Sample NVA Report 243
to access these devices. Two of the devices are the boundary router interfaces
for CLIENT.
Recommendations
Restrict Telnet on the boundary devices to only those hosts that need it to
make configuration changes, and consider some type of Identification and
Authentication (I&A) service to further protect the boundary devices.
Finding 4: Firewall, DMZ, and Proxying
CLIENT does not have a traditional DMZ. Its "DMZ" is defined as a set of public
IP addresses mapped through the firewall to servers behind it, which are thereby
reachable from the Internet. This configuration places the externally reachable
servers inside the perimeter, on the same network as the internal hosts. CLIENT
also does no application-level proxying to inspect inbound or outbound traffic;
the firewall itself applies only limited command-level inspection to certain
protocols, such as SMTP and FTP. Additionally, without a proxy the IIS servers
are susceptible to malformed ISAPI calls, as was demonstrated by PA (see
Finding 4 under Applications and Systems Security).
Urgency Rating***
Risk
In this configuration, a compromise of any externally available server would
give an attacker a foothold directly on the internal network rather than in
an isolated segment. Also, without application-level proxying, invalid or
inappropriate commands in protocols such as HTTP are not blocked before they
reach the servers.
Recommendations
The following are recommended for consideration:
Create a true DMZ, separated from the internal network by the firewall, and
place all externally available servers there.
Install application-level proxies to act as inbound and outbound gateways.
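The following is an added example, not part of the report or of CLIENT's configuration: a small model of the two perimeter designs compared above. A Design is a set of switched segments plus the firewall's zone-to-zone rules; traffic between two hosts on the same segment never crosses the firewall, which is the problem with the mapped-IP "DMZ". The addresses, ports and rules are constructed for illustration.

```python
"""Added example, not part of the report: a small model of the two perimeter
designs compared above. A Design is a set of switched segments plus the
firewall's zone-to-zone rules. Traffic between two hosts on the same segment
never crosses the firewall, which is the problem with the mapped-IP "DMZ":
once an externally reachable server is compromised it talks to internal hosts
unfiltered. Addresses, ports and rules are constructed for illustration."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Rule = Tuple[str, str, Optional[int], str]   # (src cidr, dst cidr, dport or None, action)


class Design:
    def __init__(self, segments: List[str], rules: List[Rule]):
        self.segments = [ip_network(s) for s in segments]
        self.rules = [(ip_network(a), ip_network(b), p, act) for a, b, p, act in rules]

    def same_segment(self, src, dst) -> bool:
        return any(src in seg and dst in seg for seg in self.segments)

    def reachable(self, src: str, dst: str, dport: int) -> bool:
        s, d = ip_address(src), ip_address(dst)
        if self.same_segment(s, d):
            return True                      # switched locally; the firewall never sees it
        for a, b, p, act in self.rules:      # first match wins, implicit deny at the end
            if s in a and d in b and (p is None or p == dport):
                return act == "permit"
        return False


ANY = "0.0.0.0/0"
INSIDE, DMZ_NET = "10.0.0.0/24", "192.168.100.0/24"
INTERNAL_HOSTS = ["10.0.0.50", "10.0.0.51", "10.0.0.100"]   # DB, file server, workstation

# Flat design from the finding: public addresses are mapped to 10.0.0.10 (web)
# and 10.0.0.11 (mail), which sit on the same segment as everything else.
FLAT = Design(
    segments=[INSIDE],
    rules=[(ANY, "10.0.0.10/32", 80, "permit"),
           (ANY, "10.0.0.11/32", 25, "permit"),
           (INSIDE, ANY, None, "permit")],
)

# True DMZ: the public servers move to their own segment; the firewall permits
# only the published services inbound, lets the inside reach the DMZ, and
# refuses anything the DMZ initiates towards the inside.
DMZ = Design(
    segments=[INSIDE, DMZ_NET],
    rules=[(ANY, "192.168.100.10/32", 80, "permit"),
           (ANY, "192.168.100.11/32", 25, "permit"),
           (DMZ_NET, INSIDE, None, "deny"),
           ("192.168.100.11/32", ANY, 25, "permit"),   # mail relay outbound
           (INSIDE, ANY, None, "permit")],
)


def lateral_exposure(design: Design, compromised: str, hosts: List[str], dport: int) -> List[str]:
    """Internal hosts an attacker on `compromised` can reach on `dport`."""
    return [h for h in hosts if design.reachable(compromised, h, dport)]


if __name__ == "__main__":
    print("flat:", lateral_exposure(FLAT, "10.0.0.10", INTERNAL_HOSTS, 445))
    print("dmz: ", lateral_exposure(DMZ, "192.168.100.10", INTERNAL_HOSTS, 445))
```

In the flat design the firewall still blocks the Internet from reaching 10.0.0.50 directly, yet a compromised web server reaches every internal host because that traffic is switched, not filtered. In the DMZ design the same compromise reaches nothing inside, and the published services are the only ones reachable from the Internet.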
Finding 5: Anomalous Network Events
During Your Company’s test of the network, two anomalous events occurred.
The first was a series of SYN floods detected by the IDS that Your Company
uses to verify its findings during the network scans. These SYN floods came
from various IP addresses on the Internet. Detailed capture files are included
on the CD-ROM for CLIENT review. The second event involved a SYN flood
followed by a port scan from inside the CLIENT network to various hosts. Your
Company determined that it could be one of the custom CLIENT applications,
but the capture files from that event, as well as a light scan to determine
the identity of the machine, are included in the reports on the Supplemental
CD.
Urgency Rating**
Risk
These events may indicate that activity is occurring on the network of which
CLIENT had no prior knowledge.
Recommendations
Deploy an IDS and I&A services to track such incidents and, where an incident
originates from the internal network, to determine the identity of the originator.
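The following is an added example, not part of the report: detection logic for the two anomalies described in this finding, a SYN flood and a port scan, run over packet summaries. The records are constructed as (timestamp, source, destination, destination port, TCP flags); only client-side packets are modelled, so a handshake counts as completed when the client sends the ACK that follows the server's SYN/ACK. In a real deployment the records would come from the IDS or from capture files such as those on the Supplemental CD.

```python
"""Added example, not part of the report: detection logic for a SYN flood and
a port scan over constructed packet summaries (ts, src, dst, dport, flags)."""
from collections import defaultdict


def build_sample_packets():
    pkts = []
    # Normal traffic: five Internet clients complete the handshake to the web server.
    for i in range(5):
        t, src = 0.1 * i, f"198.51.100.{i + 1}"
        pkts.append((t, src, "10.0.0.10", 80, "S"))
        pkts.append((t + 0.02, src, "10.0.0.10", 80, "A"))
    # SYN flood: three Internet sources send 120 SYNs within one second and never ACK.
    for j in range(120):
        pkts.append((1.0 + j / 200, f"203.0.113.{j % 3 + 1}", "10.0.0.10", 80, "S"))
    # Port scan: an internal host probes 40 distinct ports on one internal target.
    for p in range(1, 41):
        pkts.append((5.0 + p * 0.01, "10.0.0.77", "10.0.0.50", p, "S"))
    return sorted(pkts)


def detect_syn_flood(packets, window=1.0, threshold=50):
    """Count half-open connections per (dst, dport) per time bucket; a bucket
    with at least `threshold` SYNs that were never followed by the client's ACK
    is reported as (dst, dport, bucket_start, half_open_count).
    Caveat: a source that completes one handshake is treated as legitimate for
    all of its SYNs, so a flood mixed with real connections needs per-source-port
    tracking, which these summaries do not carry."""
    completed = {(src, dst, dport) for _, src, dst, dport, flags in packets if flags == "A"}
    half_open = defaultdict(int)
    for ts, src, dst, dport, flags in packets:
        if flags == "S" and (src, dst, dport) not in completed:
            half_open[(dst, dport, int(ts // window))] += 1
    return sorted((dst, dport, b * window, n)
                  for (dst, dport, b), n in half_open.items() if n >= threshold)


def detect_port_scan(packets, window=10.0, min_ports=20):
    """Count distinct destination ports per (src, dst) per time bucket; report
    (src, dst, bucket_start, port_count) when one source touches at least
    `min_ports` ports on one host within the window."""
    ports = defaultdict(set)
    for ts, src, dst, dport, flags in packets:
        if flags == "S":
            ports[(src, dst, int(ts // window))].add(dport)
    return sorted((src, dst, b * window, len(p))
                  for (src, dst, b), p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    pkts = build_sample_packets()
    print("SYN floods:", detect_syn_flood(pkts))
    print("Port scans:", detect_port_scan(pkts))
```

The flood is reported against the target service rather than the sources, because the source addresses in a SYN flood are usually spoofed; the scan is reported against the internal source, which is the host the recommendation's I&A service would need to tie to a user.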
Applications and Systems Security
Finding 1: Developer Access to Production Systems
Interviews with the system administrators indicated that developers have had
access to the production systems, and that they could still gain access
through other vulnerabilities discussed in this report, such as the XXX Admin
account and the NFS vulnerabilities.
Urgency Rating*****
Risk
Developers should not have access to production systems or data. This is one
of the underlying principles of information security, codified in the concept
of “separation of duties.” Because developers produce the applications that
run on the production systems, they should not have access to those systems,
so that any malicious code included in an application can be detected by the
system operator. A developer who does have access to the production system
may be able to alter the system in such a way as to hide that malicious
activity.
Recommendations
Install an intrusion detection system (IDS) and an Identification and
Authentication (I&A) service to monitor the actions of users, including
developers. Additionally, install a file integrity (“authenticity”) product
such as Tripwire to verify that system files have not been modified.
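The following is an added example, not part of the report and not Tripwire's own code: a minimal file-integrity baseline and verification pass of the kind such a product performs. It records a SHA-256 digest, permissions and owner for every regular file under a root, then reports added, removed and modified files against the stored baseline. The directory tree and file names are constructed in a temporary directory for the demonstration.

```python
"""Added example, not part of the report: a Tripwire-style baseline and verify
pass over a constructed directory tree."""
import hashlib
import json
import os
import stat
import tempfile


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> attributes for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip symlinks, devices, sockets
            manifest[os.path.relpath(full, root)] = {
                "sha256": hash_file(full),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid,
            }
    return manifest


def verify(root, baseline):
    """Compare the live tree with a baseline produced earlier and kept where the
    monitored host cannot write it (read-only media or another host)."""
    current = build_baseline(root)
    common = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if current[p] != baseline[p]),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Baseline a constructed 'production' tree, tamper with it the way the
    finding describes, and return what verification reports."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/telnetd", b"original daemon")
        _write(root, "bin/login", b"original login")
        stored = json.dumps(build_baseline(root))     # off-host copy of the baseline
        # Someone with production access swaps in a same-size trojaned daemon
        # (a size check alone would miss it), drops a hidden file and deletes one.
        _write(root, "bin/telnetd", b"trojaned daemon")
        _write(root, "bin/.backdoor", b"payload")
        os.remove(os.path.join(root, "bin/login"))
        return verify(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The value of the control depends on the baseline being stored where the monitored users cannot rewrite it; a developer who can update the manifest along with the binary defeats the check.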
Finding 2: Sun Development Cluster
Several critical problems were found with the Sun Development Cluster. Many
of these problems would not be critical individually, but combined they allow
the Sun Development Cluster to be compromised. If these same vulnerabilities
exist on the Production Sun Cluster, then that cluster is also at risk.
The vulnerabilities found included:
CDE rpc.ttdbserverd (ToolTalk). The ToolTalk database server is vulnerable to
a series of buffer overflow exploits that allow a user to elevate their
privilege level to root.
FingerBomb. The FingerBomb is a denial-of-service (DoS) attack against the
finger daemon, which can result in a reboot, a restart of network services, or
a crash of the protocol stack.
NFS issues. NFS shares are mountable and writeable, and are exported beyond
their domain. The test machine was able to mount the shares used by all users
to store code and other files, which would allow a Trojan horse to be installed.
rpc.statd remote file access. The rpc.statd exploit allows a remote user to
add, list, or delete files. This can be used to replace telnetd with a
trojaned copy and then, through FingerBomb, force the new telnetd to be
started. This exploit was recently used successfully to hijack machines for
DDoS attacks on the Internet.
rsh allowed from the scanning machine. The Sun cluster allowed the scanning
machine to rsh into it. Combined with the NFS vulnerabilities, this would
allow an arbitrary user to gain root access.
admind/sadmind. Solaris admind and sadmind are insecure by default and can
be exploited to gain root access to the server.
Trusted hosts and authentication vulnerabilities. Several of the above
vulnerabilities could be exploited to gain control over any host that trusts
the compromised machine. Likewise, several NIS vulnerabilities were found
that, combined with the NFS exports reaching beyond the domain, would allow
an attacker who had gained root to redefine NIS relationships.
Information gathering. Several services running on the Development Sun
Cluster revealed all usernames on the box and all home directories, as well
as disk space and usage, operating system patch levels, and installed packages.
.rhosts log-in. Several DBA accounts allow log-ins through .rhosts from any
system, without a password.
Urgency Rating*****
Risk
The combination of these weaknesses would allow an attacker to gain root
access on the Development Cluster. Exploit scripts for several of the
vulnerabilities are freely available on the Internet.
Recommendations
Update all patch levels; examine all running services and justify their
existence; install an IDS and I&A service to verify all access to the servers;
and consider adding a firewall to separate the Sun Clusters from the rest of
the network.
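The following is an added example, not part of the report: an offline audit of the trust configuration behind several of the items in this finding, the NFS share table and the .rhosts file. It parses Solaris-style `share -F nfs -o ...` lines as found in /etc/dfs/dfstab and `host [user]` lines as found in .rhosts or hosts.equiv, and flags exports writable by any host, anon=0 (unauthenticated clients mapped to root), access lists that reach outside the trusted domain, and `+` wildcards in .rhosts. Both file contents and the domain name client.example are constructed.

```python
"""Added example, not part of the report: audit constructed dfstab and .rhosts
contents for the wildcard trust and out-of-domain exports the finding describes."""
import shlex

DFSTAB = """\
# constructed /etc/dfs/dfstab for the development cluster
share -F nfs -o rw,anon=0 -d "home dirs" /export/home
share -F nfs -o rw=devsun1:build.partner.example /export/src
share -F nfs -o ro=.client.example /export/patches
"""

RHOSTS = """\
# constructed ~oracle/.rhosts on a development node
devsun1 oracle
+ +
dbabox.partner.example dba
"""


def outside_domain(host, trusted):
    if host.startswith("@"):          # netgroup: cannot be judged offline
        return False
    if host.startswith("."):          # dfstab domain form, e.g. ".client.example"
        return host[1:] != trusted
    return "." in host and not host.endswith("." + trusted)   # unqualified = local


def parse_share(line):
    """Return (path, {option: value}) for a `share` line, or None."""
    toks = shlex.split(line, comments=True)
    if len(toks) < 2 or toks[0] != "share":
        return None
    opts, i = {}, 1
    while i < len(toks) - 1:            # last token is the shared path
        if toks[i] == "-o":
            for opt in toks[i + 1].split(","):
                key, _, val = opt.partition("=")
                opts[key] = val
            i += 2
        elif toks[i] in ("-F", "-d"):
            i += 2
        else:
            i += 1
    return toks[-1], opts


def audit_dfstab(text, trusted):
    issues = []
    for line in text.splitlines():
        parsed = parse_share(line)
        if parsed is None:
            continue
        path, opts = parsed
        if "rw" in opts and opts["rw"] == "":
            issues.append((path, "rw with no host list: writable by any host"))
        if opts.get("anon") == "0":
            issues.append((path, "anon=0 maps unauthenticated clients to root"))
        for key in ("rw", "ro", "root"):
            for host in filter(None, opts.get(key, "").split(":")):
                if outside_domain(host, trusted):
                    issues.append((path, f"{key} list reaches outside {trusted}: {host}"))
    return issues


def audit_rhosts(text, trusted):
    issues = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host, user = fields[0], (fields[1] if len(fields) > 1 else None)
        if host == "+":
            issues.append((line, "any host trusted"))
        elif outside_domain(host, trusted):
            issues.append((line, f"host outside {trusted}"))
        if user == "+":
            issues.append((line, "any user on that host trusted"))
    return issues


if __name__ == "__main__":
    for item in audit_dfstab(DFSTAB, "client.example") + audit_rhosts(RHOSTS, "client.example"):
        print(*item, sep="  ->  ")
```

Netgroup references are passed through unjudged because their membership lives in NIS, which the finding notes an attacker with root could redefine; an audit that trusts netgroups is only as good as the NIS master.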
Finding 3: Mail Server
Several problems were found with the mail server that would allow an attacker
to gain administrator access to the system by sending specially crafted data to
either IIS or Exchange.
These vulnerabilities were:
Using IIS to run arbitrary code
Using IIS to gain ODBC access through RDS
Using IIS to create remote files
Using IIS to view the directory server
SMTP allows remote command execution through the recipient and bounce
filters
Urgency Rating*****
Risk
Each of the above vulnerabilities would allow an attacker to gain domain
administrator privileges on the mail server, granting complete control of
the machine.
Recommendations
Update the mail server to the current patch levels and remove all sample IIS
applications, and the RDS component if it is not required, from the server.
Finding 4: Production Web Server ISAPI Vulnerability
During its external scans across the PIX firewall, Your Company discovered that
the production IIS servers could be shut down by sending repeated ISAPI requests
for extensions that were not installed, such as Cold Fusion. The cause lies in
the way IIS dispatches ISAPI requests. IIS first attempts to service the request
itself; if it cannot, it passes the request data to its ISAPI handler, whose job
is to hand it to the appropriate ISAPI extension, activating that extension if
it is not already running. In this case the extension does not exist, so the
handler returns an error and the data is dropped. Under repeated requests,
however, the handler crashed into an uncontrollable state from which the
operating system could not remove the process. This caused IIS to lock up,
which in turn hung or, in several cases, crashed the Web server.
Urgency Rating*****
Risk
The risk is that anyone on the Internet could flood the CLIENT network with
bogus ISAPI requests and shut down the Web servers.
Recommendations
Proxy servers are designed to handle this type of situation. By placing a
proxy server in front of the Web server and configuring it with the ISAPI
requests that are acceptable to the Web server, the requests that trigger this
failure never reach IIS. Additionally, a DMZ can be set up with either the Web
server or the proxy server on the DMZ to provide further isolation.
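The following is an added example, not part of the report or of any proxy product: the allow-list policy an application proxy in front of the IIS servers would enforce, as recommended above. It serves both the mail server finding (Finding 3, RDS and sample applications) and this ISAPI flood finding: requests whose extension is not one the server actually maps, or that target the RDS or sample-application paths, are refused at the proxy, and a client that keeps sending refused requests is throttled before IIS sees a flood. The request log, the allowed extensions for a site that serves ASP, and the blocked path prefixes /msadc/ and /iissamples/ are constructed assumptions for the demonstration.

```python
"""Added example, not part of the report: an allow-list proxy policy for ISAPI
requests, with per-client throttling of refused requests, run over a
constructed request log."""
from collections import Counter, defaultdict, deque
from urllib.parse import urlsplit
import posixpath


class IsapiProxyPolicy:
    def __init__(self, allowed_ext, blocked_prefixes, burst=20, window=10.0):
        self.allowed_ext = {e.lower() for e in allowed_ext}
        self.blocked_prefixes = tuple(p.lower() for p in blocked_prefixes)
        self.burst, self.window = burst, window
        self.rejects = defaultdict(deque)   # client -> timestamps of refused requests

    def decide(self, ts, client, method, target):
        """Return "pass" or a "block:<reason>" verdict for one request."""
        path = posixpath.normpath(urlsplit(target).path)   # collapse /./ and /../
        ext = posixpath.splitext(path)[1].lower()
        if path.lower().startswith(self.blocked_prefixes):
            verdict = "block:sample-or-rds-path"            # RDS endpoint, sample apps
        elif method not in ("GET", "HEAD", "POST"):
            verdict = "block:method"
        elif ext and ext not in self.allowed_ext:
            verdict = "block:unmapped-extension"            # e.g. .cfm with no Cold Fusion
        else:
            return "pass"
        # Refused requests count against the client; a burst inside the window
        # switches the client to throttled so IIS never sees the repeated calls.
        q = self.rejects[client]
        q.append(ts)
        while q and q[0] < ts - self.window:
            q.popleft()
        return "block:client-throttled" if len(q) >= self.burst else verdict


def sample_requests():
    """Constructed (ts, client, method, target) records."""
    reqs = [
        (10.0, "198.51.100.7", "GET", "/default.asp"),
        (10.5, "198.51.100.7", "GET", "/images/logo.gif"),
        (11.0, "198.51.100.8", "HEAD", "/index.htm"),
        (11.5, "198.51.100.8", "GET", "/default.asp?id=1"),
        (20.0, "203.0.113.4", "POST", "/msadc/msadcs.dll"),                      # RDS probe
        (20.5, "203.0.113.4", "GET", "/iissamples/exair/howitworks/codebrws.asp"),
    ]
    # One client hammering a Cold Fusion extension the server does not map.
    reqs += [(100.0 + i * 0.1, "203.0.113.9", "GET", "/index.cfm") for i in range(25)]
    return reqs


def run_sample():
    policy = IsapiProxyPolicy(allowed_ext={".asp", ".htm", ".html", ".gif", ".jpg"},
                              blocked_prefixes=["/msadc/", "/iissamples/"])
    return dict(Counter(policy.decide(*req) for req in sample_requests()))


if __name__ == "__main__":
    for verdict, n in sorted(run_sample().items()):
        print(f"{n:3d}  {verdict}")
```

The allow-list is deliberately expressed in terms of what the server maps rather than what is known to be bad; that is what lets the proxy refuse an extension the site never installed, which a blocklist built from past incidents would not.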
Finding 5: Development Web Server
The development Web server has several vulnerabilities that would allow an
attacker to gain administrator privileges. If the production servers are
configured the same way, they suffer the same vulnerabilities.
The vulnerabilities are:
Netscape Enterprise buffer overflows. Several buffer overflow exploits exist
for Netscape Enterprise Server; most of them yield an elevated privilege level.
FTPD arguments DoS / FTP PASV DoS. The FTP server running on the machine is
vulnerable to denial-of-service (DoS) attacks.
rpc.statd. Although the server is running Windows NT, an rpc.statd service has
been added to the machine, either stand-alone or as part of Netscape Enterprise
Server. The machine is therefore vulnerable to the rpc.statd exploit described
for the Development Sun Cluster.
LDAP access. LDAP is installed on the server, and anonymous access is granted
to view and modify data in the directory.
Urgency Rating*****
Risk
These vulnerabilities would allow an attacker to gain full administrative rights
to the server. If the production devices are configured the same way, they are
similarly vulnerable.
Recommendations
Update all software to the current patch levels and examine all services running
on the system. Any services not justified should be removed.