Learn how network perimeter defenses like firewalls and intrusion detection systems are not enough to ensure security. Explore the vulnerabilities in popular applications and the potential threats they pose. Discover advanced techniques for exploiting these vulnerabilities and how to strengthen your overall security.
Advanced Windows NT Security: I got a super cool firewall… So what? You don’t impress me much!
Joey__
(c) 2000, SecureSolv.com (Pvt.) Ltd.
Do you feel safe today?
• Network perimeter defenses such as firewalls and traditional Intrusion Detection Systems can protect you against attempts to manipulate network services which you don’t intend to provide.
• In reality, your network is only as secure as the applications which you use to provide network services!
• As harsh as it may seem, the 15,000 dollars you spent on your firewall can’t protect you when your 3,000 dollar application is not secure at all!
So do you feel safe today?
In The Real World…
• Take an award winning application…
• Take a site that is self proclaimed to have survived 3 million intrusion attempts…
• Add a bit of investigation and some reverse engineering into the equation…
• And give a little bit of action to the debugger…
• Fire up the favorite assembler to wrap everything up…
• Hmm… suddenly the world doesn’t seem all that secure…
The Application
• The ***** News Server is advanced news server software that makes it easy for you to provide users with fast access to Internet (USENET) news groups.
• The ***** News Server is installed in thousands of organizations world-wide, ranging from large Internet Service Providers and Fortune 500 companies with hundreds of thousands of users, to mid-sized and small organizations. - Vendor
• "Overall, no other news server combines the ease of use, blazing performance, flexibility, cross-platform support, scalability, and wide range of features found in *****" - ServerWatch Review
The Potential Victim
• Information security related “anti-hacker” site that has not been compromised for years and is self proclaimed to have survived 3 million intrusion attempts…
• Apache 3.1.9 on Windows NT 4.0 with all the latest service packs and hot-fixes.
• No inbound TCP or UDP connections allowed except for TCP port 80.
• HTTP proxy scheme that redirects queries to multiple internal web servers based on the URL.
Let There Be News!
• Computer security related newsgroups
Who Wants Source Anyway?
How much do we know?
• CGI application.
• Win32 PE (Portable Executable) file format with no compression/encryption.
• HTTP GET/POST queries are passed in to the application as an environment variable.
Let’s load the binary into our favorite disassembler, IDA, and take a look at how things work under the hood!
Let’s See What We Got!
Static Buffers On The Stack
Where Did All The Bounds Checking Go?
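The bug class these slides point at, shown as an added example that is not the ***** News Server's code: a CGI handler that copies the attacker-controlled QUERY_STRING environment variable into a fixed-size stack buffer with no length check, beside a bounded version that measures first and fails closed on oversized input. Function and buffer names are invented for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QUERY_BUF 256

/* Vulnerable pattern (shown for reading; not exercised below): the CGI
 * copies an environment variable it does not control into a fixed-size
 * stack buffer without checking its length, so a query string longer
 * than QUERY_BUF overwrites whatever lies above the buffer on the stack. */
void handle_query_unchecked(const char *query)
{
    char buf[QUERY_BUF];
    strcpy(buf, query);          /* no bound: stack buffer overflow */
    printf("Content-Type: text/plain\r\n\r\n%s\n", buf);
}

/* Hardened version: measure the input without reading past out_len,
 * reject anything that does not fit together with its terminating NUL,
 * and only then copy. Returns 0 on success, -1 on missing or oversized input. */
int handle_query_checked(const char *query, char *out, size_t out_len)
{
    if (query == NULL || out == NULL || out_len == 0)
        return -1;
    size_t n = 0;
    while (n < out_len && query[n] != '\0')   /* bounded scan, never past out_len */
        n++;
    if (n >= out_len)                          /* n + 1 bytes needed, including NUL */
        return -1;
    memcpy(out, query, n + 1);
    return 0;
}

int main(void)
{
    char buf[QUERY_BUF];
    /* Constructed default used when the program is not run under a web server. */
    const char *query = getenv("QUERY_STRING");
    if (query == NULL)
        query = "group=comp.security.misc";
    if (handle_query_checked(query, buf, sizeof buf) != 0) {
        printf("Status: 414 Request-URI Too Long\r\n\r\n"); /* fail closed */
        return 1;
    }
    printf("Content-Type: text/plain\r\n\r\n%s\n", buf);
    return 0;
}
```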
Doom On You!
Give Me The ESP
• Let’s fire up our favorite debugger, SoftICE, and set a breakpoint at 0x0041E6A0.
• Note the current stack pointer (ESP) value.
We’ve got all we need! Now let’s exploit away…
Injector
• Standard Winsock based HTTP client code.
• GET www.victim.com/cgi-bin/victim.exe?xxxxxxxxxx HTTP/1.1
  Host: www.victim.com
• URL encodes the payload.
• Encodes the reverse-connect information (the host and the port) into the payload.
Payload!!!
• Locate itself and get more room on the stack.
• Set up Structured Exception Handling.
• Scan user memory for the Kernel32.dll image.
• Decode the in-memory PE structure and locate the LoadLibraryA and GetProcAddress exports.
• Load the required libraries and resolve the required imports into a jump table.
• Connect to the encoded host and port via TCP.
• Spawn CMD.EXE.
• Redirect CMD.EXE stdin, stdout and stderr into the connected TCP stream.
Payload Code (four slides; the listings are not captured in this transcript)
Advanced Topics
Structured Exception Handling issues.
• Exception frame structure:
  DWORD lpPreviousHandlerRecord
  DWORD ExceptionHandler
  DWORD dwUserDefined
• The exception handler function (ExceptionHandler) cannot reside on the stack.
• The OS default exception frame (xframe) must be preserved for proper Win32 operation.
Advanced Topics
Going kernel mode directly.
• All native API calls are made through the Int 0x2e Native Call Interface.
• Locate KeAllocateSelector in the micro kernel (NTOSKRNL.EXE).
• NtCreateSection to create a section.
• Load the ring-0 payload into the section.
• Create a 32-bit call gate via KeAllocateSelector and go ring-0.
• Set up KE_TRAP_FRAME.
• Execute the ring-0 payload.
The Future…
• Intrusion Prevention Systems.
• Buffer overflow protection for Windows NT.
• Extensive application sandboxing.
• Subsystem/platform services sandboxing.
• TCP/IP stack protection.
• Intelligent application functionality pattern analysis.
Beyond the invisible!