Common Security Exploit and Vulnerability Matrix

Matrix Key: Service or Application | Information | Exploit or weakness | File

(Only those matrix cells whose service, weakness and file could be reassembled from this copy of the poster are listed below, grouped by service; the remaining cells are not recoverable. The explanatory sidebars follow the matrix.)

User enumeration and information leaks
  cfingerd - local user can link .forward, .plan, or .project and fingerd will read the linked file as uid 0 (i.e., read /etc/shadow). File: .plan
  fingerd (79 tcp) - user@host@host redirection; .@host and 0@host reveal users who have never logged in; GNU fingerd can execute any command from remote.
  rusers (udp) - reveals logged on users.
  systat (11 tcp) - gives away system state information, including which software is running on the machine.
  ident - attacker can use ident to determine which account processes are running under.
  netstat - gives away network state information to an attacker.
  /var/adm/SYSLOG (Irix) - contains names of invalid logins and is world readable.
  Dr. Watson log file - may contain passwords/keys; leaks information about the system.
  slapd.log (/var/opt/SUNWconn/ldap/log/slapd.log) - stores cleartext passwords; world readable.
  Real Media server - cleartext password in world readable /usr/local/rmserver/rmserver.cfg.
  Cheyenne ArcServe - stores cleartext password in test.log.
  Cisco Resource Manager - /var/adm/CSCOpx/files/schedule/job-id/swim_swd.log, C:\Program Files\CSCOpx\files\schedule\job-id\swim_swd.log, C:\Program Files\CSCOpx\temp\dbi_debug.log and C:\Program Files\CSCOpx\temp\DPR_* can leak passwords and state information.
  Citrix Winframe - stores pseudoencrypted password in /usr/lib/ICAClient/config (mode 777) or ~/.ICAClient (mode 755).
  ICQ - stores cleartext password in ICQ\NewDB\uin#.dat; ICQ packets leak internal IP addresses on multi-homed machines.
  ExchAuthenticate() - called with NTServerName, NTDomainName, adminMailbox, adminLoginName and password in cleartext.

Web servers and CGI
  IIS (80 tcp) - IIS script can capture domain passwords via the AUTH_PASSWORD variable; asp dot bug shows raw source (asp interpreter); asp pages can access files not in the web root (allow parent paths); MDAC RDS DataFactory lets an unauthenticated remote user tunnel ODBC requests through MDAC, bypass firewalls and access files not in the web root (IIS 3.0 and misconfigured IIS 4.0 servers; ODBCJT32.DLL).
  Microsoft Scripting Runtime (Scripting.FileSystemObject, OpenTextFile) - can view any file on the target and alter the filesystem.
  Forms 2.0 Control (/winnt/system32/fm20.dll) - can paste the user's clipboard.
  Apache - buffer overflow in cookie handling.
  cgi-bin - phf, test-cgi and nph-test-cgi (list files anywhere on the machine), formmail, anyform, guestbook, cachemgr.cgi (cachemgr_passwd).
  WebSite Server - buffer overflow in cgi-shl/win-c-sample.exe; remote user executes code.
  Alibaba httpd - read any file.
  iCat Carbo Suite (carbo.dll) - http://host/carbo.dll?icatcommand=..\..\*z reads any file.
  Allaire Forums - http://host/GetFile.cfm?FT=Text&FST=Plain&FilePath=C:\*.* reads any file.
  Cold Fusion Server - //CFDOCS/expeval allows upload and execution of any code via uploader.exe.
  Bay Networks Annex - DoS via http://annex.www.server/ping?query=
  Wingate (8010 tcp LogFile service) - http://www.server.com:8010/c:/ (NT/Win9x), http://www.server.com:8010// (NT/Win9x) and http://www.server.com:8010/..../ (Win9x) read any file; can connect to itself causing DoS; port redirection can bounce TCP sessions; blank admin password.
  Cisco WCCP - no authentication in web caching allows a remote intruder to intercept all HTTP requests.

Client software
  Excel (*.xls documents, Excel Scripting Engine) - a web document can execute Microsoft JET 3.5X commands on the client workstation; the Excel CALL statement can call any DLL function; the shell() VBA command can execute arbitrary commands from remote.
  Outlook 98/Express - attachment filename field overflow; execute remote code.
  logon.scr (*.scr) - the default screensaver can be replaced with a trojan and it will run under the SYSTEM account.
  Back Orifice (31337 udp), Netbus (12345 tcp) - trojans providing remote control and password/session/audio/video/keystroke sniffing.
  RASMAN.EXE - RAS API has several buffer overruns (post SP5 hotfix).
  Guest account (NT) - has blank password.
  CIFS - challenge is encrypted with the user's password hash and can be dictionary cracked (L0phtcrack).

Mail
  sendmail (25 tcp) - sendmail -oEfilename_to_read reads any file; sendmail -d bug gets root (sendmail -d3294967296); send/vrfy/expn/mail from:/rcpt to: commands buffer overflow; overflow of the syslog() function gets root; MIME buffer overflow gets root; inserting newlines into queue files causes arbitrary commands to be run; link /var/tmp/dead.letter to any file and appended data gets root (via /etc/passwd); mail to program (RCPT TO: |, MAIL FROM: |/bin/sed'1,/^$/d|/bin/sh); decode alias pipes mail through decode; aliases piped to programs; Wizard mode backdoor gives root; DEBUG mode allows remote execution of commands as root; REHUP attack causes any program to be run as root; relaying allows anonymous spamming; mail can be forged from any address; VRFY can be used to identify valid user accounts; EXPN finds destination addresses of aliases; EHLO reveals which extended SMTP commands the server accepts.
  Majordomo - 'REPLY TO:' backtick attack executes arbitrary commands.
  AMaVIS scanmails script - expands the subject heading of email and executes it; malicious subject headings could cause arbitrary commands to be run as root.
  Seattle Labs SLMail - registry key HKLM\Software\Seattle Lab\SLMail\Users set world writable; buffer overflow; SLMail 3.1 buffer overflow on port 27 (HELO/VRFY/EXPN); read any file as the SYSTEM account, including the SAM database, by setting a user's "finger file" to point at the target file.
  Cmail 2.3 - pseudoencrypts passwords into user.db; user.db is world readable.
  pop3 (110 tcp) - password is sent in cleartext.
  Imail 4.06 - LDAP buffer overflow; imapd [AUTHENTICATE] overflow gets remote root.
  ipop2d (109 tcp, POP2) - [FOLD] overflow; remote user can get a shell.
  Exchange - LDAP Bind Request buffer overflow.

FTP
  ftp (21 tcp, 20 tcp ftp-data) - wu-ftpd SITE EXEC allows commands to be executed from remote; IIS FTPd lets anonymous users write c:\winnt\*; PASV DoS: issue many PASV in succession and use up all ports; CWD using RNFR (155 characters or more) buffer overflow; QUOTE CWD to reach the tar directory and execute arbitrary commands (ftpd tar); exec chmod on the ftp root directory; dump core and read the cached /etc/shadow (core file has shadowed password hashes); CWD ~root to get root; 'cd ..' to the unexported parent filesystem; incorrectly configured servers allow users write access to directories; many servers open data ports in sequential order, making it easier to hijack PASV connections; FTP password file may contain hashes; GUEST account allows liberal access (get any file); creating files with a '/' in the filename can lead to DoS; FTP bounce attack bounces TCP connections and HTTP requests; PASV hijacking steals files and directory listings.

RPC, NFS and NIS
  rpcbind/portmap (111) - some versions listen on ports other than 111, possibly defeating firewall port filtering; portmapper can be used to find vulnerable RPC services; services can be registered/unregistered; pmap_call can bounce remove/add requests and bypass security; portmapper overflow.
  rpc.ypupdated - remote user executes commands as root.
  rpc.bootparamd - can be tricked into giving out the NIS domain name, which attackers use to get NIS password maps.
  rpc.cmsd - buffer overflow, get root.
  rpc.ttdbserver - overflow the stack and execute commands as root.
  rpc.statd - RPC calls can be redirected through rpc.statd to bypass the security of other RPC services.
  rpc.pcnfsd - local users can chmod arbitrary directories; pr_cancel buffer overflow lets remote users execute arbitrary commands as root.
  rpc.rquotad - quota service gives a potential attacker information about NFS mounted file systems.
  rpc.selection_svc - remote attacker can read any file on the system.
  rpc.walld - remote attacker can flood users with messages.
  rpc.sprayd - helps an attacker build a denial of service attack.
  rpc.ugidd - usernames can be obtained from remote.
  nsd (Irix) - the nsd filesystem can be mounted via NFS and leaks information about NIS requests.
  NFS - pseudo random file handles can be guessed; a 32 bit UID supplied to a 16 bit UID server gets root; export lists let everyone mount shared directories; amd does not honor the nodev option for NFS file systems.
  Irix arrayd - by default arrayd does not authenticate, allowing any remote user to become root on the host (arrayd.auth).

Local privilege escalation (Unix)
  dtappgather - /var/dt/appconfig/appmanager/generic-display-0: does not check whether it is a symlink and chown()s it to the user; local user gets root.
  /usr/sbin/dip - local users can get root (dip -k -l); dip can read consoles in /dev (sniff passwords, tty1, etc).
  /usr/lib/fs/ufs/ufsdump, /usr/lib/fs/ufs/ufsrestore - buffer overflow; local user gets root.
  insmod - if a fully qualified path is not supplied, insmod searches the local and /lib/modules directories for the module, possibly loading a non-root (user supplied trojan) module into memory.
  su - lack of trapping of SIGINT results in no logging of invalid su attempts (send ^C before syslog occurs).
  expreserve - executes /bin/mail as root; changing the IFS environment variable (IFS=/) causes your own file to be run (/bin/mail becomes ./bin ./mail).
  bash - PS1 environment variable '\w' buffer overflow gets local root; \377 serves as an unintended command separator (defeats cgi filters).
  fdformat, dtprintinfo, /bin/eject - execute local code as root (Solaris/SunOS).
  /sbin/suid_exec - executes shell dot files (i.e., .cshrc), enabling a user to get root.
  /hw/tape (Irix) - tape device is often mode 666, enabling any user to restore any file from the tape (possibly /etc/shadow).
  midikeys (Irix) - setuid; can be used to read any file on the system.
  /var/rfindd/fsdump - can change the permissions on any file to those of a local user, hence get root via the passwd file (/var/rfindd/fsdump -L/etc/passwd -F/tmp/dump /).
  /dev/hd[abcd…] - disk devices world readable.
  core files - if /core already exists its permissions are retained; a core dump can contain shadowed password hashes.
  rtools - overflow, get root.
  svgalib - suid root; buffer overflow; runs "undrv" via the relative path ./undrv.
  gopher - buffer overflow; some gopher servers allow read access to arbitrary files on the target.

Network infrastructure
  Cisco IOS - access-list parser does not work and may allow all TCP traffic over the firewall; 'service password-encryption' uses trivial encryption and can be decrypted; long password string causes reload.
  Cisco PIX - DoS by sending incomplete FIN fragments; PIX Private Link 56 bit key VPN has only an effective 48 bit key.
  Firewall-1 - does not perform stateful inspection on ICMP (attackers can inject ICMP into the target network); by default all ICMP (except redirect), RIP (UDP 520) and DNS (UDP/TCP 53) are allowed over the firewall.
  Gauntlet Firewall 5.0 - ICMP_PARAMPROB packets with invalid IP protocol & options cause the firewall to hang.
  Ascend Max - Telnet to port 150 and reboot; specially formed packet to UDP port 9 causes Ascend to lock up; SNMP 'sysConfigTftp' variables can be set to allow remote download of the configuration, including the telnet password, enhanced access passwords, RADIUS and OSPF keys, and users' numbers/passwords; MAX4002/MAX4004/MAX4048/MAX4072: a user can request any IP address, which is rebroadcast into the routing table - can take out the DNS server, router, whatever, exploit IP based trust relationships, and possibly cause indirect poisoning of the BGP routing table.
  Bay Networks - login larger than 256 characters causes reboot; invalid IP options cause reboot.
  SNMP (161 udp) - read community 'public' and write community 'write' by default; any SNMP user can read the community strings of other users, therefore getting full write access to the SNMP database (3Com HiPer Arc cards); NT SNMP with the default 'public' community can dump all usernames in the domain and delete all WINS records.
  RIP - gives up routing tables to potential attackers; this information can be used to design attacks.
  NTP (123 udp) - leaks internal system information to potential attackers; incorrect messages cause DoS.
  ICMP - can be used to determine internal netmasks by analyzing error codes, and the system time on a remote machine.
  chargen (19 tcp) - spoofed chargen source to localhost's echo port causes DoS.
  syslog (514 udp) - if no DNS record exists for the declared host, syslogd crashes.
  Livingston RADIUS - default accounts monitor/monitor, manager/manager, security/security; sniffing the radius client/server interaction recovers the shared secret.
  Cistron RADIUS - buffer overflow (~4000 chars).
  X.25 - X.25 gateways are often targets of attack; X.25 PADS should have access controls.
  TCP/IP stack - SYN flooding; invalid fragmentation causes the network stack to fail; IP sequence numbers are easily guessed.
  inetd - SYN followed by RST causes inetd to crash.
  loc-srv (135 tcp) - numerous buffer overflows.
  SSH (22 tcp) - some SSH installations give potential attackers the SSH version, key sizes and encryption method.
  Powerchute PLUS UPS - multivariable snmp getnext request causes crash.
  bnc irc proxy - can be attacked from remote; execute commands from remote as root.
  FSP - a commonly used tool in the underground to move illicit files; its presence is suspicious.

What is a content based attack?
Servers may perform analysis of incoming data. Many times they will have interpreters that read incoming data and perform tasks based upon keywords, symbols, and other data. Web servers do this with the URL. Sendmail does this with email headers. When the server analyzes the incoming data, it may misinterpret some symbols or symbol combinations (sometimes called meta-characters or escape-characters). When this happens, the server will perform unintended tasks. An attacker can feed special commands into the server coaxing it to run commands or alter files & databases.

What is a relative path?
Programs which do not fully qualify file paths (absolute path) can be tricked into running trojan programs. If the original executable is running in an elevated context (such as suid), the trojan may be executed with the same privileges. Initialization files, shared libraries such as DLLs, and temporary files may all be subject to this type of attack.

What is dictionary cracking?
A cryptographic hash can be obtained and cracked via brute force. Although it cannot be "decrypted", a program can encrypt every word in the dictionary against the hash, and if they match, the password has been found. This is computationally expensive, but is a very effective attack against encrypted passwords. With faster processing available, programs can even crack every possible character combination.

What is denial of service (DoS)?
Sometimes it is possible to exploit a buffer overflow to crash a process. In other cases it is possible to fill up the work queue of a process, such as making too many connections or requesting too many services. This effectively locks the process out from legitimate users. DoS attacks are often the easiest to perform, and the most common.

What is pseudo-encryption & cleartext?
Although very unwise, software companies sometimes opt to store system passwords in cleartext (unencrypted). Even if they obfuscate the password (store it in a garbled form) it is still cleartext because there is no real encryption. In either case, the password is trivial to obtain. Passwords can be stored like this in files, or in the Windows Registry.

What is brute force password guessing?
When there is no password lockout or invalid-password logging, an attacker can simply try every possible password. Often this sort of attack works on easy to guess passwords - such as passwords that are derived from the username - or easy to remember passcodes such as '1234', '4321', 'qwerty', etc. This principle applies to hacking telephones, voicemail systems, mailbox codes, login & email passwords, and even physical security mechanisms.

What is "no authentication"?
Believe it or not, some programs do not even ask for a password before allowing someone to administer or configure the system. Sometimes this is a blatant lack of security, and other times a bug allows the circumvention of the authentication mechanism.

What is a race condition?
Programs which use & create temporary files need to check whether the file already exists. If a user can pre-create the file in question, the program can be fooled into using a trojaned file. If the system allows symbolic linking, the program can be tricked into writing to other files on the system, such as the password file.

What is a trojan horse?
An attacker may be able to replace certain programs and shared libraries. The replacement program is usually called a trojan horse. The trojan horse may emulate the original program so that the replacement goes undetected. The trojan may be able to sniff passwords, provide back door access, and even hide other programs from the system.

What is a buffer overflow?
Software bugs exist which allow user-supplied code to be executed. Oversized input can cause hostile buffers to overwrite the process stack. In this case, the program either crashes, or executes code contained in the user's buffer. In the latter case it is possible to trick the computer into executing arbitrary code and obtaining remote root access. This is perhaps the most common type of bug, and potentially the most deadly. Buffer overflows are difficult to detect or prevent during software design. While the demand for more and varied software is ever increasing, the chance of software bugs also increases.

What is spoofing?
The TCP/IP protocol has no authentication mechanisms. What this means is that anyone can create a 'fake' packet and impersonate someone else. Specifically this means creating a fake IP address. Many attacks can be executed using spoofed packets. Even if a victim logs all of the packets and uses intrusion-detection software, the source of a spoofed packet is next to impossible to determine. This makes catching the attacker very difficult. Additionally, some software relies upon the source address of the IP packet for authentication. Because IP can be spoofed, the program in question can sometimes be fooled into allowing access, running commands, etc.

What is hijacking?
Because of the weaknesses of TCP/IP, it is vulnerable to spoofing and hijacking. Hijacking describes a special type of spoofed IP attack. Normal TCP communications take place over a 'session'. If the session can be sniffed, or the sequence numbers can be guessed, the session can be 'hijacked'. The attacker can insert spoofed packets into the session stream and cause commands to be run as the original user.

What is a rootkit?
A rootkit is a set of trojan horse programs that can be installed on a computer. These programs allow the attacker to hide processes, files, and logins from the system administrator. Furthermore, these programs usually leave back doors within the system. It is important to use integrity assessment tools to make sure that files have not been replaced, otherwise a rootkit can be very hard to detect.

What is audit suppression?
In some cases an attacker can prevent the auditing system from working. If auditing is maintained on a standalone server, the attacker may be able to block access to that server. In other cases, a log entry may only be performed under certain conditions. If an attacker can change those conditions or cause an exceptional event to take place, the log entry may never be generated. Lastly, if the attacker knows what facilities are monitoring the system, they may simply shut those facilities down.

What is trust exploitation?
A lack of good file permissions and inter-server trust will result in a total systemwide compromise if just one process or account is hacked. The problem arises from liberal trust within the network. File permissions should be applied so that users have access to only what they need. Furthermore, since processes usually execute within a user context, this minimizes the chance that an attacker can modify files on the system. Lastly, if an attacker gets root on one system, they should not automatically be root on all other systems. The more liberal the trust in the network, the easier it is to attack through a single entry-point or exploit.

What is excess privilege?
Sometimes software will be installed or run with too much power. An example might be a public server daemon running as 'root' (or SYSTEM in the case of Windows NT). Since processes are complex and always have the potential of being exploited, administrators should 'close the window of trust' and give processes only the power that they need to function. Anything in excess only increases the risk of total system compromise if the process is exploited.

www.tripwiresecurity.com

Copyright © 1999 Tripwire® Security Systems, Inc. Tripwire is a trademark of the Purdue Research Foundation and is licensed exclusively to Tripwire Security Systems, Inc. All references to brands or trademarks are the property of their respective owners.