Questions about this topic? Sign up to ask in the talk tab.

Design Flaws

From NetSec
Jump to: navigation, search

Designs flaws are a serious issue not just due to the severity of some flaws but also the broadness of the subject. This is not limited to just buffer overflows as technically every security hole is considered a design flaw.

An early example of a design flaw can be found in Microsoft’s Windows 95 operating system. People often count on screensaver passwords to protect their computer from peers with physical access. In Windows 95, the screensaver could actually be circumvented using the “alt + tab” hotkey combination, which is used in windows to navigate between open windows from the keyboard. An attacker with physical access could merely alt-tab out of the screensaver and do whatever they wanted.

Some current design flaws reside in the ‘at’ command on Windows NT through Windows XP Service Pack 2, and on the ‘attrib’ command, the flaw affecting all known versions of windows, including Vista.

To access the command line environment in any windows setting, go to:

 Start --> Run and type cmd.exe and hit enter. 

The ‘at’ flaw is considered a privilege escalation vulnerability.

Because the ‘at’ command runs all applications from the schedule with system privileges, an attacker could use it to escalate beyond normal user restrictions, bypassing escalation to administrator and escalating directly to “NT Authority\SYSTEM”. The ‘at’ command takes the following syntax:

 at [military time] /interactive [application to execute]

If an attacker wanted to “at up” a task manager application in order to turn off commonly used anti-exploitation frameworks and permission guarding frameworks (Like CSA, Symantec and Norton Security, and other firewalls), s/he might use the following command:

 at [military timestamp one minute from now] /interactive taskmgr.exe

This will spawn a task manager application in one minute using system credentials. Assume the time is 2:01 PM, the actual command string may look like:

 at 14:02:00 /interactive taskmgr.exe

Attackers use this tool to bypass local operating system restrictions as well as to escalate privileges far beyond necessary. This is also a design flaw vector that several windows rootkits use on execution for privilege escalation.

The attrib flaw is a bit different. It allows not only for arbitrary permissions settings but also for escalation to system credentials. Using attrib for privilege escalation is done by setting attributes of a .dll file to make it a system file, after which using dll injection to inject arbitrary code into another system owned dll file. Because of the complexity of this design flaw exploitation, using attrib to escalate privileges will not be covered in this document. Attrib can also be used to assign arbitrary permissions sets to files and directories.

Using attrib to assign arbitrary permissions is a dangerous way to insert system files and hide files completely from the windows UI, and mostly from MS-DOS as the “dir” command cannot list files hidden by the attrib command.

Start by creating a text document located at C:\ with some text in it. The text inside the document does not matter. Save the document as “tohide.txt”. Then, open up the command line environment. In other versions of windows, can be used in the event that cmd.exe is not available. Type “cd \” to go directly to the C:\ directory. Now go to “My Computer”, and do33uble click on the C drive, so the “tohide.txt” file can be seen. Go to Tools ? Folder Options and click on the View tab. Make sure that showing hidden and system files is enabled. In the command line, type:

 attrib +s +r +h tohide.txt

Now click on the window that has the C drive up. Hit “F5”, which refreshes the view of the files. Notice the tohide.txt file disappears. Now click back to the console window. Type:

 dir /p

Notice that the dir command does not reveal the tohide.txt file either. This hides files even from the administrator. To unhide the file, in the command line type:

 attrib –h -r –s tohide.txt

Notice the file magically appears in the window displaying the contents of the C drive as well as is now listed by the “dir” command. Because of the nature of this flaw, it cannot exactly be easily patched. The attrib command is what protects file access from files like the SAM file and the pagefile during installation and on boot. This flaw is not documented on any web sites and is a serious vulnerability that spans all current windows versions. The authors of this wiki consider this a “Critical” vulnerability.

Another flaw in permissions handling in windows resides in managed group policy. This is a flaw in windows Vista. Using the cacls command in the command line interface, one can remove the ability for a file to be seen by the administrator or by the system entirely. The flaw resides in allowing a user to actually specify that the administrator is not allowed any access to the file and nor is “SYSTEM”. Vista allows the ability to assign NO permissions whatsoever, and using this technique a Vista virus or rootkit could completely hide from both the kernel and all known anti-viruses. Continuing with “tohide.txt”, the text file to hide, type the following in the command line:

 cacls C:\tohide.txt /P SYSTEM:N
 cacls C:\tohide.txt /P Administrators:N
 cacls C:\tohide.txt /P [your_account]:F

This will completely disallow list, read, write, and execute permissions from all users in the Administrators group as well as all System owned processes. To repair, simply type:

 cacls C:\tohide.txt /P SYSTEM:F
 cacls C:\tohide.txt /P Administrators:F
 cacls C:\tohide.txt /P [your_account]:F

This flaw is not widely documented and is considered by this wiki to be a “critical” vulnerability.

Another vulnerability in windows may no longer be applicable, however on older versions of XP and some copies of XP SP2 it is possible to gain system level permissions via file renaming. The login handler application for windows is called “login.scr”. Login.scr is the file that greets a user with the login prompt and asks them to press CTRL+ALT+DELETE to log in. If an attacker renames this file to “login.bak”, and then renames or cmd.exe to login.scr and then double clicks on login.scr, the command line is loaded with system level permissions. This is not widely documented and is also considered a critical vulnerability.

An older vulnerability in Windows XP which is no longer applicable entails shared printers. All printers were shared by default and NetBIOS was also enabled by default. This would allow virtually anyone on the internet to NetBIOS into a victim machine and print anything they like off of the victim’s printer. To access a machine over NetBIOS, the attacker need only enter \\victim-IP-address into their address bar in “My Computer” and viola, the shared printers on the victim machine were in an easily accessible folder to double click on. This vulnerability is no longer applicable because most of the ISP's in the United States have begun jamming of port 139 for security reasons, and Microsoft has moved to make all netBIOS sessions authenticated.

A large design flaw in all current implementations of windows resides in the Operating System restrictions that administrators are able to use to restrict users from accessing things like the command line and the run dialogue from the start menu for publicly used machines. At the library, administrators lock down the system as much as possible yet allow users free reign over applications like Microsoft Word. Microsoft Word can be the undoing of all of these local operating system restrictions. A large flaw in the OS restrictions that windows offers is that the command line environment can be accessed whether it is disabled for the user or not. Even if the command line is disabled, it only disables access to cmd.exe without disabling access to

Operating system restrictions can be circumvented through MS-Word’s macro engine. To access this engine, first open MS-Word, then press ALT+F11. This hotkey combination will open Word’s Visual Basic Script Editor. Attackers can use Word to create their own run dialogue boxes, a process detailed below. In the Script Editor, there should be a pane that says "ThisDocument" with a word doc icon by it on the left. Double click. Now there should be an open window that appears somewhat to be a text editor. Now would be a good time to switch over to MS-Word, and then go to Tools ? Security ? Macros in the tools menu (a few down from the "File" menu) and enable macros.

Its time to explain a little bit about data types, for those who haven't had this type of lesson yet. The most standard data types are double, integer, and string. Less common types include but are not limited to long, boolean, etc.

Data Types and their uses :

Type, Use, Example Integer, Whole Numbers, 192 String, Multiple Characters, "qwerty" Double, Rational Numbers, 9.2 Boolean, True or False, False

Declaring a variable is more or less like making a variable in an equation. The most important part of declaring variables A and B is defining A and B as values taken from user input. A standard method of naming variables in VBScript is prefixing the variable name with its data type (int for integer, str for string, etc). To make a Run Prompt, an attacker will have to declare variables as follows :

<syntaxhighlight lang="vb">

 Dim lngShell As Long
 Dim strShell As String


Now with the variables declared, the attacker needs to make use of a few functions to define the variables according to user input. It is the assumption of the author that the reader understands the basics of at least Algebra-two based mathematics, or geometry. Knowledge of Functions is required. A function in programming is like a function in math. If f(x) = x + 5, then f(19) = 24.

The InputBox() function: The InputBox() function is an important function. The InputBox() function prompts the user for input and returns with a string value. The InputBox() function also takes certain arguments, such as title, prompt, and windowstyle. The attacker need only use the "prompt" and the "title" arguments.

 Syntax : strStringVariable = InputBox(Prompt As String, Title As String)

strStringVariable will then be equal to anything that the user types in.

The Shell() function: The Shell() function returns a double and executes a system call. It takes two arguments which will be covered here. Usually an attacker would use a long instead of a double because it is allocated more memory space.

 Syntax : LngLongVar = Shell(PathName As String, vbWindowStyle as vbWindowStyle)

The vbWindowStyle argument controls if the window created by shell() function is minimized, maximized, focused on, or hidden. A window has focus when it is selected by the user or a program for use. While a user is surfing the net on a windows computer, IE/Firefox has focus, while a user is chatting on AIM, the message window for whoever the user is talking to is said to have "focus".

The following vbWindowStyle arguments are supported by most versions of MS-Word:

   * vbHide
   * vbMaximizedFocus
   * vbMinimizedFocus
   * vbNormalFocus
   * vbMinimizedNoFocus
   * vbNormalNoFocus

The function defaults to vbNormalFocus. So the attacker’s run prompt will need to include the following:

<syntaxhighlight lang="vb"> strShell = InputBox("Please enter a program to run...", "Run...") lngShell = Shell(strShell, vbMinimizedNoFocus) </syntaxhighlight>

vbMinimizedNoFocus is used by the attacker to prevent anyone looking over his or her shoulder from realizing what is going on in the background. The entire code should look something like:

<syntaxhighlight lang="vb"> Private Sub Document_Open() Dim lngShell As Long Dim strShell As String strShell = InputBox("Please enter a program to run...", "Run...") lngShell = Shell(strShell, vbMinimizedNoFocus) End Sub </syntaxhighlight>

To execute the code, open the VB editor, place the cursor inside the "Private Sub" block, click once, then press F5 on the keyboard. If macros are enabled, etc, the new run prompt is now ready for use.

There are multiple other design flaws in windows, concerning the TCP/IP stack, the Session Exception Handler, and the Thread Environment Block. The TCP/IP stack makes each socket file descriptor re-usable, meaning an attacker can craft malicious shellcode to use during a remote buffer overflow exploitation to re-use the socket file descriptor of the socket used to perform the exploitation and turn that connection into something malicious, like a bindshell or data pipe. It is also possible to maliciously use the TEB’s static relative offset in order to find the location of certain system API’s like kernel32.dll in memory. The SEH frame is vulnerable because of a way to implant memory addresses into registers, and also allows for creation of an application’s own SEH which could allow an attacker to create a custom SEH frame for anti-heuristic purposes. The TEB is always 0x18 bytes away from fs:[0], and then as long as a 64 kb boundary is set, using the relative offset of 0x1c an attacker can always find the base address of kernel32.dll. This can’t be easily patched and is considered by the author a critical vulnerability.

Another critical windows design flaw is exploited by Cain from Cain & Abel. Under the network tab, an attacker is able to input an IP address to add to the “quick list”. The drop down menu has a “users and groups” section, similar to MMC.exe. When the users and groups section is clicked on, Cain prompts the attacker to begin remote users enumeration. If the attacker clicks “Yes”, Cain then enumerates users via commonly used CLSID’s for user authentication. This enables the attacker to remotely obtain a list of usernames for further penetration and exploitation techniques.

The windows API also has a few undocumented functions, such as LsarOpenSecret() and LsarQuerySecret() from LSASRV.dll. These functions are not documented, however when used maliciously by an attacker the functions will reveal all plaintext passwords stored in memory decrypted from the LSA Secrets algorithm. These are serious and critical vulnerabilities because they can be used by viruses and other malware to escalate privileges with ease.