Attacking a Web Server and Application

1
Attacking a Web Server and Application

• Logan McKenna

2
Server Information Gathered

• Server OS Ubuntu Linux
• Apache Version 2.0.54
• Perl Version 5.8.7
• Mod Perl Version 2.0.1

3
Possible Attacks

• Cookies
• Apache
• Security Setup
• CGI Scripting
• Allows the execution of custom code
• Buffer Overflow Exploits

4
Perl Translation Attack

• Issue characters the Perl translator will not
  filter
• An example of such an attack would look like
• http//www.odci.gov/cgi-bin/query?0a/bin/cat20/e
  tc/passwd
• 0a is the line feed character and 20 is the
  space
• If this attack is possible a listing of the
  /etc/passwd file will be displayed
• This attack is not possible on Allans Server

5
Packet Sniffing

• The packet sniffer I used was Ethereal
• I ran through all the possible commands and
  options a user can choose.
• I found out everything is transferred in plain
  text.
• The help button uses JavaScript to call help
  files stored in a directory

6
Packet Sniffing Continued

• Can call any help file
• http//alraymond.kicks-ass.org/cgi-bin/user_help.p
  l?config_fileframecal/demohelp_topic2
• Permissions are set correctly
• Cannot call any other system files

7
Valid Help Files
8
Deletion

• Deletion function does not authenticate
• http//alraymond.kicks-ass.org/cgi-bin/framecal/fr
  amecal.pl?session_file456c4e991c6c0e25calendard
  emoitem_to_mod_del16month11year2006actionD
  eleteEvent
• Allan implemented a fix by disabling the Public
  View
• My solution to logon and get the session file
  numbers
• Changed the Deletion code to authenticate at each
  deletion call

9
Secure ?

• Implement SSL
• Update all the system software
• SSL exploits and buffer overflow exploits have
  recently been found