OPERATING SYSTEM EXPLOITS ON WINDOWS AND LINUX PLATFORMS
Group 5Mervin Hamblin
Jing HuangJoseph Schneider
Chinmay Trivedi
Some Basic Exploits Why is there problems with OS ? Basic vulnerabilities existing in OS:
Invalidated InputRace Conditions
○Time of check – Time of use.○Inter-process communication
Buffer Overflows ○Stack Overflow○Heap Overflow
Schematic view of Stack Stack after Buffer overflow exploit
Linux Exploits Invalidated input causing Cross site
scripting attack:Linux kernel setroubleshoot Invalidated Input
vulnerability○ Input which is passed via process and file names are
not properly sanitized before being saved when an AVC denial event takes place. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious logs are viewed.
○ Explanation○ Impact
Buffer overflow vulnerabilities in Linux kernel causing Denial of Service attack:Linux Kernel kfree_skb Vulnerability.
○ Memory leak in the ipip6_rcv function in net/ipv6/sit.c in the Linux kernel 2.4 before 2.4.36.5 and 2.6 before 2.6.25.3 allows remote attackers to cause a denial of service (memory consumption) via network traffic to a Simple Internet Transition (SIT) tunnel interface, related to the pskb_may_pull and kfree_skb functions, and management of an skb reference count
○ Explanation○ Impact
Security Bypass:Linux kernel readv/writev Security Bypass
Vulnerability.○ Certain modifications to the Linux kernel
2.6.16 and earlier do not add the appropriate Linux Security Modules (LSM) file_permission hooks to the (1) readv and (2) writev functions, which might allow attackers to bypass intended access restrictions.
○ Explanation○ Impact
Exposure of sensitive system information:Linux kernel File offset pointer handling
Memory disclosure vulnerability.○ The vulnerability is caused due to race
conditions and conversion errors when handling 64-bit file offset pointers. Linux kernel does not properly convert 64-bit file offset pointers to 32 bits, which allows local users to access portions of kernel memory.
○ Explanation○ Impact
Privilege Escalation:Linux kernel cups and cupsys Privilege
Escalation:○ pstopdf in CUPS 1.3.8 allows local users to
overwrite arbitrary files via a symlink attack on the /tmp/pstopdf.log temporary file which can be exploited by malicious, local users to perform certain actions with escalated privileges.
○ Explanation○ Impact
Attack against ASLR Address space layout randomization, or ASLR, is
an idea to introduce artificial diversity by randomizing the memory location of certain system components.
ASLR + DEP : Stronger Defense against memory manipulation vulnerabilities.
WX Pages and Return to libc attack:In this technique, the pages in heap, stack and other
memory segments are marked either writeable (W) or executable (X), but not both.
Impacts of using WX pages.Attack against this scheme - return to libc attack.
ATTACK IMPLEMENTATION Technology Exploited :
Apache (version 1.3.29) web server Linux OS with PaX ASLR and WX memory pagesOracle 9 PL/SQL Apache module
Key Technique : Return-to-libc technique
Flaw Exploited :PaX randomizes 24 bits of stack base addresses (on
x86) to prevent return-to-libc .But the STACK LAYOUT is not randomized.Also, NO PROTECTION against ACCESS to the data
on the top stack frame and the data in adjacent frames. So we can still locate addresses.
Repeatedly overflow the stack buffer exposed by Oracle hole and find delta mmapGuess address of usleep()Incorrect guess -> crashes Apache’ child process
& parent forks new child with same deltasCorrect guess -> hangs up connection for 16s
and delta mmap is deduced.Delta mmap provides locations of all libc
functions Mount a shell by executing return-to-libc
attack on the same buffer and invoke system() function.
Windows Market Share Vulnerability Process Windows Vulnerabilities Windows Exploits
Windows Windows has be biggest Market Share Windows has the most “Testers”
Vulnerabilities Discovery
From Data Sources○ SecurityFocus, Internet Security Systems, etc.
Assigned CVE IdentifiersCVE – Common Vulnerabilities & ExposuresCandidate Status
CVE Editorial Board discusses Candidate & Votes
If Accepted Status is Changed to Entry
Windows Vulnerabilities National Vulnerability Database 10 Most Recent Vulnerabilities
Must be Windows SpecificWindows XP and Windows Server 2003
Discuss Four Vulnerabilities
Windows Kernel Input Validation Vulnerability CVE-2009-0081 March 10, 2009 CVSS Severity: 9.3 (High) Microsoft Rating: Critical What is the Vulnerability & How can it be
Exploited
Explanation – Remote Code ExecutionThe Windows Kernel does not properly
validate input passed from user mode through the kernel component of GDI.
Mitigation – Apply Patch (MS09-006)Must be user invoked.
How Exploited?Use specially crafted image files
○ Website○ Email
No known Exploits Consequence
Attacker could install programs; view, change, delete data; or create user.
SMB Buffer Overflow Remote Code Execution Vulnerability CVE-2008-4834 January 13, 2009 CVSS Security: 10.0 (High) Microsoft Rating: Critical What is the Vulnerability & How can it be
Exploited
Explanation – Remote Code ExecutionThe vulnerability is caused by the Microsoft
Server Message Block (SMB) Protocol software insufficiently validating the buffer size before writing to it.
Mitigation – Apply Patch (MS09-01)Firewall best practicesUpgrade Windows (Vista, Server 2008)
How Exploited?Create specially crafted SMB messagesNo known exploits
ConsequenceDenial of Service
Use-After-Free Vulnerability CVE-2008-4844 December 11, 2008 CVSS Severity: 9.3 (High) Microsoft Rating: Critical What is the Vulnerability & How can it be
Exploited
Explanation – Remote Code ExecutionThe vulnerability exists as an invalid pointer
reference in the data binding function of Internet Explorer 6.
Mitigation – Apply Patch (MS08-078)Must be user invokedGains the same rights as local userUpgrade to Internet Explorer 7
How Exploited?Specially crafted web site to call functionThere are Exploits
ConsequenceAttacker could gain the same user rights as
the local user.
SMB Credential Reflection Vulnerability CVE-2008-4037 November 12, 2008 CVSS Severity: 9.3 (High) Microsoft Rating: Important What is the Vulnerability & How can it be
Exploited
Explanation – Remote Code ExecutionThe SMB protocol does not correctly opt-in
to NTLM credential-reflection protections. Mitigation – Apply Patch (MS08-068)
Firewall best practicesGains the same rights as local userUpgrade Windows (Vista, Server 2008)
How Exploited?Requires a user with affected SMB to
access a malicious server.No know Exploits
ConsequencesAttacker could gain the same user rights as
the local user.
Against OS Exploits A complementary investigation on the
practices toward a safer OS environmentWhat can PC users do?What are researchers doing?
Best practices for computer users Install all operating system patches. Verify user account security. Eliminate unnecessary applications and
network services. Install and configure necessary
applications and network services Configure system logging to record
significant events. Keep applications and operating system
patches up to date
Best practices for computer users Password Security Secure file transfer and remote login
SSH Software tools
Secure-It™ (Windows)Bastille Linux
Research on OS security Secure Auditing System in Linux Kernel
improve the original auditing mechanism of Linux and strengthen the security management of audit logs
Live Updating Operating Systems Using Virtualizationthrough which patches and upgrades can be
applied without rebooting Secure Virtual Architecture
provide a safe execution environment for an entire operating system and all its applications
Against OS Exploits Root: secure programming is not
establishedTheoryPracticeEducationTraining
Effective and fully practical protecting approaches still remain a challenge.
Demonstration