ch15.htm

Maximum Security (First Edition) 网络安全 英文版

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>

<HEAD>
	
	<TITLE>Maximum Security -- Ch 15 -- The Hole</TITLE>
</HEAD>

<BODY TEXT="#000000" BGCOLOR="#FFFFFF">

<CENTER>
<H1><IMG SRC="../button/samsnet.gif" WIDTH="171" HEIGHT="66" ALIGN="BOTTOM" BORDER="0"><BR>
<FONT COLOR="#000077">Maximum Security: </FONT></H1>
</CENTER>
<CENTER>
<H2><FONT COLOR="#000077">A Hacker's Guide to Protecting Your Internet Site and Network</FONT></H2>
</CENTER>
<CENTER>
<P><A HREF="../ch14/ch14.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch16/ch16.htm"><IMG
SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> 
<HR>

</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">15</FONT></H1>
</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">The Hole</FONT></H1>
</CENTER>
<P>This chapter amounts to easy reading. Its purpose is to familiarize you with holes:
where they come from, what they are, and how they affect Internet security. This
is important information because throughout the remainder of this book, I will be
examining many holes.
<H2><FONT COLOR="#000077"><B>The Concept of the Hole</B></FONT></H2>
<P>Before I examine different types of holes, I'd like to define the term <I>hole</I>.
A hole is any feature of hardware or software that allows unauthorized users to gain
access or increase their level of access without authorization. I realize this is
a broad definition, but it is accurate. A hole could be virtually anything. For example,
many peculiarities of hardware or software commonly known to all users qualify as
holes. One such peculiarity (perhaps the most well known)is that CMOS passwords on
IBM compatibles are lost when the CMOS battery is shorted, disabled, or removed.
Even the ability to boot into single-user mode on a workstation could be classified
as a hole. This is so because it will allow a malicious user to begin entering interactive
command mode, perhaps seizing control of the machine.</P>
<P>So a hole is nothing more than some form of vulnerability. Every platform has
holes, whether in hardware or software. In short, nothing is absolutely safe.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>Only two computer-related items
	have ever been deemed completely hole free (at least by national security standards).
	One is the Gemini processor, manufactured by Gemini Computers. It has been evaluated
	as in the A1 class on the NSA's Evaluated Products List. It is accompanied by only
	one other product in that class: the Boeing MLS LAN (Version 2.1). Check out both
	products at <A HREF="http://www.radium.ncsc.mil/tpep/epl/"><TT>http://www.radium.ncsc.mil/tpep/epl/</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>You might draw the conclusion that no computer system is safe and that the entire
Net is nothing but one big hole. That is incorrect. Under the circumstances, you
should be wondering why there aren't more holes. Consider that the end-user never
takes much time to ponder what has gone into making his system work. Computer systems
(taken holistically) are absolute wonders of manufacturing. Thousands of people are
involved in getting a computer (regardless of platform) to a retail location. Programmers
all over the world are working on applications for any given platform at any given
time. Everyone from the person who codes your calendar program to the dozen or so
folks who design your firewall are all working independently. Under these circumstances,
holes should be everywhere; but they aren't. In fact, excluding holes that arise
from poor system administration, security is pretty good. The problem is that crackers
are also good.
<H2><FONT COLOR="#000077"><B>The Vulnerability Scale</B></FONT></H2>
<P>There are different types of holes, including

<UL>
	<LI>Holes that allow denial of service<BR>
	<BR>
	
	<LI>Holes that allow local users with limited privileges to increase those privileges
	without authorization<BR>
	<BR>
	
	<LI>Holes that allow outside parties (on remote hosts) unauthorized access to the
	network
</UL>

<P>These types of holes and attacks can be rated according to the danger they pose
to the victim host. Some represent significant dangers that can destroy the target;
others are less serious, qualifying only as nuisances. Figure 15.1 shows a sort of
&quot;Internet Richter scale&quot; by which to measure the dangers of different types
of holes.</P>
<P><A NAME="01"></A><A HREF="01.htm"><B>FIGURE 15.1.</B></A> <I><BR>
The holes index: dangers that holes can pose.</I>
<H3><FONT COLOR="#000077"><B>Holes That Allow Denial of Service</B></FONT></H3>
<P>Holes that allow denial of service are in category C, and are of low priority.
These attacks are almost always operating-system based. That is, these holes exist
within the <I>networking portions of the operating system</I> itself. When such holes
exist, they must generally be corrected by the authors of the software or by patches
from the vendor.</P>
<P>For large networks or sites, a denial-of-service attack is of only limited significance.
It amounts to a nuisance and no more. Smaller sites, however, may suffer in a denial-of-service
attack. This is especially so if the site maintains only a single machine (and therefore,
a single mail or news server). Chapters 3, &quot;Hackers and Crackers,&quot; and
8, &quot;Internet Warfare,&quot; provide examples of denial-of-service attacks. These
occur most often in the form of attacks like syn_flooding. An excellent definition
of denial-of-service attacks is given in a popular paper called &quot;Protecting
Against TCP SYN Denial of Service Attacks&quot;:

<DL>
	<DD>Denial of Service attacks are a class of attack in which an individual or individuals
	exploit aspects of the Internet Protocol suite to deny other users of legitimate
	access to systems and information. The TCP SYN attack is one in which connection
	requests are sent to a server in high volume, causing it to become overwhelmed with
	requests. The result is a slow or unreachable server, and upset customers.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Check out &quot;Protecting
	against TCP SYN Denial of Service Attacks&quot; online at <A HREF="http://www.proteon.com/docs/security/tcp_syn.htm"><TT>http://www.proteon.com/docs/security/tcp_syn.htm</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>The syn_flooder attack is instigated by creating a high number of half-open connections.
Because each connection opened must be processed to its ultimate conclusion (in this
case, a time-out), the system is temporarily bogged down. This appears to be a problem
inherent in the design of the TCP/IP suite, and something that is not easily remedied.
As a CERT advisory on this subject notes:

<DL>
	<DD>There is, as yet, no generally accepted solution to this problem with the current
	IP protocol technology. However, proper router configuration can reduce the likelihood
	that your site will be the source of one of these attacks.
</DL>

<P>This hole, then, exists within the heart of the networking services of the UNIX
operating system (or nearly any operating system running full-fledged TCP/IP over
the Internet). Thus, although efforts are underway for fixes, I would not classify
this as a high priority. This is because in almost all cases, denial-of-service attacks
represent no risk of penetration. That is, crackers cannot harm data or gain unauthorized
levels of privilege through these means; they can just make themselves nuisances.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Good papers available
	on the Net can give you a clearer picture of what such a denial-of-service attack
	entails. One is &quot;Security Problems in the TCP/IP Protocol Suite&quot; by Steve
	Bellovin, which appeared in <I>Computer Communication Review</I> in April 1989. Find
	it at <A HREF="ftp://research.att.com/dist/internet_security/ipext.ps.Z"><TT>ftp://research.att.com/dist/internet_security/ipext.ps.Z</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>Although UNIX is notorious for being vulnerable to denial-of-service attacks,
other platforms are not immune. For example, as I will discuss in Chapter 16, &quot;Microsoft,&quot;
it is possible to bring certain NT distributions to a halt simply by Telnetting to
a particular port and issuing a few simple characters. This forces the CPU to race
to 100 percent utilization, thus incapacitating the machine altogether.</P>
<P>There are other forms of denial-of-service attacks. Certain denial-of-service
attacks can be implemented against the individual user as opposed to a network of
users. These types of attacks do not really involve any bug or hole per se; rather,
these attacks take advantage of the basic design of the WWW.</P>
<P>For example, suppose I harbored ill feelings toward users of Netscape Navigator.
(Don't laugh. There are such people. If you ever land on their pages, you will know
it.) Using either Java or JavaScript, I could effectively undertake the following
actions:

<DL>
	<DD><B>1. </B>Configure an inline or a compiled program to execute on load, identifying
	the type of browser used by the user.<BR>
	<BR>
	<B>2. </B>If the browser is Netscape Navigator, the program could spawn multiple
	windows, each requesting connections to different servers, all of which start Java
	applets on load.
</DL>

<P>In fewer than 40 seconds, the target machine would come to a grinding halt. (Oh,
those with more than 64MB of RAM might survive long enough for the user to shut down
the processes. Nonetheless, the average user would be forced to reboot.) This would
cause what we technically classify as a denial-of-service attack.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>One good reference about
	denial-of-service attacks is &quot;Hostile Applets on the Horizon&quot; by Mark D.
	LaDue. That document is available at <A HREF="http://www.math.gatech.edu/~mladue/HostileArticle.html"><TT>http://www.math.gatech.edu/~mladue/HostileArticle.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>These types of denial-of-service attacks are generally lumped into the category
of malicious code. However, they do constitute a type of DoS attack, so I thought
they were worth mentioning here.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>Not every denial-of-service attack
	need be launched over the Internet. There are many types of denial-of-service attacks
	that occur at a local level, perhaps not even in a network environment. A good example
	is a well known <I>file locking</I> denial-of-service attack that works on the Microsoft
	Windows NT platform. Sample code for this attack has been widely distributed on security
	mailing lists. The code (when compiled) results in a program that will take any file
	or program as a command-line argument. This command-line argument is the target file
	that you wish to lock. For example, it might be <TT>WINWORD.EXE </TT>or even a DLL
	file. The file will remain completely locked (inaccessible to any user) for the length
	of time specified by the cracker. During that period, no one--not even the administrator--can
	use the file. If the cracker sets the time period to indefinite (or rather, the equivalent
	thereof), the only way to subvert the lock is to completely kill that user's session.
	Such locking programs also work over shared out drives. 
<HR>


</BLOCKQUOTE>

<P>One particularly irritating denial-of-service attack (which is being incorporated
into many Windows 95 cracking programs) is the dreaded CHARGEN attack. CHARGEN is
a service that runs on port 19. It is a character generator (hence the name) used
primarily in debugging. Many administrators use this service to determine whether
packets are being inexplicably dropped or where these packets disappear before the
completion of a given TCP/IP transaction. In any event, by initiating multiple requests
to port 19, an attacker can cause a denial-of-service attack, hanging the machine.
<H3><FONT COLOR="#000077"><B>Holes That Allow Local Users Unauthorized Access</B></FONT></H3>
<P>Still higher in the hole hierarchy (class B) are those holes that allow local
users to gain increased and unauthorized access. These types of holes are typically
found within applications<I> </I>on this or that platform.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>In Figure 15.1, I point to an unshadowed
	<TT>passwd</TT> file as a possible class B problem, and in truth, it is. Nonetheless,
	this is not an <I>application</I> problem. Many such nonapplication problems exist,
	but these differ from hard-line class B holes. Here, hard-line class B holes are
	those that occur within the actual code of a particular application. The following
	example will help illustrate the difference. 
<HR>


</BLOCKQUOTE>

<P>A<I> local user</I> is someone who has an account on the target machine or network.
A typical example of a local user is someone with shell access to his ISP's box.
If he has an e-mail address on a box and that account also allows shell access, that
&quot;local&quot; user could be thousands of miles away. In this context, <I>local</I>
refers to the user's account privileges, not his geographical location.
<H4><FONT COLOR="#000077"><B>sendmail</B></FONT></H4>
<P>A fine example of a hole that allows local users increased and unauthorized access
is a well-known sendmail problem. sendmail is perhaps the world's most popular method
of transmitting electronic mail. It is the heart of the Internet's e-mail system.
Typically, this program is initiated as a daemon at boot time and remains active
as long as the machine is active. In its active state, sendmail listens (on port
25) for deliveries or other requests from the void.</P>
<P>When sendmail is started, it normally queries to determine the identity of the
user because only root is authorized to perform the startup and maintenance of the
sendmail program. Other users with equivalent privileges may do so, but that is the
extent of it. However, according to the CERT advisory titled &quot;Sendmail Daemon
Mode Vulnerability&quot;:

<DL>
	<DD>Unfortunately, due to a coding error, sendmail can be invoked in daemon mode
	in a way that bypasses the built-in check. When the check is bypassed, any local
	user is able to start sendmail in daemon mode. In addition, as of version 8.7, sendmail
	will restart itself when it receives a SIGHUP signal. It does this restarting operation
	by re-executing itself using the exec(2) system call. Re-executing is done as the
	root user. By manipulating the sendmail environment, the user can then have sendmail
	execute an arbitrary program with root privileges.
</DL>

<P>Thus, a local user can gain a form of root access. These holes are quite common.
One surfaces every month or so. sendmail is actually renowned for such holes, but
has no monopoly on the phenomenon (nor is the problem indigenous to UNIX).


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>For information about
	some commonly known sendmail holes, check out <A HREF="http://info.pitt.edu/HOME/Security/pitt-advisories/95-05-sendmail-vulnerabilities.html">http://info.pitt.edu/HOME/Security/pitt-advisories/95-05-sendmail-vulnerabilities.html</A><FONT
	COLOR="#000000"> and </FONT><A HREF="http://www.crossroads.fi/~tkantola/hack/unix/sendmail.txt">http://www.crossroads.fi/~tkantola/hack/unix/sendmail.txt</A><FONT