After performing full TCP and UDP port scanning, along with initial investigation of accessible network services to qualify nmap results and obtain further useful information, you usually know enough to properly investigate known vulnerabilities. Sites such as MITRE CVE, SecurityFocus, ISS X-Force, and Packet Storm provide bug details, along with publicly accessible exploit scripts. To fully qualify vulnerabilities by hand, you often need such exploit scripts and tools. What follows is a breakdown of the results I obtained from these sites in relation to the accessible network services I identified in this case study.

14.3.1 Cisco IOS Accessible Service Vulnerabilities

Telnet, NTP, and SNMP services are accessible on the Cisco IOS 12.2.8 router at 192.168.10.1. Through checking MITRE CVE, SecurityFocus, and ISS X-Force, no remotely exploitable issues were identified that affect this version of IOS. Therefore, the two particular threats to this Cisco IOS router are from:
14.3.2 Solaris 8 Accessible Service Vulnerabilities

OpenSSH 3.1p1 and Sendmail 8.11.6 were found running on the Solaris 8 mail server at 192.168.10.10. Table 14-3 shows the remotely exploitable issues identified through checking the MITRE CVE, SecurityFocus, and ISS X-Force databases for issues relating to OpenSSH 3.1p1.
From investigating CVE-2002-0639 in more detail, I find that the challenge-response bug is only exploitable if the server supports the SKEY or BSD_AUTH authentication methods (enabled by default under OpenBSD 3.x). Two public exploits for this issue under OpenBSD have been released; although they don't remotely exploit Solaris hosts, they are available from:[1]
Example 14-16 shows how to use the gobblessh patched OpenSSH client (from sshutup-theo.tar.gz, as discussed in Chapter 4) to check whether the remote host supports the SKEY or BSD_AUTH authentication mechanisms.

Example 14-16. Checking for authentication support using gobblessh

    # ./gobblessh -l root 192.168.10.10 -M skey
    [*] remote host supports ssh2
    [*] server_user: root:skey
    [*] keyboard-interactive method available
    [x] bsdauth (skey) not available
    Permission denied (publickey,password,keyboard-interactive).
    # ./gobblessh -l root 192.168.10.10 -M bsdauth -S invalid
    [*] remote host supports ssh2
    [*] server_user: root:invalid
    [*] keyboard-interactive method available
    [x] bsdauth (invalid) not available
    Permission denied (publickey,password,keyboard-interactive).

In this case, neither the SKEY nor the BSD_AUTH authentication mechanism is supported, so the CVE-2002-0639 challenge-response exploit won't be effective. CVE-2003-0190, on the other hand, is a timing bug in the portable OpenSSH PAM authentication code: the server fails immediately for nonexistent users and only later for real ones, so valid usernames can be enumerated remotely. Note that this yields account names rather than code execution, so it is a stepping stone for password guessing, not a way in by itself. By searching Packet Storm and SecurityFocus for exploit scripts and tools, I find a useful tool, available at:
The recent memory bugs and buffer management issues identified in OpenSSH (CVE-2003-0682, CVE-2003-0693, and CVE-2003-0695) have no publicly available remote exploit scripts. Due to the way that these bugs are nested and rely on a number of variables for successful remote exploitation, it is unlikely that reliable exploits will be made publicly available. Table 14-4 shows the remotely exploitable issues identified through checking MITRE CVE, SecurityFocus, and ISS X-Force databases for issues relating to Sendmail 8.11.6.
The LSD security research team (http://www.lsd-pl.net) posted an excellent technical analysis and discussion of the CVE-2002-1337 crackaddr( ) bug. For the Sendmail service to be remotely exploitable, useful data (something the overwritten bytes can redirect, such as a pointer) must lie after the static buffer in which the overflow occurs, so that overwriting it disrupts the execution path (which, without careful tuning, commonly shows up as a crash). LSD found that on most Unix platforms the static buffer isn't followed by such useful data. Their post to the BugTraq mailing list in March 2003 contained the low-level technical details, archived at http://www.securityfocus.com/archive/1/313757. In particular, they found that Solaris 8 running Sendmail 8.11.6 doesn't crash when provided with the malformed email address, and therefore isn't remotely exploitable through this bug. At the time of writing, there are also no public tools or scripts to exploit the recent Sendmail prescan( ) bugs (CVE-2003-0161 and CVE-2003-0694).

14.3.3 Windows 2000 Accessible Service Vulnerabilities

The two accessible ports on the Windows 2000 server at 192.168.10.25 are both IIS 5.0 web service instances. By enumerating the enabled IIS subsystems and components, you can look through MITRE CVE and other vulnerability lists in an efficient manner. Table 14-5 shows a list of known remotely exploitable security issues relating to this IIS server, as derived from the MITRE CVE, SecurityFocus, and Microsoft security bulletin databases.
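The OpenSSH and Sendmail sections above follow the same two-step pattern: match the version in the service banner against known CVEs, then rule candidates out by hand (does the server offer SKEY or BSD_AUTH; does the platform actually crash on the malformed address). The following Python script is an added example that is not part of the book; it encodes exactly those steps for the two Solaris 8 services. The affected-version ranges in the tables are my reading of the CVE descriptions and should be confirmed against the CVE record before use; the banner strings are constructed sample input, and the `facts` keys (`skey`, `bsdauth`, `platform`) are names I chose to carry the results of the gobblessh probe and the OS fingerprint.

```python
# Added example (not from the book): match service banners against the CVEs
# discussed in this section, then apply the by-hand qualification rules the
# text describes. Affected-version ranges are my reading of the CVE
# descriptions and are assumptions to confirm against the CVE record.
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'3.1p1' -> (3, 1, 0); '8.11.6' -> (8, 11, 6).

    The OpenSSH portable 'pN' suffix is dropped: the advisories key on the
    base release, and 'p' never appears inside the numeric part."""
    base = text.split("p", 1)[0]
    parts = [int(p) for p in base.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


# (cve, lowest affected or None, highest affected, note, public remote exploit?)
OPENSSH_ISSUES = [
    ("CVE-2002-0639", (2, 3, 1), (3, 3, 0),
     "challenge-response overflow; needs SKEY or BSD_AUTH on the server", True),
    ("CVE-2003-0190", None, (3, 6, 1),
     "PAM timing leak: username enumeration only, not code execution", True),
    ("CVE-2003-0682", None, (3, 7, 1), "memory bugs", False),
    ("CVE-2003-0693", None, (3, 6, 1), "buffer_append_space() overflow", False),
    ("CVE-2003-0695", None, (3, 7, 0), "buffer management errors", False),
]
SENDMAIL_ISSUES = [
    ("CVE-2002-1337", (5, 79, 0), (8, 12, 7),
     "crackaddr() overflow; exploitable only if useful data follows the static buffer", True),
    ("CVE-2003-0161", None, (8, 12, 8), "prescan() overflow", False),
    ("CVE-2003-0694", None, (8, 12, 9), "prescan() overflow", False),
]
ISSUES = {"openssh": OPENSSH_ISSUES, "sendmail": SENDMAIL_ISSUES}

# Where the version string sits in the SSH banner and the SMTP greeting.
BANNER_PATTERNS = {
    "openssh": re.compile(r"SSH-[\d.]+-OpenSSH_(\S+)"),
    "sendmail": re.compile(r"Sendmail (\d+(?:\.\d+)+)"),
}


def banner_version(product: str, banner: str) -> Optional[Version]:
    m = BANNER_PATTERNS[product].search(banner)
    return parse_version(m.group(1)) if m else None


def candidates(product: str, version: Version) -> List[str]:
    """CVEs whose affected range includes the banner version (tuple compare)."""
    return [cve for cve, low, high, _note, _pub in ISSUES[product]
            if (low is None or low <= version) and version <= high]


def qualify(product: str, version: Version,
            facts: Dict[str, object]) -> Dict[str, Tuple[str, str]]:
    """Version match plus the hand checks from the case study.

    `facts` keys are assumed names: 'skey' and 'bsdauth' (from a gobblessh
    probe) and 'platform' (from OS fingerprinting). Returns cve -> (status, why)."""
    out: Dict[str, Tuple[str, str]] = {}
    for cve, _low, _high, note, public in ISSUES[product]:
        if cve not in candidates(product, version):
            continue
        if cve == "CVE-2002-0639" and not (facts.get("skey") or facts.get("bsdauth")):
            out[cve] = ("ruled_out", "neither SKEY nor BSD_AUTH is offered")
        elif (cve == "CVE-2002-1337" and facts.get("platform") == "solaris8"
              and version == (8, 11, 6)):
            out[cve] = ("ruled_out", "LSD: Solaris 8 / 8.11.6 does not crash on the malformed address")
        elif not public:
            out[cve] = ("no_public_exploit", note)
        else:
            out[cve] = ("candidate", note)
    return out


# Constructed sample input in the shape the two case-study hosts would return.
SAMPLE_SSH_BANNER = "SSH-1.99-OpenSSH_3.1p1"
SAMPLE_SMTP_GREETING = "220 mail.example.org ESMTP Sendmail 8.11.6+Sun/8.11.6; Mon, 1 Sep 2003 10:00:00 GMT"
SOLARIS_FACTS = {"skey": False, "bsdauth": False, "platform": "solaris8"}

if __name__ == "__main__":
    for product, banner in (("openssh", SAMPLE_SSH_BANNER), ("sendmail", SAMPLE_SMTP_GREETING)):
        version = banner_version(product, banner)
        for cve, (status, why) in qualify(product, version, SOLARIS_FACTS).items():
            print("%s %s %s: %s (%s)" % (product, ".".join(map(str, version)), cve, status, why))
```

Run against the constructed banners with the Solaris facts from the case study, the script leaves CVE-2003-0190 as the only OpenSSH issue with a public tool that still applies, marks CVE-2002-0639 and CVE-2002-1337 as ruled out for the reasons given in the text, and flags the remaining issues as version matches without public exploits. The version match alone would have listed all eight CVEs, which is the point: the table is a starting list, and the hand checks are what turn it into a toolkit.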
After assembling a list of serious remotely exploitable vulnerabilities, visit Packet Storm, SecurityFocus, and underground web sites to build a toolkit. You can find the exploits at the following URLs.