Understanding Concepts In Enterprise Network Security And Risk Management
Part 1 of 3 : Understanding Risks In Networked Systems
------------------------------------------------------

By the consultants of the Network Security Solutions Ltd. Front-line
Information Security Team (FIST), January 1998.

fist@ns2.co.uk
http://www.ns2.co.uk

------------------------------------------------------------------------------
Table Of Contents
------------------------------------------------------------------------------

Understanding Risks In Networked Systems
----------------------------------------

1. Introduction
2. Understanding the basic concepts behind vulnerabilities existing by
   default in popular network operating systems
3. Common remote security hazards found on most networks, the impact of
   effective information gathering
4. Identifying security risks present, tools and utilities

Appendices
----------

(i)  Vulnerability listing for common TCP and UDP services
(ii) Vulnerability listing for common RPC services

------------------------------------------------------------------------------
1 Introduction
------------------------------------------------------------------------------

This series of three documents gives an overview of the concepts involved in identifying and tackling weaknesses in networked computer systems (primarily Unix-based servers). Parts 2 and 3 of the series also explain risk management concepts as they apply to network security.

The second and third papers in this series will be released in late January. They will be accessible, along with all other NSS-FIST papers, from the NSS-FIST papers and advisories index at :

http://www.ns2.co.uk/docs.html

We hope you enjoy reading this paper, and learn a little about network security along the way!

The Network Security Solutions Ltd.
FIST staff (fist@ns2.co.uk)

------------------------------------------------------------------------------
2 Understanding the basic concepts behind vulnerabilities existing 'by
  default' in popular network operating systems
------------------------------------------------------------------------------

Many network server platforms* run a handful of network services by default. Systems administrators and network operations staff are often not knowledgeable about network security issues, so in many cases the default services present on networked hosts are never removed.

(* specific examples being Solaris, IRIX, Linux and Windows NT Server)

The IRIX operating system is a good example of a network server platform with default weaknesses. Many releases of IRIX over the last few years (5.2 to around 6.2) have at least a handful of serious security hazards present upon installation, primarily default service and default user account problems. An IRIX machine installed 'out of the box' on a network usually has unpassworded default user accounts; combined with ten or more local vulnerabilities, this can easily lead to a root compromise. Remote vulnerabilities also exist in default IRIX services such as pcnfsd, statd and objectserver, and system crackers exploiting these can easily gain remote root access to IRIX hosts.

The Silicon Graphics IRIX security support centre can be accessed at :

http://www.sgi.com/Support/security/security.html

Default security risks exist in most network server platforms. Examples include Windows NT with its default Guest user, Solaris with a fingerd that allows finger query 'bouncing' to take place, and IRIX with its abundance of default security risks.
There are three main types of default security risk to be found, being :

- Default services
- Default service and network configurations
- Default user accounts

Default services that contain vulnerabilities are rare or currently non-existent in the latest releases of most platforms, although they are fairly common in earlier releases. We cover service vulnerabilities in more detail later on.

Default service and network configurations that pose a risk are also rare in the latest releases of operating systems, although recent releases have contained misconfigurations such as :

- Running the fingerd, netstat or systat services
- Running Sendmail with EXPN functionality enabled

A classic example of a misconfiguration that poses a security risk is the /etc/hosts.equiv file shipped on old SunOS 4.1.3_U1 systems, which by default contained a lone wildcard '+' entry. A '+' on its own in hosts.equiv marks every host on the network as trusted, so anyone could log into the host as the 'bin' user using 'rsh' or 'rlogin' without supplying a password.

Default user accounts are common primarily in IRIX, VAX/VMS and Windows NT systems. Many 'system crackers' keep entire listings of operating system releases and the default user accounts in place under each, and recent cracking tools written by such crackers contain automated routines that check massive numbers of hosts for these accounts.

------------------------------------------------------------------------------
3 Common remote security hazards found on most networks, the impact of
  effective information gathering
------------------------------------------------------------------------------

A typical network consists of a handful of Microsoft Windows 95/98 or NT workstations, SGI IRIX workstations and a selection of servers running Linux, Solaris or Windows NT to act as e-mail, HTTP and FTP servers. If network segmentation exists, the network may have a router or firewall that performs filtering.
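Before moving on to the remote picture, the two local 'default configuration' weaknesses described in section 2 (unpassworded accounts, and a '+' wildcard in hosts.equiv or a user's .rhosts) can be checked with a short script. The following is an added example and not code from the NSS-FIST paper; the sample passwd, shadow, hosts.equiv and .rhosts contents are constructed here and written into a temporary directory laid out like '/', so the script runs offline. audit_tree() takes the root to audit, so passing '/' runs it against a live Unix host.

```python
"""Local audit for the 'default configuration' weaknesses above: accounts
with an empty password field and '+' wildcards in hosts.equiv or .rhosts.
Added example, not code from the NSS-FIST paper.  The sample host image is
constructed in a temp directory; pass '/' to audit_tree() on a real host."""
import os
import tempfile


def unpassworded_accounts(passwd_text, shadow_text=None):
    """Login names whose password field is empty.  passwd fields are
    name:passwd:uid:gid:gecos:home:shell; where the field is 'x' the hash
    lives in /etc/shadow, so that file is consulted when supplied."""
    shadow = {}
    for line in (shadow_text or "").splitlines():
        if line and not line.startswith("#") and ":" in line:
            name, hash_ = line.split(":", 2)[:2]
            shadow[name] = hash_
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue  # comment or malformed entry: skip, do not misreport
        name, pw = fields[0], fields[1]
        if pw == "x" and name in shadow:
            pw = shadow[name]
        if pw == "":
            hits.append(name)
    return hits


def rhosts_wildcards(text):
    """Offending lines of a hosts.equiv / .rhosts file.  Each line is
    'host [user]'; a host of '+' trusts every host and a user of '+' trusts
    every user on that host.  '+@netgroup' is a netgroup reference, not a
    wildcard, and is left alone."""
    bad = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        host, user = parts[0], parts[1] if len(parts) > 1 else None
        if host == "+" or user == "+":
            bad.append(raw)
    return bad


def audit_tree(root):
    """Check etc/passwd (+ etc/shadow), etc/hosts.equiv and every .rhosts
    found under root.  Returns a dict of findings."""
    def read(*parts):
        path = os.path.join(root, *parts)
        return open(path).read() if os.path.exists(path) else None

    findings = {"unpassworded": [], "hosts_equiv": [], "rhosts": {}}
    passwd = read("etc", "passwd")
    if passwd is not None:
        findings["unpassworded"] = unpassworded_accounts(passwd, read("etc", "shadow"))
    hosts_equiv = read("etc", "hosts.equiv")
    if hosts_equiv is not None:
        findings["hosts_equiv"] = rhosts_wildcards(hosts_equiv)
    for dirpath, _dirs, files in os.walk(root):
        if ".rhosts" in files:
            path = os.path.join(dirpath, ".rhosts")
            bad = rhosts_wildcards(open(path).read())
            if bad:
                findings["rhosts"][path] = bad
    return findings


# Constructed sample host image (not real data): 'bin' and 'guest' have no
# password, hosts.equiv holds the SunOS-style lone '+', and one user's
# .rhosts contains '+ +'.  'alice' is shadowed and does have a password.
SAMPLE_PASSWD = """root:Ab3kT9xq2Lm1Y:0:1:Operator:/:/bin/csh
bin::2:2::/bin:
daemon:*:1:1::/:
guest::1001:100:Guest Account:/home/guest:/bin/sh
alice:x:1002:100:Alice:/home/alice:/bin/sh
"""
SAMPLE_SHADOW = "alice:$1$saltsalt$hashhashhash:10000::::::\n"
SAMPLE_HOSTS_EQUIV = "+\n"
SAMPLE_RHOSTS = "trusted.example.net alice\n+ +\n"


def build_sample_tree():
    """Write the samples into a fresh temp directory laid out like '/'."""
    root = tempfile.mkdtemp(prefix="trust-audit-")
    for rel, text in [(("etc", "passwd"), SAMPLE_PASSWD),
                      (("etc", "shadow"), SAMPLE_SHADOW),
                      (("etc", "hosts.equiv"), SAMPLE_HOSTS_EQUIV),
                      (("home", "alice", ".rhosts"), SAMPLE_RHOSTS)]:
        path = os.path.join(root, *rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)
    return root


if __name__ == "__main__":
    for key, value in audit_tree(build_sample_tree()).items():
        print(key, value)
```

Any account reported under 'unpassworded' needs a password set or the account locked (a '*' in the password field); any line reported for hosts.equiv or a .rhosts file should simply be deleted, as a '+' host entry extends trust to every machine that can reach the rsh/rlogin ports.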
Many corporate networks have internal segmentation in place, implemented so that each site or network has its own firewall with a set of filtering rules relevant to that network (i.e. it only trusts those it needs to). This is fairly effective at preventing crackers from gaining unauthorised access to large portions of a corporate network, as specific 'trusted' hosts need to be breached to gain access to the other segments.

If a malicious user or system cracker already has a degree of authorised access to internal networks and hosts, it is relatively simple for him to breach many of the hosts on that network segment, depending on the security policies in place (many corporations concentrate entirely on firewalling and network segmentation instead of individual host security, and it is host security that limits an insider).

On our typical network (described above), most system crackers would take the following steps to identify vulnerabilities in the networked hosts :

- A stealth TCP portscan
- A UDP portscan
- An 'rpcinfo' dump of the RPC services running
- 'Banner collection' from the FTP, telnet, SMTP, POP3, IMAP and HTTP services running
- Checking for default users by querying fingerd and Sendmail

Stealth TCP portscanning (sending only the first SYN of the handshake and never completing the connection, so the listening service is never handed a connection to log) is a very fast and effective way of identifying open TCP ports on hosts without the scan being logged, unless specialist logging daemons or firewall logging are in place. The 'nmap' portscanner is efficient at performing this kind of task, and is available from :

http://www.ns2.co.uk/archive/tools/nmap.tgz

Upon scanning a network in this fashion, the cracker gets a very good idea of how the networked hosts operate, identifying mail servers, web servers and systems running RPC services.
The TCP ports that crackers are usually interested in are :

21  (ftp)
23  (telnet)
25  (smtp)
53  (domain)
79  (finger)
80  (http)
110 (pop3)
111 (sunrpc)
139 (netbios-ssn, Samba)
143 (imap)
514 (shell)

( please see appendix (i) for information regarding the exact vulnerabilities in TCP and UDP services )

Like TCP portscanning, UDP portscanning can identify potentially vulnerable services using UDP ports, such as tftp, which operates on port 69, and routed, which operates on port 520.

If the 'sunrpc' service (the portmapper) is running on port 111, the cracker will query it for the RPC services registered on the host. RPC services that can help lead to a breach of security include :

100001 (rstatd)
100002 (rusersd)
100005 (mountd)
100008 (rwalld)
100017 (rexd)
100022 (x25)
100024 (status)
100026 (bootparam)
100083 (tooltalk)
100300 (nisd)
150001 (pcnfsd)

( please see appendix (ii) for information regarding the exact vulnerabilities in these RPC services )

Now that the cracker has identified the TCP, UDP and RPC services running on each host, he will attempt to identify the exact version or release of each service installed. Certain releases of most services running on Unix-based platforms, such as FTP daemons, Sendmail, BIND, Apache and NCSA httpd, QPOP, Samba and IMAP, contain vulnerabilities which can lead to a remote root compromise of a host. Even today, security hazards are being found in these popular services (a good example is BIND, which is widely used across the Internet in nameservers).

By connecting to the services that may be vulnerable, the cracker will attempt to identify the release of the service by looking at the banner it produces upon connection. If we telnet to port 25 (smtp) on 192.9.200.1, for example :

cube# telnet 192.9.200.1 25
Trying 192.9.200.1 ...
Connected to 192.9.200.1.
Escape character is '^]'.
220 rook Sendmail 4.1/SMI-4.1 ready at Fri, 8 Jan 99 11:10:36 GMT

The host is running 'Sendmail 4.1/SMI-4.1'. This is the Sendmail bundled with SunOS 4.1.x, so the host is probably also running SunOS 4.1.x, and is therefore vulnerable to an attack which can result in a remote root compromise of the host.

Such 'banner collection' can be used to determine vulnerable versions of services running on the following ports :

21  (ftp)
23  (telnet)
25  (smtp)
80  (http)
110 (pop3)
143 (imap)

Alternative methods, such as querying the functionality of a service, can also be used to identify specific releases. This is true for the 'domain' service running on port 53, Samba running on port 139 and a handful of others, such as 'sshd' running on port 22.

If the hosts run fingerd, or Sendmail with EXPN enabled, the cracker can identify any default user accounts in place on the hosts, as well as any test or guest accounts that may be present. An example of how Sendmail is exploited to identify user login names is :

cube# telnet 192.9.200.1 25
Trying 192.9.200.1 ...
Connected to 192.9.200.1.
Escape character is '^]'.
220 rook Sendmail 4.1/SMI-4.1 ready at Fri, 8 Jan 99 11:10:36 GMT
help
214-Commands:
214-    HELO    MAIL    RCPT    DATA    RSET
214-    NOOP    QUIT    HELP    VRFY    EXPN
214-For more info use "HELP ".
214-smtp
214-To report bugs in the implementation contact Sun Microsystems
214-Technical Support.
214-For local information contact postmaster at this site.
214 End of HELP info
expn root
250 Operator
expn test
250 Test Account
expn abc123
550 abc123... User unknown

The 250 replies confirm that 'root' and 'test' are valid local accounts (and give the full name recorded for each), while the 550 reply shows that 'abc123' does not exist, so the cracker can separate valid login names from invalid ones without ever attempting a login.

To summarise, by using four programs -- nmap, telnet, rpcinfo and finger -- a typical cracker can identify :

- The TCP, UDP and RPC services each host on the network is running
- The operating system releases of many of the hosts
- The releases of key services, such as Sendmail and FTP
- Any default, test or guest user accounts in place on the hosts

Through this information gathering exercise, the cracker can easily identify vulnerable network components, and proceed to exploit any vulnerabilities to gain elevated network access or privileges.

We will cover strategies used to help manage these risks over the next two papers. These will be available in mid-to-late January 1999, and can be downloaded (along with other NSS-FIST papers) from :

http://www.ns2.co.uk/docs.html

------------------------------------------------------------------------------
4 Identifying security risks present, tools and utilities
------------------------------------------------------------------------------

NSS-FIST has created an archive of some of the tools commonly used by crackers to scan networks for vulnerabilities; these can also be used constructively in a security auditing environment. Although most cracker tools don't check for all known remote vulnerabilities, they are certainly very useful. The NSS-FIST cracker tools archive can be accessed at :

http://www.ns2.co.uk/cracker-tools.html

Network Security Solutions Ltd. is also currently developing a plethora of security tools for Unix and Windows based platforms. These will be available over the next few months; feel free to visit our site at http://www.ns2.co.uk , and look out for free 'lite' versions of our software!
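The 'banner collection' step from section 3 is only useful once the collected banners are turned into a list of releases worth worrying about. The script below does that for the services named in appendix (i). It is an added example, not a tool from the NSS-FIST archive or any other code from this paper: the sample banners are constructed (the Sendmail one mirrors the 'rook' host above, the rest are made up), and the only version thresholds it applies are those the appendix itself states (Sendmail before 8.8.5, QPOP 2.2 and 2.4, NCSA httpd before 1.5). wu-ftpd versions are recorded but not judged, since the appendix gives no cut-off for them.

```python
"""Classify service banners of the kind collected in section 3 and flag the
releases named as vulnerable in appendix (i).  Added example, not code from
the NSS-FIST paper.  Sample banners are constructed; the thresholds are the
ones the paper gives and nothing more."""
import re

# (service, regex with a 'ver' group, vulnerability test, note).  The test
# is a callable on a version tuple so each rule can say 'older than' or
# 'exactly these releases' without a generic rule language.
RULES = [
    ("sendmail", re.compile(r"^220 \S+ (?:ESMTP )?Sendmail (?P<ver>[\d.]+)"),
     lambda v: v < (8, 8, 5), "Sendmail before 8.8.5: exploitable, see appendix (i)"),
    ("qpop", re.compile(r"^\+OK QPOP \(version (?P<ver>[\d.]+)\)"),
     lambda v: v in ((2, 2), (2, 4)), "QPOP 2.2/2.4: remote root compromise"),
    ("ncsa-httpd", re.compile(r"^Server: NCSA/(?P<ver>[\d.]+)", re.I),
     lambda v: v < (1, 5), "NCSA httpd before 1.5: remote root compromise"),
    ("wu-ftpd", re.compile(r"^220 \S+ FTP server \(Version wu-(?P<ver>[\d.]+)"),
     lambda v: False, "wu-ftpd: no cut-off given, check vendor advisories"),
]


def parse_version(text):
    """'8.8.5' -> (8, 8, 5); tolerant of decorations such as '2.4(1)'."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def classify(banner):
    """Return (service, version_tuple, vulnerable, note), or None if no rule
    matches.  HTTP responses carry the version in a Server: header rather
    than on the first line, so the first few lines are all tried."""
    for line in (banner or "").splitlines()[:10]:
        for service, pattern, is_vuln, note in RULES:
            m = pattern.match(line)
            if m:
                ver = parse_version(m.group("ver"))
                return service, ver, bool(is_vuln(ver)), note
    return None


def classify_many(banners):
    """banners: {(host, port): banner text}.  Returns {(host, port): result}
    for every banner a rule recognised; unrecognised banners are dropped."""
    report = {}
    for key, banner in banners.items():
        result = classify(banner)
        if result:
            report[key] = result
    return report


# Constructed sample banners.  The first mirrors the 'rook' host in
# section 3; the others are made up for the example.
SAMPLE_BANNERS = {
    ("192.9.200.1", 25): "220 rook Sendmail 4.1/SMI-4.1 ready at Fri, 8 Jan 99 11:10:36 GMT",
    ("192.9.200.2", 25): "220 crow ESMTP Sendmail 8.9.1/8.9.1; Fri, 8 Jan 1999 11:12:01 GMT",
    ("192.9.200.2", 110): "+OK QPOP (version 2.4) at crow starting.",
    ("192.9.200.3", 110): "+OK QPOP (version 2.53) at raven starting.",
    ("192.9.200.3", 80): "HTTP/1.0 200 OK\r\nServer: NCSA/1.4.2\r\nContent-Type: text/html\r\n\r\n",
    ("192.9.200.4", 21): "220 jay FTP server (Version wu-2.4.2-beta-18(1) Tue Dec 1 1998) ready.",
}


if __name__ == "__main__":
    for (host, port), (service, ver, vuln, note) in sorted(classify_many(SAMPLE_BANNERS).items()):
        flag = "VULNERABLE" if vuln else "ok"
        print(f"{host}:{port:<4} {service:<11} {'.'.join(map(str, ver)):<8} {flag:<10} {note}")
```

Banner text is under the remote administrator's control, so a classification of 'ok' only means the banner did not match a known-bad release; an 'ok' from a banner that has been edited or suppressed (see the telnet entry in appendix (i)) proves nothing, and the functionality-based probes mentioned in section 3 are the fallback.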
------------------------------------------------------------------------------
Appendix (i) Vulnerability listing for common TCP and UDP services
------------------------------------------------------------------------------

FTP (TCP port 21)
-----------------

Early wu-ftpd versions contained many security problems that could lead to a root compromise of the host. Most of the latest FTP daemons (updated or released in 1998 or later) are up-to-date and no longer affected by these problems. The latest version of wu-ftpd is available from :

ftp://ftp.academ.com/pub/wu-ftpd/private/wu-ftpd-2.4.2-beta-18.tar.Z

Telnet (TCP port 23)
--------------------

The only prominent security problem regarding telnet and /usr/bin/login is that the banners displayed upon connecting to the port can be used to help determine the operating system of the host. With some operating systems it is possible to stop your telnet daemon from displaying banners, as with some releases of Linux and their /etc/issue.net file.

SMTP (TCP port 25)
------------------

Mail service programs such as Sendmail can be exploited to gain user and mail aliasing information through 'EXPN' (and 'VRFY') queries; we suggest you check that your mailservers don't answer EXPN queries. Earlier versions of Sendmail (especially those before version 8.8.5) can be exploited to gain access to a host; we suggest you visit www.sendmail.org and ensure you are running a secure version.
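The EXPN exchange shown in section 3, and the check suggested in the SMTP entry above, can both be done with one small client that speaks just enough SMTP to issue EXPN and read the reply codes. The following is an added example and not code from the NSS-FIST paper or tools archive. So that it runs offline it includes an in-process mock of the SunOS 'rook' server from the transcript (hostname and the two accounts 'root' and 'test' are taken from the paper; the HELO name, port handling and the hardened-server behaviour of answering 502 are assumptions). Pointing expn_probe() at a real host and port 25 turns it into the audit check.

```python
"""Probe an SMTP server for EXPN support and enumerate login names the way
the section 3 transcript does.  Added example, not from the NSS-FIST paper.
The mock server reproduces the paper's 'rook' replies so this runs offline."""
import socket
import socketserver
import threading

# Accounts the mock knows, exactly as the paper's transcript reports them.
MOCK_ACCOUNTS = {"root": "Operator", "test": "Test Account"}


class MockSendmail(socketserver.StreamRequestHandler):
    """Replies like the SunOS Sendmail 4.1 in the paper when expn_enabled is
    True, and like a hardened server (502 to EXPN/VRFY) when it is False."""
    expn_enabled = True

    def handle(self):
        self.wfile.write(b"220 rook Sendmail 4.1/SMI-4.1 ready at Fri, 8 Jan 99 11:10:36 GMT\r\n")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "QUIT":
                self.wfile.write(b"221 rook closing connection\r\n")
                return
            if cmd in ("EXPN", "VRFY"):
                if not self.expn_enabled:
                    self.wfile.write(b"502 Command not implemented\r\n")
                elif arg in MOCK_ACCOUNTS:
                    self.wfile.write(f"250 {MOCK_ACCOUNTS[arg]}\r\n".encode("ascii"))
                else:
                    self.wfile.write(f"550 {arg}... User unknown\r\n".encode("ascii"))
            else:
                self.wfile.write(b"250 OK\r\n")


def start_mock(expn_enabled=True):
    """Start the mock on an ephemeral localhost port; returns (port, server)."""
    handler = type("Handler", (MockSendmail,), {"expn_enabled": expn_enabled})
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1], srv


def stop_mock(srv):
    srv.shutdown()
    srv.server_close()


def _smtp_reply(f):
    """Read one SMTP reply, skipping '250-' continuation lines of a multi-line
    reply; returns (code, final line)."""
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), line


def expn_probe(host, port, names, timeout=5.0):
    """Issue EXPN for each name.  250 means a real account or alias (the text
    after the code is what the server expanded it to), 550 means unknown, and
    500/502 means the command is disabled, which is the result an auditor
    wants to see.  Returns {'expn_supported': bool, 'banner': str, 'valid': {}}."""
    result = {"expn_supported": None, "banner": "", "valid": {}}
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        result["banner"] = _smtp_reply(f)[1]
        s.sendall(b"HELO audit.example.org\r\n")   # assumed client name
        _smtp_reply(f)
        for name in names:
            s.sendall(f"EXPN {name}\r\n".encode("ascii"))
            code, line = _smtp_reply(f)
            if code in (500, 502):
                result["expn_supported"] = False
                break
            result["expn_supported"] = True
            if code == 250:
                result["valid"][name] = line[4:]
        s.sendall(b"QUIT\r\n")
    return result


if __name__ == "__main__":
    port, srv = start_mock(expn_enabled=True)
    print(expn_probe("127.0.0.1", port, ["root", "test", "abc123"]))
    stop_mock(srv)
```

On Sendmail 8 the hardened behaviour is produced by setting 'O PrivacyOptions=noexpn,novrfy' (or 'goaway') in sendmail.cf; after changing it, re-run the probe against the live server and confirm that expn_supported comes back False rather than trusting the configuration file alone.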
Domain (TCP and UDP port 53)
----------------------------

DNS service programs such as BIND are known to have security problems that can lead to a remote root compromise of hosts. If you haven't upgraded your BIND release since Spring 1998, it is probably vulnerable to a handful of such attacks; see the relevant CERT advisory for more information on the subject :

http://www.cert.org/ftp/cert-advisories/CA-98.05.bind_problems

Finger (TCP port 79)
--------------------

The fingerd service can be used to produce listings of users on hosts, including information that is useful to system crackers, such as the host or IP address each user last logged in from and user idle times. A lot of fingerd releases can also be used to perform finger request 'bouncing' (a query of the form user@target@relay is forwarded to the target by the relay), which allows crackers to hide their true IP addresses when performing masses of finger requests against networked hosts.

HTTP (TCP port 80)
------------------

Early releases of the Apache HTTP daemon were bundled with insecure CGI programs such as phf, finger and test-cgi. The /cgi-bin/phf program allowed remote users to view files on the webserver as the 'nobody' user. The /cgi-bin/finger program acted as a finger gateway, allowing crackers to finger users on the host in the same manner as they would abuse the fingerd service running on TCP port 79 (described above). The /cgi-bin/test-cgi script could be abused to gain listings of files on the webserver, allowing crackers to determine which packages were installed on webservers running the vulnerable script. The latest version of Apache can be downloaded from www.apache.org, and is relatively secure nowadays. Other HTTP daemons such as NCSA httpd (prior to version 1.5) are vulnerable to attacks which result in a remote root compromise of the webserver; it is advisable to ensure you are running the latest HTTP daemon at all times.
POP3 (TCP port 110)
-------------------

Qualcomm's widely-used POP3 daemon, QPOP (qpopper), was found to be vulnerable to a handful of attacks resulting in a remote root compromise of the host. Versions 2.2 and 2.4 of the daemon are vulnerable to such an attack, and version 2.5 also has some minor security problems. The latest version of Qualcomm's QPOP service daemon can be downloaded from :

ftp://ftp.qualcomm.com/Eudora/servers/unix/popper/qpopper2.53.tar.Z

Many POP3 service daemons fall victim to brute-force login/password attempts. This is because they do not log incorrect login/password combinations, and because many POP3 daemons don't disconnect the user after 3 bad logins, so a single connection can be used to try a long list of passwords. An automated POP3 brute-force program is available from the NSS-FIST cracker tools archive, at :

http://www.ns2.co.uk/cracker-tools.html

Samba/NetBIOS (TCP port 139)
----------------------------

Some versions of Samba are vulnerable to an attack that results in a remote root compromise of the host; the latest versions are patched against this. Samba share passwords can also be brute-forced. Visit the NSS-FIST cracker tools archive for more information :

http://www.ns2.co.uk/cracker-tools.html

IMAP (TCP port 143)
-------------------

Older IMAP releases available from Washington University are vulnerable to a handful of attacks that result in a remote root compromise of the host. For more information about the publicly available exploits, we advise that you visit www.rootshell.com and perform a search for 'IMAP'.
The latest versions of the IMAP service daemon are relatively secure, and can be downloaded from :

ftp://ftp.cac.washington.edu/mail/imap.tar.Z

Shell (TCP port 514)
--------------------

The shell service that runs on port 514 can be abused by crackers to gain access to your host without being logged. After breaching the host once and installing a .rhosts file, the cracker can return at will by using rsh in this fashion :

# rsh -l user victim.here.com csh -i
Warning: no access to tty; thus no job control in this shell...
victim% who
victim%

Note that 'who' shows nobody logged in: rshd runs the command directly rather than through login, so no tty is allocated and no utmp entry is written, which is why this access is invisible to the usual login accounting. Presence of the shell service also allows crackers to move files across networks very quickly and unlogged, by using the 'rcp' program.

TFTP (UDP port 69)
------------------

TFTP is used in a handful of situations where a very simple file transfer needs to take place (to upload files to routers, for example). It has no authentication at all, and shouldn't be used in normal network operation.

Routed (UDP port 520)
---------------------

BSD-derived routed service daemons are vulnerable to a RIP 'tracefile' attack, where critical files can be overwritten and, in some cases, remote root access gained. We suggest that you check you are running a secure release of routed and have any relevant vendor-released security patches installed. 'gated' may be a suitable alternative; it is available free from www.gated.org

------------------------------------------------------------------------------
Appendix (ii) Vulnerability listing for common RPC services
------------------------------------------------------------------------------

Rstatd
------

The rstatd RPC service merely reports system load and paging information, but it can be abused to gauge the effectiveness of denial of service attacks against hosts.

Rusersd
-------

The rusersd RPC service can be queried to gain login information about those logged into hosts.

Mountd
------

The mountd RPC service can be queried to list any NFS exports present on hosts, and identify any misconfigurations present.
Rwalld
------

The rwalld RPC service can be abused by crackers to 'flood' all your local users with text; it isn't advisable to run rwalld if the host is connected to the Internet.

Rexd
----

The rexd RPC service is massively insecure and can be used by crackers to execute commands remotely; rexd's authentication (AUTH_UNIX, in which the client simply asserts its own uid) is very weak.

X.25
----

X.25 RPC services can be abused by crackers who want to 'hop' onto X.25 networks and attack hosts. If a host is acting as an X.25 gateway, crackers will target the host to install a 'sniffer' to catch login names and passwords.

Status
------

The status RPC service (statd) is massively insecure under Solaris 2.4, and a public exploit exists to gain remote root access to hosts running Solaris 2.4 with statd. We strongly recommend that if your hosts are running primarily IRIX or Solaris operating systems, you approach your vendor and install any relevant statd patches.

Bootparam
---------

If misconfigured, the bootparam RPC service can be coaxed into revealing the NIS domain name of the machine (the first thing a cracker needs in order to request NIS maps, including the password map, from the NIS server).

Tooltalk
--------

Security vulnerabilities exist in the ToolTalk database service (rpc.ttdbserver), and a public remote exploit can be found on www.rootshell.com. It is effective against :

- Solaris
- IRIX
- HP-UX

If you are running any of the above platforms, we suggest you approach your vendor immediately and install any relevant rpc.ttdbserver patches, or disable the service entirely.

NIS
---

A security vulnerability exists in the Solaris NIS+ RPC service which, if exploited, can result in a remote root compromise of the host. Sun has released a patch to address this problem, which can be downloaded from the 'public patch access' section at http://sunsolve1.sun.com . A public exploit does not exist for this vulnerability to date.
PCNFSD
------

A security vulnerability exists in the pcnfsd RPC service which, if exploited, can result in a remote root compromise of the host. Because the exploit doesn't rely on any shellcode being passed to the target, it is effective against most hosts running pcnfsd, primarily IRIX hosts. If any of your hosts run the pcnfsd RPC service, we suggest you approach your vendor for a pcnfsd patch (if supported) and install it immediately.

------------------------------------------------------------------------------
Copyright (c) Network Security Solutions Ltd. 1998
All rights reserved, all trademarks acknowledged
http://www.ns2.co.uk

This document may be distributed in the public domain as long as the above copyright notices remain intact.
------------------------------------------------------------------------------