
Roshan Newa, Saransh Chauhan. About Windows XPerience: first consumer-oriented OS built on the Windows NT kernel; first released on 25 October 2001; Improved.




1 Roshan Newa Saransh Chauhan

2 About Windows XPerience
- First consumer-oriented OS built on the Windows NT kernel
- First released on 25 October 2001
- Improved GUI, tight integration of applications such as IE and Windows Media Player, firewall
- Much vaunted as the most secure Windows OS so far
- 40 million SLOC (source lines of code)

3 UPnP
- Protocols that allow devices to connect and communicate seamlessly
- A device can dynamically join a network, obtain an IP address, announce its name, convey its capabilities upon request, and learn about the presence and capabilities of other devices
- Used in XP to detect and integrate with UPnP-aware devices by providing a URL for automatic configuration

4 UPnP Flaw in XP
- Three separate exploits:
  - A remote buffer overflow flaw, which can load remote code into an XP system
  - Denial of Service (DoS)
  - Distributed Denial of Service (DDoS) flaws, which can let intruders use zombie XP systems to flood Internet servers with bogus requests

5 UPnP in XP: Buffer Overflow
- The registers EAX and ECX are overwritten, causing them to contain invalid addresses
- The svchost.exe process then accesses an invalid memory address at a 'mov' instruction
- The SSDP service also listens on multicast and broadcast addresses
- Gaining system access to an entire network of XP machines is possible with only one anonymous UDP SSDP attack session

6 UPnP in XP: DoS and DDoS
- A UPnP device sends out an advertisement
- Attacker:
  - Sends a malicious spoofed UDP packet containing an SSDP advertisement
  - Forces the XP client to connect back to a specified IP address and pass on a specified HTTP/HTTPS request
  - Specifies a CHARGEN (Character Generator) service on a remote machine, causing the XP client to connect and get caught in a tight read/malloc loop
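The CHARGEN loop on this slide is an unbounded-read bug: the client keeps reading and allocating because the peer never closes. As an added example (not from the slides), here is that read loop beside a bounded version, with constructed stand-in sockets so it runs offline; the byte and chunk caps are assumed values.

```python
MAX_RESPONSE_BYTES = 64 * 1024   # assumed cap; a real device description is far smaller
MAX_CHUNKS = 256                 # assumed cap on recv() calls per response


class ChargenLikeSocket:
    """Constructed stand-in for a socket connected to a CHARGEN service:
    recv() always returns data and never signals end of stream."""
    LINE = (b"!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            b"[\\]^_`abcdefg\r\n")

    def __init__(self, fail_after=None):
        self.calls = 0
        self.fail_after = fail_after  # lets a test prove the naive loop never stops

    def recv(self, n):
        self.calls += 1
        if self.fail_after is not None and self.calls > self.fail_after:
            raise RuntimeError("still reading after %d chunks" % self.fail_after)
        return self.LINE[:n]


class FiniteSocket:
    """Constructed stand-in for a well-behaved server: sends a body, then EOF."""
    def __init__(self, body):
        self.body = body

    def recv(self, n):
        chunk, self.body = self.body[:n], self.body[n:]
        return chunk


def read_until_close(sock, chunk=4096):
    """Vulnerable pattern: keep reading and allocating until the peer closes.
    A CHARGEN peer never closes, so this is the tight read/malloc loop."""
    parts = []
    while True:
        data = sock.recv(chunk)
        if not data:
            return b"".join(parts)
        parts.append(data)


def read_bounded(sock, max_bytes=MAX_RESPONSE_BYTES, max_chunks=MAX_CHUNKS, chunk=4096):
    """Hardened pattern: stop after max_bytes or max_chunks, whichever comes first.
    Returns (data, truncated); a truncated response should be discarded, not parsed."""
    parts, total = [], 0
    for _ in range(max_chunks):
        data = sock.recv(min(chunk, max_bytes - total))
        if not data:
            return b"".join(parts), False
        parts.append(data)
        total += len(data)
        if total >= max_bytes:
            return b"".join(parts), True
    return b"".join(parts), True
```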

7 UPnP in XP
- Deliberate intention by Microsoft for UPnP to work that way
- Microsoft describes the flaw as "unprecedented" and "serious," and the company is providing a wide range of fixes
- Microsoft Security Bulletin MS01-054

8 Escalation of Privilege (EOP)
- Permission against verification of identity
- Exploiting a bug or design flaw to gain access to resources
- Result: the application performs actions with more privileges than intended
- "Elevation of privilege," then, is not a class of attack so much as it is the process of any attack

9 EOP in XP
- EOP: vertical and horizontal
- Identity is demonstrated by tokens associated with the user
- How a software program obtains privileges:
  - The installation/startup script tells your system what the software needs in order to run
  - The system tracks the privileges associated with each user and application
  - Applications not needing extensive permissions usually run with the privileges of the current request
  - Installing as administrator gives access to more privileges than needed

10 Attacking via EOP in XP
- Run code on the victim's machine, borrowing the privileges of one of his system-level apps
- Find a process that is running with higher privileges
- Crash it so that you do something that makes it give its privileges to you
- Interrupt the program as it executes and make it run additional code supplied by the attacker
- Install a set of tools, referred to as a rootkit

11 EOP in XP: Examples
- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
- Flaw in Network Connection Manager (Microsoft Security Bulletin MS02-042)
- Vulnerability in Plug and Play (Microsoft Security Bulletin MS05-055)
- Vulnerability in Windows (Microsoft Security Bulletin MS06-075)
- Vulnerability in Windows Kernel (Microsoft Security Bulletin MS06-049)
- Vulnerability in Internet Information Services (Microsoft Security Bulletin MS08-005)

12 XP Recovery Console
- Performs a limited range of tasks using a CLI
- Enables administrators to recover from situations where Windows does not boot to the GUI
- Use, copy, rename, or replace files and folders
- Enable or disable service or device startup
- Repair the boot sector or the Master Boot Record (MBR)
- Create and format partitions on drives

13 Flaw in XP Recovery Console
- A Win2k boot disc can bypass Windows XP passwords
- In Win2k a password is mandatory; under Windows XP, this technique grants the user unrestricted access to the computer
- Requires physical access to a PC for a long enough period of time
- The intruder can then install keystroke-logging software to steal passwords, or backdoor programs to grant themselves unrestricted remote access

14 Flaw in XP Recovery Console
- The problem is unrelated to a registry feature of XP that allows an Administrator to set up automatic logon when the Recovery
- Countermeasures: BIOS-level password
- Encrypted file system
- Put the PCs behind a locked door or put a lock on the PCs themselves

15 Remote Code Execution
- A feature of network-enabled applications
- The ability to trigger any arbitrary command on the target machine or a target process without physical access to the target system
- The worst effect a bug can have, because it allows an attacker to completely take over the vulnerable process
- Commonly exploited by malware to run on a computer without the owner's consent

16 Remote Code Execution in XP
- Typically triggered by buffer overflows and holes in applications
- Help and Support Center feature:
  - Allows remote code execution on vulnerable systems because of the way the Help and Support Center handles HCP URL validation
  - Triggered by visiting a malicious website or viewing a malicious email message
  - Unregister the HCP protocol to block known attack vectors by deleting it from the registry

17 Remote Code Execution in XP
- IGMPv3: a vulnerability exists in the Internet Group Management Protocol version 3 (IGMPv3) for IPv4 and Multicast Listener Discovery (MLD) for IPv6
- A remote, unauthenticated attacker sending specially crafted packets could run arbitrary code in the security context of SYSTEM
- Zipped Folders flaw could allow remote code execution
- Serious AIM flaw allows remote code execution without user interaction

18 …change of guard


20 COMEDY OF ERRORS William Shakespeare

21 COMEDY OF ERRORS (XP-SP2) Bill Gates


23 Windows URI Handling
- The Windows shell insufficiently handles invalid URIs
- An attacker could gain the same user rights as the logged-on user
- What if the user is an administrator? The attacker could take complete control of an affected system

24 Windows URI Handling: Modus Operandi
- Create a specially crafted URI
- Provide the URI as input to an application
- The app attempts to access the resource referred to by the URI
- Processing the specially crafted URI input could allow arbitrary code to be executed


27 Remote Desktop DDoS attacks
- Could let an attacker remotely crash computers
- Affects the Windows Remote Desktop Service
- Users experience errors ranging from inability to use certain services to small error messages
- Nothing much serious, thankfully…


30 Remote Desktop DDoS attacks
- A version of the Win32 API may allow a local user to elevate his privileges
- Might allow a remote attacker to execute arbitrary code on this host
- The attacker needs to find a way to misuse the Win32 API:
  - Lure a user into visiting a specially crafted web page
  - Execute active content on the web page


32 Windows Explorer Vulnerability: Remote code execution risk
- Windows Explorer provides a GUI for accessing the file system
- Windows' handling of COM objects

33 Windows Explorer Vulnerability: Modus Operandi
- Get the user to click on a link to a malicious website
- The user is prompted to perform several actions needed to connect to a certain file server
- The file server causes Windows Explorer to fail and allows code execution
- Can also be activated with a link in an email message


35 and by the way…
- How long do you think you would take to find a bug in your code?
- What if your code exceeds millions of lines?

36 Don’t ask Bill Gates; he took seven years…

37 SMB Remote Code Execution (2001-2008)
- SMB (Server Message Block)
- Windows Server service: connects different network resources over a network
  - File servers
  - Print servers
- Send malicious messages to a Windows machine using the Windows Server service and attempt to take control of the computer

38 SMB Remote Code Execution
- MS blog says: "Public tools, including a Metasploit module, are available to perform this attack."
- Metasploit is an open-source toolkit used by hackers and security professionals to build attack code

39 SMB Remote Code Execution: Modus Operandi
- The victim is sent a malicious e-mail message
- The message, when opened, tries to connect to a server run by the attacker
- Network authentication credentials are stolen from the victim and used to gain access to the victim's machine
- The attack cannot be made across the firewall; only machines in your local LAN can exploit this flaw


41 Worms

42 Blaster - Win32/Msblast
- First reported on August 11, 2003
- Reverse-engineered a Microsoft patch
- Launched a DDoS attack on windowsupdate.com; MS temporarily shut down the site

43 Blaster - Win32/Msblast: Modus Operandi
- Exploits an RPC Distributed Component Object Model (DCOM) vulnerability
- Displays messages that Bill Gates might not like… "billy gates why do you make this possible ? Stop making money and fix your software!!" and "I just want to say LOVE YOU SAN!!"

44 Blaster - Win32/Msblast
- Detects an internet connection and restarts
- Executes a fake batch file to restart the system
- Registry entry, launched every time Windows starts: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update = msblast.exe
- Image source: http://en.wikipedia.org/wiki/Image:Windows_XP_Emergency_Shutdown.png
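An added example, not from the slides: a small audit of a registry export for the Run-key persistence entry named above. The .reg text is constructed; the list of Run keys and the bare-executable heuristic are my assumptions.

```python
import re

# Constructed sample of a registry export (.reg text, already decoded) for the Run
# key: one legitimate entry plus the Blaster persistence value from the slide.
SAMPLE_REG_EXPORT = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"windows auto update"="msblast.exe"
'''

RUN_KEYS = {r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_current_user\software\microsoft\windows\currentversion\run"}
KNOWN_BAD = {("windows auto update", "msblast.exe")}  # Blaster entry, from the slide
KEY_RE = re.compile(r'^\[(.+)\]$')
STR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Parse the .reg subset used for string values ([key] headers and "name"="value"
    lines; hex/dword values are ignored). Returns {key: {name: value}}."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = STR_RE.match(line)
        if m and current is not None:
            name, value = (re.sub(r'\\(.)', r'\1', g) for g in m.groups())  # .reg escapes \ and "
            result[current][name] = value
    return result


def suspicious_run_entries(text):
    """Flag Run-key values matching a known-bad (name, exe) pair, or launching a bare
    executable name with no directory, as msblast.exe did. Returns [(name, value, reasons)]."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, value in values.items():
            exe = value.strip().strip('"').split()[0] if value.strip() else ""
            reasons = []
            if (name.lower(), exe.lower()) in KNOWN_BAD:
                reasons.append("known Blaster persistence entry")
            if exe and "\\" not in exe and ":" not in exe:
                reasons.append("bare executable name, no path")
            if reasons:
                findings.append((name, value, reasons))
    return findings
```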


46 Win32/Sasser
- Started spreading on April 30, 2004
- Exploits a buffer overflow in LSASS (Local Security Authority Subsystem Service)
- Scans IP addresses and connects to victims' computers primarily through TCP ports 445 and 139

47 Win32/Sasser
- Adds a file C:\WIN.LOG or C:\WIN2.LOG on the PC's hard disk
- A shutdown timer appears because the worm crashes LSASS.exe
- Can be blocked by a firewall
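Since the slides say Sasser scans for ports 445 and 139 and can be stopped by a firewall, here is an added example (not from the slides) that detects that fan-out pattern in firewall logs: a source touching many distinct hosts on those ports in a short window. The log format, window and threshold are assumptions and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall connection-log lines (not real telemetry): one host sweeps the
# subnet on 445/139 like a Sasser-infected machine, another talks to one file server.
SAMPLE_LOG = """\
2004-05-01T10:00:01 10.0.0.5 -> 10.0.0.7:445 ALLOW
2004-05-01T10:00:01 10.0.0.5 -> 10.0.0.8:445 DROP
2004-05-01T10:00:02 10.0.0.5 -> 10.0.0.9:445 DROP
2004-05-01T10:00:02 10.0.0.5 -> 10.0.0.10:139 DROP
2004-05-01T10:00:03 10.0.0.5 -> 10.0.0.11:445 DROP
2004-05-01T10:00:03 10.0.0.5 -> 10.0.0.12:445 DROP
2004-05-01T10:00:09 10.0.0.20 -> 10.0.0.7:445 ALLOW
2004-05-01T10:00:10 10.0.0.20 -> 10.0.0.7:445 ALLOW
2004-05-01T10:01:30 10.0.0.5 -> 10.0.0.13:445 DROP
"""

SCAN_PORTS = {445, 139}          # the ports the slide says Sasser uses
WINDOW = timedelta(seconds=30)   # assumed tuning values
THRESHOLD = 5                    # distinct destination hosts within WINDOW


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst_ip, dst_port, action)."""
    ts, src, _, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), action


def sasser_like_scanners(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {src: (window_start, distinct_targets)} for sources that touch at least
    `threshold` distinct hosts on 445/139 inside any sliding `window`. DROP lines count
    too: a worm sweeping a /24 mostly hits addresses with nothing listening."""
    events = defaultdict(list)   # src -> [(ts, dst_ip)]
    for line in log_text.splitlines():
        ts, src, dst_ip, port, _ = parse_line(line)
        if port in SCAN_PORTS:
            events[src].append((ts, dst_ip))
    alerts = {}
    for src, items in events.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            targets = {dst for _, dst in items[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = (items[start][0], len(targets))
                break
    return alerts
```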

48 Sasserization: Effects of the Sasser Worm
- News agency Agence France-Presse (AFP) had all its satellite communications blocked for hours
- Delta Air Lines had to cancel several transatlantic flights
- The British Coastguard had its electronic mapping service disabled for a few hours

49 …and finally…


