SECURITY FLAWS IN WINDOWS XP
Roshan Newa, Saransh Chauhan
About Windows XPerience
first consumer oriented OS built on Windows NT kernel
First released on 25 October 2001
Improved GUI; tight integration of applications such as IE and Windows Media Player; built-in firewall
Much vaunted as the most secure Windows OS so far
40 Million SLOC (Source lines of code)
UPnP
protocols that allow devices to connect and communicate seamlessly
dynamically join a network, obtain an IP address, announce its name, convey its capabilities upon request, and learn about the presence and capabilities of other devices
Used in XP to detect and integrate with UPnP-aware devices, which provide a URL for automatic configuration
UPnP Flaw in XP
Three separate exploits:
a remote buffer overflow flaw, which can load remote code into an XP system
Denial of Service (DoS) and Distributed Denial of Service (DDoS) flaws, which can let intruders use zombie XP systems to flood Internet servers with bogus requests
UPnP in XP : Buffer Overflow
The memory registers EAX and ECX are overwritten, causing them to contain invalid addresses
The svchost.exe process then accesses an invalid memory address at a 'mov' instruction
The SSDP service also listens on Multicast and Broadcast addresses
Gaining system access to an entire network of XP machines is possible with only one anonymous UDP SSDP attack session
UPnP in XP: DoS and DDoS
A UPnP device sends out an advertisement; the attacker:
sends a malicious spoofed UDP packet containing an SSDP advertisement
forces the XP client to connect back to a specified IP address and pass on a specified HTTP/HTTPS request
specifies a CHARGEN (Character Generator) service on a remote machine, causing the XP client to connect and get caught in a tight read/malloc loop
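The two UPnP slides above describe what an XP client accepted from an unauthenticated SSDP advertisement: oversized header data (the overflow) and an arbitrary connect-back URL (the DoS and CHARGEN loop). The following is an added example, not code from the presentation or from Microsoft, of the checks a hardened UPnP listener would apply before following a NOTIFY. The size limits, the forbidden-port list and the three sample datagrams are constructed assumptions; the addresses are RFC 5737 documentation ranges.

```python
"""Defensive SSDP NOTIFY validator (added example; limits are assumptions)."""
from urllib.parse import urlsplit

MAX_DATAGRAM = 4096      # policy value chosen here, not from the slides
MAX_LINE = 512           # any single header line longer than this is dropped
MAX_HEADERS = 32
ALLOWED_SCHEMES = {"http"}
# Ports a device-description URL must never point at; 19 is CHARGEN.
FORBIDDEN_PORTS = {7, 9, 13, 17, 19}


class SsdpReject(ValueError):
    """Raised when an advertisement fails a safety check."""


def parse_ssdp_notify(datagram: bytes) -> dict:
    """Parse a NOTIFY datagram into a {lower-name: value} dict or raise."""
    if len(datagram) > MAX_DATAGRAM:
        raise SsdpReject("datagram too large")
    try:
        text = datagram.decode("ascii")
    except UnicodeDecodeError:
        raise SsdpReject("non-ASCII bytes in datagram") from None
    lines = text.split("\r\n")
    if lines[0] != "NOTIFY * HTTP/1.1":
        raise SsdpReject("not an SSDP NOTIFY request line")
    headers = {}
    for line in lines[1:]:
        if line == "":            # blank line terminates the header block
            break
        if len(line) > MAX_LINE:  # bounded before anything copies it
            raise SsdpReject("header line too long")
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise SsdpReject("malformed header line")
        headers[name.strip().lower()] = value.strip()
        if len(headers) > MAX_HEADERS:
            raise SsdpReject("too many headers")
    for required in ("host", "nt", "nts", "location", "usn"):
        if required not in headers:
            raise SsdpReject(f"missing {required} header")
    return headers


def validate_location(location: str) -> tuple:
    """Return (host, port) the client may contact for this LOCATION, or raise."""
    parts = urlsplit(location)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SsdpReject(f"scheme {parts.scheme!r} not allowed in LOCATION")
    if not parts.hostname:
        raise SsdpReject("LOCATION has no host")
    try:
        port = parts.port if parts.port is not None else 80
    except ValueError:
        raise SsdpReject("LOCATION has an invalid port") from None
    if port in FORBIDDEN_PORTS:
        raise SsdpReject(f"LOCATION points at forbidden port {port}")
    return parts.hostname, port


def check_advertisement(datagram: bytes) -> tuple:
    """Apply both checks; return (True, 'ok') or (False, reason)."""
    try:
        headers = parse_ssdp_notify(datagram)
        validate_location(headers["location"])
    except SsdpReject as exc:
        return False, str(exc)
    return True, "ok"


# Constructed sample datagrams.
BENIGN_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.0.2.10:80/desc.xml\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
    b"\r\n"
)
# Same advertisement, but the description URL points at a CHARGEN port.
CHARGEN_NOTIFY = BENIGN_NOTIFY.replace(
    b"http://192.0.2.10:80/desc.xml", b"http://192.0.2.99:19/")
# Same advertisement with a LOCATION header far beyond any sane length.
OVERLONG_NOTIFY = BENIGN_NOTIFY.replace(
    b"http://192.0.2.10:80/desc.xml", b"http://192.0.2.99/" + b"A" * 2000)

if __name__ == "__main__":
    for label, dgram in [("benign", BENIGN_NOTIFY), ("chargen", CHARGEN_NOTIFY),
                         ("overlong", OVERLONG_NOTIFY)]:
        print(label, check_advertisement(dgram))
```

The point of the split into `parse_ssdp_notify` and `validate_location` is that the length bound is enforced on the raw line before any header is stored, and the URL is vetted before any socket is opened; an XP-era listener that skipped either step is what the slides describe.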
UPnP in XP
Deliberate intention by Microsoft for UPnP to work that way.
Microsoft describes the flaw as "unprecedented" and "serious," and the company is providing a wide range of fixes
Microsoft Security Bulletin MS01-054
Escalation of Privilege (EOP)
Permission granted against verification of identity
Exploiting a bug or design flaw to gain access to resources
Result: the application performs actions with more privileges than intended
"Elevation of privilege," then, is not a class of attack as much as it is the process of any attack.
EOP in XP
EOP: vertical and horizontal
Identity is demonstrated by tokens associated with a user
How a software program obtains privileges:
Installation/startup script tells your system what the software needs in order to run
System tracks the privileges associated with each user and application
Applications not needing extensive permissions usually run with the privileges of the current request
Installing as administrator gives access to more privileges than needed
Attacking via EOP in XP
Run code on the victim's machine, borrowing the privileges of one of his system-level apps
Find a process that is running with higher privileges
Crash it in a way that makes it hand its privileges to you
Interrupt the program as it executes and make it run additional code supplied by the attacker
Install a set of tools, referred to as a rootkit
EOP in XP : Examples
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Flaw in Network Connection Manager (Microsoft Security Bulletin MS02-042)
Vulnerability in Plug and Play (Microsoft Security Bulletin MS05-055)
Vulnerability in Windows (Microsoft Security Bulletin MS06-075)
Vulnerability in Windows Kernel (Microsoft Security Bulletin MS06-049)
Vulnerability in Internet Information Services (Microsoft Security Bulletin MS08-005)
XP Recovery Console
Perform a limited range of tasks using a CLI
Enable administrators to recover from situations where Windows does not boot to the GUI
Use, copy, rename, or replace files and folders
Enable or disable service or device startup
Repair the boot sector or master boot record (MBR)
Create and format partitions on drives
Flaw in XP Recovery Console
Win2k boot disc can bypass Windows XP passwords
In Win2k the password is mandatory; under Windows XP, this technique grants the user unrestricted access to the computer
Requires physical access to a PC for a long enough period of time
Attacker can then install keystroke-logging software to steal passwords, or backdoor programs to grant themselves unrestricted remote access
Flaw in XP Recovery Console
The problem is unrelated to a registry feature of XP that allows an Administrator to set up automatic logon when the Recovery
Mitigations: BIOS-level password; Encrypting File System; put the PCs behind a locked door or put a lock on the PCs themselves
Remote Code Execution
A feature of network-enabled applications
Ability to trigger any arbitrary command on the target machine or a target process without physical access to the target system
The worst effect a bug can have, because it allows an attacker to completely take over the vulnerable process
Commonly exploited by malware to run on a computer without the owner's consent
Remote Code Execution in XP
Typically triggered by buffer overflows and holes in applications
Help and Support Center feature: attackers can remotely execute code on vulnerable systems because of the way the Help and Support Center handles HCP URL validation
Triggered by visiting a malicious website or viewing a malicious email message
Mitigation: unregister the HCP protocol, by deleting it from the registry, to block known attack vectors
Remote Code Execution in XP IGMPv3
A vulnerability exists in the Internet Group Management Protocol Version 3 (IGMPv3) for IPv4 and the Multicast Listener Discovery (MLD) protocol for IPv6
A remote, unauthenticated attacker sending specially crafted packets could run arbitrary code in the security context of SYSTEM
Zipped folders flaw could allow remote code execution
Serious AIM flaw allows remote code execution without user interaction
…change of guard
COMEDY OF ERRORS
William Shakespeare
COMEDY OF ERRORS (XP-SP2)
Bill Gates
Window’s URI Handling
Windows shell insufficiently handles invalid URIs
Attacker could gain the same user rights as the logged-on user
What if the user is administrator? The attacker could take complete control of an affected system
Window’s URI Handling
Modus Operandi
Create a specially crafted URI
Provide the URI as input to an application
The app attempts to access the resource referred to by the URI
Processing the specially crafted URI input could allow arbitrary code to be executed
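Both URI-handling slides (the Help and Support Center's HCP URL validation earlier, and the shell's handling of invalid URIs here) come down to the same missing step: the string was handed to a protocol handler before anyone checked it. The code below is an added example, not code from the presentation, from Microsoft, or from any real shell API. It shows a gate that a dispatcher applies to an attacker-supplied URI (from a web page or e-mail) before any registered handler sees it; the allow and deny lists, the handler registry and the sample URIs are constructed assumptions, with HCP denied outright because the slides give unregistering it as the mitigation.

```python
"""Untrusted-URI gate (added example; lists and registry are assumptions)."""
import re
from urllib.parse import urlsplit

MAX_URI_LEN = 2048
ALLOWED_SCHEMES = {"http", "https", "mailto"}
BLOCKED_SCHEMES = {"hcp"}      # the slides' mitigation: never dispatch HCP
# RFC 3986 unreserved + reserved characters plus '%'; anything else (spaces,
# control bytes, quotes, backslashes) is rejected before parsing.
_ALLOWED_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*")
_PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
# Constructed stand-in for the shell's scheme -> handler table.
HANDLER_REGISTRY = {"http": "browser", "https": "browser",
                    "mailto": "mailclient", "hcp": "helpcenter"}


def validate_uri(uri: str) -> tuple:
    """Return (ok, reason, scheme); reject before any handler sees the URI."""
    if len(uri) > MAX_URI_LEN:
        return False, "URI too long", ""
    if not _ALLOWED_CHARS.fullmatch(uri):      # fullmatch: no trailing-newline trick
        return False, "URI contains disallowed characters", ""
    # every '%' must start a well-formed %XX escape
    if uri.count("%") != len(_PCT_ESCAPE.findall(uri)):
        return False, "malformed percent-encoding", ""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if not scheme:
        return False, "URI has no scheme", ""
    if scheme in BLOCKED_SCHEMES:
        return False, f"scheme {scheme!r} is blocked", scheme
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} is not allowlisted", scheme
    if scheme in ("http", "https") and not parts.hostname:
        return False, "web URI has no host", scheme
    return True, "ok", scheme


def dispatch(uri: str):
    """Name the handler a valid URI would go to, or None if it was rejected."""
    ok, _reason, scheme = validate_uri(uri)
    if not ok:
        return None
    return HANDLER_REGISTRY.get(scheme)


if __name__ == "__main__":
    # constructed inputs: one good, one blocked scheme, one malformed escape
    for sample in ("https://example.com/help?id=1", "hcp://example/",
                   "http://example.com/%zz", "mailto:alice@example.com"):
        print(sample, "->", validate_uri(sample), dispatch(sample))
```

Note that the registry still knows about `hcp`; the gate, not the registry, is what keeps it unreachable, which mirrors the slides' advice that blocking the protocol is a configuration decision rather than something the handler itself can be trusted to enforce.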
Remote Desktop DDoS attacks
Could let an attacker remotely crash computers
Affects the Windows Remote Desktop Service
Users experience errors ranging from inability to use certain services to small error messages
Nothing much serious, thankfully…
Remote Desktop DDoS attacks
A version of the Win32 API may allow a local user to elevate his privileges
Might allow a remote attacker to execute arbitrary code on this host
Attacker needs to find a way to misuse the Win32 API:
Lure a user into visiting a specially crafted web page
Execute active content on a web page
Windows Explorer Vulnerability
Remote code execution risk
Windows Explorer provides a GUI for accessing the file system
Windows handling of COM objects
Windows Explorer Vulnerability
Modus Operandi
Get the user to click on a link to a malicious website
User is prompted to perform several actions needed to connect to a certain file server
The file server causes Windows Explorer to fail and allows code execution
Activated with link in email message
and by the way…
How long do you think you would take to find a bug in your code?
What if your code exceeds millions of lines?
Don’t ask Bill Gates; he took seven years…
SMB Remote Code Execution (2001-2008)
SMB (Server Message Block): the Windows Server service connects different network resources over a network (file servers, print servers)
Send malicious messages to a Windows machine using the Windows Server service in an attempt to take control of the computer
SMB Remote Code Execution
MS blog says: "Public tools, including a Metasploit module, are available to perform this attack." Metasploit is an open-source toolkit used by hackers and security professionals to build attack code
SMB Remote Code Execution
Modus Operandi
Victim is sent a malicious e-mail message
The message, when opened, would try to connect to a server run by the attacker
Steal network authentication credentials from the victim, used to gain access to the victim's machine
The attack cannot be made across the firewall; only machines in your local LAN can exploit this flaw
Worms
Blaster - Win32/Msblast
First reported on August 11, 2003
Reverse engineered from a Microsoft patch
Launched a DDoS attack on windowsupdate.com; MS temporarily shut down the site
Blaster - Win32/Msblast
Modus Operandi
Exploits an RPC Distributed Component Object Model (DCOM) vulnerability
Displays messages that Bill Gates might not like…
"billy gates why do you make this possible ? Stop making money and fix your software!!"
and
"I just want to say LOVE YOU SAN!!"
Blaster - Win32/Msblast
• Detects an internet connection and restarts
• Executes a fake batch file to restart the system
• Registry entry, launched every time Windows starts: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update = msblast.exe
Image Source : http://en.wikipedia.org/wiki/Image:Windows_XP_Emergency_Shutdown.png
Win32/Sasser
Started spreading on April 30, 2004
Exploits a buffer overflow in LSASS (Local Security Authority Subsystem Service)
Scans IP addresses and connects to victims' computers primarily through TCP ports 445 and 139
Win32/Sasser
Adds a file C:\WIN.LOG or C:\WIN2.LOG on the PC's hard disk
A shutdown timer appears due to the worm crashing LSASS.exe
Can be blocked by a firewall
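The Blaster and Sasser slides each give a concrete indicator: the `windows auto update = msblast.exe` Run-key entry for Blaster, and scanning on TCP 445 and 139 for Sasser. The following is an added example, not code from the presentation or from any vendor, of turning both into checks: a persistence scan over a registry export, and a sliding-window scan detector over connection logs that flags a source touching many distinct hosts on those ports. The `.reg` text, the log line format, the threshold and the window length are constructed assumptions.

```python
"""Blaster and Sasser indicator checks (added example; samples are constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SUSPICIOUS_IMAGES = ("msblast.exe",)   # from the slides' Blaster Run entry
SCAN_PORTS = {445, 139}                # Sasser's target ports per the slides
SCAN_THRESHOLD = 20                    # distinct destinations per source ...
WINDOW = timedelta(seconds=60)         # ... within this window (chosen here)

_REG_VALUE = re.compile(r'"([^"]+)"="(.*)"$')


def find_run_persistence(reg_export: str) -> list:
    """Return (value name, data) pairs under the Run key naming a suspicious image."""
    findings = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        m = _REG_VALUE.match(line)
        if m and any(img in m.group(2).lower() for img in SUSPICIOUS_IMAGES):
            findings.append((m.group(1), m.group(2)))
    return findings


def detect_scan_bursts(log_lines) -> dict:
    """Map source IP -> peak distinct-destination count for every source that
    reaches SCAN_THRESHOLD distinct hosts on SCAN_PORTS inside WINDOW."""
    per_src = defaultdict(list)
    for line in log_lines:
        ts, src, dst, port = line.split()
        if int(port) in SCAN_PORTS:
            per_src[src].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> hits inside the current window
        start = 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[start][0] > WINDOW:    # slide the window forward
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= SCAN_THRESHOLD:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged


# Constructed sample registry export (.reg syntax) with one benign entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"windows auto update"="msblast.exe"
"""


def _build_sample_log() -> list:
    """Constructed log: '<iso-time> <src> <dst> <dport>' per line."""
    base = datetime(2004, 5, 1, 10, 0, 0)
    lines = []
    for i in range(25):   # worm-like: 25 distinct hosts on 445 in ten seconds
        ts = base + timedelta(milliseconds=400 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 10.0.1.{i + 1} 445")
    for i in range(3):    # benign: one workstation hitting its file server
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 10.0.0.1 445")
    return lines


SAMPLE_CONN_LOG = _build_sample_log()

if __name__ == "__main__":
    print(find_run_persistence(SAMPLE_REG_EXPORT))
    print(detect_scan_bursts(SAMPLE_CONN_LOG))
```

The scan detector counts distinct destinations rather than raw connections, so a workstation hammering its one file server on 445 is not flagged while a host sweeping a subnet is; that is also why the slides' "can be blocked by a firewall" holds, since the worm's spread depends entirely on unsolicited inbound 445/139 reaching other hosts.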
Sasserization: Effects of the Sasser Worm
News agency Agence France-Presse (AFP) had all its satellite communications blocked for hours
Delta Air Lines had to cancel several transatlantic flights
The British Coastguard had its electronic mapping service disabled for a few hours
…and finally…