Exploiting Vulnerabilities


Exploiting known vulnerabilities is the most common method of attack. Exploit tools are widely available and can be run without any understanding of the vulnerability being exploited; they make it point-and-hack. There are basically two groups of tools: those that find systems with known vulnerabilities and those that attack a known vulnerability.

Scanners and Profilers

Scanners look at many systems, making a preliminary evaluation of the software running on them. They usually sweep through address ranges looking for systems that run services which may be compromisable. They are often able to determine the hardware and the operating system, including its version. They can determine which services are available on each system and which software is behind each service. This information is often stored in a database, so that when a new vulnerability is discovered in a specific version of some software, every system running that version can be retrieved to produce a list of likely targets. Some scanners let the attacker slow the scan rate to reduce the likelihood of detection.

Profilers perform a more in-depth evaluation of a single system to determine the hardware and software in use. They attempt to identify versions and patch levels so that a specific attack can be crafted. Scanning and profiling are often combined.

Sniffers and Snoopers

A snooper is a program that watches data travel through the system looking for a particular type of information. The snooper may be attached to a network interface to watch all the network traffic or to a disk interface to watch all the data flowing to or from the disk. Snoopers can also be parasites, inserted inside a system, like the print spooler or login system, secretly gathering information.

To protect yourself from these attacks, you must monitor what is running on your system and which programs are installed, so that you know when something is running that shouldn't be, or when a program has changed unexpectedly. You may also want to investigate an encrypted file system, one that stores all files in encrypted form. Encrypted networking can also be employed, so that all transmissions from your system are encrypted. Keep in mind what encryption does and does not cover: it defeats a sniffer on the wire or a snooper on the disk, but a parasite inserted into the login program sees the password before it is ever encrypted, which is why monitoring the programs themselves is the first line of defense.

Normally a network interface accepts only the frames addressed to its own hardware address (plus broadcast and multicast traffic). A network sniffer puts the interface into promiscuous mode, so it receives every frame on the segment, and then decodes those packets. On a switched network the interface sees only the traffic the switch forwards to its port, which limits, but does not eliminate, what a sniffer can capture.
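The decoding step in miniature, as an added example written for this page (not code from the book, and not from Snort): the program below parses one hand-built Ethernet/IPv4/TCP frame the way a sniffer does after pulling it off a promiscuous interface, then performs a content match on the TCP payload. The frame bytes in `sample_frame`, the function names and the "root" needle are all constructed for the example; a real sniffer would fill the buffer from a raw socket or libpcap instead.

```c
/* Added example, not from the book: parse one Ethernet/IPv4/TCP frame the way a
 * sniffer does once the interface is in promiscuous mode, then match on the
 * payload like a content rule.  sample_frame is constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct decoded {
    uint32_t src_ip, dst_ip;      /* host byte order */
    uint16_t src_port, dst_port;
    uint8_t  ip_proto;
    size_t   payload_off;         /* offset of the TCP payload within the frame */
    size_t   payload_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 and fills *out for a well-formed IPv4/TCP frame, -1 otherwise.
 * Every header length is checked against what is actually in the buffer,
 * because a sniffer sees hostile packets too. */
int decode_frame(const uint8_t *f, size_t len, struct decoded *out)
{
    if (len < 14 || rd16(f + 12) != 0x0800) return -1;      /* not IPv4 */
    const uint8_t *ip = f + 14;
    size_t rem = len - 14;
    if (rem < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                /* header length incl. options */
    size_t total = rd16(ip + 2);                            /* IP total length */
    if (ihl < 20 || ihl > rem || total < ihl || total > rem) return -1;
    out->ip_proto = ip[9];
    out->src_ip = rd32(ip + 12);
    out->dst_ip = rd32(ip + 16);
    if (out->ip_proto != 6) return -1;                      /* not TCP */
    const uint8_t *tcp = ip + ihl;
    size_t tcp_len = total - ihl;
    if (tcp_len < 20) return -1;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;               /* TCP data offset */
    if (doff < 20 || doff > tcp_len) return -1;
    out->src_port = rd16(tcp);
    out->dst_port = rd16(tcp + 2);
    out->payload_off = 14 + ihl + doff;
    out->payload_len = tcp_len - doff;
    return 0;
}

/* Content match on the TCP payload only (never on headers): 1 if needle occurs. */
int payload_matches(const uint8_t *f, size_t len, const char *needle)
{
    struct decoded d;
    size_t n = strlen(needle);
    if (decode_frame(f, len, &d) != 0 || n == 0 || n > d.payload_len) return 0;
    for (size_t i = 0; i + n <= d.payload_len; i++)
        if (memcmp(f + d.payload_off + i, needle, n) == 0) return 1;
    return 0;
}

/* Constructed frame: 10.0.0.5:40000 -> 10.0.0.9:23 (telnet), PSH/ACK, payload "root\r\n".
 * Checksums are left zero; they are not needed for decoding. */
const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet */
    0x45,0x00,0x00,0x2e, 0x12,0x34,0x40,0x00, 0x40,0x06,0x00,0x00,           /* IPv4 */
    10,0,0,5, 10,0,0,9,
    0x9c,0x40, 0x00,0x17, 0,0,0,1, 0,0,0,1, 0x50,0x18, 0xff,0xff, 0,0, 0,0,   /* TCP */
    'r','o','o','t','\r','\n'                                               /* payload */
};
const size_t sample_frame_len = sizeof sample_frame;

int main(void)
{
    struct decoded d;
    if (decode_frame(sample_frame, sample_frame_len, &d) != 0) return 1;
    printf("%u.%u.%u.%u:%u -> %u.%u.%u.%u:%u proto=%u payload=%zu bytes\n",
           d.src_ip >> 24, (d.src_ip >> 16) & 0xff, (d.src_ip >> 8) & 0xff, d.src_ip & 0xff, d.src_port,
           d.dst_ip >> 24, (d.dst_ip >> 16) & 0xff, (d.dst_ip >> 8) & 0xff, d.dst_ip & 0xff, d.dst_port,
           d.ip_proto, d.payload_len);
    printf("content \"root\": %s\n",
           payload_matches(sample_frame, sample_frame_len, "root") ? "matched" : "absent");
    return 0;
}
```

The length checks are the part worth copying: a decoder that trusts the IP total-length or TCP data-offset fields reads past the end of its buffer on a malformed packet, and an attacker who knows a sniffer is on the wire can send exactly such packets.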

Snort, created by Martin Roesch and included on the CD-ROM, is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content matching, and real-time alerting. It utilizes a flexible rules language and a modular plug-in mechanism which allows it to be easily expanded.

Since Snort is freely available, it is quite popular with the hacker community for the very reasons it is popular with system administrators: it is easy to use and very powerful.

Security Tools

There are a large number of very useful security tools that test your system's configuration and permissions on critical files, as well as test for known security holes. These are excellent for identifying where your system has shortcomings and where to spend your resources to close these security holes. They are also invaluable tools to hackers. If you haven't run these programs or have neglected to repair a defect, a hacker can run these tools to determine how to compromise your system. Security tools should be kept on removable disk media, or on a disk that can be unmounted and powered off when not in use. You should not keep security auditing tools on the system; make the hacker bring his own tools.

More prudently, use all available security auditing tools to discover all security problems and fix them! Then continue to monitor and audit the security of your system.

Buffer Overflows

Buffer overflows are the result of faulty programs that do not adequately manage strings or buffers. Programmers tend not to test for overflows, since good data will not be a problem and the testing slows down the program.

A buffer overflow occurs when a program writes data beyond the bounds of allocated memory. This can occur when indexing beyond the end of an array, or indexing a pointer beyond allocated memory, or passing more data to a routine than it can handle. In each case, data is written in an unexpected location, causing unexpected results. Often the program will abort. However, there are cases where the overflow can cause data to be written to a memory mapped file, or cause security problems through stack-smashing attacks. Stack-smashing attacks target a specific programming fault: careless use of data buffers allocated on the program's run-time stack, namely, local variables and function arguments.

A creative attacker can take advantage of a buffer overflow vulnerability through stack smashing and then run arbitrary code. Attackers commonly exploit buffer overflows to get an interactive shell on the machine. In the most common attack, an intruder overflows a buffer in a remote daemon or service to inject his code into the program's address space and overwrite the return address of some function. When that function returns, control jumps into the intruder's code and executes it. The resulting shell has the privileges of the program that was exploited, which is why a vulnerable daemon running as root hands the attacker the whole system.
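The fault in miniature, as an added example written for this page (not code from the book): an unchecked `strcpy` into a fixed-size buffer beside a bounded version. Overwriting a real saved return address cannot be shown portably, so here an `authorized` flag is placed directly after the buffer and stands in for it; the point is the same, anything the attacker can reach by running past the buffer's end is under his control. The struct, function names and inputs are constructed for the example.

```c
/* Added example, not from the book: the stack-smashing pattern in miniature.
 * The authorized flag sits directly after the 8-byte name buffer, standing in
 * for the saved return address: anything the attacker can reach by overrunning
 * the buffer is under his control.  Layout and names are constructed here. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 8

struct login {
    char name[NAME_LEN];
    int  authorized;         /* adjacent to the buffer: no padding between them */
};

/* Vulnerable: strcpy stops only at the input's NUL, never at the buffer's end.
 * Input of NAME_LEN or more characters runs past name[] into authorized. */
int login_unbounded(const char *input)
{
    struct login l = { "", 0 };
    strcpy(l.name, input);
    return l.authorized;     /* 0 for well-behaved input; attacker-chosen after an overflow */
}

/* Hardened: measure first, refuse anything that does not fit together with its
 * NUL, and never truncate silently (a silently truncated name is a different bug). */
int login_bounded(const char *input)
{
    struct login l = { "", 0 };
    size_t n = strlen(input);
    if (n >= NAME_LEN) return -1;
    memcpy(l.name, input, n + 1);
    return l.authorized;
}

int main(void)
{
    char payload[13];
    memset(payload, 'A', 12);    /* 12 bytes: fills name[] and spills into authorized */
    payload[12] = '\0';
    printf("short name, unbounded: %d\n", login_unbounded("bob"));
    printf("long name, unbounded:  0x%x (undefined behaviour; typically 0x41414141)\n",
           (unsigned)login_unbounded(payload));
    printf("long name, bounded:    %d (rejected)\n", login_bounded(payload));
    return 0;
}
```

In a real daemon the overwritten field is the return address and the 'A's are replaced by an address pointing at injected shellcode, but the defect is identical: the copy is bounded by the attacker's data, not by the buffer.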

File Permissions

A hacker can compromise a system by exploiting inadequately protected files. As we have seen, a great number of files will open security problems if they are not properly secured. You should monitor the state of the file system with a tool that records file size, permissions, ownership, and timestamps, and computes a strong checksum of each file's contents, so that a changed file is detected even when its size and timestamps have been restored. If you, the system manager, are not monitoring file permissions regularly, you will be susceptible to a permissions attack.

  • Directory permissions protect all of the files and directories within the directory. Inadequate permissions on a directory cause a trickle-down security problem: they grant access to the contents of the directory, so any file or subdirectory within it can be modified (write permission on a directory allows an entry to be renamed or replaced even without write permission on the file itself). This lets a hacker step down through all the directories in the tree and compromise any of the files within. The problem is greater when the weak permissions are closer to the root directory; inappropriate permissions on the root directory, /, allow access to the entire file system. How often do you check the permissions of the root directory?

  • Device files control access to the physical devices they represent. Insufficient permissions on these files allow hackers to access the devices themselves. When the devices are modems, this gives the hacker the ability to use them to call out to other systems. Inadequate permissions on network device files enable hackers to sniff the network for valuable information. In the case of disk devices, this grants access to all the files contained on the device. There are hacker tools that let the hacker traverse the file system on a disk given access only to the device file that holds that file system. Such a tool does basically what the operating system does: it reads pointers and blocks of data from the disk and interprets the data as directories and files. It also lets the hacker change the permissions on any file on a disk whose device file he can write to, and this can include other device files. If a hacker has access to the memory device, usually /dev/mem or /dev/kmem, he has access to everything in the system's memory: programs, data, and state information. Basically, this is the entire system. An open door like this will spell disaster.
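A minimal permissions audit for the two faults described above, as an added example written for this page (not code from the book, and not a substitute for a full checksum-based integrity tool): it walks a directory tree with `lstat()`, counts world-writable entries and setuid/setgid files, and prints each one. The helper names are made up for the example, it is POSIX-only, and it treats a world-writable directory with the sticky bit set (the `/tmp` case) as the one acceptable exception.

```c
/* Added example, not from the book: walk a tree with lstat() and report the
 * two permission faults the text warns about, world-writable entries (any user
 * can modify them, and a world-writable directory exposes everything beneath
 * it) and setuid/setgid files.  Helper names are made up for this example. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#ifndef S_ISVTX
#define S_ISVTX 01000            /* sticky bit, in case the headers hide it */
#endif

struct audit_counts { int world_writable; int setid; int errors; };

static void audit_path(const char *path, struct audit_counts *c);

static void audit_dir(const char *dir, struct audit_counts *c)
{
    DIR *d = opendir(dir);
    if (d == NULL) { c->errors++; return; }
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        char child[4096];
        if (snprintf(child, sizeof child, "%s/%s", dir, e->d_name) >= (int)sizeof child) {
            c->errors++;             /* path too long: report it, do not truncate it */
            continue;
        }
        audit_path(child, c);
    }
    closedir(d);
}

/* Examine one entry.  lstat() rather than stat(): a symlink planted by an
 * attacker must not redirect the audit, so links are never followed. */
static void audit_path(const char *path, struct audit_counts *c)
{
    struct stat st;
    if (lstat(path, &st) != 0) { c->errors++; return; }
    if (S_ISLNK(st.st_mode)) return;
    unsigned mode = st.st_mode & 07777;
    /* A world-writable directory with the sticky bit (/tmp) is the one accepted case. */
    if ((st.st_mode & S_IWOTH) && !(S_ISDIR(st.st_mode) && (st.st_mode & S_ISVTX))) {
        c->world_writable++;
        printf("world-writable: %s (mode %04o)\n", path, mode);
    }
    if (st.st_mode & (S_ISUID | S_ISGID)) {
        c->setid++;
        printf("setuid/setgid:  %s (mode %04o)\n", path, mode);
    }
    if (S_ISDIR(st.st_mode)) audit_dir(path, c);
}

/* Audit everything under root and return the tallies. */
struct audit_counts audit_tree(const char *root)
{
    struct audit_counts c = { 0, 0, 0 };
    audit_path(root, &c);
    return c;
}

int main(int argc, char **argv)
{
    const char *root = argc > 1 ? argv[1] : ".";
    struct audit_counts c = audit_tree(root);
    printf("%s: %d world-writable, %d setuid/setgid, %d unreadable\n",
           root, c.world_writable, c.setid, c.errors);
    return (c.world_writable || c.setid) ? 1 : 0;
}
```

Run it as root against / and compare the output with a saved baseline; a setuid file that was not in the baseline, or a directory that has become world-writable, is exactly the change the text says you will otherwise never notice. Following the advice above, keep the binary on removable media rather than on the system it audits.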



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210