A Real World Attack: wu-ftp
Information Networking Security and Assurance Lab
National Chung Cheng University
Description
Intrusion incidents happen every day. Do you know what techniques crackers use to intrude into your web server, mail server and FTP server?
Today, this exercise will guide you through the process of discovering a vulnerable system, exploiting the vulnerability, and installing software to cover your tracks.
Purpose
Locate a vulnerable system
Exploit that vulnerability to gain a root shell
Install a RootKit
Access the system via the RootKit
Principle and Pre-Study (I)
CERT Advisory CA-1999-13
Multiple Vulnerabilities in WU-FTPD
1. MAPPING_CHDIR Buffer Overflow
2. Message File Buffer Overflow
3. SITE NEWER Consumes Memory
http://www.cert.org/advisories/CA-1999-13.html
Principle and Pre-Study (II)
What is Buffer overflow?
A type of programmatic flaw that is due to a programmer allowing for an unbounded operation on data.
2003 Top Ten Vulnerability Threat (Symantec)
1 Microsoft Windows DCOM RPC Interface Buffer Overrun
2 Microsoft RPCSS DCOM Interface Long Filename Heap Corruption
3 Microsoft Windows ntdll.dll Buffer Overflow
4 Sun Solaris Sadmin Client Credentials Remote Administrative Access
5 Sendmail Address Prescan Memory Corruption
6 Multiple Microsoft Internet Explorer Script Execution
7 Microsoft Windows Workstation Service Remote Buffer Overflow
8 Samba ‘call_trans2open’ Remote Buffer Overflow
9 Microsoft Windows Locator Service Buffer Overflow
10 Cisco IOS Malicious IPV4 Packet Sequence Denial of Service
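The MAPPING_CHDIR overflow listed in CA-1999-13 belongs to the flaw class defined above: a path assembled in a fixed buffer without checking the remaining space. The C program below is an added illustration written for this page, not wu-ftpd's code; it contrasts an unchecked strcat() path builder with a bounded one that rejects a directory name that would not fit. The buffer size and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Assumed, illustrative buffer size: deliberately small so the overflow case is easy to see. */
#define PATH_BUF 64

/* Vulnerable pattern, constructed to illustrate the MAPPING_CHDIR flaw class of
 * CA-1999-13: the mapped path accumulates in a fixed buffer via strcat(), so a chain
 * of long, client-chosen directory names writes past the end of the buffer.
 * It is never called here; it is shown only to contrast with the bounded version. */
void append_component_unsafe(char *mapped, const char *dir) {
    strcat(mapped, "/");
    strcat(mapped, dir);   /* no check of remaining space: an unbounded operation on data */
}

/* Hardened version: append "/dir" only if it fits, including the terminating NUL,
 * and leave the buffer untouched otherwise. Returns 0 on success, -1 when rejected. */
int append_component_safe(char *mapped, size_t cap, const char *dir) {
    size_t used = strlen(mapped);
    size_t need = strlen(dir) + 1;           /* '/' plus the directory name */
    if (used >= cap || need >= cap - used)   /* need + 1 (NUL) must fit in cap - used */
        return -1;
    mapped[used] = '/';
    memcpy(mapped + used + 1, dir, need - 1);
    mapped[used + need] = '\0';
    return 0;
}

/* Map a sequence of directory components the way a chain of CWD commands would,
 * stopping at the first one that does not fit. Returns how many were accepted. */
int map_path(char *mapped, size_t cap, const char *const *dirs, int n) {
    int accepted = 0;
    mapped[0] = '\0';
    for (int i = 0; i < n; i++) {
        if (append_component_safe(mapped, cap, dirs[i]) != 0)
            break;
        accepted++;
    }
    return accepted;
}

int main(void) {
    /* Constructed sample: two short names, then a 70-character name that cannot fit. */
    char longname[71]; memset(longname, 'A', 70); longname[70] = '\0';
    const char *dirs[] = { "pub", "incoming", longname, "x" };
    char mapped[PATH_BUF];
    int n = map_path(mapped, sizeof mapped, dirs, 4);
    printf("accepted %d components, mapped path: %s\n", n, mapped);
    return 0;
}
```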
Required Facilities
WARNING:
This process of cracking a system has only been tested on an internal network.
Do not actually run the exploit on a host you are not privileged to use.
Hardware
PC or Workstation with a UNIX-like system
Software
Wu-ftp 6.2.0
RootKits and Buffer Overflow Program
Step (I): reconnaissance and scanning
Use “nmap” for system scanning
Test the anonymous account
Step (II): exploit the target
Decompress the buffer overflow file and compile it
List the usage of this tool
Step (III): cracking
Execute the buffer overflow on the target host
Got root rights
Step (IV)
Download the rootkit from outside and install it
Check the logged-in users
Download the tool from another victim
Decompress the rootkit
Execute the rootkit
Step (V): auto-patch the victim
Set the default login password
Replace the system commands
Open the telnet port
Report the system information
Close the system firewall
Step (VI)
Try the rootkit to see if it works
The Telnet daemon has been replaced
Input the ID and the password predefined by us
We have got a root shell now
Now you can do anything
Summary
Check the OS and applications’ vulnerabilities periodically.
Catch the idea of “Defense in Depth.”
Reference
CERT
http://www.cert.org/
Nmap
http://incsecure.org/
Buffer Overflow and RootKits download site
http://www.flatline.org.uk/~pete/ids/