CompFoo pt. 6: Attacks and Defenses 3 - PowerPoint PPT Presentation

Provided by: x10sec
1
Comp-Foo pt. 6: Attacks and Defenses 3
  • Misconfiguration
  • No authentication
  • Misconfigured robots.txt
  • Default password
  • Suid shell scripts
  • FTP root inside webroot
  • Unnecessary privileges
  • Plaintext password storage
  • Information leakage
  • Private documents publicly accessible
  • Source disclosure
  • Info enumeration
  • Banner grabbing
  • Revealing error messages

2
Misconfiguration
  • Oh my! This door is unlocked!
  • Oh my! The alarm is off!
  • Oh my! A new TV!
  • /gank

3
No Authentication
  • Tools: Don't be silly
  • Difficulty of exploitation: Go find a 4-year-old if it's too hard for you
This is just what it sounds like. Some controls or information are not
protected by a password or other method of authentication. This is
usually due to an assumption that no one will ever guess the name of a
directory or something of that ilk.

4
No Authentication: Defense
  • This hardly needs saying, but...
  • Use authentication to protect anything you don't
    want just anybody touching.

5
Misconfigured robots.txt
  • The file robots.txt is a file located in the
    root directory of a web site which specifies what
    web spidering utilities are or are not allowed to
    index.
  • What most people don't understand is that web
    spidering utilities cannot index something if it
    has never been linked to.
  • As such, private directories should not go into
    robots.txt. If they have been linked to, use meta
    tags to prevent indexing instead.

6
SUID shell scripts
  • On many operating systems, it is impossible, I
    repeat, impossible, to write a secure SUID shell
    script.
  • So don't use them!
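An added defensive audit for the point above (not from the original deck): walk a directory tree and report any regular file that carries the setuid or setgid bit and starts with a `#!` interpreter line, i.e. an SUID/SGID script that should not exist. The `demo()` fixture builds a constructed temporary directory with one setuid script and one plain script.

```python
import os
import stat
import tempfile


def is_suid_script(path: str) -> bool:
    """True when `path` is a regular file with setuid/setgid set whose
    first two bytes are '#!', i.e. an interpreter script, not a binary."""
    try:
        st = os.lstat(path)          # lstat: never follow symlinks
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        return False
    with open(path, "rb") as f:
        return f.read(2) == b"#!"


def find_suid_scripts(root: str) -> list:
    """Recursively collect every setuid/setgid script under `root`."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_suid_script(full):
                hits.append(full)
    return sorted(hits)


def demo() -> list:
    """Constructed fixture: one setuid shell script, one ordinary script.
    Returns the base names the audit flags."""
    d = tempfile.mkdtemp()
    bad = os.path.join(d, "backup.sh")     # hypothetical file names
    good = os.path.join(d, "report.sh")
    for p in (bad, good):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho hello\n")
    os.chmod(bad, 0o4755)    # rwsr-xr-x: setuid bit set
    os.chmod(good, 0o755)    # rwxr-xr-x: normal
    return [os.path.basename(p) for p in find_suid_scripts(d)]


if __name__ == "__main__":
    print(demo())
```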

7
Default Password
  • Tools: http://www.defaultpassword.com
  • Difficulty of exploitation: How much more easy could it be? The answer
    is none. None more easy.
Often times, a system or piece of hardware will come with a default
password. Sometimes, this password cannot even be changed. This is a
problem.

8
Default Password: Defense
  • If the manufacturer of your device neglected to
    make a password change possible, it's likely that
    the security level of the system is somewhere
    between none and pitiful.
  • Give it away, give it away, give it away now.

9
FTP root inside webroot
  • With this configuration, anyone with FTP
    privileges can run code under the privileges of
    the web server.
  • That's a REAL problem when the web server is
    running as root.
  • Which brings us to our next point...

10
Unnecessary privileges
  • Users should not be able to modify the contents
    of your website (unless it's a wiki).
  • Website admins should not be able to modify the
    server configuration.
  • Server admins should not be able to modify other
    people's servers.
  • Why?

11
Plaintext password storage
  • Passwords should always be stored in an
    encrypted, preferably hashed format.
  • Remember, multiple layers of security.

12
  • Simply because they don't need to!

13
Think misconfiguration isn't a big deal?
  • The website for the Recording Industry
    Association of America (RIAA.org) was hacked on
    August 28, 2002. Their non-authenticated admin
    directory was listed in their robots.txt file.
  • Apache.org's anonymous FTP root was the same as
    their webroot. Their installation of MySQL was
    running as root, and was reachable locally, to
    allow bugzilla (whose user/pass to access the
    database with full rights were stored in
    plaintext) to work. Using SELECT INTO queries,
    attackers could then write files as root on the
    system.

14
Information Leakage
  • ERROR: Login failed.
  • Password entered does not match string 'doggy'.
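An added example, not from the original deck, tying slide 11 (plaintext password storage) to slide 14 (information leakage): passwords are stored only as salted PBKDF2 hashes, and the login routine returns the same generic message for an unknown user and a wrong password, so the response never echoes the expected secret. The user store, usernames and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store: username -> (salt, hash).
# Only the salted hash is kept; the plaintext is never written anywhere.
_USERS = {}
_ITERATIONS = 200_000          # assumption: tune to your hardware
_DUMMY_SALT = b"\x00" * 16     # used to equalise work for unknown users


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the iteration count slows brute force."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[username] = (salt, _hash(password, salt))


def login(username: str, password: str) -> tuple:
    """Return (ok, message). The failure message is identical whether the
    user does not exist or the password is wrong, and never contains the
    stored secret (contrast the 'does not match string doggy' slide)."""
    generic = "ERROR: Login failed."
    record = _USERS.get(username)
    if record is None:
        _hash(password, _DUMMY_SALT)   # same cost, so timing is uniform
        return False, generic
    salt, stored = record
    if hmac.compare_digest(_hash(password, salt), stored):  # constant time
        return True, "OK"
    return False, generic


def stored_hash(username: str) -> bytes:
    """Expose the stored hash so a reader can confirm no plaintext is kept."""
    return _USERS[username][1]


if __name__ == "__main__":
    register("alice", "doggy")
    print(login("alice", "doggy"), login("alice", "kitty"), login("bob", "doggy"))
```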

15
Private documents, publicly accessible
  • If your password file is accessible to everyone,
    (especially if it contains plaintext passwords,)
    it is a huge issue. Even when hashed, passwords
    can still be retrieved.
  • In earlier Unix systems, /etc/passwd actually
    contained hashed passwords. Currently, the hashes
    are stored in /etc/shadow, which by default is
    only accessible by root.

16
Private documents, publicly accessible
Other documents can have serious implications if
found as well, and may represent a breach in
security in itself. Take for example a case
where a boy stole hundreds of credit card
numbers from an e-commerce site. How did he do
it?

17
Shoe goes on hand.
  • He viewed the source of the page.
  • The case made against him was shattered when it
    came out that each and every person who visited
    that site got a full copy of the customer
    database.

18
Source disclosure
  • Difficulty of exploitation: Easy to Moderate
Source disclosure vulnerabilities involve being able to view the
underlying code for some system. While this is not often a
vulnerability in itself, it makes an attacker's job a lot easier.

19
Source Disclosure: Defense
  • Often times, the culprit in a source disclosure
    vulnerability is a script or program designed to
    display specific information specified by the
    user.
  • Just make sure you're very careful about
    defining what is accessible and what isn't.
  • Preferably, however, you should avoid using
    user input directly.

20
Info enumeration
  • Info enumeration is allowing, by some publicly
    performable process, a way to identify something
    secret about a system.
  • An example is being able to find valid usernames
    on a Unix system running Apache by trying various
    usernames on the web server like so:
  • http://host/~root

21
Banner Grabbing
  • Tools: Telnet, Netcat
  • Difficulty of exploitation: Easy Peasy
Banner grabbing is getting information about a system that it is
freely giving out, usually the names of services being run and their
versions.

22
Banner Grabbing: Defense
  • A simple (and amusing) defense for this is to
    simply make your applications give incorrect
    answers!
  • Nota bene: This will not stop a determined
    attacker, who may attempt to use OS
    fingerprinting techniques.

23
Revealing error messages
  • When you show that an SQL query has failed, you
    don't need to display the entire query in the
    error message. The messages can be as hideously
    verbose as you like, but only for the admins.
  • The more information an attacker has, the easier
    their job is.
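An added example (not from the original deck) of the split the slide asks for: the full exception and the offending SQL go to the server log, an ordinary user sees only a generic message, and the verbose text is returned only when the caller is an admin. The `sqlite3` in-memory database, table and failing query are constructed for the example.

```python
import logging
import sqlite3

log = logging.getLogger("app.db")

GENERIC_MSG = "A database error occurred. The incident has been logged."


def run_query(conn, sql, params=(), admin=False):
    """Execute `sql`; return (rows, error_message). On failure the full
    detail is logged server-side; only admins get it back in the message."""
    try:
        return conn.execute(sql, params).fetchall(), None
    except sqlite3.Error as exc:
        detail = "%s: %s while running %r with %r" % (
            type(exc).__name__, exc, sql, params)
        log.error(detail)                 # complete detail for the admins' log
        if admin:
            return [], detail             # verbose, but only for admins
        return [], GENERIC_MSG            # no query text reaches the user


def demo():
    """Constructed scenario: a good query, and one against a missing table
    as seen by a normal user and by an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'staff')")
    broken = "SELECT * FROM accounts WHERE name = ?"   # 'accounts' does not exist
    _, user_msg = run_query(conn, broken, ("alice",))
    _, admin_msg = run_query(conn, broken, ("alice",), admin=True)
    rows, err = run_query(conn, "SELECT role FROM users WHERE name = ?", ("alice",))
    return user_msg, admin_msg, rows, err


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(demo())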
Write a Comment
User Comments (0)
About PowerShow.com