Dangers with Multi-tier Attacks

Attacking applications such as SharePoint is not always a toe-to-toe battle. Sometimes, it is fruitful to take the path of least resistance. Although the SharePoint application itself may be fully patched and all of the best security practices may be followed, the data SharePoint serves may still be exposed through the other tiers that support it. The following scenarios provide a detailed look at how such an attack unfolds from the eyes of an attacker.

Epic Fail

Using advanced search operators in search engines can sometimes allow attackers to identify and index information that organizations may not always want to be made public. The following query can reveal sensitive information about a SharePoint Server, its configuration, and content.

site:.com "all site content"

The advanced search operator “site:.com” restricts the search results to .com Web sites only, and the quoted phrase “all site content” matches pages that contain that exact string. SharePoint sites include that string in their pages, so the query surfaces many Web sites that may not have properly protected access to all of their resources. In some cases, this exposure is by design and the information found is harmless, but in many cases the search reveals interesting results.

Scenario 1: Leveraging Operating System Vulnerabilities

Our first scenario looks at how the data a SharePoint Server is hosting can be compromised by indirect attacks. Operating systems today are fairly complex compared with those developed back in the days of Windows NT 3.1. Millions of lines of code have been added to provide organizations the tools they need to continue expanding network services and to provide solutions for complex business challenges.

New functionality may provide opportunities for attackers to leverage flaws found in the application. This will not be a lecture on secure coding habits, but let us be quickly reminded that no developer or development organization can account for all types of errors within applications. Many references that pinpoint the top programming flaws leading to system compromise, data loss, and degradation of service exist today; however, simple mistakes are still made during development, allowing attackers to continue taking advantage of unforeseen exceptions. One valuable resource available from the SysAdmin, Audit, Network, Security (SANS) Institute is the “CWE/SANS TOP 25 Most Dangerous Programming Errors.”[C]

[C] www.sans.org/top25errors/

Now that we have built the foundation for this attack scenario and understand how flaws in operating systems, databases, and almost any other application can be leveraged, let's take a look at what our attacker is up to now. Before attacking an application such as SharePoint, an attacker will first conduct initial reconnaissance to identify the services running on a server; this helps determine the exploitability of the target and of the supporting infrastructure. Figure 7.2 is the output from a port scanning session performed using Nmap.

FIGURE 7.2. Nmap Scan

As seen in Figure 7.2, the attacker's target has many services open and awaiting interaction from users and applications. A skilled attacker will be able to review the list of open ports and identify further steps that can be taken to enumerate information from the services. Our target system has a variety of services running that provide multiple opportunities for the attacker.

Some of these services may not usually be available or visible from the attacker's perspective if the attack is Internet-based. Attacks sourced internally will typically yield results similar to what we see in our Nmap scan. Attacks sourced from within the trusted internal network could be the work of malicious employees or of attackers who have already gained access to internal resources. A good example of an internally sourced attack is described in Chapter 5, “Office – Macros and ActiveX.”
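Figure 7.2 is not reproduced here, so the following added example (not part of the chapter) works over a constructed Nmap XML scan of a hypothetical SharePoint web front end and reports every open port that falls outside the baseline an Internet-facing front end should expose. The host address, the service names and the baseline of ports 80 and 443 are assumptions for the example; an exposed SQL Server, SMB or RDP listener is exactly the kind of extra tier the scenarios in this chapter rely on.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap -oX output standing in for Figure 7.2 (not the chapter's own scan):
# a SharePoint web front end that also exposes SMB, RDP and a SQL Server listener.
NMAP_XML = """
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd" version="7.0"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s" product="Microsoft SQL Server"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical baseline: the only ports an Internet-facing SharePoint front end should answer on.
EXPECTED_EXTERNAL = {80, 443}


def open_ports(nmap_xml):
    """Return {ip: {port: service label}} for every open TCP port in Nmap XML output."""
    result = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address").get("addr")
        ports = {}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not reachable tiers
            svc = port.find("service")
            fields = () if svc is None else (svc.get("name"), svc.get("product"), svc.get("version"))
            ports[int(port.get("portid"))] = " ".join(f for f in fields if f) or "unknown"
        result[addr] = ports
    return result


def unexpected_exposure(nmap_xml, allowed=EXPECTED_EXTERNAL):
    """Open ports outside the baseline: each one is an extra tier an attacker can reach directly."""
    return {ip: {p: s for p, s in ports.items() if p not in allowed}
            for ip, ports in open_ports(nmap_xml).items()}


if __name__ == "__main__":
    for ip, ports in unexpected_exposure(NMAP_XML).items():
        for p, s in sorted(ports.items()):
            print(f"{ip}:{p} should not be reachable from this vantage point ({s})")
```

Running the same check against scans taken from the Internet and from the internal network shows which tiers are reachable from each vantage point, which is the comparison the paragraph above describes.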

Note

A common tool used by attackers and penetration testers to identify open ports and services is Nmap.[D] This tool gives an attacker a very good idea of what types of services are running on a target system and, subsequently, the types of attacks an attacker may want to consider based on the results of the scan. The tool also provides many options to assist the attacker with evasion, operating system fingerprinting, and identifying applications.

[D] http://nmap.org/

The power of this tool lies in the many different types of scans that can be performed and its capability to scan very specific or very wide ranges of targets. Nmap is also very accurate in its output of information and has a very large community of users who share different scanning techniques, based on the goal of the scans that need to be done.

Some scanning techniques are used to limit the exposure of the attacker and run as silently as possible to avoid detection by firewalls, intrusion detection systems, and intrusion prevention systems. On the other hand, if there is no requirement to remain stealthy, Nmap can run fast and loud to get the job done very quickly.

Without question, Nmap is a must-have application for anyone who is responsible for assessing the security of networks. This tool should be a standard part of the Information Technology administrator's toolkit.

The Nmap scan may provide some results that are immediately interesting to the attacker. Some of the services have widely publicized vulnerabilities with stable exploit code available on Internet Web sites. An attacker will not only scan for open ports using tools such as Nmap, but will also attempt to identify or “fingerprint” the services running on those ports. This process allows attackers to narrow down the possible attack vectors and determine what types of vulnerabilities may be leveraged.

Warning

Classifying vulnerabilities is beyond the scope of this chapter; however, several methods of vulnerability identification are available. Manual identification of vulnerabilities can be as simple as banner grabbing with tools such as telnet and netcat and cross-referencing application versions with vulnerability databases such as Secunia,[E] the Open Source Vulnerability DataBase,[F] and SecurityFocus.[G] When assessing a large enterprise with a significant number of systems, however, this task may be overwhelming.

[E] http://secunia.com/advisories/

[F] http://osvdb.org/

[G] www.securityfocus.com/vulnerabilities

Automated scans can be performed using tools such as Nessus,[H] or services can be contracted from companies specializing in penetration testing and vulnerability assessment and identification. For larger organizations, this may be preferable due to the scope and number of systems that need to be assessed.

[H] www.nessus.org/nessus/

Once vulnerabilities are identified, the attacker can attempt to leverage them using exploits. An exploit can be anything from a simple directory traversal using a standard Web browser to an exploit leveraging a stack or heap buffer overflow that gives the attacker unrestricted access. In our scenario, the attacker has chosen to leverage one of the many flaws in the Windows operating system to cause a stack-based buffer overflow and gain complete control of the operating system.

Now that the attacker has full control of the operating system, he can access the SharePoint data that was previously protected only by a Web login page. The SharePoint Server and all of its contents have now been fully compromised, and the attacker holds all of the secrets previously protected by the system.

The attacker may decide to add users to the system or connect to the database to steal proprietary information. If the attacker wanted to conduct further attacks against the organization, he might modify documents by placing malicious code in them and upload them to the SharePoint site. When users log into the SharePoint site and open the malicious documents, the payload may execute, allowing the attacker additional access. The loss of confidentiality and integrity of the data stored in SharePoint can cost organizations a lot of money, depending on the sensitivity of the data stored on the server.

Now that we have looked at this scenario and identified how attackers can use multi-tier attacks against the operating system platform to compromise SharePoint and other services, seriously consider what important data may be stored in your particular implementation of SharePoint. Possible examples include financial information and intellectual property contained in document libraries; contact information that could be considered private; and application defects tracked in SharePoint lists, which could identify vulnerabilities that would-be attackers could exploit; among many, many others. Security of the data within your SharePoint implementation should cover all of the tiers identified earlier in Figure 7.1.

Scenario 2: Indirect Attacks

Another avenue of attack is to leverage vulnerabilities in other software residing on hosts that are trusted within the same network as our SharePoint Server. In the earlier scenario, the platform (operating system) was attacked with the goal of compromising the SharePoint installation. In this scenario, other applications are attacked in order to reach SharePoint. A poorly supported patch management program can sometimes allow application flaws to be leveraged to gain access to operating system resources. Even applications that are installed to protect systems, such as antivirus and firewall software, can be used by attackers to take control of systems and the data residing on them.

The following attack scenario focuses on the attacker gaining administrative control of the server hosting the SharePoint database by leveraging an application flaw. This scenario involves a deployment in which the SharePoint front end and IIS are hosted on one server and the SQL Server database storing all of the SharePoint data is on a separate server.

After the attacker has finished port scanning and identifying the services running on the target, he learns the target is running popular antivirus software with a well-known vulnerability. The software has been identified as Symantec Antivirus 10.1, and the attacker was able to identify the vulnerability by using the Nessus vulnerability scanner. The description of the vulnerability can be found in several vulnerability databases as well as on the Nessus Web site.[I]

[I] www.nessus.org/plugins/index.php?view=single&id=24236

After the attacker confirms that the version of the software is vulnerable and susceptible to exploitation, and he feels he will be successful, he launches an attack using an exploit included in the Metasploit Framework. Upon successful exploitation of the vulnerability, the attacker has complete control of the system, working under the context of the SYSTEM[J] account as described in the information provided on the Nessus Web site.

[J] http://support.microsoft.com/kb/120929

While working under the context of the SYSTEM account, the attacker gains access to the SQL Server instance that holds all of the data written by the SharePoint application. Even though the SharePoint application itself resides on a separate server, the attacker has been able to reach the important data stored in the database.

In addition, if the attack is successful and the payload sent to the target has opened a remote shell, the attacker can obtain the system's password hashes and crack them offline for later use. Cracking the password hashes obtained from the system may provide the attacker with passwords that are reused on other systems within the network.
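The post-exploitation state this scenario ends in, a command shell running as SYSTEM that was started by an exploited service rather than by the operating system, is a pattern a defender can look for in process-creation telemetry. The following added example (not from the chapter) runs that check over constructed records in a shape loosely modelled on Sysmon process-creation events; the process names, in particular the hypothetical antivirus service "avengine.exe", and the parent baseline are assumptions.

```python
import json
from pathlib import PureWindowsPath

# Constructed process-creation records (not telemetry from the chapter's scenario).
# "avengine.exe" is a hypothetical antivirus service process running as SYSTEM.
EVENTS = [
    r'{"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\AV\\avengine.exe","User":"NT AUTHORITY\\SYSTEM","Time":"09:14:02"}',
    r'{"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\explorer.exe","User":"CORP\\alice","Time":"09:15:10"}',
    r'{"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\svchost.exe","User":"NT AUTHORITY\\SYSTEM","Time":"09:16:44"}',
    r'{"Image":"C:\\Program Files\\AV\\avscan.exe","ParentImage":"C:\\Program Files\\AV\\avengine.exe","User":"NT AUTHORITY\\SYSTEM","Time":"09:17:01"}',
]

SHELLS = {"cmd.exe", "powershell.exe"}
# Parents from which a SYSTEM shell is expected on this build (hypothetical baseline;
# tune it from a clean host before relying on it).
EXPECTED_SYSTEM_PARENTS = {"services.exe", "svchost.exe"}


def basename(path):
    return PureWindowsPath(path).name.lower()


def is_suspicious(event):
    """A shell running as SYSTEM whose parent is not one of the expected system parents."""
    return (basename(event["Image"]) in SHELLS
            and event["User"].upper() == "NT AUTHORITY\\SYSTEM"
            and basename(event["ParentImage"]) not in EXPECTED_SYSTEM_PARENTS)


def find_system_shells(lines):
    """Return (time, parent, child) for every suspicious record among JSON log lines."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if is_suspicious(ev):
            hits.append((ev["Time"], basename(ev["ParentImage"]), basename(ev["Image"])))
    return hits


if __name__ == "__main__":
    for t, parent, child in find_system_shells(EVENTS):
        print(f"{t} {parent} -> {child} running as SYSTEM")
```

Only the shell spawned by the antivirus service is reported; the user's own cmd.exe and the SYSTEM PowerShell started by svchost.exe match the baseline and are ignored.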

How Multi-tier Attacks Will Be Used in the Future

The earlier examples have provided an overview of how multi-tier attacks may be used to gain unauthorized access to SharePoint resources. They also show why multi-tier attacks have been a valuable methodology that attackers have used for many years with great success. What does the future hold for attackers and for the system administrators who need to defend against them?

Over the last several years, Microsoft and other vendors have started to slowly implement controls to reduce the exposure to some multi-tiered attacks; however, multi-tier attacks will continue to be a standard attack methodology for gaining access to resources. The multilayered approach to developing and deploying applications will ensure the longevity of these attack patterns.

It is important to make sure implementation efforts do not hamper security efforts. The necessary steps should be taken to ensure that the deployment of newly commissioned systems follows best practices and that proper system maintenance procedures are followed and enforced. Future attacks can be minimized by learning from the mistakes of the past (many of which are documented). An extensive list of configuration and security guides for SharePoint Server 2007 can be found at the Microsoft SharePoint Server TechCenter.[K]

[K] http://technet.microsoft.com/en-us/library/cc262788.aspx
