CSG254: Network Security

Practical Systems Security Lab
Assignment 4
Due date: March 21, 2005


This week we explore remote-to-local and privilege-escalation exploits used to gain or elevate attacker access to systems. Throughout this assignment we’ll see these exploits used at both the operating system and the application level, learn how they happen, and learn how we can prevent them (both as developers and as system administrators).

As always, any tool mentioned here will be available via ftp from Dastun in the /pub/lab4 directory. Tools you will need to install for this assignment include:

  1. Windows Remote to Local: IIS Vulnerabilities
    1. Download the IIS-koei exploit from Dastun and use it to retrieve a directory listing outside of the wwwroot on your Windows system. Do this from Dominus, the Windows system at the end of the bar area. Include the output of your session in the homework. Password for user test on that system is ‘judg3d’.
    2. Explain how this particular type of exploit works (HINT: use Ethereal to do a TCP stream analysis on the packets exchanged between the two systems).
    3. Explain how this vulnerability could be patched on the vulnerable system.
  2. Exploit Research: Linux Remote to Local
    1. Choose a Linux remote-to-local vulnerability from the last 3 years that allows a remote attacker to gain local user (or, in some cases, local superuser) privileges. It may involve an application not installed on your system at this time (but please describe the specific package and configuration environment that it would affect). Write a short summary of the problem, when and how it was fixed, and provide links to the sources you used to discover the information.
    2. How would you suggest an administrator running a current version of the application from above (we’re assuming the vulnerability was patched in later versions!) mitigate the damage that might be caused if a 0-day exploit for a previously undiscovered vulnerability in the code was suddenly published? Suggest a couple of (more than one) low-maintenance ways to stay on top of current information security issues with the product.
  3. Rootkits and Backdoors
    1. As a defensive measure, install Tripwire and configure it to detect backdoor installations or modifications to system binaries and other critical files. Include a description of how you did this and the Tripwire configuration tuned to your system.
    2. Install the backdoored ssh version on your Linux system as if you were an intruder that just gained access through exploiting a local service. Describe what this tool achieves for the malicious party and demonstrate how Tripwire could be used to detect the event. Include any relevant output.
    3. Instead of installing a backdoored version of an existing application, an intruder might instead choose to install their own program that would listen on a port and receive root-shell connections from a foreign IP for them. How would an attacker hide the presence of this listener (say, on port 4504) from an observant system administrator using the trojaned system binaries in a typical “rootkit”? Would Tripwire help in this case?
    4. Install and configure a SubSeven server on your local Windows system and describe how an attacker would use this tool. Connect to it from outside your network using Dominus (use the SubSeven client installed at c:\sub7\). Describe this process. In particular, discuss the inclusion of the keylogger, retrieval of cached passwords, IRC channel notification, and local process/window management from the remote controller. Describe how these work and also choose one other capability that you find particularly interesting/useful/scary.
    5. Suggest a way to detect the presence of active SubSeven servers on Windows installations.
Note: To log into Dominus, use the username test and the password judg3d.
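For Part 1 (the IIS directory listing outside wwwroot), the defender's side of the exploit is the path check a web server must perform before touching the filesystem. The following is an added example written for this page, not code from the course, from IIS, or from the IIS-koei tool. It assumes a constructed web root of /wwwroot and shows a naive check that decodes the URL once beside a hardened check that decodes to a fixed point and canonicalises before deciding whether the request stays inside the web root. The function and variable names are the example's own.

```python
import posixpath
from urllib.parse import unquote

# Constructed web root for the example; on the lab system this would be the IIS wwwroot.
WEB_ROOT = "/wwwroot"


def canonical_path(raw_path: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing, then unify separators.

    Decoding to a fixed point matters: one decode of '%252e%252e' yields '%2e%2e',
    which does not look like '..' yet, but a later decode by the file-serving layer
    turns it into '..'. Canonicalising fully before the check closes that gap.
    """
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # IIS accepts backslash as a separator; normalise so normpath sees it.
    return path.replace("\\", "/")


def resolve_request(raw_path: str, web_root: str = WEB_ROOT):
    """Hardened check: return the filesystem path to serve, or None if it escapes web_root."""
    rel = canonical_path(raw_path).lstrip("/")
    target = posixpath.normpath(posixpath.join(web_root, rel))
    if target == web_root or target.startswith(web_root + "/"):
        return target
    return None


def naive_resolve(raw_path: str, web_root: str = WEB_ROOT):
    """Weak check for comparison: decodes once, then tests the prefix.

    A double-encoded '..' survives this check as the literal text '%2e%2e' and is
    only turned into '..' later, after the decision has already been made.
    """
    rel = unquote(raw_path).replace("\\", "/").lstrip("/")
    target = posixpath.normpath(posixpath.join(web_root, rel))
    if target == web_root or target.startswith(web_root + "/"):
        return target
    return None
```

The check is deliberately a prefix test on the canonical absolute path rather than a search for the substring "..": the latter is what encoding tricks defeat. On a real server the decoder must also apply the same character-set rules as the file-serving layer (overlong UTF-8 sequences are the classic example), so the canonicalisation step should be shared code, not a reimplementation in the request filter.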
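For Part 3, questions 1 and 2 (Tripwire and the backdoored ssh), the core of what Tripwire does is a baseline of file fingerprints compared against a later scan. The following is an added, simplified integrity checker written for this page; it is not Tripwire's code and not part of the course material. It records a SHA-256 digest plus mode, owner and size for every file under the given directories, and the demo function constructs a throwaway directory, baselines it, then overwrites one binary and drops one new file the way an intruder installing a backdoored service would, and reports the difference. Names and the sample file contents are the example's own.

```python
import hashlib
import os
import stat
import tempfile


def file_fingerprint(path: str) -> dict:
    """Attributes recorded per file (a real Tripwire policy adds inode, link count, timestamps)."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": st.st_mode,
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_baseline(roots) -> dict:
    """Walk each root and fingerprint every file found; unreadable files are skipped."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    baseline[path] = file_fingerprint(path)
                except OSError:
                    continue
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed, or changed (with the attributes that differ)."""
    report = {"added": [], "removed": [], "changed": []}
    report["added"] = sorted(current.keys() - baseline.keys())
    report["removed"] = sorted(baseline.keys() - current.keys())
    for path in sorted(baseline.keys() & current.keys()):
        if baseline[path] != current[path]:
            fields = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
            report["changed"].append((path, fields))
    return report


def demo() -> dict:
    """Constructed scenario: baseline a fake bin directory, then simulate a backdoor install."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = os.path.join(tmp, "bin")
        os.mkdir(bindir)
        # Constructed stand-ins for system binaries.
        for name, body in {"sshd": b"original sshd binary", "ls": b"original ls binary"}.items():
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(body)
        baseline = build_baseline([bindir])

        # Simulated intrusion: sshd is replaced and an extra file appears.
        with open(os.path.join(bindir, "sshd"), "wb") as f:
            f.write(b"trojaned sshd binary")
        with open(os.path.join(bindir, ".hidden"), "wb") as f:
            f.write(b"extra")

        report = compare(baseline, build_baseline([bindir]))
        rel = lambda p: os.path.relpath(p, bindir)
        return {
            "added": [rel(p) for p in report["added"]],
            "removed": [rel(p) for p in report["removed"]],
            "changed": [(rel(p), fields) for p, fields in report["changed"]],
        }


if __name__ == "__main__":
    print(demo())
```

Two points carry over to the real tool: the baseline must be taken before the host is exposed (a baseline of an already-compromised system simply enshrines the backdoor), and it must be stored where the intruder cannot rewrite it, which is why Tripwire signs its database and why the lab asks for read-only or off-host storage of the configuration.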
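For Part 3, question 3 (a listener on port 4504 hidden by trojaned system binaries), one defensive cross-check is to read the kernel's own socket table from /proc/net/tcp and compare it with what the netstat binary reports. The following is an added example for this page, not part of the course or of any rootkit-detection tool. It parses the /proc/net/tcp format (little-endian hex address, hex port, state 0A for LISTEN) and the LISTEN rows of netstat output, and lists listeners the kernel knows about that netstat does not mention. Both inputs are constructed samples embedded below; the live-use block at the end reads the real files and is the example's own.

```python
import subprocess

# Constructed sample of /proc/net/tcp: sshd on 22, a local-only service on 3306,
# an unexplained listener on 4504 (0x1198), and one established connection.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9002 1 0000000000000000 100 0 0 10 0
   2: 00000000:1198 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9003 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:0016 0B00000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 9004 1 0000000000000000 100 0 0 10 0
"""

# Constructed output of a netstat that omits the 4504 listener.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.10:22            10.0.0.11:50000         ESTABLISHED
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def parse_proc_net_tcp(text: str) -> list:
    """Return (ip, port) for every LISTEN socket in /proc/net/tcp text."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # The address is a little-endian 32-bit value, so byte order is reversed.
        ip = ".".join(str(int(addr_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
        listeners.append((ip, int(port_hex, 16)))
    return listeners


def parse_netstat_listen(text: str) -> set:
    """Return the set of TCP ports netstat -ant reports as LISTEN."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0] == "tcp" and fields[-1] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def hidden_listeners(proc_text: str, netstat_text: str) -> list:
    """Listeners present in the kernel table but absent from the netstat report."""
    reported = parse_netstat_listen(netstat_text)
    return [(ip, port) for ip, port in parse_proc_net_tcp(proc_text) if port not in reported]


if __name__ == "__main__":
    # Live use on a Linux host (assumes netstat is installed).
    with open("/proc/net/tcp") as f:
        proc = f.read()
    ns = subprocess.run(["netstat", "-ant"], capture_output=True, text=True).stdout
    print(hidden_listeners(proc, ns))
```

The check only has value against a rootkit that replaces user-space binaries: a kernel-level rootkit filters /proc as well, and then the socket table and netstat agree with each other and both lie. The independent view at that point has to come from outside the host, for example a port scan of the machine from a second system on the lab network, which is the same reasoning that makes an off-host Tripwire database more trustworthy than one stored on the monitored machine.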