internet holes — part 5a: 50 ways to attack your web systems


Upload: fred-cohen

Post on 26-Jun-2016


December 1995 Network Security

Exportable encryption policy found ‘unacceptable’

Erin English

An effort by the US government to create an acceptable data encryption standard has promptly been shot down by a coalition of top US computer, online and software companies. The Clinton administration, hoping to satisfy the requirements of the US National Security Agency, the electronic commerce industry, as well as other federal entities, offered up a compromise proposal that would provide for a slightly stronger level of exportable encryption, but still allows the US government to have in its possession a spare copy of the encryption key.

Unsatisfied with the proposal, a group of 37 companies has announced it will, in the next six months, come up with its own policy proposal and present it to the White House as well as Congress. Among the companies involved are Lotus Development Corp., America Online, Apple Computer, AT&T, Oracle, Microsoft, Tandem Computers and Sybase. John Pescatore, analyst with research firm International Data Corp., said that while the government has made an effort to provide for higher bit encryption schemes, what is important is whether the government will be able to have ‘back door access’. Companies are pleased with 128-bit encryption schemes where they are tough to break, but those are currently not exportable.

“The Clinton proposal took a baby step that’s trying to make everyone happy: make the industry happy, make the intelligence community happy, make law enforcement happy - but there is no chance of making all three happy,” he said.

“The Clinton administration said we will allow up to 64 bits, which is a nice hefty level of security... but only if it includes this key escrow feature,” he continued. Industry analysts predict it will be three years at least until a viable solution will be agreed upon by all parties; banter has been going on for all of 1995 and will continue into 1996.

Internet Holes - Part 5a: 50 Ways to Attack Your Web Systems

Fred Cohen

The Internet is now the world’s most popular network and it is full of potential vulnerabilities. In this series of articles, we explore the vulnerabilities of the Internet and what you can do to mitigate them. This is the first of a two-part subsection in the Internet Holes series which considers a large number of ways to attack a system connected to the World Wide Web.

Some background

In May (or so) of 1995, I was discussing potential attacks against the key generation processes used in PGP and the issue came up of how good the pseudo-random number generator (PRNG) was and whether it could be exploited to break PGP encrypted or signed documents. I got a lot of E-mail abuse and was called many names for bringing this issue up, but as a side effect, people in the cypherpunks Internet mailing list started to look into this class of attacks. By September, it was discovered that Netscape’s SSL protocol implementation was based on a poor PRNG, and that Netscape’s so-called secure messages could be broken in a minute or two on a PC.

In September or October of 1995, in that same list, I was engaged in a heated debate about the dangers of Sun’s new Java system for permitting Web browsers to automatically run programs provided to them by untrusted servers. I have serious concerns about systems that allow users, at the push of a button that’s not even differentiable from any other button, to run programs specified by unknown third parties. As the debate heated up, I posted a half-humorous article titled something like ‘50 ways to attack your Java’. The name was a take-off on Paul Simon’s song ‘50 Ways to Leave Your Lover’. The content had some serious scenarios, most with results I thought to be somewhat humorous (e.g. displaying a Mickey Mouse watch on the screen with the wrong time).

As a result of this posting, I got a lot of electronic abuse. List members cast aspersions on everything from my character to my sex life, including but not

©1995 Elsevier Science Ltd


limited to, claiming that I knew nothing about security, that my doctorate came from a mail order house, and probably that my mother wore army boots. I recalled a line from a movie (I think it was from ‘Heaven Can Wait’) that went something like:

“The likelihood of being right is directly proportional to the vigour with which other people claim you are wrong.”

Figuring that I was on the right track, I pressed on. It was several weeks later that I was contacted by the Computer Security Institute and asked to give a presentation on Web security in a plenary session at their semi-annual conference in Washington, DC. It seems that they had a lot of interest in Web security, that one of their editors had seen my 50 Ways posting, and that they wanted me to give a presentation on 50 ways to attack the Web. With only a week before the conference and other work to do, I was now faced with coming up with 50 real attacks that could be used against the Web.

Having accepted the invitation and just having finished my draft version of slides late last night, I awakened this morning to the realization that the conference will make it impossible to finish my ‘Internet Holes’ article at my regularly scheduled time (which should be next week). So I decided to move the other article I was working on to January and make this month’s article coincide with the ‘50 Ways’ talk. Here we go.

Some Web and Web security basics

The World Wide Web (a.k.a. the Web, WWW or W3) may be the most widely used information system ever. There are claims of about ten million regular users, and many sites now claim to process more than 100 000 requests per day. The Web is comprised of a highly distributed set of tens of thousands of information servers, an unknown number of freely available browsers, and the Internet which facilitates its operation.

Nobody owns the Web. Individual servers and browsers are owned by anyone who wants to make them available or use them. There is no central coordinating body but there are some standards committees that try to augment existing protocols with highly flexible protocols to enhance function (usually at the cost of everything else). Information in the Web comes in many forms, but it is primarily in the form of Hyper-Text Markup Language (HTML) documents. The way it all works is:

• Browsers interpret HTML documents and display them on the screen as formatted text, included graphics, included audio, included movies, and included other things. When HTML documents provide pointers (called Uniform Resource Locators - URLs) to other documents, the pointers are presented as highlighted items. If the user wants to retrieve a document referenced by a URL, the item on the screen corresponding to the URL is selected (usually with a mouse click) and the browser attempts to get the new document from the Web.

• Servers await requests (normally on TCP Port 80) that consist (about 99% of the time) of ‘Get’ requests naming a particular document to be retrieved. When a request is made, the server either provides the document or sends back an appropriate error response.

• The net effect is a giant database that can be moved through by pressing buttons. This all works because URLs identify the name of the server (by Internet name or IP address) and the name of the document on that server (usually by a partial pathname of the file on the server). The trick to getting people to access your Web site is getting other Web sites to point to your URLs and to advertise your URLs to the network through whatever means.

If this seems overly simple, it’s not. We implemented a secure Get-only server in a few hours, and an insecure one can be implemented in a minute or two. Here’s an example Unix shell script that (sort of) works (but it’s VERY insecure, because the second word of the request line is handed to cat unchecked, so any readable file on the machine can be requested):

    read a b c
    cat $b

To use it, you have to make this the listener on port 80 (via the inetd program under Unix). It takes a few minutes - but don’t do it. It’s really very risky.

To make a minimal browser, the following Unix shell script will get the information if you provide the URL, HOST and PORT:

    (echo "get URL http"; sleep 10) | telnet HOST PORT

Try ‘/’ for the URL, ‘all.net’ for the HOST and ‘80’ for the PORT as an example.
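As an added illustration (this is not code from the original article), the following Python script reimplements both halves of the exchange above over a local socket: a one-shot Get-only server that parses the request line the way `read a b c` does, and a client that, like the telnet one-liner, sends one line and reads until the server closes. It runs the server first with the unchecked `cat $b` style of file lookup and then with a lookup that confines requests to a document root and rejects anything that is not a well-formed Get; the document root, its files and the port are constructed here for the demonstration.

```python
"""Added example (not from the original article): a GET-only server in the
spirit of `read a b c; cat $b`, plus the client half of the telnet one-liner,
run against each other over a local socket. The document root, its files and
the port are constructed here for the demonstration."""
import os
import shutil
import socket
import tempfile
import threading


def naive_lookup(docroot, path):
    """What `cat $b` does: the requested name is used as given, so `..`
    segments (or a symlink) walk straight out of the document root."""
    with open(docroot + path, "rb") as f:
        return f.read()


def safe_lookup(docroot, path):
    """Resolve the request against the document root and refuse anything
    whose real path does not stay inside it; directories map to index.html."""
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, path.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("request escapes document root: " + path)
    if os.path.isdir(target):
        target = os.path.join(target, "index.html")
    with open(target, "rb") as f:
        return f.read()


def serve_once(listener, docroot, lookup):
    """Accept one connection, parse `GET <path>` the way `read a b c` does,
    insist on that grammar, and answer with the file or a one-line error."""
    conn, _ = listener.accept()
    with conn:
        rfile = conn.makefile("rb")
        line = rfile.readline().decode("latin-1").strip()
        rfile.close()
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() != "GET":
            conn.sendall(b"400 bad request\r\n")  # do not guess at non-HTTP input
            return
        try:
            conn.sendall(lookup(docroot, parts[1]))
        except OSError:  # missing file, directory, or rejected path
            conn.sendall(b"404 not found\r\n")


def fetch(port, request_line):
    """Client half of `(echo "get URL http"; sleep 10) | telnet HOST PORT`:
    send one line, then read until the server closes the connection."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(request_line.encode("latin-1") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def run_request(docroot, lookup, request_line):
    """Start a one-shot server on a free local port, send one request, return the reply."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    worker = threading.Thread(target=serve_once, args=(listener, docroot, lookup))
    worker.start()
    try:
        return fetch(listener.getsockname()[1], request_line)
    finally:
        worker.join()
        listener.close()


def demo():
    """Constructed layout: <tmp>/secret.txt sits beside <tmp>/htdocs, not inside it."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")
    os.mkdir(docroot)
    with open(os.path.join(docroot, "index.html"), "wb") as f:
        f.write(b"<h1>public</h1>")
    with open(os.path.join(base, "secret.txt"), "wb") as f:
        f.write(b"internal only")
    try:
        return {
            "naive_public": run_request(docroot, naive_lookup, "GET /index.html"),
            "naive_escape": run_request(docroot, naive_lookup, "GET /../secret.txt"),
            "safe_public": run_request(docroot, safe_lookup, "GET /index.html"),
            "safe_escape": run_request(docroot, safe_lookup, "GET /../secret.txt"),
            "safe_root": run_request(docroot, safe_lookup, "GET /"),
            "safe_garbage": run_request(docroot, safe_lookup, "HELO world"),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, reply in demo().items():
        print(name, reply)
```

The naive lookup hands back `secret.txt` for `GET /../secret.txt`, exactly as the shell version would for any file the listener can read; the confined lookup resolves the real path first and refuses anything outside the root, and the parser refuses a request that is not of the form it expects rather than interpreting it by accident. The same check belongs in any server that maps URL paths to files, whatever language it is written in.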

General classes of vulnerabilities

Vulnerabilities of the Web, as a system, can be considered in terms of three different classes of attacks:

• Browsers: Attacks can be launched against the browsers used to retrieve and view information.

• Servers: Attacks can be launched against the servers that provide information on request.

• The Network: Attacks can be launched against the network infrastructure used to communicate between browser and server.

Another perspective on vulnerabilities of the Web considers four different sorts of harm, several of which may be active in any particular attack:

Corruption: Neither browsers, servers, nor the Internet infrastructure are designed to provide protection against corruption. As a result, it is fairly easy to corrupt information throughout the Web.

Denial: Neither browsers, servers, nor the Internet infrastructure are designed to provide protection against denial of services. As a result, it is almost always possible to deny services on a selective basis, and often possible to deny services on a larger scale.

Leakage: Neither browsers, servers, nor the Internet infrastructure are designed to provide protection against leakage of information. As a result, it is often possible to capture confidential information and usage patterns.

Liability: Because of the weaknesses in the overall structure of the Web, it is often possible to use an attacked site as a launch-point for other attacks. This introduces potential liability to parties that are successfully attacked.

Yet a third perspective looks at the fundamental issues of the design of the Web:

• Distributed untrusted computation: As a basic premise, the Web provides a means for information provided by arbitrary servers at unknown locations operated by unknown organizations to be interpreted by any of a large number of different browsers at unknown locations operated by unknown organizations. The idea of interpreting unknown information from unknown sources seems inherently risky.

• Remote execution of untrusted software: Many Web extensions are designed to provide added function making the Web more than just a massive uncontrolled distributed database. These extensions, such as Postscript, Java and Mime essentially allow for remote execution of untrusted software. For the browser, the risk is that the computer running the browser will be taken over, while for a server, the same risk extends to the server and any subsequent browsers that get information from that server once it is attacked.

• Remote interpretation of unstructured and unverified content: In essence, most browsers and servers assume that the incoming information follows the HTTP protocol, but there is inadequate enforcement of this by servers and browsers. The result is that any incoming information might not conform, might be interpreted using an undefined method (corresponding to a don’t care condition in the interpreter), and might result in arbitrary undesirable side effects.

In summary, the Web is a system that was never designed for protection and that is being implemented in the most hostile of environments with a completely untrained and unaware user base as a basis for a global system for distributed computation and electronic commerce. It has inadequate protection for integrity, availability, and confidentiality, it may introduce large liabilities to both providers and users, it is vulnerable in each of the three aspects of its operation (browsers, servers and networks), it has fundamental design flaws that make it inherently difficult to protect, and it is being implemented on an unprecedented scale in a very short time frame almost entirely by people who do not understand the protection issues.

The 50 ways

These example attacks come in three types. Attacks marked with * have been demonstrated. Attacks marked with *+ have caused real-world incidents. Unmarked attacks are theoretical but are very likely to work. Since the goal is 50 attacks and some of the theoretical attacks may not be active today, we have provided 60 attacks under the assumption that this redundancy will cover any attacks that are never demonstrated.

Browser-side attacks

These attacks work against browsers, the user programs that present information and allow the selection of new URLs.

Postscript interpreters

Postscript is an interpreted language originally designed to provide a printer-independent language for printing complex documents. Because it is a general purpose programming language with input and output, any Postscript document acts like a program when interpreted. This leads to any number of possibilities, a few of which are listed here.

1. Postscript file overwrites key files*: Postscript files can contain commands to open, create, copy, delete, or rename files. If you are using a browser that displays Postscript files and you view a Postscript file, it could overwrite any files on your system, including configuration files used to open your system to other attacks.

2. Postscript file introduces Trojan+: A more advanced form of a Postscript-based attack could be used to introduce a Trojan horse or virus into the computer running the browser.

3. Postscript file transmits secrets over port 80*: A still more advanced Postscript-based attack would use port 80 (the HTTP port) to transmit internal information to the attacker. This can be done even through a firewall because firewalls that allow HTTP to pass have no secure way to determine the difference between a legitimate HTTP message and an illegitimate one.

Dirty pictures

Dirty pictures aren’t a very important threat against most businesses from a standpoint of lost revenue or competitive advantage, but they are a potential source of liability, they are potentially demeaning to the group to which the pictured persons belong, and they are usually not part of a legitimate business function. In cases where under-aged recipients are involved, they are often also illegal.

4. Postscript file has dirty pictures*+: Since Postscript is a general purpose language, it can be used to display dirty pictures.

5. GIF file has dirty pictures*+: A far more direct route is to use the GIF format which almost all Web browsers support. Since, in many browsers, GIF files are simply displayed by default as they show up, you never know what the next button-push might produce.

Undesired traffic

A common complaint of clients is that users use the Web in many ways that are counterproductive. Some examples may help to clarify this.

6. HTML file describes how to make money by leaking secrets: Many people offer money in exchange for trade secrets, but unless you are looking for ways to sell trade secrets, you are unlikely to come across them - except on the Web. Either as jokes or as real solicitations, several Web sites have openly stated that they provide cash for confidential information.

7. Inbound information is false and misleading*+: Many users trust information retrieved from the Web in the same way as they trust information on the evening news or in the library. It is quite common to find false and misleading information throughout the Internet, and the Web is no exception.

8. Users waste all day looking at Web stuff*+: A common event in many organizations that have recently introduced the Web is its extensive use at the expense of employees fulfilling other job functions.

9. New executables loaded via the browser*: Programs loaded from over the Web are no more safe than programs loaded from the local bulletin board. In fact, they may be far more dangerous, and in some cases, have been specially designed to compromise security.

Downloaded applets

Applets are the names for Java programs that can be automatically loaded onto your computer and run at the push of a button when you use a Java-based application. Since selections that run applets look like any other browser selection, you cannot tell whether any particular button push will run an applet or not. Since Java is a general purpose language, applets can potentially do almost anything. There are some security features in the language meant to prevent certain types of threats, but they have not been demonstrated to be effective in any current implementations and, perhaps more importantly, they only address a small portion of the threats we consider.

10. Introduce Trojan Horses*: A Java applet may be advertised as one thing but actually be something else. For example, an applet that claims to be a search engine for electronics products from the whole Internet may only provide products distributed through one distributor.

11. Introduce viruses: A Java applet is capable of reproducing itself and sending itself back out over the network. This makes network-based viruses with Java a real possibility.

12. Send your information out: Since applets are general purpose and linked into standard libraries, they may fool your users into selecting filenames which are then transmitted out of the company.

13. Redirect request through attacker*: Applets can also be used to redirect requests so that they go through the attacker rather than to the normal locations they appear to point to. This allows the attacker to watch and modify all traffic in both directions as long as the user is pressing buttons within the display area of the screen.

14. Consume bandwidth with big downloads*+: While the user is looking at the screen, an applet can be silently sending large amounts of information between the server and the browser. This can be done without interfering with the display, and can result in a lot of bandwidth being consumed.

15. Trick the browser into routing into your network: If you can get the user or the browser to output to a file on the browser’s computer, you could overwrite a configuration file that would route all traffic through the attacker’s computer. This would give the attacker unlimited control over access and content.

16. Forge look and feel of internal machines and gather information*: By making an external server appear to be an internal server, a user could be fooled into doing internal work (such as entering information into confidential databases) through an external system.

17. Get usage statistics*: It would be simple to gather usage statistics to see how much you use the Web, which sites you tend to visit, and what your usage pattern is like.

18. See what you are investigating today*: A more detailed investigation attacking many browsers could be used to get intelligence on what your company is researching using the Web. A more active attacker could modify information provided to you in order to manipulate your actions.

One of the attacks listed above was to cause HTML information to be redirected through the attacker’s computer. This could have many implications:

19. Take credit card numbers: If you use credit card or charge numbers through a Web server, redirected requests could give away this information to an attacker who could exploit it for financial advantage.

Internet Hacking Resources

Bill Hancock

Part of being able to hack a network is the need to figure out how, or gain access to technical tools, to properly access network components. On the Internet, there are, quite literally, thousands of locations with network hacking information on them which include very specific instructions on how to attack almost any type of protocol, operating system or hardware environment that exists.

Using a web browser, such as NetScape or Mosaic, and accessing an Internet indexing facility such as Yahoo, it is pretty easy to find sites with hacking tools and information. With the browser, go to Yahoo and put in a query for the word ‘hack’ and watch what happens. (Yahoo is located at URL http://www.yahoo.com.)

As an example, consider the following list of locations, by subject, on where to gain hacking information on the Internet. This was extracted via searching tools and personal knowledge of where to look. (Note: HPA stands for Hack-Phreak-Anarchy.)

Top 10 HPA underground sites

• Cold Fire’s Web Page (HPA)

• I ead I t’s (CoTNO) Underground Zine Archive

• HavocWare is VERY well done

• The /e Home Page

• The L0pht Heavy Industries

• OCP - Operation Cyber Prometheus

• paranoia.com

• The OFFICIAL - Phrack Inc. - Home Page

• Voyager’s alt.2600/#hack FAQ Hypertext Version

HPA Web sites

• 2600 Magazine