Understanding Concepts In Enterprise Network
Security And Risk Management
Part 1 of 3 : Understanding Risks In Networked Systems
------------------------------------------------------
By the consultants of the Network Security Solutions Ltd.
Front-line Information Security Team (FIST), January 1998.
fist@ns2.co.uk http://www.ns2.co.uk
------------------------------------------------------------------------------
Table Of Contents
------------------------------------------------------------------------------
Understanding Risks In Networked Systems
----------------------------------------
1. Introduction
2. Understanding the basic concepts behind vulnerabilities
existing by default in popular network operating systems
3. Common remote security hazards found on most networks,
the impact of effective information gathering
4. Identifying security risks present, tools and utilities
Appendicies
-----------
(i) Vulnerability listing for common TCP and UDP services
(ii) Vulnerability listing for common RPC services
------------------------------------------------------------------------------
1 Introduction
------------------------------------------------------------------------------
This series of 3 documents was written to give an overview of the concepts
involved when identifying and tackling weaknesses in networked computer
systems (primarily Unix-based servers), parts 2 and 3 of this paper also
explain risk management concepts regarding network security.
The second and third papers in this series will be released in late
January, they will be accessible along with all other NSS-FIST papers
from the NSS-FIST papers and advisories index at :
http://www.ns2.co.uk/docs.html
We hope you enjoy reading this paper, and hopefully learn a little about
network security in the meantime!
The Network Security Solutions Ltd. FIST staff (fist@ns2.co.uk)
------------------------------------------------------------------------------
2 Understanding the basic concepts behind vulnerabilities existing
'by default' in popular network operating systems
------------------------------------------------------------------------------
Many network server* platforms run a handful of network services by default,
systems administrators and network operations staff may not be knowledgable
when it comes to network security issues, consequently default services
that are present on networked hosts may not be removed in many cases.
(* specific examples being Solaris, IRIX, Linux and Windows NT Server)
The IRIX operating system is a good example of a network server platform
with default weaknesses. Many releases of IRIX over the last few years
(5.2 to around 6.2), have at least handful of serious security hazards that
are present upon installation -- primarily default service and default user
account problems.
An IRIX machine installed 'out of the box' on a network usually has
unpassworded default user accounts, this combined with 10 or more local
vulnerabilities can easily lead to a root compromise. Remote vulnerabilities
also exist in default IRIX services such as pcnfsd, statd and objectserver.
System crackers exploiting these vulnerabilities can easily gain remote root
access to IRIX hosts.
The Silicon Graphics IRIX security support centre can be accessed at
http://www.sgi.com/Support/security/security.html
Default security risks exist in most network server platforms, examples
include Windows NT with it's default Guest user, Solaris with it's fingerd
that allows finger query 'bouncing' to take place, and IRIX with it's
abundance of default security risks.
There are three main types of default security risk to be found, being :
- Default services
- Default service and network configurations
- Default user accounts
Default services that contain vulnerabilities are rare or currently
non-existant in the latest releases of most platforms, although they are
fairly common in earlier releases. We will cover service vulnerabilities in
more detail later on.
Default service and network configurations are also rare in the latest
releases of operating systems, although recent releases have contained
misconfigurations such as :
- Running fingerd, netstat, or systat services
- Running Sendmail with EXPN functionality enabled
A classic example of a misconfiguration that poses a security risk is with
the /etc/hosts.equiv containing a wildcard '+' symbol on old SunOS 4.1.3_U1
systems by default, thus allowing anyone to remotely log into the host as
the 'bin' user using 'rsh' or 'rlogin'.
Default user accounts are common in primarily IRIX, VAX/VMS and Windows NT
systems. Many 'system crackers' have entire listings of operating system
releases and the default user accounts in place under each, recent cracking
tools written by such system crackers have automated routines that will
check massive numbers of hosts for such default user accounts.
------------------------------------------------------------------------------
3 Common remote security hazards found on most networks,
the impact of effective information gathering
------------------------------------------------------------------------------
A typical network will consist of a handful of Microsoft Windows 95/98 or NT
workstations, SGI IRIX workstations and a selection of servers running Linux,
Solaris or Windows NT to act as e-mail, http and ftp servers. If network
segmentation exists, the network may have a router or firewall that performs
filtering.
Many corporate networks have internal segmentation in place, which is
implemented so that each site or network has it's own firewall, with a set
of filtering rules relevant to that network (ie. it only trusts those who
it needs to). This is fairly effective at preventing crackers from
gaining unauthorised access to large portions of a corporate network,
as specific 'trusted' hosts need to be breached to gain access to the
other segments.
If a malicious user or system cracker already has a degree of authorised
access to internal networks and hosts, it would be relatively simple for
him to breach many of the hosts on that network segment, depending on the
security policies in place (although many corporations tend to concentrate
entirely on firewalling and network segmentation, instead of individual
host security).
On our typical network (described above), most system crackers would take
the following steps to identify vulnerabilities in the networked hosts :
- A stealth TCP portscan
- A UDP portscan
- An RPCinfo 'dump' of the RPC services running
- 'Banner collection' from FTP, telnet, SMTP, POP3, IMAP and HTTP
services running
- Checking for default users by querying fingerd and Sendmail
Stealth TCP portscanning is a very fast and effective way of identifying open
TCP ports on hosts without being logged (unless specialist logging daemons
are in place), the 'nmap' portscanner is efficient at performing this kind of
task, nmap is available from http://www.ns2.co.uk/archive/tools/nmap.tgz .
Upon scanning a network in this fashion, the cracker will be able to get a
very good idea of how the networked hosts operate, identifying mail servers,
web servers and systems running RPC services. The TCP ports that crackers are
usually interested in are :
21 (ftp) 23 (telnet) 25 (smtp) 53 (domain) 79 (finger)
80 (http) 110 (pop3) 111 (sunrpc) 139 (samba) 143 (imap)
514 (shell)
( please see appendix (i) for information regarding the exact
vulnerabilities in TCP and UDP services )
Like TCP portscanning, UDP portscanning can identify potentially vulnerable
services using UDP ports, such as tftp which operates on port 69 and routed
which operates on port 520.
If the 'sunrpc' service is running on port 111, the cracker will query which
RPC services are running, RPC services that can help lead to a breach of
security include :
100001 (rstatd) 100002 (rusersd) 100005 (mountd) 100008 (rwalld)
100017 (rexd) 100022 (x25) 100024 (status) 100026 (bootparam)
100083 (tooltalk) 100300 (nisd) 150001 (pcnfsd)
( please see appendix (ii) for information regarding the exact
vulnerabilities in these RPC services )
Now that the cracker has identified the TCP, UDP and RPC services running on
each host, he will attempt to identify the exact version or release of the
services installed.
Certain releases of most services running on Unix-based platforms such as
FTP, Sendmail, BIND, Apache and NCSA httpd, QPOP, Samba and IMAP contain
vulnerabilities which can lead a remote root compromise of a host.
Even today, security hazards are found in these popular services (a good
example is BIND, which is widely used across the internet in nameservers).
By connecting to the services that may be vulnerable, the cracker will
attempt to identify the release of the service by looking at the banner it
produces upon connection, it we telnet to port 25 (smtp) on 192.9.200.1,
for example :
cube# telnet 192.9.200.1 25
Trying 192.9.200.1 ...
Connected to 192.9.200.1.
Escape character is '^]'.
220 rook Sendmail 4.1/SMI-4.1 ready at Fri, 8 Jan 99 11:10:36 GMT
The host is running 'Sendmail 4.1/SMI-4.1', this host is probably also
running SunOS 4.1.x, and is therefore vulnerable to an attack which can
result in a remote root compromise of the host.
Such 'banner collection' can be used to determine vulnerable versions of
services running on the following ports :
21 (ftp) 23 (telnet) 25 (smtp) 80 (http) 110 (pop3)
143 (imap)
Alternate methods such as querying the functionality of services can also be
used to identify specific releases, this is true for the 'domain' service
running on port 53, Samba running on port 139 and a handful of others, such
as 'sshd' that runs on port 22.
If the hosts run fingerd or Sendmail with EXPN options enabled, then the
cracker could identify any default user accounts in place on the hosts,
he could also identify test or guest accounts that may be in place.
An example of how Sendmail is exploited to identify user login names is :
cube# telnet 192.9.200.1 25
Trying 192.9.200.1 ...
Connected to 192.9.200.1.
Escape character is '^]'.
220 rook Sendmail 4.1/SMI-4.1 ready at Fri, 8 Jan 99 11:10:36 GMT
help
214-Commands:
214- HELO MAIL RCPT DATA RSET
214- NOOP QUIT HELP VRFY EXPN
214-For more info use "HELP <topic>".
214-smtp
214-To report bugs in the implementation contact Sun Microsystems
214-Technical Support.
214-For local information contact postmaster at this site.
214 End of HELP info
expn root
250 Operator <root>
expn test
250 Test Account <test>
expn abc123
550 abc123... User unknown
To summarise, by using a 4 programs -- nmap, telnet, rpcinfo and finger,
a typical cracker can identify :
- The TCP, UDP and RPC services each host on the network is running
- The operating system releases of many of the hosts
- The releases of key services, such as Sendmail and FTP
- Any default, test or guest user accounts in place on the hosts
Through this information gathering exercise, the cracker can easily identify
vulnerable network components, and proceed to exploit any vulnerabilities
to gain evalated network access or priviledges.
We will cover strategies used to help manage these risks over the next
2 papers, these will be available in mid-to-late January 1999, they can
be downloaded (along with other NSS-FIST papers), from :
http://www.ns2.co.uk/docs.html
------------------------------------------------------------------------------
4 Identifying security risks present, tools and utilities
------------------------------------------------------------------------------
NSS-FIST has created an archive for some of the tools commonly used by
crackers to scan networks for vulnerabilities, these can also be used
constructively in a security auditing environment. Although most cracker
tools don't check for all known remote vulnerabilities, they are certainly
very useful.
The NSS-FIST cracker tools archive can be accessed at :
http://www.ns2.co.uk/cracker-tools.html
Network Security Solutions Ltd., is also currently developing a plethora
of security tools for Unix and Windows based platforms, these will be
available over the next few months, feel free to visit our site at
http://www.ns2.co.uk , also look out for free 'lite' versions of our
software!
------------------------------------------------------------------------------
Appendix (i) Vulnerability listing for common TCP and UDP services
------------------------------------------------------------------------------
FTP (TCP port 21)
-----------------
In early wu-ftpd versions, there existed many security problems that could
lead to a root compromise of the host, many of the latest FTP daemons
(updated or released in at least 1998) are perfectly up-to-date and secure.
The latest version of wu-ftpd is available from :
ftp://ftp.academ.com/pub/wu-ftpd/private/wu-ftpd-2.4.2-beta-18.tar.Z
Telnet (TCP port 23)
--------------------
The only prominent security problem regarding telnet and /usr/bin/login
is that the banners it displays upon connecting to the port can be used
to help determine the operating system of the host. With some operating
systems it is possible to disable your telnet daemon from displaying
banners, as with some releases of Linux with it's /etc/issue.net file.
SMTP (TCP port 25)
------------------
Mail service programs such as Sendmail can be exploited to gain user and
mail aliasing information through issuing 'EXPN' queries, we suggest you
check that your mailservers don't support EXPN querying.
Earlier versions of Sendmail (especially before version 8.8.5), can be
exploited to gain access to a host, we suggest you visit www.sendmail.org
and ensure you are running a secure version.
Domain (TCP and UDP port 53)
----------------------------
DNS service programs such as BIND are known to have security problems that
can lead to a remote root compromises of hosts, if you haven't upgraded
your BIND release since Spring 1998, it will probably be vulnerable to a
handful of such attacks, see the relevant CERT advisory for more information
on the subject :
http://www.cert.org/ftp/cert-advisories/CA-98.05.bind_problems
Finger (TCP port 79)
--------------------
The fingerd service can be used to produce listings of users on hosts,
including information that is useful to system crackers, such as the last
IP address that they logged in from, and user idle times.
A lot of fingerd service releases can be used to perform finger request
'bouncing', this allows crackers to hide their true IP addresses when
performing masses of finger requests against networked hosts.
HTTP (TCP port 80)
------------------
Early releases of the Apache HTTP daemon were bundled with insecure CGI
programs such as phf, finger and test-cgi.
Running the /cgi-bin/phf program allowed remote users to view files on
the webserver as the 'nobody' user.
The /cgi-bin/finger program acted as a finger gateway, allowing crackers to
finger users on the hosts in the same manner as they would abuse the
fingerd service running on TCP port 79 (described above).
The /cgi-bin/test-cgi script could be abused to gain listings of files on
the webserver, thus allowing crackers to determine which packages were
installed on webservers running the vulnerable script.
The latest version of Apache can be downloaded from www.apache.org, it is
relatively secure nowadays.
Other HTTP daemons such as NCSA (prior to version 1.5) are vulnerable to
attacks which result in a remote root compromise of the webserver, it is
advisable to ensure you are running the latest HTTP daemon at all times.
POP3 (TCP port 110)
-------------------
Qualcomm's widely-used POP3 daemon -- QPOP, was found to be vulnerable to
a handful of attacks resulting in a remote root compromise of the host,
versions 2.2 and 2.4 of the daemon are vulnerable to such an attack, with
version 2.5 also having some minor security problems.
The latest version of Qualcomm's QPOP service daemon can be downloaded
from :
ftp://ftp.qualcomm.com/Eudora/servers/unix/popper/qpopper2.53.tar.Z
Many POP3 service daemons fall victim to brute-force login/password
attempts, this is because of a lack of logging upon an incorrect
login/password combination, and the fact that many POP3 daemons don't
disconnect the user upon 3 bad logins. An automated POP3 brute-force
program is available from the NSS-FIST cracker tools archive, at :
http://www.ns2.co.uk/cracker-tools.html
Samba/NetBIOS (TCP port 139)
----------------------------
Versions of Samba are vulnerable to an attack that results in a remote root
compromise of the host, the latest versions are patched against this.
Samba share passwords can also be brute-forced, visit the NSS-FIST cracker
tools archive for more information :
http://www.ns2.co.uk/cracker-tools.html
IMAP (TCP port 143)
-------------------
Older IMAP releases available from Washington University are vulnerable to
a handful of attacks that result in a remote root compromise of the host,
for more information about the publically exploits available, we advise
that you visit www.rootshell.com and perform a search for 'IMAP'.
The latest versions of the IMAP service daemon are relatively secure, and
can be downloaded from :
ftp://ftp.cac.washington.edu/mail/imap.tar.Z
Shell (TCP port 514)
--------------------
The shell service that runs on port 514 can be abused by crackers to
gain access to your host without being logged, by using rsh in this
fashion (after breaching the host and installing an .rhosts file) :
# rsh -l user victim.here.com csh -i
Warning: no access to tty; thus no job control in this shell...
victim% who
victim%
Presence of the shell service also allows crackers to move files across
networks very quickly and unlogged, by using the 'rcp' program.
TFTP (UDP port 69)
------------------
TFTP is used in a handful of situations where a very simple file transfer
needs to take place (to upload files to routers for example), it has weak
authentication, and shouldn't be used in normal network operation.
Routed (UDP port 520)
---------------------
BSD-derived routed service daemons are vulnerable to an RIP 'tracefile'
attack, where critical files can be overwritten and, in some cases, remote
root access can be gained.
We suggest that you check you are running a secure release of routed and
have any relevant vendor-released security patches installed. It may be
advisable to suggest 'gated' as an alternative, which is available for
free from www.gated.org
------------------------------------------------------------------------------
Appendix (ii) Vulnerability listing for common RPC services
------------------------------------------------------------------------------
Rstatd
------
The rstatd RPC service can be abused to gauge the effectiveness of Denial
of Service attacks against hosts, it merely reports system load and
paging information.
Rusersd
-------
The rusersd RPC service can be queried to gain login information of those
logged into hosts.
Mountd
------
The mountd RPC service can be queried to list any NFS exports present on
hosts, and identify any misconfigurations present.
Rwalld
------
The rwalld RPC service can be abused by crackers and 'flood' all your local
users with text, it isn't advisable to run rwalld if the host is connected to
the internet.
Rexd
----
The rexd RPC service is massively insecure and can be used by crackers to
execute commands remotely, rexd's authentication is very weak.
X.25
----
x.25 RPC services can be abused by crackers who want to 'hop' onto x.25
networks and attack hosts. If a host is acting as an x.25 gateway, crackers
will target the host to install a 'sniffer' to catch login names and
passwords.
Status
------
A status RPC service is massively insecure under Solaris 2.4, and a public
exploit exists to gain remote root access to hosts running Solaris 2.4 with
statd.
We strongly recommend that if your hosts are running primarily IRIX or
Solaris operating systems, that you approach your vendor and install any
relevant statd patches.
Bootparam
---------
If misconfigured, the bootparam RPC service can be coaxed into revealing the
NIS domain name of the machine.
Tooltalk
--------
Security vulnerabilities exist in the ToolTalk service (rpc.ttdbserver),
a public remote exploit also can be found on www.rootshell.com for this,
it is effective against :
- Solaris
- IRIX
- HP-UX
If you are running any of the above platforms, we suggest you approach your
vendor immediately and install any relevant rpc.ttdbserver patches, or
disable the service entirely.
NIS
---
A security vulnerability exists in the Solaris NIS+ RPC service, which if
exploited can result in a remote root compromise of the host.
Sun have released a patch to address this problem, and can be downloaded
from the 'public patch access' section at http://sunsolve1.sun.com
a public exploit doesn't exist for this vulnerability to date.
PCNFSD
------
A security vulnerability exists in the pcnfsd RPC service, which is exploited
can result in a remote root compromise of the host, because of the fact that
the exploit doesn't rely on any shellcode being passed to the target, it is
effective against most hosts running pcnfsd, primarily IRIX hosts.
If any of your hosts run the pcnfsd RPC service, we suggest you approach
your vendor for a pcnfsd patch (if supported) and install it immediately.
------------------------------------------------------------------------------
Copyright (c) Network Security Solutions Ltd. 1998
All rights reserved, all trademarks acknowledged
http://www.ns2.co.uk
This document may be distributed in the public domain
as long as the above copyright notices remain intact.
------------------------------------------------------------------------------