Application Exploits

An application-based exploit is just that: an exploit of a flaw in an application or OS. Applications are frequently riddled with poor coding, back doors, bugs, and mistakes, so it is important to first understand why these problems exist. Flaws in applications are generally not there by design; they exist because the code is rushed out the door or does not go through a strict enough QA process. The result is very buggy software that causes problems in production. Worse yet, many of those problems can be exploited by an attacker, and they will be. You must be aware of these issues, find them, and fix them to remain secure. This section of the chapter looks at all this in enough detail for you to prepare for the SSCP exam.

Poor Coding

Poor coding is easily explained. Code is shorthand for source code written in a programming language. For example, suppose an administrator wants to write a program that simplifies adding and deleting users on the network OS. If they are not an expert programmer and no one reviews their work, they could leave an opening somewhere; the classic example, seen often in Microsoft Windows-based OSs and applications, is an unchecked buffer. Poor coding is just that: the poor or careless creation of production code that does not work as advertised or, worse yet, opens a hole in systems that can be exploited.

Back Doors

Back doors are by far the worst of all poor coding offenses. A back door is a way, left in the code by the programmer, to get back into the system or program by bypassing the normal access methods shipped with the final release of the software. If a back door is left in a Windows OS, it allows malicious users to bypass the normal authentication process and perhaps enter the system unbeknownst to the SSCP. Keep up to date on security news lists and vendor advisories so you know about the newest hot fixes that close these problems.

Buffer Overflows

One of the most commonly heard of and most exploited application exploits is the buffer overflow. Before we explain the attack, let's look at what a buffer is. A buffer is a holding area for data: a fixed-size region of memory set aside to receive input before it is processed. To speed processing, many programs use a memory buffer to store changes to data, then copy the information in the buffer to disk. When more information is put into the buffer than it was sized to hold, a buffer overflow occurs and the excess overwrites whatever sits next to the buffer in memory. Overflows can be triggered deliberately by attackers and then exploited to run malicious code.

There are two types of overflows: stack overflows and heap overflows. The stack and the heap are two areas of memory allocated when a program is run. Function call frames, including local variables and the return address the function will jump back to when it finishes, are stored on the stack; dynamically allocated variables are stored on the heap. A particular amount of memory is allocated to the buffer, and data written past that amount lands on whatever is adjacent. On the stack this is typically the saved return address, which an attacker overwrites to redirect execution into code of their choosing. Attackers can use buffer overflows in the heap to overwrite a password, a filename, or other data. If a filename is overwritten, a different file will be opened; if that file is executable, code will be run that was never intended to run. On UNIX systems, the substituted program code is usually the command interpreter, which allows the attacker to execute commands with the privileges of the exploited process; when that process runs as root or is setuid root, that means superuser privileges. On Windows systems, the overflow code can be used to send an HTTP request to download and run malicious code of the attacker's choice.

Buffer overflows are rooted in the way the C programming language works. C arrays carry no length information at run time, and many standard library calls such as strcpy(), strcat(), sprintf(), and gets() do not check that the destination buffer is big enough to hold the data copied into it. Programmers can use bounded alternatives such as strncpy(), snprintf(), or an explicit length check to prevent overflows, but many do not.
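As an added example that is not from the study guide, the following C program models the overflow described above on a simulated stack frame: a 16-byte input buffer immediately followed by a 4-byte control value standing in for a saved return address. The frame is modelled as one byte array with slack beyond the control value so the demonstration runs without corrupting the real process stack; the buffer size, the starting control value and the all-'A' input are hypothetical choices for illustration. copy_unchecked() behaves like strcpy(); copy_checked() is the bounded form that refuses input that would not fit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame: a BUF_SIZE input buffer followed at CTRL_OFF by a
 * 4-byte control value that stands in for a saved return address (or an
 * "is_admin" flag).  Modelling the frame as one byte array with slack
 * beyond the control value keeps the demonstration well defined; a real
 * overflow corrupts the live process stack instead.  All sizes and values
 * here are hypothetical choices for the example. */
#define BUF_SIZE   16
#define CTRL_OFF   BUF_SIZE
#define FRAME_SIZE 64

struct frame { unsigned char mem[FRAME_SIZE]; };

static void frame_init(struct frame *f)
{
    memset(f->mem, 0, sizeof f->mem);   /* control value starts as 0 ("denied") */
}

/* Read the 4-byte control value back out of the frame. */
static uint32_t frame_ctrl(const struct frame *f)
{
    uint32_t v;
    memcpy(&v, f->mem + CTRL_OFF, sizeof v);
    return v;
}

/* Vulnerable: strcpy()-style copy with no bound check.  Bytes beyond
 * BUF_SIZE land on the control value.  (Input must be shorter than
 * FRAME_SIZE so the simulation itself stays inside its array.) */
static void copy_unchecked(struct frame *f, const char *src)
{
    size_t i = 0;
    do {
        f->mem[i] = (unsigned char)src[i];
    } while (src[i++] != '\0');
}

/* Hardened: refuse any input that, with its terminator, does not fit in
 * BUF_SIZE.  Returns 0 on success, -1 if the copy was rejected; the frame
 * is left untouched on rejection. */
static int copy_checked(struct frame *f, const char *src)
{
    size_t n;
    for (n = 0; n < BUF_SIZE; n++) {
        if (src[n] == '\0') {
            memcpy(f->mem, src, n + 1);
            return 0;
        }
    }
    return -1;
}

int main(void)
{
    /* 20 bytes: 16 fill the buffer, the next 4 overwrite the control value. */
    const char *payload = "AAAAAAAAAA" "AAAAAAAAAA";
    struct frame f;
    int rc;

    frame_init(&f);
    copy_unchecked(&f, payload);
    printf("unchecked copy: control value = 0x%08x\n", (unsigned)frame_ctrl(&f));

    frame_init(&f);
    rc = copy_checked(&f, payload);
    printf("checked copy: rc = %d, control value = 0x%08x\n",
           rc, (unsigned)frame_ctrl(&f));
    return 0;
}
```

After the unchecked copy the control value reads 0x41414141 (four 'A' bytes), which is exactly what an attacker sees when a return address is replaced by their input; the checked copy returns -1 and leaves the frame alone. On a real stack the same overwrite lands on the saved return address, and the same length check is the fix.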

Creating a buffer overflow attack from scratch requires that the attacker understand assembly language as well as technical details about the OS and the target's memory layout, in order to write the replacement code that is placed on the stack. However, the code for these attacks is often published so that others, with less technical knowledge, can use it. Stateful inspection firewalls examine packet headers and connection state rather than application payloads, so they let buffer overflow attacks through; application gateways (proxies that parse the application protocol), if properly configured, can reject oversized fields and so filter out most overflow attacks.

Note 

A fantastic document called "The Tao of the Buffer Overflow" is worth a look for more information on this attack. It can be found at www.cultdeadcow.com/cDc_files/cDc-351.

The Out-of-Band Attack

The out-of-band (OOB) attack exploits a vulnerability in the TCP/IP stack of some Microsoft OSs; thus, it is sometimes called the Windows OOB bug. The WinNuke program and variations such as Sinnerz and Muerte create an OOB data transmission that crashes the machine to which it is sent. It works like this:

  • A TCP connection is established with the target IP address on port 139 (the NetBIOS session port).

  • The program then sends data with the MSG_OOB (Urgent) flag, which sets the URG flag and the urgent pointer in the TCP header.

  • This flag instructs the target's Winsock stack to treat the data as out-of-band data. On receipt, the targeted Windows system expects the urgent pointer to mark the position in the packet where the Urgent data ends, with normal data following, but the OOB pointer in the packet created by WinNuke points to the end of the segment, with no data following.

  • The Windows TCP/IP stack does not handle this situation correctly and ceases communicating on the network.

  • Service is denied to any users who subsequently attempt to communicate with it. A WinNuke attack usually requires a reboot of the affected system to reestablish network communications.

Windows 95 and Windows NT 3.51/4.0 are vulnerable to the WinNuke exploit unless the fixes provided by Microsoft have been installed. Windows 98/ME and Windows 2000/XP are not vulnerable to WinNuke. Unfortunately, many networks still run older Microsoft OSs, sometimes without the relevant patches and service packs.
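The following added example (not part of the study guide) shows how the pattern in the steps above can be checked on the wire, which is what a practitioner would want in order to spot this traffic rather than send it. It parses a bare TCP header and flags a segment as WinNuke-like when it is addressed to port 139, carries the URG flag, and has an urgent pointer that reaches the end of the payload so that no normal data follows. The sample segments are constructed inside the program; treating "urgent pointer at or beyond the end of the payload" as the tell is an assumption drawn from the description above, not a vendor signature.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_HDR_MIN   20
#define TCP_FLAG_PSH  0x08
#define TCP_FLAG_ACK  0x10
#define TCP_FLAG_URG  0x20
#define NETBIOS_PORT  139

/* Fields of a TCP header that the check needs (IP header already stripped). */
struct tcp_view {
    uint16_t sport, dport;
    uint8_t  flags;
    uint16_t urg_ptr;
    size_t   payload_len;
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Parse the fixed part of a TCP header from seg[0..len).  Returns 0 on
 * success, -1 if the segment is too short or the data offset is bogus. */
static int parse_tcp(const uint8_t *seg, size_t len, struct tcp_view *v)
{
    if (len < TCP_HDR_MIN)
        return -1;
    size_t hlen = (size_t)(seg[12] >> 4) * 4;   /* data offset, 32-bit words */
    if (hlen < TCP_HDR_MIN || hlen > len)
        return -1;
    v->sport       = be16(seg);
    v->dport       = be16(seg + 2);
    v->flags       = seg[13];
    v->urg_ptr     = be16(seg + 18);
    v->payload_len = len - hlen;
    return 0;
}

/* WinNuke-like (assumed signature): destination port 139, URG set, and an
 * urgent pointer at or past the end of the payload, so no normal data
 * follows the OOB data.  Returns 1 on a match, 0 otherwise (malformed
 * input also returns 0). */
static int is_winnuke_like(const uint8_t *seg, size_t len)
{
    struct tcp_view v;
    if (parse_tcp(seg, len, &v) != 0)
        return 0;
    if (v.dport != NETBIOS_PORT || !(v.flags & TCP_FLAG_URG))
        return 0;
    return v.urg_ptr >= v.payload_len ? 1 : 0;
}

/* Build a constructed TCP segment (20-byte header, no options, checksum
 * left zero) so the check can be exercised offline.  out must have room
 * for TCP_HDR_MIN + strlen(payload) bytes; returns the total length. */
static size_t build_segment(uint8_t *out, uint16_t dport, uint8_t flags,
                            uint16_t urg_ptr, const char *payload)
{
    size_t plen = strlen(payload);
    memset(out, 0, TCP_HDR_MIN);
    out[0] = 0x04; out[1] = 0x00;                        /* source port 1024 */
    out[2] = (uint8_t)(dport >> 8); out[3] = (uint8_t)dport;
    out[12] = 0x50;                                      /* data offset 5 words */
    out[13] = flags;
    out[14] = 0x20; out[15] = 0x00;                      /* window 8192 */
    out[18] = (uint8_t)(urg_ptr >> 8); out[19] = (uint8_t)urg_ptr;
    memcpy(out + TCP_HDR_MIN, payload, plen);
    return TCP_HDR_MIN + plen;
}

int main(void)
{
    uint8_t seg[64];
    size_t n;

    /* Constructed WinNuke-style segment: 3 OOB bytes, urgent pointer = 3. */
    n = build_segment(seg, NETBIOS_PORT, TCP_FLAG_ACK | TCP_FLAG_PSH | TCP_FLAG_URG, 3, "bye");
    printf("port 139, URG, pointer at end of payload: %d\n", is_winnuke_like(seg, n));

    /* Ordinary NetBIOS session data, no URG flag. */
    n = build_segment(seg, NETBIOS_PORT, TCP_FLAG_ACK | TCP_FLAG_PSH, 0, "bye");
    printf("port 139, no URG:                         %d\n", is_winnuke_like(seg, n));

    /* URG with normal data following: 1 urgent byte, then 2 more bytes. */
    n = build_segment(seg, NETBIOS_PORT, TCP_FLAG_ACK | TCP_FLAG_URG, 1, "bye");
    printf("port 139, URG, normal data follows:       %d\n", is_winnuke_like(seg, n));
    return 0;
}
```

The first constructed segment matches and the other two do not. In practice this check would run over captured segments after the IP header has been removed; blocking URG-flagged traffic to port 139 at the perimeter, together with the vendor fix on the affected hosts, is the corresponding control.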



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
