Operating System Exploits on Windows and Linux Platforms
Transcript of Operating System Exploits on Windows and Linux Platforms
![Page 1: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/1.jpg)
OPERATING SYSTEM EXPLOITS ON WINDOWS AND LINUX PLATFORMS
Group 5
Mervin Hamblin
Jing Huang
Joseph Schneider
Chinmay Trivedi
![Page 2: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/2.jpg)
Some Basic Exploits
Why are there problems with operating systems? Basic vulnerabilities existing in an OS:
Unvalidated input
Race conditions
○ Time of check – time of use
○ Inter-process communication
Buffer overflows
○ Stack overflow
○ Heap overflow
![Page 3: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/3.jpg)
(Figure: schematic view of the stack; the stack after a buffer overflow exploit)
![Page 4: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/4.jpg)
Linux Exploits
Unvalidated input causing a cross-site scripting attack: Linux kernel setroubleshoot unvalidated input vulnerability
○ Input passed via process and file names is not properly sanitized before being saved when an AVC denial event takes place. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in the context of an affected site when the malicious logs are viewed.
○ Explanation
○ Impact
![Page 5: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/5.jpg)
Buffer overflow vulnerabilities in the Linux kernel causing a denial of service attack: Linux kernel kfree_skb vulnerability
○ Memory leak in the ipip6_rcv function in net/ipv6/sit.c in the Linux kernel 2.4 before 2.4.36.5 and 2.6 before 2.6.25.3 allows remote attackers to cause a denial of service (memory consumption) via network traffic to a Simple Internet Transition (SIT) tunnel interface, related to the pskb_may_pull and kfree_skb functions and management of an skb reference count.
○ Explanation
○ Impact
![Page 6: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/6.jpg)
Security bypass: Linux kernel readv/writev security bypass vulnerability
○ Certain modifications to the Linux kernel 2.6.16 and earlier do not add the appropriate Linux Security Modules (LSM) file_permission hooks to the (1) readv and (2) writev functions, which might allow attackers to bypass intended access restrictions.
○ Explanation
○ Impact
![Page 7: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/7.jpg)
Exposure of sensitive system information: Linux kernel file offset pointer handling memory disclosure vulnerability
○ The vulnerability is caused by race conditions and conversion errors when handling 64-bit file offset pointers. The Linux kernel does not properly convert 64-bit file offset pointers to 32 bits, which allows local users to access portions of kernel memory.
○ Explanation
○ Impact
![Page 8: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/8.jpg)
Privilege escalation: Linux kernel CUPS and cupsys privilege escalation
○ pstopdf in CUPS 1.3.8 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/pstopdf.log temporary file, which can be exploited by malicious local users to perform certain actions with escalated privileges.
○ Explanation
○ Impact
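Added example, not from the slides or from CUPS: the fixed-name temporary file pattern behind the pstopdf report (and the time-of-check/time-of-use race listed on slide 2) reduced to a small C program, with the predictable opener beside a hardened one. The file names, the victim file and the scratch directory are constructed for the demo; nothing here touches /tmp/pstopdf.log itself.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern behind the pstopdf report: a privileged helper opens a
 * fixed, predictable name under /tmp. open() with O_CREAT but without
 * O_EXCL follows an existing symlink, so a file a local user pointed
 * the name at is truncated and written with the helper's privileges. */
int open_log_predictable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL rejects any pre-existing name (symlinks included) and
 * O_NOFOLLOW refuses to traverse a link, so a planted name fails closed.
 * mkstemp(3) is the better choice when the name need not be fixed. */
int open_log_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Reproduce the scenario in a scratch directory (constructed test data,
 * not a real spool): plant "pstopdf.log" as a symlink to a victim file,
 * then try both openers. Returns 1 if the predictable opener truncated
 * the victim while the hardened one refused, 0 if not, -1 on setup error. */
int symlink_attack_check(const char *dir)
{
    char victim[PATH_MAX], link[PATH_MAX];
    struct stat st;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/pstopdf.log", dir);
    int v = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (v < 0 || write(v, "keep me", 7) != 7) return -1;
    close(v);
    if (symlink(victim, link) != 0) return -1;
    int fd = open_log_predictable(link);       /* follows the link */
    int followed = fd >= 0 && stat(victim, &st) == 0 && st.st_size == 0;
    if (fd >= 0) close(fd);
    fd = open_log_exclusive(link);             /* expect EEXIST or ELOOP */
    int refused = fd < 0 && (errno == EEXIST || errno == ELOOP);
    if (fd >= 0) close(fd);
    unlink(link); unlink(victim);
    return (followed && refused) ? 1 : 0;
}
```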
![Page 9: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/9.jpg)
Attack against ASLR
Address space layout randomization, or ASLR, is an idea to introduce artificial diversity by randomizing the memory location of certain system components.
ASLR + DEP: stronger defense against memory manipulation vulnerabilities.
W^X pages and the return-to-libc attack: In this technique, the pages in the heap, stack and other memory segments are marked either writeable (W) or executable (X), but not both.
Impacts of using W^X pages.
Attack against this scheme: the return-to-libc attack.
![Page 10: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/10.jpg)
ATTACK IMPLEMENTATION
Technology exploited:
Apache (version 1.3.29) web server
Linux OS with PaX ASLR and W^X memory pages
Oracle 9 PL/SQL Apache module
Key technique: return-to-libc technique
Flaw exploited: PaX randomizes 24 bits of stack base addresses (on x86) to prevent return-to-libc. But the STACK LAYOUT is not randomized. Also, NO PROTECTION against ACCESS to the data on the top stack frame and the data in adjacent frames. So we can still locate addresses.
![Page 11: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/11.jpg)
Repeatedly overflow the stack buffer exposed by the Oracle hole and find delta_mmap
Guess the address of usleep()
Incorrect guess -> crashes Apache's child process & the parent forks a new child with the same deltas
Correct guess -> hangs up the connection for 16 s, and delta_mmap is deduced
delta_mmap provides the locations of all libc functions
Mount a shell by executing the return-to-libc attack on the same buffer and invoking the system() function
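Added note, not from the slides, on why "the parent forks a new child with the same deltas" is the decisive step. If the randomized quantity carries $n$ bits of entropy and every child inherits the same value, the candidates can be enumerated without repetition, so the expected number of probes until the correct one is

$$E[\text{probes}] = \frac{2^n + 1}{2} \approx 2^{n-1},$$

and every probe but the last crashes a child. The slides give no bit count for delta_mmap, so $n$ stays symbolic here; for the 24 bits quoted for the stack base the same formula would give about $2^{23}$ crashes. Two defensive consequences follow: a burst of child segfaults in the server's error log is the observable signature of such enumeration, and re-randomizing the layout for each child (re-executing instead of only forking) removes the "same deltas" property the count above depends on.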
![Page 12: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/12.jpg)
Windows
Market share
Vulnerability process
Windows vulnerabilities
Windows exploits
![Page 13: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/13.jpg)
Windows
Windows has the biggest market share
Windows has the most "testers"
![Page 14: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/14.jpg)
Vulnerability Discovery
From data sources
○ SecurityFocus, Internet Security Systems, etc.
Assigned CVE identifiers
CVE – Common Vulnerabilities & Exposures
Candidate status
CVE Editorial Board discusses the candidate & votes
If accepted, status is changed to Entry
![Page 15: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/15.jpg)
Windows Vulnerabilities
National Vulnerability Database: 10 most recent vulnerabilities
Must be Windows specific: Windows XP and Windows Server 2003
Discuss four vulnerabilities
![Page 16: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/16.jpg)
Windows Kernel Input Validation Vulnerability
CVE-2009-0081
March 10, 2009
CVSS Severity: 9.3 (High)
Microsoft Rating: Critical
What is the vulnerability & how can it be exploited?
![Page 17: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/17.jpg)
Explanation – Remote Code Execution
The Windows kernel does not properly validate input passed from user mode through the kernel component of GDI.
Mitigation – Apply patch (MS09-006)
Must be user invoked.
How exploited? Use specially crafted image files
○ Website
○ Email
No known exploits
Consequence
Attacker could install programs; view, change, or delete data; or create users.
![Page 18: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/18.jpg)
SMB Buffer Overflow Remote Code Execution Vulnerability
CVE-2008-4834
January 13, 2009
CVSS Severity: 10.0 (High)
Microsoft Rating: Critical
What is the vulnerability & how can it be exploited?
![Page 19: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/19.jpg)
Explanation – Remote Code Execution
The vulnerability is caused by the Microsoft Server Message Block (SMB) protocol software insufficiently validating the buffer size before writing to it.
Mitigation – Apply patch (MS09-01)
Firewall best practices
Upgrade Windows (Vista, Server 2008)
How exploited? Create specially crafted SMB messages
No known exploits
Consequence
Denial of service
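Added example, not from the slides or from Microsoft's code: the "buffer size not validated before writing" defect described for the SMB bug (and the buffer overflow category on slide 2) shown on a constructed length-prefixed message format, with the unchecked parser beside its checked form. The wire format, the 64-byte capacity and the packets are constructed for the demo; the unchecked parser is kept only to show the shape of the defect and is never called.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAYLOAD_MAX 64

/* Constructed wire format for the demo (not real SMB): a 2-byte
 * little-endian length field followed by that many payload bytes. */
struct msg { uint8_t payload[PAYLOAD_MAX]; size_t len; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable pattern: the copy trusts the length carried in the message
 * and never compares it with the destination's size or with how many
 * bytes actually arrived. A length above PAYLOAD_MAX writes past
 * m->payload; a length above pktlen reads past the packet. */
int parse_msg_unchecked(const uint8_t *pkt, size_t pktlen, struct msg *m)
{
    if (pktlen < 2) return -1;
    m->len = rd16(pkt);
    memcpy(m->payload, pkt + 2, m->len);   /* no bound on m->len */
    return 0;
}

/* Hardened: the declared length is checked against both the bytes
 * received and the destination's capacity before anything is written.
 * Returns 0 on success, -1 for a malformed or oversized message. */
int parse_msg_checked(const uint8_t *pkt, size_t pktlen, struct msg *m)
{
    if (pktlen < 2) return -1;
    uint16_t len = rd16(pkt);
    if (len > PAYLOAD_MAX || (size_t)len > pktlen - 2) return -1;
    memcpy(m->payload, pkt + 2, len);
    m->len = len;
    return 0;
}
```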
![Page 20: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/20.jpg)
Use-After-Free Vulnerability
CVE-2008-4844
December 11, 2008
CVSS Severity: 9.3 (High)
Microsoft Rating: Critical
What is the vulnerability & how can it be exploited?
![Page 21: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/21.jpg)
Explanation – Remote Code Execution
The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer 6.
Mitigation – Apply patch (MS08-078)
Must be user invoked
Gains the same rights as the local user
Upgrade to Internet Explorer 7
How exploited? Specially crafted web site to call the function
There are exploits
Consequence
Attacker could gain the same user rights as the local user.
![Page 22: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/22.jpg)
SMB Credential Reflection Vulnerability
CVE-2008-4037
November 12, 2008
CVSS Severity: 9.3 (High)
Microsoft Rating: Important
What is the vulnerability & how can it be exploited?
![Page 23: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/23.jpg)
Explanation – Remote Code Execution
The SMB protocol does not correctly opt in to NTLM credential-reflection protections.
Mitigation – Apply patch (MS08-068)
Firewall best practices
Gains the same rights as the local user
Upgrade Windows (Vista, Server 2008)
How exploited? Requires a user with affected SMB to access a malicious server.
No known exploits
Consequences
Attacker could gain the same user rights as the local user.
![Page 24: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/24.jpg)
Against OS Exploits
A complementary investigation of the practices toward a safer OS environment
What can PC users do?
What are researchers doing?
![Page 25: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/25.jpg)
Best practices for computer users
Install all operating system patches.
Verify user account security.
Eliminate unnecessary applications and network services.
Install and configure necessary applications and network services.
Configure system logging to record significant events.
Keep applications and operating system patches up to date.
![Page 26: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/26.jpg)
Best practices for computer users
Password security
Secure file transfer and remote login
○ SSH
Software tools
○ Secure-It™ (Windows)
○ Bastille Linux
![Page 27: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/27.jpg)
Research on OS security
Secure Auditing System in Linux Kernel: improve the original auditing mechanism of Linux and strengthen the security management of audit logs
Live Updating Operating Systems Using Virtualization: patches and upgrades can be applied without rebooting
Secure Virtual Architecture: provide a safe execution environment for an entire operating system and all its applications
![Page 28: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/28.jpg)
Against OS Exploits
Root cause: secure programming is not established
○ Theory
○ Practice
○ Education
○ Training
Effective and fully practical protection approaches still remain a challenge.
![Page 29: Operating System Exploits on Windows and Linux Platforms](https://reader035.fdocuments.us/reader035/viewer/2022062302/568166ee550346895ddb424f/html5/thumbnails/29.jpg)
Demonstration