Lecture 10. Windows 95/NT Vulnerabilities

10.1 Holes in general

A hole is any feature of hardware or software that allows unauthorized users to gain access or increase their level of access without authorization. So a hole is nothing more than some form of vulnerability. There are different types of holes, including

Holes that allow denial of service (class C)

SYN Flooding attack on TCP

ICMP Unreachable attack

Java applets spawning Navigator Windows

CHARGEN attack on Windows 95

Holes that allow local users with limited privileges to increase those privileges without authorization (class B)

sendmail bugs

buffer overflow

SetUID, SetGID holes

Holes that allow outside parties (on remote hosts) unauthorized access to the network (class A)

Bugs in FTP, Gopher, Telnet, Sendmail, NFS, ARP, Portmap, finger, ...

10.2 Windows 95/NT Vulnerabilities

Password protection of Windows 95 workstation: doesn't seem to work; even if it does it can be easily compromised by Registry editor, which can be freely invoked in a Safe mode.

Windows 95/NT Applications: Word macro viruses, ActiveX, ...

SMB (Server Message Blocks) file sharing protocol bug + MS IE: reveals user passwords (see Windows 95 and MSIE Security Hole -- http://www.security.org.il/msnetbreak/)

IE + PPT: may allow execution of local programs

Hacking tools on File Sharing

Legion

SMB Scanner

Shareview

Mirror21

Nat10bin

Direct access on NTFS (without user authentication)

NTFSDOS from DOS

Linux mounting NTFS

Denial of Service Attacks

Land attack on Win 95: use packets with same source and destination address, causing TCP loopback

Win 95/NT IP fragment overlap

Win 95/NT OutOfBand (OOB) Data Attack

Attacks to become SYSTEM/admin

Sechole

Back doors

Back Orifice

Netbus

Netcat

Windows NT Security Resources (http://www.disastercenter.com/ntos.htm)

PLUSÀÇ Back Orifice ÀÚ·á

Back Orifice¶õ
- 1998³â 8¿ù Cult of Dead Cow¶ó´Â ÇØÄ¿±×·ì¿¡¼ ³»¾î ³õÀº Windows Trojan program
- Back Orifice ´Â ÀÏ´Ü Windows 95/98¿¡ ±ò¸®±â¸¸ ÇÏ¸é ¾ðÁ¦°í ±× ½Ã½ºÅÛÀ» Á¶ÀÛÇÏ°Å³ª, Æ÷¸äÇÏ°Å³ª ÇÒ ¼ö ÀÖ´Â °·ÂÇÑ ÇÁ·Î±×·¥
- Back Orifice´Â tcp/ip connection°ú °£´ÜÇÑ consol, GUI applicationÀ» ÀÌ¿ëÇÏ¿© ¿ø°Å¸® ÄÄÇ»ÅÍÀÇ Á¦¾î¸¦ °¡´ÉÇÏ°Ô ÇÏ´Â ¿ø°Ý administration ½Ã½ºÅÛÀÌ´Ù. Áö¿ª LANÀÌ³ª È¤Àº ÀÎÅÍ³Ý¿¡¼ Back OrificeÀÇ »ç¿ëÀÚ´Â ´ë»ó ÄÄÇ»ÅÍÀÇ º»·¡ »ç¿ëÀÚº¸´Ù ´õ ¸¹Àº Windows ½Ã½ºÅÛ Á¦¾î±ÇÀ» Á¦°ø¹Þ°Ô µÈ´Ù.
Back Orifice ÀÇ ±¸¼º
¾ÐÃàÀ» Ç®¸é ´ÙÀ½°ú °°Àº ÆÄÀÏÀÌ ³ª¿Â´Ù.
- Boserve.exe - BO ¼¹ö(°ø°Ý ´çÇÒ ½Ã½ºÅÛ¿¡ ¼³Ä¡µÊ)
- bogui.exe - BO Å¬¶óÀÌ¾ðÆ®(GUI ½ºÅ¸ÀÏ)
- boclient.exe - BO Å¬¶óÀÌ¾ðÆ®(ÅØ½ºÆ® º£ÀÌ½ºÀÇ ÄÜ¼Ö¿ë)
- boconfig.exe - BOÀÇ °¢Á¾ ¼³Á¤À» À§ÇÑ ÇÁ·Î±×·¥ (¼û°Ü ³õÀ» ÇÁ·Î±×·¥ÀÇ ÀÌ¸§ ÆÐ½º¿öµå, »ç¿ëÇÒ Æ÷Æ®(port)µîÀ» ¼³Á¤
- bo.txt - BO ¼³¸í¼
- melt.exe - freeze·Î ¾ÐÃàÇÑ ÆÄÀÏÀÇ ¾ÐÃà ÇØÁ¦
- freeze.exe - ÆÄÀÏÀÇ ¾ÐÃà
- plugin.txt - ÇÃ·¯±ä ¸¸µé±â¿¡ ´ëÇÑ ¼³¸í
- Unix ¿ë Å¬¶óÀÌ¾ðÆ®
BO(Back Orifice)ÀÇ ¼³Ä¡
- ÇÑ Windows ½Ã½ºÅÛ¿¡¼ ´Ü¼øÈ÷ ½ÇÇà¸¸ µÇ¸é BO ¼¹ö°¡ ÀåÂøµÈ´Ù.
- BO´Â ¾ÆÁÖ ÀÛ°í, ½º½º·Î ÀåÂøµÇ´Â Æ¯¼ºÀ» °®°í ÀÖ´Ù.
- º¸±ÞÀ» µ½±â À§ÇØ BO´Â ÀÓÀÇÀÇ Windows application ½ÇÇà ÆÄÀÏ¿¡ µ¡ºÙ¿©Á®µµ µÇµµ·Ï ¸¸µé¾îÁ³´Ù.
- BO °¡ µ¡ºÙ¿©Áø applicationÀº BO ¼¹öÀÇ ÀåÂø ÀÌÈÄ¿¡ Á¤»óÀûÀ¸·Î °¡µ¿µÈ´Ù.
- ½ÇÇà¸¸ µÇ¸é, BO´Â Å×½ºÅ© ¸®½ºÆ®¿¡µµ, Ctrl-alt-del ¸®½ºÆ®¿¡µµ ³ªÅ¸³ªÁö ¾Ê°ÔµÇ¸ç, ÄÄÇ»ÅÍ°¡ ºÎÆÃµÇ¸é ¸Å¹ø Àç½ÇÇàµÈ´Ù. BO ½ÇÇà½Ã °®°Ô µÇ´Â ÆÄÀÏ ÀÌ¸§Àº ¼¹ö ¼³Ä¡ ÀÌÀü¿¡ º¯°æÀÌ °¡´ÉÇÏ´Ù.
Back OrificeÀÇ ±â´É
- ½Ã½ºÅÛ Á¦¾î
  - ÀÌ ÇÁ·Î±×·¥ÀÇ »ç¿ëÀÚ°¡ ¿øÇÏ´Â ³»¿ëÀ» °¡Áø ´ÙÀÌ¾ó·Î±× ¹Ú½º¸¦ ¸¸µé ¼ö ÀÖ½À´Ï´Ù. ´çÇÏ´Â ÂÊ »ç¿ëÀÚ°¡ ÀÔ·ÂÇÏ´Â Å°º¸µå ÀÔ·ÂÀ» ±â·ÏÇÒ ¼ö ÀÖ½À´Ï´Ù.
  - ½Ã½ºÅÛÀ» ÀçºÎÆÃÇÒ ¼ö ÀÖ½À´Ï´Ù.
  - ´ÙÀ½°ú °°Àº ½Ã½ºÅÛ Á¤º¸¸¦ ¼öÁýÇÒ ¼ö ÀÖ½À´Ï´Ù.
    - ÇöÀç »ç¿ëÀÚ
    - CPU Å¸ÀÔ
    - Windows ¹öÀü
    - ¸Þ¸ð¸® »ç¿ëÇöÈ²
    - ÀåÂøµÈ µð½ºÅ©( ÇÏµåµð½ºÅ©, CDRoms, ÂøÅ»½Ä µð½ºÅ© ¿Ü ¿ø°Ý ³×Æ®¿öÅ© Æ÷ÇÔ)
    - È¸é º¸È£±â ¾ÏÈ£
    - »ç¿ëÀÚ¿¡ ÀÇÇØ Ä³½¬µÈ ÆÐ½º¿öµå( ÀüÈÁ¢¼Ó ÆÐ½º¿öµå, À¥ ÆäÀÌÁö¿Í ³×Æ®¿öÅ© µî OS °¡ Ä³½¬ÇÑ ¸ðµç ÆÐ½º¿öµå)
- ÆÄÀÏ ½Ã½ºÅÛ Á¦¾î
  º¹»ç, ÀÌ¸§º¯°æ, »èÁ¦, º¸±â, ÆÄÀÏ°ú µð·ºÅä¸® Å½»ö, ±×¸®°í ¾ÐÃà°ú ±× ÇØÁ¦µµ °¡´É
- ÇÁ·Î¼¼½º Á¦¾î
  ¸®½ºÆÃ, Á¦°Å, ½ºÆù ÇÁ·Î¼¼¼
- ·¹Áö½ºÆ®¸® Á¦¾î
  ·¹Áö½ºÆ®¸®ÀÇ ¸®½ºÆÃ, »ý¼º, »èÁ¦, ¼¼Æ® Å°¿Í ±× °ª º¯°æ
- ³×Æ®¿öÅ© Á¦¾î
  »ç¿ë °¡´ÉÇÑ ¸ðµç ³×Æ®¿öÅ© ÀÚ¿øÀ» º¸¿©ÁÖ°í, ¶Ç ¸ðµç connectionÀÇ Á¢¼Ó, ÇØÁ¦¸¦ ¾Ë·ÁÁØ´Ù. ³×Æ®¿öÅ© connectionÀÇ »ý¼º°ú »èÁ¦, ±×¸®°í exportµÈ ¸ðµç ÀÚ¿ø°ú ±× ÆÐ½º¿öµå, exportÀÇ »ý¼º°ú »èÁ¦ ¶ÇÇÑ °¡´ÉÇÏ´Ù.
- ¸ÖÆ¼¹Ìµð¾î Á¦¾î
  wav ÆÄÀÏ Àç»ý, ½ºÅ©¸° ¼¦ Ä¸Ãç, ºñµð¿À Ä¸Ãç¿Í ºñµð¿À ÀÔ·Â±â±â(¿¹:Quickcam µî)ÀÇ ºñµð¿À¿Í Á¤ÁöÈ¸é Ä¸Ãç
- ÆÐÅ¶ ¸®´ÙÀÌ·º¼Ç
  TCP È¤Àº UDP Æ÷Æ®ÀÇ ¸ðµç ÀÎÄ¿¹ÖÀ» ´Ù¸¥ ÁÖ¼Ò¿Í Æ÷Æ®·Î ¸®´ÙÀÌ·ºÆ®
- Application ¸®´ÙÀÌ·º¼Ç
  ÄÜ¼Ö application(command.com µî)ÀÇ ´Ù¸¥ TCP Æ÷Æ®·ÎÀÇ ½ºÆùÀ¸·Î ÅÚ³Ý¼¼¼ÇÀ» ÅëÇÑ application Á¦¾î°¡ °¡´ÉÇÏ´Ù.
- HTTP ¼¹ö
  ÀÓÀÇÀÇ Æ÷Æ®¸¦ ÅëÇØ NetscapeµîÀÇ wwwÅ¬¶óÀÌ¾ðÆ®¸¦ ÀÌ¿ëÇÑ ÆÄÀÏ ¾÷·Îµå¿Í ´Ù¿î ·Îµå
- ³»Àå ÆÐÅ¶ ½º´ÏÆÛ
  ³×Æ®¿öÅ© ÆÐÅ¶ÀÇ °¨½Ã¿Í, Åë°úÇÏ´Â ¸ðµç ÅØ½ºÆ® ÆÐ½º¿öµå ·Î±ë.
- ÇÃ·¯±×ÀÎ ÀÎÅÍÆäÀÌ½º
  plugin ÀÛ¼º °¡´É, BOÀÇ ¼û°ÜÁø ½Ã½ºÅÛ ÇÁ·Î¼¼½º¿¡ ±× ÄÚµå ½ÇÇàÀÌ °¡´É