Computer Security CS 426 Lecture 27

ComputerSecurityCS426Lecture27SANSTop-20InternetSecurityAttackTargetsOperatingSystems•W1.InternetExplorer•W2.WindowsLibraries•W3.MicrosoftOffice•W4.WindowsServices•W5.WindowsConfigurationWeaknesses•M1.MacOSX•U1.UNIXConfigurationWeaknessesCross-PlatformApplications•C1WebApplications•C2.DatabaseSoftware•C3.P2PFileSharingApplications•C4InstantMessaging•C5.MediaPlayers•C6.DNSServers•C7.BackupSoftware•C8.Security,Enterprise,andDirectoryManagementServersOthers•NetworkDevices–N1.VoIPServersandPhones–N2.NetworkandOtherDevicesCommonConfigurationWeaknesses•SecurityPolicyandPersonnel–H1.ExcessiveUserRightsandUnauthorizedDevices–H2.Users(Phishing/SpearPhishing)•SpecialSection–Z1.ZeroDayAttacksandPreventionStrategiesW1.InternetExplorer•UnpatchedorolderversionsofInternetExplorercontainmultiplevulnerabilitiesthatcanleadtomemorycorruption,spoofingandexecutionofarbitraryscripts.Themostcriticalissuesaretheonesthatleadtoremotecodeexecutionwithoutanyuserinteractionwhenauservisitsamaliciouswebpageorreadsanemail.•Theseflawshavebeenwidelyexploitedtoinstallspyware,adwareandothermalwareonusers'systems.•TheVMLzero-dayvulnerabilityfixedbyMicrosoftpatchMS06-055waswidelyexploitedbymaliciouswebsitesbeforethepatchwasavailable.W2:WindowsLibraries•TheselibrariesusuallyhavethefileextensionDLLorOCX(forlibrariescontainingActiveXcontrols).•Duringthepastyear,severalwindowslibrarieswerereportedtohavecriticalvulnerabilities.Inanumberofcases,exploitcodeswerediscoveredbeforepatcheswereavailable(zero-day).•InDecember2005,avulnerability(CVE-2005-4560)wasreportedintheGraphicsRenderingEngine:whenhandlingspeciallycraftedWindowsMetafile(WMF)images,itcouldcausearbitrarycodetobeexecuted.ApatchwasnotavailableuntilearlyJanuary2006.W3.MicrosoftOffice•Vulnerabilitiesintheseproductscanbeexploitedviathefollowingattackvectors:–maliciousOfficedocumentinanemailmessage.–hoststhedocumentonawebserverorsharedfolder.NotethatIEautomaticallyopensOfficedocuments.Hence,browsingthemaliciouswebpageorfolderissufficientforthevulnerabilityexploitation.–runsanewsserverorhijacksaRSSfeedthatsendsmaliciousdocumentstoemailclients.•AlargenumbercriticalflawswerereportedlastyearinMSOfficeapplications.Afewofthemwereexploitedatazero-day.W4.WindowsServices•SeveralofthecoresystemservicesareexposedthroughnamedpipeendpointsaccessiblethroughtheCommonInternetFileSystem(CIFS)protocol,wellknownTCP/UDPportsandincertaincasesephemeralTCP/UDPports.•Whenexploited,thesevulnerabilitiesaffordtheattackerthesameprivilegesthattheservicehadonthehost.•Criticalvulnerabilitiesreportedwithinthepastyear:–ServerService(MS06-040,MS06-035)–iRoutingandRemoteAccessService(MS06-025)–ExchangeService(MS06-019)W5WindowsConfigurationWeaknesses•1.UserConfiguredPasswordWeaknesses•2.ServiceAccountPasswords–Non-systemServiceaccountsneedpasswordsinWindows.•3.NullLog-on–nullsessionshaveallowedanonymoususerstoenumeratesystems,shares,anduseraccounts.M1.MacOSX•Themajorityofthecriticalflawsdiscoveredinthepastyearfallintosixdifferentcategories:–Safari–ImageIO-Vulnerabilitiesinthisframeworkcouldpotentiallyaffectmanydifferentapplications.–Unix–Wireless-AcriticalvulnerabilityinMacOSX'swirelessnetworksubsystemallowsphysically-proximateattackerstogaincompletecontrol.Attackcanoccurevenifthatsystemwasnotpartofthesamelogicalnetworkastheattacker.AdditionalflawswerediscoveredintheBluetoothwirelessinterfacesubsystem,withsimilarresults.–Virus/Trojan-ThefirstvirusesandtrojansfortheMacOSXplatformwerediscoveredinthepastyear.–OtherU1.UNIXConfigurationWeaknesses•MostUnix/Linuxsystemsincludeanumberofstandardservicesintheirdefaultinstallation.–Theseservices,eveniffullypatched,canbethecauseofunintendedcompromises.•Ofparticularinterestarebrute-forceattacksagainstcommandlineaccesssuchasSSH,FTP,andtelnet.–Itisimportanttorememberthatbruteforcingpasswordscanbeausedasatechniquetocompromiseevenafullypatchedsystem.C1WebApplications•ApplicationssuchasContentManagementSystems(CMS),Wikis,Portals,BulletinBoards,•Everyweekhundredsofvulnerabilitiesarebeingreportedinthesewebapplications,andarebeingactivelyexploited.•Thenumberofattemptedattackseverydayforsomeofthelargewebhostingfarmsrangefromhundredsofthousandstoevenmillions.–PHPRemoteFileInclude–SQLInjection–Cross-SiteScripting(XSS)–Cross-siterequestforgeries(CSRF)–DirectoryTraversalC2.DatabaseSoftware•Useofdefaultconfigurationswithdefaultusernamesandpasswords.•BufferoverflowsinprocessesthatlistenonwellknownTCP/UDPports.•SQLInjectionviathedatabase'sowntoolsorwebfront-endsaddedbyusers.•Useofweakpasswordsforprivilegedaccounts•37CVEentriesonOraclesinceOctober2005C3.P2PFileSharingApplications•TheP2Pnetworksthemselvesmaybeattackedbymodifyinglegitimatefileswithmalware,seedingmalwarefilesintoshareddirectories,exploitingvulnerabilitiesintheprotocolorerrorsincoding,blocking(filtering)theprotocol,denialofservicebymakingthenetworkfunctionslowly,spammingandidentityattacksthatidentifynetworkusersandharassthem.C4.InstantMessaging•Recentattacksincludenewvariationsintheestablishmentandspreadofbotnets,andtheuseofcompromisedinstantmess