fall 2012 badolato presentation: when bad things happen to computer networks

When Bad Things Happen to Computer Networks

A demonstration of how hackers break into systems,and what we can all do to reduce our risks

Mike O’Leary

School of Emerging TechnologiesTowson University

Edward V. Badolato Distinguished Speaker SeriesSeptember 7, 2012

Mike O’Leary (Towson University) When Bad Things Happen... Badolato Speaker Series 1 / 81

Physical Attacks

Suppose you have physical access to a fully patched Windows 7machine, but don’t have the password.

Can you log on?

Sure!

What happens when you press the blue and white button on thebottom left of a Windows logon screen?

What happens if you change that program?


Physical Attacks- Demo



Rather than boot to the hard drive, we will boot to a CD-ROM; sayBacktrack 5.

BIOS passwords can prevent this, but physical access also lets mereset BIOS passwords, usually via jumper settings on the motherboard.


Physical Attacks- Others

The “Sticky Keys” feature can be attacked in the same fashion; theprogram is c:\Windows\System32\sethc.exe

To log in as a particular user (rather than as System), one can use ahex editor to modify c:\Windows\System32\msv1 0.dll. Changingtwo bytes in that file allows you to log on to any account without apassword.Kon-Boot.

Boot to the CD, and let the tool do the work for you.The tool is picked up as a virus by many anti-virus tools, so carefuldownloading!

Bart’s PE


Physical Attacks- Countermeasures

Protect the phyisical deviceEncrypt important data.

BitlockerWindows 7 component, but required Windows 7 Enterprise or Windows 7Ultimate.

TrueCrypt: http://www.truecrypt.org/Free softwareLet’s you encrypt a volume of files; the volume is treated as a separatehard drive in Windows.Encrypted volumes can take on any name, and can be nested.


Physical Attacks- Countermeasures Demo


Passwords

Why attack passwords?They give authenticated access, meaning that they will not trip intrusiondetection systems.

How are passwords stored?Plain text (disaster!)Hashed (terrible!)Salted & Hashed (Might be OK)

How can you attack a stored password?Brute force attacksWord listsRainbow tables


Passwords

The speed of a brute force attack depends on the underlying hashingalgorithm.

A PC with a high end graphics card using an older algorighm (SHA1)can try roughly one billion password guesses per second.Amazon’s cloud service would let a user try roughly 100,000passwords on 400,000 accounts each day, for a cost of roughly $3501

m3g9tr0n claims to have cracked 122 million passwords (MD5, SHA1)in five months2

1http://arstechnica.com/security/2012/08/hacked-blizzard-passwords-not-hard-to-crack/2http://blog.thireus.com/cracking-story-how-i-cracked-over-122-million-sha1-and-md5-hashed-passwords


Password Attacks

In 2009, RockYou.com was compromised, leading to the loss of 32million passwords.

These passwords were in plain text.Attackers have used this as starting point to generate word lists.

In 2010, Gawker lost 1.5 million unsalted hashed passwordsOn June 6, LinkedIn lost 6.46 million unsalted password hashes

LinkedIn has 160 million accounts.More than 90% of these hashes have been cracked.

On June 6, eHarmony lost 1.5 million unsalted password hashes.On July 12, Yahoo! voices lost 400,000 plain text passwords andemail addresses.On July 23, Gamigo (a German gaming company) lost 11 millionhashed passwords.

They also lost 8.2 million email addressesOn August 10, Blizzard lost an unknown number of password hashes,including all of the accounts from their North American servers.

The number of Blizzard accounts runs well into the millions, just inNorth America.


Password Attacks

Do you re-use your passwords?

Could an attacker guess your account name?

What would happen?

Ask Mat Honan. After an hour-long attack on August 3, he discoveredthat3

His Google account was taken over, then wiped.His Twitter account was compromised and used to spread vitriolHis AppleID account was hackedAll of the data on his iPhone, iPad, and MacBook was wiped.

Why? They wanted to use his Twitter account.

3http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/


Password Attacks- Demo

We can perform a live attack on a password protected service bysimply trying various combinations.

This is often noticeable to intrusion detection systems, but if it isspread across multiple attacker machines, it is difficult to stop.

In this first example, we attack a simple e-commerce site.



Looking at the source, we see that the request to log in isA request made via SSLTarget page is http://shop.index.phpGET parameters include

main page = loginaction = processzenid = 65dsqnj1qs9hn8h57ij6dkk22veopsul

POST parameters includepassword, specified by the usersecurityToken = d597db5e25bda24bb43c65307d9c21ca as a hiddenfield.

We build a corresponding request using Hydra.We specify a list of user names (-L)We specify a list of passwords (-P)We specify what we expect to see in an error page (the text “Error”)We specify the number of threads (-t)We specify the timeout (-w)We specify where we dump the resulrs (-o)We use verbose output (-vV)



These attacks can also be performed against domain controllers.

Suppose that the domain UNSEEN has the domain controllerephebe.unseen.disc.tu located at the address 192.168.1.30.We again use hydra

The method is now smbThe address is specified as wellOther parameters are chosen as in the previous example.


Passwords Attacks- Countermeasures

Lots of folks have given you lots of advice on passwordsUse an uncommon wordInlude some captial lettersMake some substitutions- say replace an “a” with an “4”Include a numberInclude a symbol


Password Attacks- Countermeasures

Source: http://xkcd.com/936/



There is no substitute for length in your passwords.If you are using random symbols & characters, then at least 12characters.If you use word(s), then double this.

Attackers already know the common tricks for making passwordsmore “complex”; they use wordlists and then permute them with all ofthese common tricks.

Use different passwords for different accountsHow can I manage different passwords?

Use PasswordSafe, a free program available athttp://passwordsafe.sourceforge.net/


Application Attacks

Most computer attacks rely on software vulnerabilitiesThese are mistakes in a program that can be exploited to violate asecurity policyWhen found, these are classified and given a common CVE name &number (http://cve.mitre.org)

Some vulnerabilities allow a third-party access to a systemOthers allow a user a greater level of access to a system thanintented (privilege escalation)Some vulnerabilities do not require user actionVulnerabilities in the core operating system can be particularlyproblematic.

Microsoft patches are numbered by year and patch number.MS08-067 (CVE 2008-4250)- Microsoft Server Service Vulnerability

Windows 2000, 2003, XPMS03-026 (CVE 2003-0352)- Microsoft RPC DCOM.

Affects Windows NT, 2000, 2003.Root cause of Blaster worm, Nachi worm.


Application Attacks

Attackers have turned their attention to application level atacksThese focus on

Web browsersActive content for web browsers

JavaFlash

DocumentsMicrosoft WordMicrosoft ExcelAdobe Reader

Browser attacks require the user to visit a web page hosting themalicious content

Document attacks require the user to open the malicious document


Application Attacks

Suppose you knew that the target was running Adobe Reader.

1/2012 CVE 2011-2462 Adobe Reader U3D Memory Corruption 9.4.6, 10.1.1

9/2010 CVE 2010-2883 Adobe CoolType SING Table uniqueNameStack Buffer Overflow

8.2.4, 9.3.4

3/2010 CVE 2010-0188 Adobe Acrobat Bundled LibTIFF IntegerOverflow

8.2, 9.3

12/2009 CVE 2009-4324 Adobe Doc.media.newPlayer Use AfterFree Vulnerability

9.2

12/2009 CVE 2009-3459 Adobe FlateDecode Stream Predictor 02Integer Overflow

9.2

11/2009 CVE 2009-2990 Adobe U3D CLODProgressiveMeshDecla-ration Array Overrun

7.1.4, 8.1.7, 9.2

3/2009 CVE 2009-0927 Adobe Collab.getIcon() Buffer Overflow 7.1.1, 8.1.3, 9.1

3/2009 CVE 2009-0658 Adobe JBIG2Decode Heap Corruption 9.0

12/2008 CVE 2008-2992 Adobe util.printf() Buffer Overflow 8.1.3


Application Attacks

Suppose you knew that the target was running Microsoft Office:

6/2012 CVE 2012-0013 MS12-005 Microsoft Office ClickOnce Un-safe Object Package Handling Vulnerability

Word 07, 10

4/2012 CVE 2012-0158 MS12-027 MSCOMCTL ActiveX BufferOverflow

Word 07, 10

12/2011 CVE 2010-3333 MS10-087 Microsoft Word RTF pFrag-ments Stack Buffer Overflow

Word 03, 07, 10

11/2011 CVE 2010-0822 MS11-038 Excel Malformed OBJ RecordHandling Overflow

Excel 02

11/2011 CVE 2011-0105 MS11-021 Excel .xlb Buffer Overflow Excel 07

5/2010 CVE 2010-0033 MS10-004 PowerPoint Viewer TextByte-sAtom Stack Buffer Overflow

PowerPoint Viewer 03

2/2010 CVE 2009-3129 MS09-067 Excel Malformed FEATHEADERRecord Vulnerability

Excel 02, 03, 07


Application Attacks

Suppose you knew that the target was running Adobe Flash Player:

8/20/2012 CVE 2012-1535 Adobe Flash Player 11.3 FontParsing Code Execution

11.3.300.271 (8/14/2012)

6/25/2012 CVE 2012-0779 Adobe Flash Player Object TypeConfusion

11.2.202.235 (5/3/2012)

6/20/2012 CVE 2011-2110 Adobe Flash Player AVM Ver-ification Logic Array IndexingCode & Execution

10.3.181.23 (11/11/2011)

4/20/2012 CVE 2008-5499 Adobe Flash Player ActionScriptLaunch Command ExecutionVulnerability

10.0.12.36 (10/4/2008)

3/8/2012 CVE 2012-0754 Adobe Flash Player .mp4 ’cprt’Overflow

11.1.102.55 (11/11/2011)


Application Attacks

How does an application attack work?Let’s demonstrate an attack based on CVE 2012-1889, MS12-043Microsoft XML Core Services MSXML Uninitialized MemoryCorruption

This is a vulnerability in how Windows handles XML, and is of criticalimportance for Internet Explorer.Code to exploit this vulnerability was publicly released on June 15 (viaMetasploit); it is likely that this vulnerability was being exploited byothers privately before this time.Microsoft did not patch this vulnerability until they released MS12-043,on July 10.Anyone using Internet Explorer prior to the release of the patch wouldhave been vulnerable.


Application Attacks- Demo

The attacking machine will be using Backtrack 5 R3.

The victim machine will be a Windows 7 workstation, running ServicePack 1 (the latest), but not patched with MS12-043.


Application Attacks

Another common attack target, especially lately has been Java.

8/27/2012 CVE 2012-4681 Java 7 Applet Remote Code Execution Java 7U6

7/9/2012 CVE 2012-1723 Java Applet Field Bytecode VerifierCache Remote Code Execution

Java 6U32, Java 7U5

3/29/2012 CVE 2012-0507 Java AtomicReferenceArray Type Vio-lation Vulnerability

Java 6U30, Java 7U2

11/29/2011 CVE 2011-3544 Java Applet Rhino Script Engine Re-mote Code Execution

Java 6U27, Java 7


Application Attacks

We demonstrate the use of the July Java attack (CVE 2012-1723,Java Applet Field Bytecode Verifier Cache Remote Code Execution)on a system.

The target will be a Windows 7 machine, but this time it will not bepatched up to Service Pack 1.After compromising the target, we will use CVE 2010-3338,(MS10-092 Windows Escalate Task Scheduler XML PrivilegeEscalation) which is one of the vulnerabilties exploited by Stuxnet.

This will allow us to gain full control over the system at the SYSTEMlevel.We will grab the password hashes and crack them.We will add a new administrator to the system (us!)We will ensure that the system connects back to us, even if the systemis subsequently rebooted.


Application Attacks- Countermeasures

Be sure all of your software is up to date.Pay special attention to:

Browsers (IE, Chrome, Firefox, Safari)MS OfficeAdobe Flash, ReaderJava

Don’t install software if you do not need it!The attacks on IE succeeded in part because we leveraged the existingJava install!


Application Attacks- Countermeasures

The final attack succeded because the user:Clicked on a malicious linkWas running an outdated version of JavaWas running an unpatched version of Windows

This attack required multiple failures in multiple places!

Don’t be fearful that your security posture is imperfect; instead make itdifficult for an attacker to exploit you by being aware and resposive tothe threats.


Questions?

Mike O’LearySchool of Emerging TechnologiesTowson [email protected]


fall 2012 badolato presentation: when bad things happen to computer networks

Spiritual

bad things happen

countermeasures mike oleary

demo mike oleary

mike oleary

application attackssuppose

application attacks

towson university

physical access