server Message Block (SMB) and NetBIOS--ports 135-139 on NT, and port 445 on Win2K. Through these protocols, attackers can achieve the equivalent of file-level, client-side authentication, which can be used to gain further access to a target system.

Network admins can mitigate some of the risk associated with FTPs with some simple precautions. Networks with Windows boxes should block access to ports 139 and 445 from external networks wherever possible. On Unix systems, port 2049 should be blocked, file sharing should be restricted and file requests through showmount should be logged for indication of attempted break-ins.

12. Selective Program Insertions

A selective program insertion is when an attacker places a destructive program--a virus, worm or Trojan horse--on a target system. Collectively known as malware, these programs can cause problems ranging from a systems crash, to the deletion of files, to password sniffing, to the opening of backdoors that allow unobstructed network access.

A Trojan horse is a program that replaces and assumes the functions of a legitimate application. R00tkits, BackOrifice and Netbus are among the best known Trojans that have opened backdoors, sniffed passwords and relayed user information to unauthorized parties. Many security experts believe Dutch gray-hat hacker Dimitri Van de Glessen used the QAZ Trojan to exploit a known IIS vulnerability to break into Microsoft's R&D network last fall.

Viruses and worms are probably the best known malware threat. Just like the biological organisms that make humans sick, computer viruses are programs designed to cause damage to an application or network component. Usually comprised of a payload and propagation mechanism, a virus can delete files, alter configurations and damage Registry and system settings. A worm is basically the same as a virus except it can self-replicate, meaning it can spread itself across networks and the Internet.

Conventional antivirus scanners will detect and remove most of the known malware in the wild. But, as the new Melissa variant showed us in January, AV scanners that solely search for known signatures are not always effective in stopping malicious scripts. Some network administrators are augmenting their malware defenses with alternative technologies such as behavior blockers, which stop suspicious code based on behavior patterns, not signatures. Other applications will quarantine viruses and suspicious scripts in shielded areas, typically called sandboxes, which deny the malware access to system resources as it attempts to execute its payload.

A time bomb, sometimes called a logic bomb, is an inserted program that executes its malicious payload on a predetermined time or date. Internal saboteurs and disgruntled employees will often plant time bombs to damage or destroy their company's systems. The best known case of this kind is what Timothy Lloyd did in 1996 when he found out his employer, New Jersey-based Omega Engineering, was about to fire him. The time bomb Lloyd planted went off weeks after his termination, causing more than $12 million in damages and costing the company its strategic position as a market leader. Programs that monitor applications attempting to change other applications or files will usually detect a time bomb as it's going off.

13. Port Scanning and Polling

Through port scanning and polling, an attacker can observe the functions and defenses of various system ports. Through a shotgun approach, an attacker will make random attempts to gain access through unprotected ports. For example, scanning could be used to determine whether default SNMP community strings are open to the public, meaning information can be extracted for use in a remote command attack.

14. TCP/IP Sequence Stealing, Passive Port Listening and Packet Interception

TCP/IP sequence stealing, passive port listening and packet interception are ways of collecting critical information for accessing networks. Unlike invasive and brute-force attacks, these methods have a more stealth-like quality.

TCP/IP sequence stealing is the capturing of sequence numbers, which can be used to make an attacker's packets appear legitimate. When one system requests a session with another, the systems exchange TCP synchronization numbers. An attacker can determine the algorithm used to generate these numbers if they are not randomized. The stolen sequence could be used to disguise the attacker as one or both of the original systems, allowing him to bypass a firewall's packet filters. This is especially effective when used in conjunction with IP spoofing.

A successful TCP/IP attack could allow an attacker to intercept transactions between two organizations, providing an opportunity for a man-in-the-middle attack. An attacker could then manipulate either one or both sides of the transaction without either victim being aware of it.

Through passive port listening, an attacker will monitor and log the messages and files sent to and from all accessible ports on a target system to find a vulnerable access point. Attackers will look for logon and password combinations to identify ports with applications requiring authentication.

Packet interception is the binding of an active listener program to a remote port on a target system to intercept and redirect all or specified types of messages. Messages could be redirected to an unauthorized system, read and then either routed back to the attacker unchanged, not routed back, or routed back with changes.

In some versions of Secured Shell Service Daemon (SSHD), only the public key is used for authentication. If an attacker learns the public key, he could create and insert forged packets. The targeted system would assume that the sender of the forged packets has legitimate system access. Virtual private networks (VPNs) that use SSHD as the logon and session authentication manager are subject to SSH, SSL and SSHD vulnerabilities.

15. HTTPD Attacks

HTTPD is the protocol that manages the behavior of the ports and buffers used by Web servers for Internet access. It's subject to five types of vulnerabilities: buffer overflows, HTTPD bypasses, cross scripting, Web code vulnerabilities and URL floods.

To cause a buffer overflow, an attacker will induce errors at Web traffic ports by entering large character strings to find a susceptible overflow field. Once a field spills over into a code-executing field, an attacker will enter another string that will spill a command into the executable field. Buffer overflows can give an attacker access to a command prompt, the ability to execute r-shell codes or start a Telnet session.

Certain implementations of HTTP can be used to create an HTTPD bypass, granting access to a server's activity logging functions. With these implementations, a Web page can be accessed and altered without the system's Web server recording the change. Crackers, hacktivists and cybervandals often use this method to deface Web pages.

Web-code vulnerabilities can appear in many languages and application extensions, including VB, Visual C++, ASP, TCL, Perl, PHP, XML, CGI and Cold Fusion. Basically, an attacker will exploit a known weakness in an application, such as CGI scripts not checking input or the IIS RDS vulnerability in showcode.asp that grants remote command privileges.

Through cross scripting and cross-site scripting, an attacker can exploit the exchange of cookies between a browser and a Web server. This facilitates the planting of scripts that change a Web page's appearance and behavior. These scripts can launch malware, capture confidential information and expose sensitive data--such as credit card numbers and passwords.

And, an attacker could cause a denial of service with a URL flood, which is done by inundating HTTP port 80 with repeated rapid-reload requests that exceed the TCP Time-to-Live (TTL) limit. Because HTTPS requests require key generation, flooding HTTPS port 443 with repeated requests can also cause a denial of service by tying up system resources.

Some users and managers hate hearing this, but there's no quick fix for securing a network or Web site. Information security is an ongoing process that evolves with the threats--albeit at a slightly slower pace. Firewalls, IDSes, routers and honeypots can provide an effective layered defense, but the greatest equipment in the world won't help for long unless an organization also has a process for upgrading applications, applying patches, testing for vulnerabilities and addressing discovered security problems.

It would be embarrassing to recount the number of firms that have IDSes running, but don't monitor their logs; that install firewalls, but never upgrade them; or that make massive Web-site improvements without making parallel security improvements. As unexciting and obvious as it sounds, the best way to safeguard a Web site from attack is to approach security as the ongoing challenge that it is, rather than a one-time effort, and always remember the basics.

KEN BRANDT (kbrandt@tigertesting.com),
STU GREEN (sgreen@tigertesting.com) and
ENRIQUE ZÚÑIGA (ezuniga@tigertesting.com) are managing directors at Tiger Testing, a Web-site security testing firm.