logging in or signing up CSI NetSec2004 WoodRock Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINTLite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 67 Category: Entertainment License: All Rights Reserved Like it (1) Dislike it (0) Added: October 29, 2007 This Presentation is Public Favorites: 0 Presentation Description No description available. Comments Posting comment... Premium member Presentation Transcript On the Quality of Exploit Code Iván Arce: On the Quality of Exploit Code Iván Arce Core Security Technologies 46 Farnsworth St Boston, MA 02210 Ph: (617) 399-6980 www.coresecurity.com CSI NetSec 2004 | June 14-16 2004 | San Francisco, CASlide2: Prologue: Context and definitions Why exploit code? Quality metrics Examples Epilogue: Future work OUTLINESlide3: PROLOGUELets start by defining a common language: Lets start by defining a common language Vulnerability(noun) “A flaw in a system that, if leveraged by an attacker, can potentially impact the security of said system” Also: security bug, security flaw, security hole Exploit (verb) “To use or manipulate to one’s advantage” (Webster) “A security hole or an instance of taking advantage of a security hole” VULNERABILITIES & EXPLOITSExploit code is not just “proof of concept”: Exploit code is not just “proof of concept” Proof of Concept exploit - PoC (noun) A software program or tool that exploits a vulnerability with the sole purpose of proving its existence. Exploit code (noun) A software program or tool developed to exploit a vulnerability in order to accomplish a specific goal. Possible goals: denial of service, arbitrary execution of code, etc. EXPLOIT CODESlide6: WHY TALK ABOUT EXPLOIT CODE? An emerging role in the infosec practiceThe classic attack uses exploit code...: ATTACKER The classic attack uses exploit code... ANATOMY OF A REAL WORLD ATTACKExploit code becomes more sofisticated: Exploit code becomes more sofisticated Add a simple “listen shell” echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &" Add an account to the compromised system: echo "sys3:x:0:103::/:/bin/sh" >> /etc/passwd; echo "sys3:1WXmkX74Ws8fX/MFI3.j5HKahNqIQ0:12311:0:99999:7:::" >> /etc/shadow Execute a “bind-shell” Execute a “reverse shell” Deploy and execute a multi-purpose agent Command shell, FTP, TFTP, IRC, “zombies”, snifers, rootkits... Deploy and execute agent that re-uses existing connection. Deploy and execute agent that has low-level interaction with the OS Syscall Proxing Loader payloads,etc. EXPLOIT CODE FUNCTIONALITYExploit code becomes a “valueable asset”: Exploit code becomes a “valueable asset” Detailed information about vulnerabilities has value Exploit code is being bought and sold Included in commercial software offerings Exploit code development training Several books on exploiting software and exploit code development “Exploiting Software”, Hoglund & McGraw “The Shellcoder´s Handbook”, Koziol et. al. “Hacking: The Art of Exploitation”, Jon Erickson A RECENT TREND IN THE INDUSTRYSome legitimate uses for exploit code : Some legitimate uses for exploit code Penetration Testing Test and fine-tune firewall configurations Test and fine-tune IDS configurations Test incident response capabilities Vulnerability Management WHAT CAN I DO WITH MY EXPLOITS?The penetration testing process: The penetration testing process Penetration Testing EXPLOIT CODE & PENETRATION TESTINGUsing exploits to test and configure firewalls: Using exploits to test and configure firewalls Firewall configuration and testing EXPLOIT CODE & FIREWALLSUsing exploits to test and configure Intrusion Detection Systems: Using exploits to test and configure Intrusion Detection Systems IDS configuration and testing EXPLOIT CODE & INTRUSION DETECTION SYSTEMS Vulnerability management: Scan & Patch strategy: Vulnerability management: Scan & Patch strategy THE VULNERABILITY MANAGEMENT PROCESS Vulnerability ManagementUse exploit code to minimize errors and prioritize better: Use exploit code to minimize errors and prioritize better IMPROVED VULNERABILITY MANAGEMENT PROCESS Vulnerability Management + Exploit CodeUse exploit code to verify correct mitigation: Use exploit code to verify correct mitigation AN ADDITIONAL IMPROVEMENT Vulnerability Management + Exploit Code + Verification Using ExploitsCombine vulnerability management and penetration testing: Combine vulnerability management and penetration testing VULNERABILITY MANAGEMENT & PENETRATION TESTING COMBO Vulnerability Management + Rapid Penetration Testing Using ExploitsSlide18: QUALITY METRICSThe legitimate uses of exploit code calls for quality metrics: The legitimate uses of exploit code calls for quality metrics There are several legitimate uses for exploit code Practitioners need to understand the quality of the tools they use Taxonomies and metrics are a reasonable way to provide a “more scientific” approach to measure exploit code quality Once a taxonomy and a set of metrics is chosen it can be used for comparative analysis and to measure R&D advances in the field Any given taxonomy and set of metrics is arbitrary and must be created and used in light of its application in the real world QUALITY METRICS FOR EXPLOIT CODEA few more definitions are needed...: A few more definitions are needed... Remote exploit A program or tool that does not require legitimate access to the vulnerable system in order to exploit the security flaw Exploit payload The portions of the exploit code that implements the desired functionality after successful exploitation of a vulnerable system Example payloads: “add inetd service” “add account” “bind shell” “reverse shell” EXPLOIT CODE INTERNALSA few more definitions are needed...: A few more definitions are needed... Exploit attack vector The means used by the exploit code to trigger the vulnerability on the target system MS04-011 “Microsoft SSL PCT vulnerability” (CAN-2003-0719) http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0719 http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx http://www.securityfocus.com/archive/1/361836 One vulnerability with seven attack vectors: MS IIS/Exchange ports https:443, smtp:25, imap:993, pop3:995, nntp:563 MS Active directory ports ldaps:636, globalcatLDAPssl: 3269 EXPLOIT CODE INTERNALSA few more definitions are needed...: A few more definitions are needed... Exploit technique The method used by the exploit code to alter the execution flow of a vulnerable system and force it to execute the exploit’s payload. Some exploit techniques Overwriting the stack memory Read/write operations Write/execute operations Write operations Overwriting the heap memory Read/write operations Write/exec operations Mirrored write operations Overwriting process flow control structures Pointer overwrite (GOT, PLT, class pointers, destructors, atexit() ) Program data overwrite (authorization keys, flags, credentials, FDs) EXPLOIT CODE INTERNALSThese metrics can be used to assess the quality of exploit code: These metrics can be used to assess the quality of exploit code Attack vectors One More than one All Exploit logic Brute-forcing vs. hard-coded addresses OS fingerprinting vs. OS selection by the user Connection usage Total running time Debugging capabilities, documentation, fixes Exploit technique and reliability Some techniques are inherently more reliable than other Lab testing under ideal conditions 80% - 100% 50% - 79% 20% - 49% Less than 20% GENERIC QUALITY METRICSMetrics related to network topology characteristics : Metrics related to network topology characteristics Network topology constrains Link layer constrains (dialup, PPP, wireless, etc) LAN vs. WAN Attacker behind NAT device Target behind NAT device Target behind FW blocking incoming connections Target behind FW blocking in/out connections Target behind Proxy/Application gateway FW IP Fragmentation Network footprint Latency Constrained bandwidth GENERIC QUALITY METRICSMetrics related to the runtime enviroment of the vulnerable system/application : Metrics related to the runtime enviroment of the vulnerable system/application Runtime environment System load Multi-threading Fork & Exec Multiplexing/Asynchronous service Filesystem access Memory and file descriptors Environment variables and command line arguments Compile options, debugging, optimizations, logging Service startup (manual, boot time, inetd, etc.) GENERIC QUALITY METRICSMetrics related to security hardened systems and services : Metrics related to security hardened systems and services Security hardening measures Vulnerable service runs as unprivileged process Privilege separation/downgrade Sand-boxing (chroot, jail, systrace, capabilities) Non executable stack Non executable heap StackGuard, StackShield, ProPolice, Microsoft VS /GS flag PaX, GrSecurity, W ^ X Portability and OS dependence Exploit uses external libraries or programs? Exploit run on specific OS? Exploits requires local privileges? GENERIC QUALITY METRICSMetrics related to system stability : Metrics related to system stability System stability After successful exploitation Unstable service Interrupted service System reboot or halt After unsuccessful exploitation Unstable service Interrupted service System reboot or halt System pollution and clean-up Modifies configuration Modifies file system Leaves audit trace GENERIC QUALITY METRICSOS coverage for exploits that target MS Windows: OS coverage for exploits that target MS Windows Architecture x86 - Intel IA32 (32bit) x86 - Intel IA64 (64bit) Operating System WinNT, Win2k, WinXP, Win2003 Operating System editions WinNT 4.0: Workstation, Server, Enterprise, Terminal Server Win2k: Professional, Server, Advanced Server WinXP: Home, Professional Win2003: Standard, Enterprise, Web Service Packs WinNT 4.0: SP0-SP6,SP6a Win2k: SP0-SP4 WinXP: SP0-SP1 (SP2 Q3/2004) Win2003: SP0 Languages English, Spanish, French , Portuguese, German, Chinese WINDOWS EXPLOITS: OS COVERAGE OS coverage for exploits that target Linux: OS coverage for exploits that target Linux Architecture x86 - Intel IA32 (32bit), x86 - Intel IA64 (64bit), ARM, SPARC Linux Distribution RedHat, Suse, Debian, Mandrake (Conectiva, Fedora, TurboLinux, Inmunix, OpenWall, Gentoo, …) Linux distribution versions RedHat: 6.2, 7, 7.11, 7.2, 7.3, 8, 9 Suse: 7, 7.1, 7.2, 7.3, 8., 8.1, 9, 9.1 Debian: 2.0, 2.1, 2.2, 3 Mandrake: 7.1, 7.2, 8, 8.1, 8.2, 9, 10 Kernel versions Linux kernel 2.2.0 - 2.2.26 Linux kernel 2.4.0 – 2.4.26 Linux kernel 2.6.0 - 2.6.6 User Space and Applications Glibc and Gcc versions, default application versions, default compile options LINUX EXPLOITS: OS COVERAGE OS coverage for exploits that target Solaris: OS coverage for exploits that target Solaris Architecture Intel x86, sun4m, sun4u Solaris versions 2.5.1, 2.6, 7, 8, 9 Patch clusters and individual patches Software Packages and compiled applications Security settings no_exec_user_stack = 1 SOLARIS EXPLOITS: OS COVERAGE Slide31: EXAMPLESThe MS RPC DCOM vulnerability exploited by the Blaster worm: The MS RPC DCOM vulnerability exploited by the Blaster worm Vulnerability: CAN-2003-0528 Microsoft Security Bulletin MS03-026 http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx Vulnerable Systems winNT 4, winNT4 Terminal Services, win2k, winXP,win 2003 Attack vectors Ports 135/tcp, 135/udp, 139/tcp, 445/tcp, 593/tcp, 80/tcp, >1024/tcp Plus 135/udp broadcast Publicly available exploit code winrpcdcom.c (FlashSky, xfocus.org) dcom.c ( HD Moore, modified from xfocus.org) msrpc_dcom_ms03_026.pm (HD Moore, included in metasploit 2.0) Rpcexec.c (ins1der, trixterjack at yahoo.com) dcom48.c (OC192 www.k-otik.com) MS RPC DCOM VULNERABILITY The MS LSASS.EXE vulnerability exploited by the Sasser worm: The MS LSASS.EXE vulnerability exploited by the Sasser worm Vulnerability: CAN-2003-0533 Microsoft Security Bulletin MS04-011 http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx http://www.eeye.com/html/Research/Advisories/AD20040413C.html Vulnerable Systems win2k, winXP,win 2003 Attack vectors Ports 139/tcp, 445/tcp Publicly available exploit code HOD-ms04011-lsasrv-expl.c (houseofdabus) ms04011lsass.c ( www.k-otik.com) MS LSASS VULNERABILITY The OpenSSL vulnerability exploited by the Slapper worm: The OpenSSL vulnerability exploited by the Slapper worm Vulnerability: CAN-2002-0656 http://www.kb.cert.org/vuls/id/102795 http://www.securityfocus.com/bid/5363/info/ Vulnerable Systems OpenSSL version < 0.9.7-beta2 All systems running Apache based web servers on Linux, *BSD unix, Windows, Solaris, HP-UX, …. Attack vectors Port 443/tcp Publicly available exploit code OpenF*ck.c (spax@zone-h.org) OpenF*ckV2.c (“OF version r00t VERY PRIV8 spabam”) Openssl-too-open (Solar Eclipse) OPENSSL VULNERABILITY Slide35: EPILOGUEConclusion and future work: Conclusion and future work Conclusion There are several legitimate uses for exploit code We need to understand the tools we use We propose a set of metrics to measure quality of exploit code Future work Refine the proposed metrics Test against publicly available exploits Comparative analysis Extend into a model with more quantifiable parameters and possibly a suitable “QoE”metric EPILOGUESlide37: THANK YOU!Iván Arce ivan.arce@coresecurity.com: CONTACT INFORMATION Headquarters · Boston, MA 46 Farnsworth St Boston, MA 02210 | USA Ph: (617) 399-6980 | Fax: (617) 399-6987 info@coresecurity.com Research and Development Center Argentina (Latin America) Florida 141 | 2º cuerpo | 7º piso (C1005AAC) Buenos Aires | Argentina Tel/Fax: (54 11) 5032-CORE (2673) info.argentina@coresecurity.com www.coresecurity.com Iván Arce ivan.arce@coresecurity.com You do not have the permission to view this presentation. In order to view it, please contact the author of the presentation.
CSI NetSec2004 WoodRock Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINTLite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 67 Category: Entertainment License: All Rights Reserved Like it (1) Dislike it (0) Added: October 29, 2007 This Presentation is Public Favorites: 0 Presentation Description No description available. Comments Posting comment... Premium member Presentation Transcript On the Quality of Exploit Code Iván Arce: On the Quality of Exploit Code Iván Arce Core Security Technologies 46 Farnsworth St Boston, MA 02210 Ph: (617) 399-6980 www.coresecurity.com CSI NetSec 2004 | June 14-16 2004 | San Francisco, CASlide2: Prologue: Context and definitions Why exploit code? Quality metrics Examples Epilogue: Future work OUTLINESlide3: PROLOGUELets start by defining a common language: Lets start by defining a common language Vulnerability(noun) “A flaw in a system that, if leveraged by an attacker, can potentially impact the security of said system” Also: security bug, security flaw, security hole Exploit (verb) “To use or manipulate to one’s advantage” (Webster) “A security hole or an instance of taking advantage of a security hole” VULNERABILITIES & EXPLOITSExploit code is not just “proof of concept”: Exploit code is not just “proof of concept” Proof of Concept exploit - PoC (noun) A software program or tool that exploits a vulnerability with the sole purpose of proving its existence. Exploit code (noun) A software program or tool developed to exploit a vulnerability in order to accomplish a specific goal. Possible goals: denial of service, arbitrary execution of code, etc. EXPLOIT CODESlide6: WHY TALK ABOUT EXPLOIT CODE? An emerging role in the infosec practiceThe classic attack uses exploit code...: ATTACKER The classic attack uses exploit code... ANATOMY OF A REAL WORLD ATTACKExploit code becomes more sofisticated: Exploit code becomes more sofisticated Add a simple “listen shell” echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &" Add an account to the compromised system: echo "sys3:x:0:103::/:/bin/sh" >> /etc/passwd; echo "sys3:1WXmkX74Ws8fX/MFI3.j5HKahNqIQ0:12311:0:99999:7:::" >> /etc/shadow Execute a “bind-shell” Execute a “reverse shell” Deploy and execute a multi-purpose agent Command shell, FTP, TFTP, IRC, “zombies”, snifers, rootkits... Deploy and execute agent that re-uses existing connection. Deploy and execute agent that has low-level interaction with the OS Syscall Proxing Loader payloads,etc. EXPLOIT CODE FUNCTIONALITYExploit code becomes a “valueable asset”: Exploit code becomes a “valueable asset” Detailed information about vulnerabilities has value Exploit code is being bought and sold Included in commercial software offerings Exploit code development training Several books on exploiting software and exploit code development “Exploiting Software”, Hoglund & McGraw “The Shellcoder´s Handbook”, Koziol et. al. “Hacking: The Art of Exploitation”, Jon Erickson A RECENT TREND IN THE INDUSTRYSome legitimate uses for exploit code : Some legitimate uses for exploit code Penetration Testing Test and fine-tune firewall configurations Test and fine-tune IDS configurations Test incident response capabilities Vulnerability Management WHAT CAN I DO WITH MY EXPLOITS?The penetration testing process: The penetration testing process Penetration Testing EXPLOIT CODE & PENETRATION TESTINGUsing exploits to test and configure firewalls: Using exploits to test and configure firewalls Firewall configuration and testing EXPLOIT CODE & FIREWALLSUsing exploits to test and configure Intrusion Detection Systems: Using exploits to test and configure Intrusion Detection Systems IDS configuration and testing EXPLOIT CODE & INTRUSION DETECTION SYSTEMS Vulnerability management: Scan & Patch strategy: Vulnerability management: Scan & Patch strategy THE VULNERABILITY MANAGEMENT PROCESS Vulnerability ManagementUse exploit code to minimize errors and prioritize better: Use exploit code to minimize errors and prioritize better IMPROVED VULNERABILITY MANAGEMENT PROCESS Vulnerability Management + Exploit CodeUse exploit code to verify correct mitigation: Use exploit code to verify correct mitigation AN ADDITIONAL IMPROVEMENT Vulnerability Management + Exploit Code + Verification Using ExploitsCombine vulnerability management and penetration testing: Combine vulnerability management and penetration testing VULNERABILITY MANAGEMENT & PENETRATION TESTING COMBO Vulnerability Management + Rapid Penetration Testing Using ExploitsSlide18: QUALITY METRICSThe legitimate uses of exploit code calls for quality metrics: The legitimate uses of exploit code calls for quality metrics There are several legitimate uses for exploit code Practitioners need to understand the quality of the tools they use Taxonomies and metrics are a reasonable way to provide a “more scientific” approach to measure exploit code quality Once a taxonomy and a set of metrics is chosen it can be used for comparative analysis and to measure R&D advances in the field Any given taxonomy and set of metrics is arbitrary and must be created and used in light of its application in the real world QUALITY METRICS FOR EXPLOIT CODEA few more definitions are needed...: A few more definitions are needed... Remote exploit A program or tool that does not require legitimate access to the vulnerable system in order to exploit the security flaw Exploit payload The portions of the exploit code that implements the desired functionality after successful exploitation of a vulnerable system Example payloads: “add inetd service” “add account” “bind shell” “reverse shell” EXPLOIT CODE INTERNALSA few more definitions are needed...: A few more definitions are needed... Exploit attack vector The means used by the exploit code to trigger the vulnerability on the target system MS04-011 “Microsoft SSL PCT vulnerability” (CAN-2003-0719) http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0719 http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx http://www.securityfocus.com/archive/1/361836 One vulnerability with seven attack vectors: MS IIS/Exchange ports https:443, smtp:25, imap:993, pop3:995, nntp:563 MS Active directory ports ldaps:636, globalcatLDAPssl: 3269 EXPLOIT CODE INTERNALSA few more definitions are needed...: A few more definitions are needed... Exploit technique The method used by the exploit code to alter the execution flow of a vulnerable system and force it to execute the exploit’s payload. Some exploit techniques Overwriting the stack memory Read/write operations Write/execute operations Write operations Overwriting the heap memory Read/write operations Write/exec operations Mirrored write operations Overwriting process flow control structures Pointer overwrite (GOT, PLT, class pointers, destructors, atexit() ) Program data overwrite (authorization keys, flags, credentials, FDs) EXPLOIT CODE INTERNALSThese metrics can be used to assess the quality of exploit code: These metrics can be used to assess the quality of exploit code Attack vectors One More than one All Exploit logic Brute-forcing vs. hard-coded addresses OS fingerprinting vs. OS selection by the user Connection usage Total running time Debugging capabilities, documentation, fixes Exploit technique and reliability Some techniques are inherently more reliable than other Lab testing under ideal conditions 80% - 100% 50% - 79% 20% - 49% Less than 20% GENERIC QUALITY METRICSMetrics related to network topology characteristics : Metrics related to network topology characteristics Network topology constrains Link layer constrains (dialup, PPP, wireless, etc) LAN vs. WAN Attacker behind NAT device Target behind NAT device Target behind FW blocking incoming connections Target behind FW blocking in/out connections Target behind Proxy/Application gateway FW IP Fragmentation Network footprint Latency Constrained bandwidth GENERIC QUALITY METRICSMetrics related to the runtime enviroment of the vulnerable system/application : Metrics related to the runtime enviroment of the vulnerable system/application Runtime environment System load Multi-threading Fork & Exec Multiplexing/Asynchronous service Filesystem access Memory and file descriptors Environment variables and command line arguments Compile options, debugging, optimizations, logging Service startup (manual, boot time, inetd, etc.) GENERIC QUALITY METRICSMetrics related to security hardened systems and services : Metrics related to security hardened systems and services Security hardening measures Vulnerable service runs as unprivileged process Privilege separation/downgrade Sand-boxing (chroot, jail, systrace, capabilities) Non executable stack Non executable heap StackGuard, StackShield, ProPolice, Microsoft VS /GS flag PaX, GrSecurity, W ^ X Portability and OS dependence Exploit uses external libraries or programs? Exploit run on specific OS? Exploits requires local privileges? GENERIC QUALITY METRICSMetrics related to system stability : Metrics related to system stability System stability After successful exploitation Unstable service Interrupted service System reboot or halt After unsuccessful exploitation Unstable service Interrupted service System reboot or halt System pollution and clean-up Modifies configuration Modifies file system Leaves audit trace GENERIC QUALITY METRICSOS coverage for exploits that target MS Windows: OS coverage for exploits that target MS Windows Architecture x86 - Intel IA32 (32bit) x86 - Intel IA64 (64bit) Operating System WinNT, Win2k, WinXP, Win2003 Operating System editions WinNT 4.0: Workstation, Server, Enterprise, Terminal Server Win2k: Professional, Server, Advanced Server WinXP: Home, Professional Win2003: Standard, Enterprise, Web Service Packs WinNT 4.0: SP0-SP6,SP6a Win2k: SP0-SP4 WinXP: SP0-SP1 (SP2 Q3/2004) Win2003: SP0 Languages English, Spanish, French , Portuguese, German, Chinese WINDOWS EXPLOITS: OS COVERAGE OS coverage for exploits that target Linux: OS coverage for exploits that target Linux Architecture x86 - Intel IA32 (32bit), x86 - Intel IA64 (64bit), ARM, SPARC Linux Distribution RedHat, Suse, Debian, Mandrake (Conectiva, Fedora, TurboLinux, Inmunix, OpenWall, Gentoo, …) Linux distribution versions RedHat: 6.2, 7, 7.11, 7.2, 7.3, 8, 9 Suse: 7, 7.1, 7.2, 7.3, 8., 8.1, 9, 9.1 Debian: 2.0, 2.1, 2.2, 3 Mandrake: 7.1, 7.2, 8, 8.1, 8.2, 9, 10 Kernel versions Linux kernel 2.2.0 - 2.2.26 Linux kernel 2.4.0 – 2.4.26 Linux kernel 2.6.0 - 2.6.6 User Space and Applications Glibc and Gcc versions, default application versions, default compile options LINUX EXPLOITS: OS COVERAGE OS coverage for exploits that target Solaris: OS coverage for exploits that target Solaris Architecture Intel x86, sun4m, sun4u Solaris versions 2.5.1, 2.6, 7, 8, 9 Patch clusters and individual patches Software Packages and compiled applications Security settings no_exec_user_stack = 1 SOLARIS EXPLOITS: OS COVERAGE Slide31: EXAMPLESThe MS RPC DCOM vulnerability exploited by the Blaster worm: The MS RPC DCOM vulnerability exploited by the Blaster worm Vulnerability: CAN-2003-0528 Microsoft Security Bulletin MS03-026 http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx Vulnerable Systems winNT 4, winNT4 Terminal Services, win2k, winXP,win 2003 Attack vectors Ports 135/tcp, 135/udp, 139/tcp, 445/tcp, 593/tcp, 80/tcp, >1024/tcp Plus 135/udp broadcast Publicly available exploit code winrpcdcom.c (FlashSky, xfocus.org) dcom.c ( HD Moore, modified from xfocus.org) msrpc_dcom_ms03_026.pm (HD Moore, included in metasploit 2.0) Rpcexec.c (ins1der, trixterjack at yahoo.com) dcom48.c (OC192 www.k-otik.com) MS RPC DCOM VULNERABILITY The MS LSASS.EXE vulnerability exploited by the Sasser worm: The MS LSASS.EXE vulnerability exploited by the Sasser worm Vulnerability: CAN-2003-0533 Microsoft Security Bulletin MS04-011 http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx http://www.eeye.com/html/Research/Advisories/AD20040413C.html Vulnerable Systems win2k, winXP,win 2003 Attack vectors Ports 139/tcp, 445/tcp Publicly available exploit code HOD-ms04011-lsasrv-expl.c (houseofdabus) ms04011lsass.c ( www.k-otik.com) MS LSASS VULNERABILITY The OpenSSL vulnerability exploited by the Slapper worm: The OpenSSL vulnerability exploited by the Slapper worm Vulnerability: CAN-2002-0656 http://www.kb.cert.org/vuls/id/102795 http://www.securityfocus.com/bid/5363/info/ Vulnerable Systems OpenSSL version < 0.9.7-beta2 All systems running Apache based web servers on Linux, *BSD unix, Windows, Solaris, HP-UX, …. Attack vectors Port 443/tcp Publicly available exploit code OpenF*ck.c (spax@zone-h.org) OpenF*ckV2.c (“OF version r00t VERY PRIV8 spabam”) Openssl-too-open (Solar Eclipse) OPENSSL VULNERABILITY Slide35: EPILOGUEConclusion and future work: Conclusion and future work Conclusion There are several legitimate uses for exploit code We need to understand the tools we use We propose a set of metrics to measure quality of exploit code Future work Refine the proposed metrics Test against publicly available exploits Comparative analysis Extend into a model with more quantifiable parameters and possibly a suitable “QoE”metric EPILOGUESlide37: THANK YOU!Iván Arce ivan.arce@coresecurity.com: CONTACT INFORMATION Headquarters · Boston, MA 46 Farnsworth St Boston, MA 02210 | USA Ph: (617) 399-6980 | Fax: (617) 399-6987 info@coresecurity.com Research and Development Center Argentina (Latin America) Florida 141 | 2º cuerpo | 7º piso (C1005AAC) Buenos Aires | Argentina Tel/Fax: (54 11) 5032-CORE (2673) info.argentina@coresecurity.com www.coresecurity.com Iván Arce ivan.arce@coresecurity.com