The Top 10 Bugs in Windows 2000
From Jesper Johanssen's W2K Security Vulnerabilities Lecture

MS01-036: Active Directory Password Changing
– LDAP over SSL can be used to change a user's password
– The directory fails to check credentials, so the password can be changed by anyone
– Review AD permissions. The Pre-W2K Compatible Access group gives access to AD from low-level clients.
– Default: Everyone is added to this group.
– The group has READ on every attribute of every object in the AD.
– Attributes can be queried over LDAP.

MS01-036 (continued)
– Only on DCs that are configured to allow LDAP over SSL on TCP port 636
– Solution: remove the EVERYONE group from the Pre-W2K Compatible Access group and reboot all DCs. This may break access from Win9x systems.
– Patch: ReleaseID=31065

MS00-078: Directory Traversal Vulnerability
– One of the SANS Top 20 threats
– Replace the / in the ../ with an overlong UTF-8 representation of / (%c0%af)
– The attacker has full read access to everything in the IIS partition that the IUSR account has read access to. Focusing on %systemdrive% gives access to that drive. Can run any program on the IIS server.
– Test URL: http://your-server-name/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

MS00-086: File Request Parsing Vulnerability
– An attacker can append shell commands to an HTTP request; the commands will be run by the OS
– Important to check permissions on system binaries
– Lots of preconditions before this attack works

MS00-086 (continued)
– Preconditions:
  – A .CMD or .BAT file must be on the server
  – It must exist in an executable sub-dir of IIS
  – File size > 0
– Test: exe would list the C directory exe
– Fixed by SP2

MS01-026: CGI Decoding Error
– IIS receives a web request:
  – It decodes the request to remove escape characters and Unicode
  – A security check is run on the decoded request
  – The request is decoded again
– The result of the 2nd decode may not have passed the 1st security check, yet it is passed on
– Patch: ReleaseID=29787 (IIS 4.0), (IIS 5.0)

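The decode ordering behind the two slides above, MS00-078's overlong %c0%af and MS01-026's decode, check, decode again, modelled in Python next to a hardened canonicaliser. This is an added illustration, not IIS code and not part of the lecture: WEB_ROOT, the lenient decoder and the double-encoded sample URL are constructed for the example; the first sample URL is the test URL from the MS00-078 slide.

```python
"""Models the request-path handling behind MS00-078 (overlong UTF-8 '/') and
MS01-026 (decode, check, decode again) next to a hardened canonicaliser.
Added illustration: WEB_ROOT, lenient_utf8 and the sample URLs are constructed."""
import posixpath
from typing import Optional, Tuple
from urllib.parse import unquote_to_bytes

WEB_ROOT = "/inetpub/wwwroot"  # assumed web root for the illustration


def lenient_utf8(raw: bytes) -> str:
    """Decode UTF-8 the way an over-permissive decoder does: a two-byte sequence
    is accepted even when overlong, so C0 AF comes out as '/'. Every other byte
    passes through one-to-one. Constructed model, not IIS's actual decoder."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def has_dot_dot_segment(path: str) -> bool:
    """The traversal check: is any path segment exactly '..'?"""
    return ".." in path.replace("\\", "/").split("/")


def _map_to_root(text: str) -> str:
    """Map a decoded request path onto the web root and normalise it."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, text.replace("\\", "/").lstrip("/")))


def escaped_root(path: str) -> bool:
    return path != WEB_ROOT and not path.startswith(WEB_ROOT + "/")


def vulnerable_resolve(url_path: str) -> Tuple[bool, str]:
    """Flawed ordering from the slides: percent-decode once, run the check on that
    view, then decode again and UTF-8-decode before the path is used.
    Returns (check_passed, path_actually_used)."""
    once = unquote_to_bytes(url_path)                          # first percent-decode
    passed = not has_dot_dot_segment(once.decode("latin-1"))   # check sees "..%c0%af.." or "..%5c.." as harmless
    twice = unquote_to_bytes(once)                             # second percent-decode (MS01-026)
    text = lenient_utf8(twice)                                 # overlong C0 AF becomes '/' (MS00-078)
    return passed, _map_to_root(text)


def hardened_resolve(url_path: str) -> Optional[str]:
    """Decode fully and strictly first, then check the canonical path against the root.
    Returns the filesystem path, or None when the request is refused."""
    raw = unquote_to_bytes(url_path)
    if unquote_to_bytes(raw) != raw:      # still decodes further: double-encoded, refuse
        return None
    try:
        text = raw.decode("utf-8")        # strict UTF-8 rejects overlong forms such as C0 AF
    except UnicodeDecodeError:
        return None
    if "\x00" in text:                    # embedded NUL would truncate the path in C code
        return None
    resolved = _map_to_root(text)
    if escaped_root(resolved):            # canonical path left the web root
        return None
    return resolved


if __name__ == "__main__":
    # The MS00-078 test URL, a double-encoded variant for MS01-026, and a benign request.
    for url in ("/scripts/..%c0%af../winnt/system32/cmd.exe",
                "/scripts/..%255c../winnt/system32/cmd.exe",
                "/scripts/report.asp"):
        passed, used = vulnerable_resolve(url)
        print(f"{url}\n  flawed:   check passed={passed}, would open {used}, escaped root={escaped_root(used)}"
              f"\n  hardened: {hardened_resolve(url)}")
```

The point the two functions make together: the check in `vulnerable_resolve` runs on a representation that is not the one the file system eventually sees, so both sample URLs pass it and still resolve outside the root. `hardened_resolve` refuses anything that is still decodable after one pass, insists on strict UTF-8, and only then compares the canonical path with the root.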
IIS Buffer Overflows: Internet Printing Protocol ISAPI
– Shipped by default in W2K Server, Advanced Server and Datacenter Server
– IPP allows remote users to submit print requests across the net; you configure a URL as the location of the printer
– Sending a very long header in the HTTP request to the server will run commands on the server. FIX THIS ASAP!
– Fix: remove the .printer extension from the supported ISAPI extensions in IIS; disable IPP by group policy.

IIS Buffer Overflows: FrontPage Server Extensions Sub-Component
– Visual InterDev RAD Remote Deployment Support is an optional component of IIS used by Visual InterDev 6.0.
– Patch: ReleaseID=31038 (NT 4.0), 30727 (W2K)

IIS Buffer Overflows: ISAPI idq.dll
– Mentioned in the SANS Top 20 list; refer to it for more detail.
– Affects all W2K servers running Indexing Service
– This is the bug that Code Red and Nimda exploit to take over your system
– Patches: ReleaseID=30833, 30800

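A log-side check for the three IIS buffer-overflow slides above, as an added example that is not from the lecture or from Microsoft: parse IIS W3C extended log lines and flag any request for the .printer and .ida/.idq mappings the slides say to remove, plus oversized query strings of the kind the idq.dll worms send. The log lines are constructed and the query-length threshold is an assumption.

```python
"""Triage IIS W3C extended log lines for requests aimed at the ISAPI
extensions named in the slides. Added example; the log lines below are
constructed and the query-length threshold is an assumption."""
import posixpath
from typing import Dict, Iterable, List, Tuple

# Mappings the slides say to remove; any request for them is worth a look.
RISKY_EXTENSIONS = {
    ".printer": "Internet Printing Protocol ISAPI",
    ".ida": "Indexing Service idq.dll",
    ".idq": "Indexing Service idq.dll",
}


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse the W3C extended format: '#Fields:' names the columns, other '#'
    lines are directives, and '-' marks an empty value."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # malformed line, or no #Fields directive yet: skip rather than guess
        records.append({k: ("" if v == "-" else v) for k, v in zip(fields, values)})
    return records


def triage(records: Iterable[Dict[str, str]], max_query_len: int = 200) -> List[Tuple[str, str]]:
    """Return (client ip, reason) findings for requests to risky extensions."""
    findings: List[Tuple[str, str]] = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "")
        ext = posixpath.splitext(stem)[1].lower()
        if ext not in RISKY_EXTENSIONS:
            continue
        client = rec.get("c-ip", "?")
        findings.append((client, f"{stem}: request for {RISKY_EXTENSIONS[ext]} mapping"))
        query = rec.get("cs-uri-query", "")
        if len(query) > max_query_len:  # assumed threshold; the idq.dll worms send a very long query
            findings.append((client, f"{stem}: oversized query string ({len(query)} bytes)"))
    return findings


# Constructed sample log using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 10:15:01 192.0.2.10 GET /default.htm - 200",
    "2001-07-19 10:15:02 192.0.2.10 GET /scripts/report.asp id=7 200",
    "2001-07-19 10:15:03 198.51.100.7 GET /default.ida " + "N" * 240 + " 200",
    "2001-07-19 10:15:04 198.51.100.7 GET /NULL.printer - 500",
]

if __name__ == "__main__":
    for client, reason in triage(parse_w3c(SAMPLE_LOG)):
        print(client, reason)
```

Any hit on these extensions after the mappings have been removed points at a host where the fix did not land, which is the useful signal here; the query-length rule only adds context for .ida/.idq hits.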
IIS Cross-site Scripting & Code Submission Vulnerabilities
– Cross-site scripting: the ability to insert a script into a web request
– Used to relay script code from a bad site, through a secured site, to the user's browser, where it is executed
– The script code is appended to a URL on the bad site OR embedded in an HTML-formatted e-mail
– Fix: apply SP2

MS01-007: Executing Code as SYSTEM with NetDDE
– NetDDE (Network Dynamic Data Exchange) is used for interprocess communication
– The NetDDE service runs as SYSTEM
– Client processes can send messages to the server process; a message can include code to run
– Any user can start the NetDDE Mgr service and talk to three trusted shares: chat$, CLPBK$ and hearts$. A program bound to such a share is run by the NetDDE server.
– Patch: ReleaseID=27526

Programs Open DLLs on Startup
– When a user opens a document by double-clicking it in Explorer or via Start > Run, most programs (like Office) will try to find some DLLs.
– If any of these DLLs are found in the directory where the document lives, they are loaded and executed as part of the load process.
– The DLL and the program must NOT already be loaded in memory for this to work.

Programs Open DLLs on Startup: One Exploit
– Some programs store all attachments in a known directory as soon as they are received
– The attacker mails a rogue DLL and then mails a document that uses that DLL
– When the user opens the document, the DLL fires up
– Outlook is exempt from this since it doesn't store the attachment until it's opened

VBScript Worms and Other Outlook Problems
– Outlook includes a powerful macro language, used by the Melissa family of worms
– Apply the Outlook Security Patch!
  – Blocks vbs, exe, com, bat, cmd, pif and mdb attachments
  – Sets Outlook to execute in the Restricted Sites zone

MS00-043: Buffer Overflow in Outlook Express & Outlook
– An attacker can send a malformed header to OE or Outlook; Inetcomm.dll crashes and the attacker gets to execute code
– Immediate MUST FIX!
– Patch: SP1, IE 5.5 SP1, OE 5.01 patch

Outlook Express Converts Subject to Attachments
– OE converts a long subject to a text attachment
– The attacker can choose the icon used by the attachment
– Microsoft hasn't decided if this is a feature or a bug or

Summary
– These are some of the more serious Windows 2000 vulnerabilities
– The fix is simple: install the patches
– The consequence: attackers take control of the system for their purposes
– Liability issue, since the patches are available. Why didn't you install them?