CSI NetSec2004

Information about CSI NetSec2004

Published on October 29, 2007

Author: WoodRock

Source: authorstream.com

Content

Slide 1: On the Quality of Exploit Code
Iván Arce, Core Security Technologies, 46 Farnsworth St, Boston, MA 02210, Ph: (617) 399-6980, www.coresecurity.com
CSI NetSec 2004 | June 14-16 2004 | San Francisco, CA

Slide 2: OUTLINE
- Prologue: context and definitions
- Why exploit code?
- Quality metrics
- Examples
- Epilogue: future work

Slide 3: PROLOGUE

Slide 4: Let's start by defining a common language (VULNERABILITIES & EXPLOITS)
- Vulnerability (noun): "A flaw in a system that, if leveraged by an attacker, can potentially impact the security of said system". Also: security bug, security flaw, security hole.
- Exploit (verb): "To use or manipulate to one's advantage" (Webster). "A security hole or an instance of taking advantage of a security hole".

Slide 5: Exploit code is not just "proof of concept" (EXPLOIT CODE)
- Proof of Concept exploit, PoC (noun): a software program or tool that exploits a vulnerability with the sole purpose of proving its existence.
- Exploit code (noun): a software program or tool developed to exploit a vulnerability in order to accomplish a specific goal. Possible goals: denial of service, arbitrary execution of code, etc.

Slide 6: WHY TALK ABOUT EXPLOIT CODE? An emerging role in the infosec practice.

Slide 7: The classic attack uses exploit code... (ANATOMY OF A REAL WORLD ATTACK)
[diagram: ATTACKER]

Slide 8: Exploit code becomes more sophisticated (EXPLOIT CODE FUNCTIONALITY)
- Add a simple "listen shell":
  echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
- Add an account to the compromised system:
  echo "sys3:x:0:103::/:/bin/sh" >> /etc/passwd; echo "sys3:1WXmkX74Ws8fX/MFI3.j5HKahNqIQ0:12311:0:99999:7:::" >> /etc/shadow
- Execute a "bind-shell"
- Execute a "reverse shell"
- Deploy and execute a multi-purpose agent: command shell, FTP, TFTP, IRC, "zombies", sniffers, rootkits...
- Deploy and execute an agent that re-uses the existing connection
- Deploy and execute an agent that has low-level interaction with the OS: syscall proxying, loader payloads, etc.

Slide 9: Exploit code becomes a "valuable asset" (A RECENT TREND IN THE INDUSTRY)
- Detailed information about vulnerabilities has value
- Exploit code is being bought and sold
- Included in commercial software offerings
- Exploit code development training
- Several books on exploiting software and exploit code development: "Exploiting Software", Hoglund & McGraw; "The Shellcoder's Handbook", Koziol et al.; "Hacking: The Art of Exploitation", Jon Erickson

Slide 10: Some legitimate uses for exploit code (WHAT CAN I DO WITH MY EXPLOITS?)
- Penetration testing
- Test and fine-tune firewall configurations
- Test and fine-tune IDS configurations
- Test incident response capabilities
- Vulnerability management

Slide 11: The penetration testing process (EXPLOIT CODE & PENETRATION TESTING)
[diagram: Penetration Testing]

Slide 12: Using exploits to test and configure firewalls (EXPLOIT CODE & FIREWALLS)
[diagram: Firewall configuration and testing]

Slide 13: Using exploits to test and configure Intrusion Detection Systems (EXPLOIT CODE & INTRUSION DETECTION SYSTEMS)
[diagram: IDS configuration and testing]

Slide 14: Vulnerability management: Scan & Patch strategy (THE VULNERABILITY MANAGEMENT PROCESS)
[diagram: Vulnerability Management]

Slide 15: Use exploit code to minimize errors and prioritize better (IMPROVED VULNERABILITY MANAGEMENT PROCESS)
[diagram: Vulnerability Management + Exploit Code]

Slide 16: Use exploit code to verify correct mitigation (AN ADDITIONAL IMPROVEMENT)
[diagram: Vulnerability Management + Exploit Code + Verification Using Exploits]

Slide 17: Combine vulnerability management and penetration testing (VULNERABILITY MANAGEMENT & PENETRATION TESTING COMBO)
[diagram: Vulnerability Management + Rapid Penetration Testing Using Exploits]

Slide 18: QUALITY METRICS

Slide 19: The legitimate uses of exploit code call for quality metrics (QUALITY METRICS FOR EXPLOIT CODE)
- There are several legitimate uses for exploit code
- Practitioners need to understand the quality of the tools they use
- Taxonomies and metrics are a reasonable way to provide a "more scientific" approach to measuring exploit code quality
- Once a taxonomy and a set of metrics are chosen, they can be used for comparative analysis and to measure R&D advances in the field
- Any given taxonomy and set of metrics is arbitrary and must be created and used in light of its application in the real world

Slide 20: A few more definitions are needed... (EXPLOIT CODE INTERNALS)
- Remote exploit: a program or tool that does not require legitimate access to the vulnerable system in order to exploit the security flaw
- Exploit payload: the portions of the exploit code that implement the desired functionality after successful exploitation of a vulnerable system. Example payloads: "add inetd service", "add account", "bind shell", "reverse shell"

Slide 21: A few more definitions are needed... (EXPLOIT CODE INTERNALS)
- Exploit attack vector: the means used by the exploit code to trigger the vulnerability on the target system
- Example: MS04-011 "Microsoft SSL PCT vulnerability" (CAN-2003-0719)
  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0719
  http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
  http://www.securityfocus.com/archive/1/361836
- One vulnerability with seven attack vectors:
  MS IIS/Exchange ports: https:443, smtp:25, imap:993, pop3:995, nntp:563
  MS Active Directory ports: ldaps:636, globalcatLDAPssl:3269

Slide 22: A few more definitions are needed... (EXPLOIT CODE INTERNALS)
- Exploit technique: the method used by the exploit code to alter the execution flow of a vulnerable system and force it to execute the exploit's payload
- Some exploit techniques:
  Overwriting the stack memory: read/write operations; write/execute operations; write operations
  Overwriting the heap memory: read/write operations; write/exec operations; mirrored write operations
  Overwriting process flow control structures: pointer overwrite (GOT, PLT, class pointers, destructors, atexit()); program data overwrite (authorization keys, flags, credentials, FDs)

Slide 23: These metrics can be used to assess the quality of exploit code (GENERIC QUALITY METRICS)
- Attack vectors: one / more than one / all
- Exploit logic: brute-forcing vs. hard-coded addresses; OS fingerprinting vs. OS selection by the user; connection usage; total running time; debugging capabilities, documentation, fixes
- Exploit technique and reliability: some techniques are inherently more reliable than others. Lab testing under ideal conditions: 80% - 100%; 50% - 79%; 20% - 49%; less than 20%

Slide 24: Metrics related to network topology characteristics (GENERIC QUALITY METRICS)
- Network topology constraints: link layer constraints (dialup, PPP, wireless, etc.); LAN vs. WAN; attacker behind NAT device; target behind NAT device; target behind FW blocking incoming connections; target behind FW blocking in/out connections; target behind proxy/application gateway FW; IP fragmentation
- Network footprint: latency; constrained bandwidth

Slide 25: Metrics related to the runtime environment of the vulnerable system/application (GENERIC QUALITY METRICS)
- Runtime environment: system load; multi-threading; fork & exec; multiplexing/asynchronous service; filesystem access; memory and file descriptors; environment variables and command line arguments; compile options, debugging, optimizations, logging; service startup (manual, boot time, inetd, etc.)

Slide 26: Metrics related to security hardened systems and services (GENERIC QUALITY METRICS)
- Security hardening measures: vulnerable service runs as an unprivileged process; privilege separation/downgrade; sand-boxing (chroot, jail, systrace, capabilities); non-executable stack; non-executable heap; StackGuard, StackShield, ProPolice, Microsoft VS /GS flag; PaX, GrSecurity, W^X
- Portability and OS dependence: does the exploit use external libraries or programs? Does the exploit run only on a specific OS? Does the exploit require local privileges?

Slide 27: Metrics related to system stability (GENERIC QUALITY METRICS)
- System stability after successful exploitation: unstable service; interrupted service; system reboot or halt
- System stability after unsuccessful exploitation: unstable service; interrupted service; system reboot or halt
- System pollution and clean-up: modifies configuration; modifies file system; leaves audit trace

Slide 28: OS coverage for exploits that target MS Windows (WINDOWS EXPLOITS: OS COVERAGE)
- Architecture: x86 - Intel IA32 (32bit); x86 - Intel IA64 (64bit)
- Operating system: WinNT, Win2k, WinXP, Win2003
- Operating system editions: WinNT 4.0: Workstation, Server, Enterprise, Terminal Server; Win2k: Professional, Server, Advanced Server; WinXP: Home, Professional; Win2003: Standard, Enterprise, Web
- Service Packs: WinNT 4.0: SP0-SP6, SP6a; Win2k: SP0-SP4; WinXP: SP0-SP1 (SP2 Q3/2004); Win2003: SP0
- Languages: English, Spanish, French, Portuguese, German, Chinese

Slide 29: OS coverage for exploits that target Linux (LINUX EXPLOITS: OS COVERAGE)
- Architecture: x86 - Intel IA32 (32bit); x86 - Intel IA64 (64bit); ARM; SPARC
- Linux distribution: RedHat, Suse, Debian, Mandrake (Conectiva, Fedora, TurboLinux, Immunix, OpenWall, Gentoo, ...)
- Linux distribution versions: RedHat: 6.2, 7, 7.11, 7.2, 7.3, 8, 9; Suse: 7, 7.1, 7.2, 7.3, 8, 8.1, 9, 9.1; Debian: 2.0, 2.1, 2.2, 3; Mandrake: 7.1, 7.2, 8, 8.1, 8.2, 9, 10
- Kernel versions: Linux kernel 2.2.0 - 2.2.26; Linux kernel 2.4.0 - 2.4.26; Linux kernel 2.6.0 - 2.6.6
- User space and applications: glibc and gcc versions, default application versions, default compile options

Slide 30: OS coverage for exploits that target Solaris (SOLARIS EXPLOITS: OS COVERAGE)
- Architecture: Intel x86, sun4m, sun4u
- Solaris versions: 2.5.1, 2.6, 7, 8, 9
- Patch clusters and individual patches
- Software packages and compiled applications
- Security settings: no_exec_user_stack = 1
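The "add inetd service" and "add account" payloads quoted on the functionality slide are concrete instances of the system-pollution metrics above (modifies configuration, modifies file system, leaves audit trace). As an added example that is not part of the talk, the following Python checks scan passwd(5) and inetd.conf(5) formatted text for exactly those two artifacts; the sample lines are constructed, with the sys3 and ingreslock entries taken from the slide.

```python
"""Added example: find the persistence artifacts left by the two payloads shown on the slides.

Both checks take text in the standard file formats, so they can be run over /etc/passwd and
/etc/inetd.conf, or over an alternate inetd file such as the /tmp/bob used on the slide.
"""

# Interpreters that hand a network client an interactive shell when used as an inetd server program.
SHELLS = {"sh", "bash", "csh", "ksh", "tcsh", "zsh"}


def uid0_accounts(passwd_text):
    """Return account names with UID 0 other than root, in file order (passwd(5) format)."""
    hits = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a well-formed passwd record
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            hits.append(name)
    return hits


def shell_inetd_services(inetd_text):
    """Return (service, user, server_program) for inetd.conf entries whose server program is a shell.

    inetd.conf(5) fields: service socket_type protocol wait/nowait user server_program [args...]
    """
    hits = []
    for line in inetd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 6:
            continue  # not a well-formed inetd entry
        service, user, server = parts[0], parts[4], parts[5]
        if server.rsplit("/", 1)[-1] in SHELLS:
            hits.append((service, user, server))
    return hits


# Constructed sample data; the sys3 and ingreslock entries are the payloads quoted on the slide.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sys3:x:0:103::/:/bin/sh
"""

SAMPLE_INETD = """\
# service socket proto wait user server args
ftp     stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
telnet  stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
ingreslock stream tcp nowait root /bin/sh sh -i
"""
```

On BSD systems the legitimate toor account also has UID 0, so a deployment of the first check needs a per-host allowlist.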
Slide 31: EXAMPLES

Slide 32: The MS RPC DCOM vulnerability exploited by the Blaster worm (MS RPC DCOM VULNERABILITY)
- Vulnerability: CAN-2003-0528, Microsoft Security Bulletin MS03-026
  http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
- Vulnerable systems: WinNT 4, WinNT 4 Terminal Services, Win2k, WinXP, Win2003
- Attack vectors: ports 135/tcp, 135/udp, 139/tcp, 445/tcp, 593/tcp, 80/tcp, >1024/tcp, plus 135/udp broadcast
- Publicly available exploit code: winrpcdcom.c (FlashSky, xfocus.org); dcom.c (HD Moore, modified from xfocus.org); msrpc_dcom_ms03_026.pm (HD Moore, included in Metasploit 2.0); Rpcexec.c (ins1der, trixterjack at yahoo.com); dcom48.c (OC192, www.k-otik.com)

Slide 33: The MS LSASS.EXE vulnerability exploited by the Sasser worm (MS LSASS VULNERABILITY)
- Vulnerability: CAN-2003-0533, Microsoft Security Bulletin MS04-011
  http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
  http://www.eeye.com/html/Research/Advisories/AD20040413C.html
- Vulnerable systems: Win2k, WinXP, Win2003
- Attack vectors: ports 139/tcp, 445/tcp
- Publicly available exploit code: HOD-ms04011-lsasrv-expl.c (houseofdabus); ms04011lsass.c (www.k-otik.com)

Slide 34: The OpenSSL vulnerability exploited by the Slapper worm (OPENSSL VULNERABILITY)
- Vulnerability: CAN-2002-0656
  http://www.kb.cert.org/vuls/id/102795
  http://www.securityfocus.com/bid/5363/info/
- Vulnerable systems: OpenSSL version < 0.9.7-beta2; all systems running Apache based web servers on Linux, *BSD unix, Windows, Solaris, HP-UX, ...
- Attack vectors: port 443/tcp
- Publicly available exploit code: OpenF*ck.c ([email protected]); OpenF*ckV2.c ("OF version r00t VERY PRIV8 spabam"); Openssl-too-open (Solar Eclipse)

Slide 35: EPILOGUE

Slide 36: Conclusion and future work (EPILOGUE)
- Conclusion: there are several legitimate uses for exploit code; we need to understand the tools we use; we propose a set of metrics to measure the quality of exploit code
- Future work: refine the proposed metrics; test against publicly available exploits; comparative analysis; extend into a model with more quantifiable parameters and possibly a suitable "QoE" metric

Slide 37: THANK YOU! Iván Arce [email protected]

Slide 38: CONTACT INFORMATION
Headquarters, Boston, MA: 46 Farnsworth St, Boston, MA 02210 | USA. Ph: (617) 399-6980 | Fax: (617) 399-6987. [email protected]
Research and Development Center, Argentina (Latin America): Florida 141 | 2º cuerpo | 7º piso (C1005AAC) Buenos Aires | Argentina. Tel/Fax: (54 11) 5032-CORE (2673). [email protected]
www.coresecurity.com
Iván Arce [email protected]
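The generic metrics from the QUALITY METRICS section can be applied to the worm-related examples above. The following Python is an added example, not part of the talk: it records an exploit against the attack-vector, exploit-logic, reliability, network-topology and stability metrics and classifies it the way the slides do. The known vectors are the ones listed for MS03-026 on the Blaster slide; the exploit record itself (supported vectors, lab results, flags) is constructed and hypothetical, not a claim about any of the listed exploits.

```python
"""Added example: apply the talk's generic quality metrics to an exploit assessment record."""
from dataclasses import dataclass

# Reliability bands from the "exploit technique and reliability" metric (lab tests, ideal conditions).
RELIABILITY_BANDS = ((80, "80% - 100%"), (50, "50% - 79%"), (20, "20% - 49%"), (0, "Less than 20%"))

@dataclass(frozen=True)
class ExploitRecord:
    name: str
    known_vectors: frozenset       # attack vectors documented for the vulnerability
    supported_vectors: frozenset   # vectors this exploit actually implements
    lab_runs: tuple                # True/False per lab run under ideal conditions
    hardcoded_addresses: bool      # exploit logic: brute-forcing vs. hard-coded addresses
    user_selects_os: bool          # exploit logic: OS fingerprinting vs. OS selection by the user
    crashes_service_on_failure: bool  # system stability after unsuccessful exploitation

def vector_coverage(known, supported):
    """Attack-vector coverage as the slides classify it: none / one / more than one / all."""
    unknown = supported - known
    if unknown:
        raise ValueError(f"vectors not documented for this vulnerability: {sorted(unknown)}")
    if not supported:
        return "none"
    if supported == known:
        return "all"
    return "one" if len(supported) == 1 else "more than one"

def reliability_band(runs):
    """Map lab-run results onto the slide's reliability bands."""
    if not runs:
        raise ValueError("no lab runs recorded")
    pct = 100 * sum(1 for ok in runs if ok) / len(runs)
    return next(label for floor, label in RELIABILITY_BANDS if pct >= floor)

def usable_vectors(supported, blocked_ports):
    """Network topology metric: vectors left when a firewall blocks the given incoming ports."""
    return sorted(v for v in supported if v.split("/")[0] not in blocked_ports)

def assess(record, blocked_ports=frozenset()):
    """Summarise one record; the exploit-logic and stability flags become findings."""
    findings = []
    if record.hardcoded_addresses:
        findings.append("hard-coded addresses (no brute-forcing)")
    if record.user_selects_os:
        findings.append("OS chosen by the user (no fingerprinting)")
    if record.crashes_service_on_failure:
        findings.append("failed attempt interrupts the service")
    return {
        "coverage": vector_coverage(record.known_vectors, record.supported_vectors),
        "reliability": reliability_band(record.lab_runs),
        "usable_vectors": usable_vectors(record.supported_vectors, blocked_ports),
        "findings": findings,
    }

# Constructed record: the known vectors are those listed for MS03-026 on the Blaster slide; the
# supported vectors, lab results and flags are hypothetical, not a claim about any real exploit.
DCOM_VECTORS = frozenset({"135/tcp", "135/udp", "139/tcp", "445/tcp", "593/tcp", "80/tcp", ">1024/tcp"})
SAMPLE = ExploitRecord("hypothetical MS03-026 exploit", DCOM_VECTORS, frozenset({"135/tcp", "445/tcp"}),
                       (True, True, True, False, True, True, True, True, False, True), True, True, True)
```

Calling assess(SAMPLE, blocked_ports={"135"}) reports "more than one" vector coverage, the "80% - 100%" reliability band, 445/tcp as the only vector still usable behind that firewall, and three findings.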
