14.3 Investigation of Known Vulnerabilities


After performing full TCP and UDP port scanning, along with initial investigation of accessible network services to qualify nmap results and obtain further useful information, you usually know enough to properly investigate known vulnerabilities.

Sites such as MITRE CVE, SecurityFocus, ISS X-Force, and Packet Storm provide bug details, along with publicly accessible exploit scripts. To fully qualify vulnerabilities by hand, you often need to use such tools. What follows is a breakdown of the results I obtained from these sites in relation to the accessible network services I identified in this case study.

14.3.1 Cisco IOS Accessible Service Vulnerabilities

Telnet, NTP, and SNMP services are accessible on the Cisco IOS 12.2.8 router at 192.168.10.1. Checking MITRE CVE, SecurityFocus, and ISS X-Force identified no remotely exploitable issues that affect this version of IOS.

Therefore, the two particular threats to this Cisco IOS router are from:

  • Telnet service password grinding

  • SNMP service community string grinding

14.3.2 Solaris 8 Accessible Service Vulnerabilities

OpenSSH 3.1p1 and Sendmail 8.11.6 were found running on the Solaris 8 mail server at 192.168.10.10. Table 14-3 shows the remotely exploitable issues identified through checking MITRE CVE, SecurityFocus, and ISS X-Force databases for issues relating to OpenSSH 3.1p1.

Table 14-3. Relevant OpenSSH vulnerabilities identified

CVE            BID   XFID   Notes
CVE-2002-0639  5093  9169   OpenSSH 3.3 and prior contains vulnerabilities in challenge-response handling code.
CVE-2003-0190  7467  11902  OpenSSH 3.6.1p1 and earlier, with PAM support enabled, allows remote attackers to determine valid usernames via a timing attack.
CVE-2003-0682  N/A   13214  "Memory bugs" in OpenSSH 3.7.1 and prior.
CVE-2003-0693  8628  13191  OpenSSH 3.7.1 and prior contains buffer management errors, resulting in denial of service or arbitrary code being executed.
CVE-2003-0695  N/A   13215  OpenSSH 3.7.1 and prior contains further buffer management errors.

From investigating CVE-2002-0639 in more detail, I find that OpenSSH is only exploitable if SKEY or BSD_AUTH authentication methods are supported (default under OpenBSD 3.x). Two public exploits for this issue under OpenBSD have been released: although they don't remotely exploit Solaris hosts, they are available from:[1]

http://packetstormsecurity.org/0207-exploits/sshutup-theo.tar.gz
http://www.securityfocus.com/data/vulnerabilities/exploits/openssh3.1obsdexp.txt

[1] URLs for tools in this book are mirrored at the O'Reilly site, http://examples.oreilly.com/networksa/tools.

Example 14-16 shows how to use the gobblessh patched OpenSSH client (from sshutup-theo.tar.gz, as discussed in Chapter 4) to check whether the remote host supports the SKEY or BSD_AUTH authentication mechanisms.

Example 14-16. Checking for authentication support using gobblessh

# ./gobblessh -l root 192.168.10.10 -M skey
[*] remote host supports ssh2
[*] server_user: root:skey
[*] keyboard-interactive method available
[x] bsdauth (skey) not available
Permission denied (publickey,password,keyboard-interactive).
# ./gobblessh -l root 192.168.10.10 -M bsdauth -S invalid
[*] remote host supports ssh2
[*] server_user: root:invalid
[*] keyboard-interactive method available
[x] bsdauth (invalid) not available
Permission denied (publickey,password,keyboard-interactive).

In this case, neither the SKEY nor the BSD_AUTH authentication mechanism is supported, so the CVE-2002-0639 challenge-response exploit won't be effective.
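The qualification just performed has two parts: matching the identified version against each advisory's affected range, and then checking the precondition an advisory depends on before calling the host exploitable. The following Python is an added example (not from the book, and not part of the gobblessh tool) that encodes the affected-version statements of Table 14-3 and the SKEY/BSD_AUTH precondition stated for CVE-2002-0639, matches them against the OpenSSH 3.1p1 banner found on 192.168.10.10, and reads a gobblessh transcript like Example 14-16 to decide whether that precondition is met. The transcript is reconstructed from Example 14-16; the format of a gobblessh "available" success line and the undetermined PAM status for CVE-2003-0190 are assumptions.

```python
import re

# Affected-version statements copied from Table 14-3, with the exploitation
# precondition the text states for each entry (None where it states none).
OPENSSH_TABLE = [
    ("CVE-2002-0639", "3.3",     "skey_or_bsdauth"),
    ("CVE-2003-0190", "3.6.1p1", "pam"),
    ("CVE-2003-0682", "3.7.1",   None),
    ("CVE-2003-0693", "3.7.1",   None),
    ("CVE-2003-0695", "3.7.1",   None),
]

# Reconstructed from the gobblessh output in Example 14-16 (prompts omitted).
EXAMPLE_14_16 = """\
[*] remote host supports ssh2
[*] server_user: root:skey
[*] keyboard-interactive method available
[x] bsdauth (skey) not available
Permission denied (publickey,password,keyboard-interactive).
[*] remote host supports ssh2
[*] server_user: root:invalid
[*] keyboard-interactive method available
[x] bsdauth (invalid) not available
Permission denied (publickey,password,keyboard-interactive).
"""

_BANNER = re.compile(r"OpenSSH[_ ](\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")
_BARE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")

def parse_version(text):
    """'SSH-2.0-OpenSSH_3.1p1' or '3.6.1p1' -> (major, minor, patch, portable);
    portable is the pN number, or None when there is no pN suffix."""
    m = _BANNER.search(text) or _BARE.fullmatch(text.strip())
    if not m:
        raise ValueError("no OpenSSH version in %r" % text)
    major, minor, patch, portable = m.groups()
    return (int(major), int(minor), int(patch or 0),
            int(portable) if portable is not None else None)

def version_at_or_below(v, bound):
    """True when v falls under 'bound and prior'.  The pN suffix only
    distinguishes portable builds of one release, so it is compared only
    when the base release is the same and the bound itself names a pN."""
    if v[:3] != bound[:3]:
        return v[:3] < bound[:3]
    if bound[3] is None:
        return True
    return (v[3] or 0) <= bound[3]

_NOT_AVAIL = re.compile(r"\[x\] bsdauth \((\w+)\) not available")
_AVAIL = re.compile(r"bsdauth \((\w+)\) available")   # success line: assumed format

def challenge_response_supported(output):
    """Read a gobblessh transcript: True if any bsdauth style was reported
    available, False if every probed style was reported unavailable,
    None if nothing was probed."""
    if _AVAIL.search(output):
        return True
    if _NOT_AVAIL.search(output):
        return False
    return None

def triage(banner, preconditions):
    """Match a banner against the table.  preconditions maps a precondition
    name to True, False, or None (not yet determined)."""
    v = parse_version(banner)
    verdicts = {}
    for cve, bound, pre in OPENSSH_TABLE:
        if not version_at_or_below(v, parse_version(bound)):
            verdicts[cve] = "not affected (version)"
        elif pre is None:
            verdicts[cve] = "version affected"
        elif preconditions.get(pre) is True:
            verdicts[cve] = "version affected; precondition met"
        elif preconditions.get(pre) is False:
            verdicts[cve] = "version affected; precondition not met"
        else:
            verdicts[cve] = "version affected; precondition undetermined"
    return verdicts

def triage_example_host():
    """The Solaris 8 host from the text: OpenSSH 3.1p1, with the
    challenge-response precondition read from Example 14-16 and the PAM
    status left undetermined (assumption)."""
    pre = {"skey_or_bsdauth": challenge_response_supported(EXAMPLE_14_16),
           "pam": None}
    return triage("SSH-2.0-OpenSSH_3.1p1", pre)

if __name__ == "__main__":
    for cve, verdict in triage_example_host().items():
        print(cve, "->", verdict)
```

Run stand-alone, the script reports CVE-2002-0639 as version-affected but with its precondition not met, the three 3.7.1 issues as version-affected, and CVE-2003-0190 as undetermined until PAM support on the Solaris build is confirmed; the comparison function treats "3.6.1p1 and earlier" as excluding 3.6.1p2 while still covering an unsuffixed 3.6.1.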

CVE-2003-0190, on the other hand, relies on a timing bug in OpenSSH related to the PAM authentication mechanism. By searching Packet Storm and SecurityFocus for exploit scripts and tools, I find a useful tool, available at:

http://lab.mediaservice.net/code/ssh_brute.c
http://lab.mediaservice.net/code/openssh-3.6.1p1_brute.diff

The recent memory bugs and buffer management issues identified in OpenSSH (CVE-2003-0682, CVE-2003-0693, and CVE-2003-0695) have no publicly available remote exploit scripts. Due to the way that these bugs are nested and rely on a number of variables for successful remote exploitation, it is unlikely that reliable exploits will be made publicly available.

Table 14-4 shows the remotely exploitable issues identified through checking MITRE CVE, SecurityFocus, and ISS X-Force databases for issues relating to Sendmail 8.11.6.

Table 14-4. Relevant Sendmail vulnerabilities identified

CVE            BID   XFID   Notes
CVE-2002-1337  6991  10748  A buffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, as processed by the crackaddr() function of headers.c.
CVE-2003-0161  7230  11653  The prescan() function in Sendmail before 8.12.9 doesn't properly handle certain conversions from char and int types, causing denial of service or possible execution of arbitrary code.
CVE-2003-0694  8641  13204  The prescan() function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code.

The LSD security research team (http://www.lsd-pl.net) posted an excellent technical analysis and discussion of the CVE-2002-1337 crackaddr() bug. To remotely exploit the Sendmail service, useful data must exist after the static buffer in which the overflow occurs; where it doesn't, the overflow merely disrupts the execution path (commonly resulting in a crash).

LSD found that on most Unix platforms, the static buffer isn't followed by such useful data. Their post to the BugTraq mailing list in March 2003 contained the low-level technical details, archived at http://www.securityfocus.com/archive/1/313757. In particular, they found that Solaris 8 running Sendmail 8.11.6 doesn't crash when provided with the malformed email address, and isn't, therefore, remotely exploitable.

At the time of writing, there are also no public tools or scripts to exploit the recent Sendmail 8.12.9 prescan( ) bugs (CVE-2003-0161 and CVE-2003-0694).

14.3.3 Windows 2000 Accessible Service Vulnerabilities

The two accessible ports on the Windows 2000 server at 192.168.10.25 are both IIS 5.0 web service instances. By enumerating the enabled IIS subsystems and components, you can look through MITRE CVE and other vulnerability lists in an efficient manner. Table 14-5 shows a list of known remotely exploitable security issues relating to this IIS server, as derived from MITRE CVE, SecurityFocus, and Microsoft security bulletin databases.

Table 14-5. Relevant IIS vulnerabilities identified

CVE            BID   Microsoft  Notes
CVE-2000-0884  1806  MS00-078   Unicode vulnerability allows remote attackers to read files outside the web root and possibly execute commands
CVE-2001-0241  2674  MS01-023   Remote msw3prt.dll ISAPI extension overflow through crafted requests to .printer files
CVE-2001-0333  2708  MS01-026   IIS superfluous decodes vulnerability, very similar to Unicode, by double-encoding characters to traverse out of directories and possibly execute commands
CVE-2001-0500  2880  MS01-033   Remote idq.dll ISAPI extension overflow through requests for .ida and .idq files
CVE-2002-0079  4485  MS02-018   ASP chunked encoding overflow
CVE-2002-0147  4490  MS02-018   ASP chunked encoding overflow variant
CVE-2003-0109  7116  MS03-007   Remote ntdll.dll overflow in IIS 5.0, exploitable through WebDAV HTTP methods (such as SEARCH and PROPFIND)
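Most of the Table 14-5 issues are reached through request properties that IIS writes to its W3C extended logs (the HTTP method, the requested path and its encoding, the file extension that selects an ISAPI extension), so the same table doubles as a review checklist for existing logs. The following Python is an added example (not from the book) that decodes each logged path the way the Unicode and superfluous-decode bugs did, reports when the result escapes the web root, and flags requests for the .printer, .ida and .idq ISAPI extensions and the WebDAV SEARCH and PROPFIND methods. The log lines and the 1024-byte long-URI threshold are constructed for this example; the ASP chunked-encoding issues (CVE-2002-0079 and CVE-2002-0147) are not distinguishable from these log fields and are left out.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C-style log lines (date time c-ip cs-method cs-uri-stem
# cs-uri-query sc-status).  Sample data for this example, not from the book.
SAMPLE_LOG = "\n".join([
    "2003-09-01 10:00:01 10.0.0.5 GET /default.htm - 200",
    "2003-09-01 10:00:02 10.0.0.5 GET /scripts/..%c0%af../winnt/win.ini - 200",
    "2003-09-01 10:00:03 10.0.0.5 GET /scripts/..%255c..%255cwinnt/win.ini - 200",
    "2003-09-01 10:00:04 10.0.0.6 GET /NULL.printer - 500",
    "2003-09-01 10:00:05 10.0.0.6 GET /default.ida XXXX 200",
    "2003-09-01 10:00:06 10.0.0.7 SEARCH /" + "A" * 2048 + " - 411",
    "2003-09-01 10:00:07 10.0.0.8 PROPFIND /docs/ - 207",
    "2003-09-01 10:00:08 10.0.0.9 GET /images/logo.gif - 200",
])

# Request properties tied to the Table 14-5 issues.
RISKY_EXTENSIONS = {
    ".printer": "msw3prt.dll ISAPI request (CVE-2001-0241, MS01-023)",
    ".ida": "idq.dll ISAPI request (CVE-2001-0500, MS01-033)",
    ".idq": "idq.dll ISAPI request (CVE-2001-0500, MS01-033)",
}
WEBDAV_METHODS = {"SEARCH", "PROPFIND"}   # methods named for CVE-2003-0109
LONG_URI = 1024                            # assumed threshold for an unusually long URI

def fold_overlong(raw):
    """Turn percent-decoded bytes into text, folding the overlong two-byte
    UTF-8 forms (lead byte 0xC0/0xC1) that the IIS Unicode bug accepted back
    into the ASCII character they encode.  Returns (text, overlong_seen)."""
    out, seen, i = [], False, 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] < 0xC0:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            seen, i = True, i + 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out), seen

def escapes_root(path):
    """True when '..' segments take the path above the web root."""
    depth = 0
    for seg in re.split(r"[\\/]", path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

def analyze_uri(stem):
    """Return the list of findings for one cs-uri-stem value."""
    findings = []
    text, overlong = fold_overlong(unquote_to_bytes(stem))
    if overlong:
        findings.append("overlong UTF-8 in path (Unicode bug, CVE-2000-0884)")
    if re.search(r"%[0-9A-Fa-f]{2}", text):
        # A second decode pass is exactly what the superfluous-decode bug did.
        findings.append("double-encoded characters in path (CVE-2001-0333)")
        text, _ = fold_overlong(unquote_to_bytes(text))
    if escapes_root(text):
        findings.append("path traversal above web root")
    m = re.search(r"\.[A-Za-z0-9]+$", stem.lower())
    if m and m.group(0) in RISKY_EXTENSIONS:
        findings.append(RISKY_EXTENSIONS[m.group(0)])
    return findings

def analyze_line(line):
    """Parse one log line; return (ip, method, stem, findings) or None."""
    fields = line.split()
    if len(fields) < 7:
        return None
    _date, _time, ip, method, stem, _query, _status = fields[:7]
    findings = analyze_uri(stem)
    if method.upper() in WEBDAV_METHODS:
        findings.append("WebDAV method %s (CVE-2003-0109 surface; review if "
                        "WebDAV is not required)" % method)
        if len(stem) > LONG_URI:
            findings.append("unusually long WebDAV request URI")
    return ip, method, stem[:60], findings

def scan(log_text):
    """Return only the parsed lines that produced findings."""
    hits = []
    for line in log_text.splitlines():
        parsed = analyze_line(line)
        if parsed and parsed[3]:
            hits.append(parsed)
    return hits

if __name__ == "__main__":
    for ip, method, stem, findings in scan(SAMPLE_LOG):
        print(ip, method, stem)
        for f in findings:
            print("   -", f)
```

Decoding is done on bytes rather than with a strict UTF-8 decoder because the overlong sequences the Unicode bug accepted are invalid UTF-8 and a strict decoder would reject them instead of revealing the path separator they stand for; the traversal check runs on the decoded, separator-normalised path, so encodings of "/" and "\" are handled alike.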

After assembling a list of serious remotely exploitable vulnerabilities, visit Packet Storm, SecurityFocus, and underground web sites to assemble a toolkit. You can find the exploits at the following URLs.

CVE-2000-0884 and CVE-2001-0333
  http://packetstormsecurity.org/0101-exploits/unitools.tgz
  http://www.xfocus.org/exploits/200110/iissystem.zip
  http://www.securityfocus.com/bid/1806/exploit/

CVE-2001-0241
  http://packetstormsecurity.org/0105-exploits/jill.c
  http://packetstormsecurity.org/0111-exploits/IIS5-Koei.zip
  http://www.securityfocus.com/bid/2674/exploit/

CVE-2001-0500
  http://packetstormsecurity.org/0107-exploits/ida-exploit.sh
  http://www.securityfocus.com/bid/2880/exploit/

CVE-2002-0079 and CVE-2002-0147
  http://www.securityfocus.com/data/vulnerabilities/exploits/DDK-IIS.c
  http://www.securiteam.com/exploits/5YP011575W.html
  http://www.securityfocus.com/bid/4485/exploit/

CVE-2003-0109
  http://packetstormsecurity.org/0303-exploits/rs_iis.c
  http://www.securityfocus.com/data/vulnerabilities/exploits/KaHT_public.tar.gz
  http://www.securiteam.com/exploits/5RP030KAAY.html
  http://www.securityfocus.com/bid/7116/exploit/



Network Security Assessment
Network Security Assessment: Know Your Network
ISBN: 059600611X
Year: 2006
Pages: 166
Authors: Chris McNab
