
Essay: Secure Privileges on Microsoft 2000 ASN.1 Library with Metasploit: Exploit MS04_007 Vulnerability

Essay details:

  • Subject area(s): Sample essays
  • Published: 1 April 2019*
  • Words: 3,330 (approx)
  • Tags: Microsoft essays




In this report, I am going to investigate the exploit MS04_007 against the weakness of an unchecked buffer in the Microsoft 2000 ASN.1 library using the Metasploit software found within the Kali Linux operating system. This report will investigate this in detail by separating the process into the four key phases of carrying out an attack: reconnaissance, scanning, exploitation and post-exploitation. The report will also recommend suggestions for preventing the attack and the correct software to use to accomplish this.

Description of the vulnerability, exploit, and attack software

This exploit allows an attacker, through execution of arbitrary code on a system, to gain elevated privileges on that system. The vulnerability, found within multiple Microsoft systems, is caused by a buffer overflow in an unchecked buffer in the Microsoft ASN.1 Library. By sending a long message to a vulnerable system, the attacker overflows the buffer; as a result, the attacker can gain control of the target and cause further damage such as a denial of service attack (IBM, 2006).

The C Runtime Library (CRT) was written 25 years ago, a time when computers worked and were connected differently. The use of CRT subsets should be minimised in newer code and eventually eradicated from older code; however, with outdated functions it is very easy to get the code wrong. The 2003-0818 vulnerability could have been prevented if the application programming interfaces which are now banned had been removed from the code (Howard, 2006). It is thought to be an older method of communication between Windows programs that run on different computers within a network (CSBS, 2003). However, the main reason for this vulnerability is the unchecked buffer in the Microsoft ASN.1 library.

ASN.1 (Abstract Syntax Notation One) is Microsoft’s standardised method of describing data which is sent and received within a network (Larmouth, 2017, p. 1). ASN.1 can be split into two parts: the rules for labelling the contents of the data, and how data is encoded within the message. ISO standards define the standards required for the OSI framework (ITU, 1988). It is ISO 8824/ITU X.208 that specifies the composition of syntax within the data, and ISO 8825/ITU X.209 that specifies how the data should be coded. For example: Report ::= SEQUENCE { author OCTET STRING, title OCTET STRING, body OCTET STRING, biblio Bibliography }. This message, called Report, includes the data coded as SEQUENCE and OCTET STRING. SEQUENCE simply means that the data is a series of data entries. OCTET STRING means each of the data entries is a string of eight-bit bytes; as it is assumed that not all computers use eight bits in a byte, "octet" was used instead of "byte" (Minaev, 2009).

As different applications are running, the ASN.1 library identifies the various data types being passed back and forth to allow each system to interpret the data received (Maiffret, 2009). However, if the ASN.1 library extension fails to verify the length of the data strings before it copies the message into finite buffers, particularly long messages can cause the system to fail completely, i.e. a denial of service. A denial of service indefinitely disrupts the services of a machine; from there, an attacker could remotely execute code that passes parameters to the vulnerable component in order to establish elevation of user privileges (Heasman, 2005). This can allow an attacker to carry out further attacks such as deleting files and demanding a ransom from the user to recover their files (“Impersonation and Elevation of Privilege,” 2018). This exploit of the buffer overflow vulnerability can be executed locally or remotely.
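The Report SEQUENCE of OCTET STRINGs from the previous paragraph, and the length check this paragraph says the library omitted, as an added example that is not code from the essay or from Microsoft's library: a hypothetical bounds-checked DER decoder in C that copies each field into a fixed-size buffer and rejects any value whose declared length exceeds either the message or the buffer. The Report layout (Bibliography omitted), the 16-byte field size and the sample messages are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical decoder for the essay's Report type (Bibliography omitted):
   Report ::= SEQUENCE { author OCTET STRING, title OCTET STRING, body OCTET STRING } */
#define DER_SEQUENCE     0x30
#define DER_OCTET_STRING 0x04
#define FIELD_MAX        16   /* the fixed "finite buffers" each field is copied into */
struct report { char author[FIELD_MAX], title[FIELD_MAX], body[FIELD_MAX]; };

/* Parse one tag + length (X.209 short form, or long form with one length byte).
   Returns the header size, or 0 when the header itself runs past the input. */
static size_t der_header(const uint8_t *in, size_t len, size_t pos,
                         uint8_t *tag, size_t *vlen)
{
    if (len - pos < 2) return 0;                       /* caller keeps pos <= len */
    *tag = in[pos];
    if (in[pos + 1] < 0x80) { *vlen = in[pos + 1]; return 2; }
    if (in[pos + 1] == 0x81 && len - pos >= 3) { *vlen = in[pos + 2]; return 3; }
    return 0;                                          /* longer forms not needed here */
}

/* Copy one OCTET STRING value into a FIELD_MAX buffer. The two length checks are
   what the essay says the library omitted: without them the declared length alone
   drives memcpy, and an over-long value writes past the end of the buffer. */
static int decode_octet(const uint8_t *in, size_t len, size_t *pos, char out[FIELD_MAX])
{
    uint8_t tag; size_t vlen;
    size_t hdr = der_header(in, len, *pos, &tag, &vlen);
    if (hdr == 0 || tag != DER_OCTET_STRING) return -1;   /* malformed header */
    size_t start = *pos + hdr;
    if (vlen > len - start) return -2;                    /* longer than the message */
    if (vlen >= FIELD_MAX)   return -3;                   /* longer than the buffer */
    memcpy(out, in + start, vlen);
    out[vlen] = '\0';
    *pos = start + vlen;
    return 0;
}

/* Decode a whole Report: 0 on success, a negative code when it is rejected. */
int decode_report(const uint8_t *in, size_t len, struct report *r)
{
    uint8_t tag; size_t vlen;
    size_t pos = der_header(in, len, 0, &tag, &vlen);
    if (pos == 0 || tag != DER_SEQUENCE || vlen > len - pos) return -1;
    len = pos + vlen;                                     /* never read past the SEQUENCE */
    int rc;
    if ((rc = decode_octet(in, len, &pos, r->author)) != 0) return rc;
    if ((rc = decode_octet(in, len, &pos, r->title))  != 0) return rc;
    if ((rc = decode_octet(in, len, &pos, r->body))   != 0) return rc;
    return pos == len ? 0 : -4;                           /* trailing bytes rejected too */
}

/* Constructed sample: a well-formed Report ("ann", "t", "hi"). */
const uint8_t GOOD[] = { 0x30, 0x0C, 0x04, 0x03, 'a','n','n', 0x04, 0x01, 't', 0x04, 0x02, 'h','i' };
/* Constructed "long message": the author field claims 200 bytes (0x81 0xC8) but only 3 follow. */
const uint8_t LONG_CLAIM[] = { 0x30, 0x08, 0x04, 0x81, 0xC8, 'a','n','n', 0x04, 0x00 };

/* Builds a message whose 20-byte author fits the message but not the 16-byte buffer. */
int oversize_field_verdict(void)
{
    uint8_t msg[28] = { 0x30, 26, 0x04, 20 };
    memset(msg + 4, 'a', 20);
    msg[24] = 0x04; msg[25] = 0x00; msg[26] = 0x04; msg[27] = 0x00;
    struct report r;
    return decode_report(msg, sizeof msg, &r);
}
```

The two rejection codes separate the two ways a "long message" can lie: a length larger than the bytes actually received (-2) and a length larger than the destination buffer (-3); an unchecked decoder copies in both cases.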

The Common Vulnerability Scoring System (CVSS) version 3.0 is a standardised scoring system produced to capture the fundamental features of a vulnerability (CVSS-SIG, 2018). The score, ranging from low through medium to high, allows companies and organisations to evaluate and prioritise their management of any vulnerabilities as they arise (SIG, 2018). According to the National Vulnerability Database, the 2003-0818 CVSS score is 7.5 (NVD, 2004).

The score is calculated through 6 base metrics:

• Access Vector: Network – The attack is remotely exploitable.

• Access Complexity: Low – There are no special conditions for the vulnerability to be exploited.

• Authentication: Not Required – No requirement for the attacker to authenticate.

• Confidentiality: Partial – Considerable information disclosure, providing access to all data on the system.

• Integrity: Partial – Ability to modify some data.

• Availability: Partial – There is a reduced loss of availability of the attacked resource.
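The six metrics listed above (Access Vector, Access Complexity, Authentication and the three Partial impacts) are the CVSS version 2 base metrics, and the 7.5 recorded by the NVD is the v2 base score. As an added example that is not from the essay, this C code carries the published v2 base equation through with those values to reproduce the 7.5; the enum and function names are assumptions made here, while the weights and constants are the published ones.

```c
/* CVSS v2 base-equation constants from the published specification.
   Enum and function names are assumptions made for this example. */
enum av  { AV_LOCAL, AV_ADJACENT, AV_NETWORK };
enum ac  { AC_HIGH, AC_MEDIUM, AC_LOW };
enum au  { AU_MULTIPLE, AU_SINGLE, AU_NONE };
enum cia { CIA_NONE, CIA_PARTIAL, CIA_COMPLETE };

static const double AV_W[]  = { 0.395, 0.646, 1.000 };
static const double AC_W[]  = { 0.350, 0.610, 0.710 };
static const double AU_W[]  = { 0.450, 0.560, 0.704 };
static const double CIA_W[] = { 0.000, 0.275, 0.660 };

/* Round to one decimal (scores are non-negative, so no <math.h> is needed). */
static double round1(double x) { return (double)(long)(x * 10.0 + 0.5) / 10.0; }

/* Impact = 10.41 * (1 - (1 - C) * (1 - I) * (1 - A)) */
double cvss2_impact(enum cia c, enum cia i, enum cia a)
{
    return 10.41 * (1.0 - (1.0 - CIA_W[c]) * (1.0 - CIA_W[i]) * (1.0 - CIA_W[a]));
}

/* Exploitability = 20 * AccessVector * AccessComplexity * Authentication */
double cvss2_exploitability(enum av v, enum ac c, enum au u)
{
    return 20.0 * AV_W[v] * AC_W[c] * AU_W[u];
}

/* Base = round1(((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact)),
   where f(Impact) is 0 when Impact is 0 and 1.176 otherwise. */
double cvss2_base(enum av v, enum ac c, enum au u,
                  enum cia ci, enum cia ii, enum cia ai)
{
    double impact = cvss2_impact(ci, ii, ai);
    double expl   = cvss2_exploitability(v, c, u);
    double f      = (impact == 0.0) ? 0.0 : 1.176;
    return round1((0.6 * impact + 0.4 * expl - 1.5) * f);
}

/* The metrics the essay lists for CVE-2003-0818: AV:N/AC:L/Au:N/C:P/I:P/A:P.
   Impact = 6.443, Exploitability = 9.997, Base = 7.5 (the NVD score). */
double ms04_007_base_score(void)
{
    return cvss2_base(AV_NETWORK, AC_LOW, AU_NONE,
                      CIA_PARTIAL, CIA_PARTIAL, CIA_PARTIAL);
}
```

Changing only Availability to Complete (the denial-of-service outcome the essay describes) lifts the same vector to 9.0, which shows how much of the 7.5 comes from the three impacts being rated Partial.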

The vulnerability types recorded for it are Execute Code, Buffer Overflow and Gain Privileges (MITRE, 2018).

These systems are affected by this vulnerability: Windows XP SP0-SP1, Windows 2000 SP2-SP4, Windows 2003 and Windows NT SP1-SP6.

This report will focus on exploiting the 2003-0818 vulnerability using Metasploit from the Bash command line, but will also require Nmap.

Reconnaissance

The first stage of an attack is to carry out reconnaissance. Before a hacker commences an attack, they will identify a target using Nmap. Nmap reduces the potentially vast list of IP address ranges to a condensed list of active hosts. Nmap is a tool which offers an attacker a wide variety of methods of probing a network (Lyon, 2011). To increase the chances of bypassing any firewalls, -p is an option which sends many probes using various TCP ports and ICMP flags. If an attacker were to use the -sL option, they would be ensuring that they have collected the proper IP addresses for the targets.

However, in this example, the target IP address is already established, as it is the single machine on the network used by the testing environment. By running the command ifconfig on both machines, the IP addresses are established. The IP address of the Windows 2000 virtual machine, as seen in figure 1, is 10.37.129.3. As both virtual machines are on the same local area network, the first three octets of their IP addresses are the same. Figure 2 shows the Kali Linux VM's IP address, 10.37.129.4. The IP address will be used to run a detailed scan on the target's machine to establish which software is being run. This is vital information for an attacker, as it allows them to choose exploits which may work on the operating system of the target. In order to carry out this investigation into the victim's machine, the attacker must run the command msfconsole, which opens the interface for Metasploit (OffensiveSecurity, 2013a), as shown in figure 3.

Scanning

Scanning is an essential step in discovering communication channels which can be exploited. Nmap, the Network Mapper, is a tool used for investigation of networks, finding open ports and discovering potential targets. It works by firing raw packets at system ports and filtering the responses to determine which ports are open, closed or filtered (Lyon, 2011). After establishing the correct Metasploit interface, the attacker is able to run a complete scan of the target's IP address by using the command -Pn -sS 10.37.129.3 -A, as shown in figure 4. This command can be split into three separate options:

• -Pn tells Nmap to skip the ping test and to scan every possible target.

• -sS performs a stealth TCP SYN scan to allow clear differentiation between the three states of ports: open, closed and filtered.

• -A provides traceroutes; this is where probes are performed in parallel and Nmap uses the scan results to establish a preferred probe type, in this example TCP packets to port 80 (Vidyapeetham, 2018).

The overall result shows the attacker that the target IP address is running Microsoft Windows 2000 SP0-4 and port 445 is open.

This is vital information for further investigation, as the attacker now knows that the exploit ms04_007 will run against the vulnerabilities within Windows 2000.

Exploitation:

The next step taken by an attacker wanting to exploit a vulnerability on a target's machine is to set up the attack using the msfconsole within the open-source Metasploit tool. An advantage of this tool is that it is open source and automates the exploitation process for vulnerable software. Msfconsole allows an attacker to tailor a chosen exploit by attaching a chosen payload specific to the system being exploited (Beaver, 2004). As a result of the scanning stage, the attacker knows that the ms04_007 exploit is the best chance to target the vulnerability within the Windows 2000 SP3 operating system. They can search the msfconsole database, an archive of all public exploit modules. In figure 6, they use the command search platform:"windows 2000" type:exploit. The search command triggers the extensive regular-expression based search function within msfconsole, which filters the database for all the modules affecting Windows 2000 that are exploits. They can also search by author, type and name (OffensiveSecurity, 2013a).

The use command alters the command line to load the meterpreter extension. In figure 7, the exploit is loaded with the use command; this is set up at the beginning of establishing the exploit. Next, they can use the show options command to investigate the exploit further. The results show which RHOST and LHOST should be set.

RHOST (remote host) is the IP address of the target system. LHOST (local host) is the IP address of the target IP address. Within show options results, it also shows the attacker the listening port which is used to attack the target machine. In this case, it is 4444. In the Nmap scan results, it can be seen that the UDP port 4444 is up which allows the attacker to use this port to establish a connection to the target machine and forward the exploit (Greer, 2017).

Now that the attacker has set up the exploit, a payload needs to be attached to it, which is triggered by the exploit. Attacks performed some years ago had the exploit and payload bundled together in the same code. As a result, attackers were forced to make complex machine-language adjustments to take a payload from one attack and execute it with a different one. To resolve this complexity, exploit frameworks are now separate from the payloads, which allows an attacker to select an appropriate payload for the chosen exploit for the best results. Metasploit includes a vast number of payloads for an attacker to choose from; these can be accessed by using the command show payloads, as in figure 10.

In this attack, the windows/meterpreter/bind_tcp payload is attached. In the source code, it is established that if the payload fails to execute, the LSASS system will crash and the target system will reboot; therefore, it is imperative that the correct payload is chosen (Hoodie, 2018). This payload is a self-contained library injection technique used to perform the insertion of a library from memory into a host process, which is the exploit (Rapid7, 2018, p. 7). The bind_tcp payload opens a port on the target's machine and waits for the incoming connection; the attacker can then connect to the listener on the target's machine and the code can be executed arbitrarily.

The exploit and payload are pointed at the target IP address and the code is run. In figure 12, the bind handler is started and a meterpreter session is opened. A bind handler attempts to connect to the RHOST to see if the payload has started listening. The machine's buffer is overflowed by a long message and returns “STATUS_ACCESS_VIOLATION” (Tarhini, 2012). The return address sent by the payload causes the programme to jump to an unidentifiable address, which in turn causes the programme to crash, and the vulnerability has been exploited. Therefore, the meterpreter session is opened. The attacker can now begin post-exploitation as they are inside the vulnerable system.

Post-exploitation:

After the exploitation has been completed, the attacker now has access to the target system. From here, many methods can be used to carry out further attacks. An attacker can easily exploit the system further by first gaining admin access to the user. The first step in post-exploitation is to check that the attacker has gained access to the correct machine. To ensure this, the attacker can run the command execute -f cmd.exe (OffensiveSecurity, 2013). This executes the file cmd.exe on the target host. The file cmd.exe opens the command prompt, the command line interpreter within the Windows system. The .exe extension shows that the file is executable; through it the attacker is able to search through the target's system and perform administrative functions. From there, the attacker can use ipconfig to establish the IP address of the user which has been exploited, thus ensuring the correct system has been exploited. Figure 14 proves that the attacker has gained access to the Windows 2k victim machine.

Now the attacker can begin the post-exploitation methods in order to gain admin rights. Firstly, it must be established which user privileges the attacker has gained. Running the command getuid returns the current admin rights. In this case, the admin rights are NT AUTHORITY\SYSTEM or LocalSystem, which is a built-in Windows account that has access to most system objects (StackExchange, 2017). However, the attacker must elevate the privileges to further carry out post-exploitation methods. This is done by running getsystem -h in an attempt to own the system. The -h switch displays all the available options, which can be run individually as seen in figure 15; however, by running the command getsystem on its own, Metasploit attempts every

Now that the system is owned by the attacker, the process list can be itemised by running ps. By running the process list, the attacker can establish the running processes, including which path they are running from (OccupyTheWeb, 2013). The attacker can then migrate to explorer.exe as a precaution, in case the user notices the exploited service is no longer running and kills it; this is done by running the command migrate 688 *Process ID of explorer.exe* (OffensiveSecurity, 2017). All shown in figure 17.

From here, the attacker can easily create a backdoor using one command, run metsvc.  This automatically starts a multi/handler which connects to the metsvc.exe. It creates a temporary instal

Now that the backdoor has been created, the attacker can continue to ensure that access is maintained by creating a new admin user and deleting the current admin user from the system. This is done by running execute -f cmd -c. This creates a channel so that the attacker can then run the command interact channel 1. Channel 1 refers to the channel name created when the first command was run. This in turn generates a command shell where the attacker is able to call the commands net user newusername password /add and net localgroup administrators newusername /add. This creates an account on the target system with admin rights (Tekjournal, 2006). All shown in figure 20.

The attacker can now view the admins on the target machine by running net localgroup administrators. Figure 21 shows the newly added user “newusername” created earlier. They can complete the steps in maintaining access by deleting the main admin user “fun” with the command net localgroup administrators fun /delete. The target user can no longer gain access to their machine, and also cannot stop the process from running on their machine by closing the port that was used to exploit the target.

The attacker can also view and modify the user's files. To do this, the attacker must first search for an important file to modify. This is done by running the command search -f .txt; searching a whole computer system can take a long time, so by pointing the command at the .txt file extension the search will be carried out much more quickly. This search outputs every .txt file on the system, shown in figure 22. Once the attacker selects an important file, in this case passwords.txt, the command edit passwords.txt can be run; a popup terminal will open, showing the details within the file. By typing the letter L, the file will enter insert mode and the attacker is now able to modify this file, shown in figure 23 (vidsploit.com, 2013).

The final steps an attacker must take are to cover their tracks before leaving the compromised system. By doing this, the target is unable to find evidence on their machine that they have been hacked, and is therefore unable to take action. Covering their tracks ensures it is very difficult for a system admin or any law enforcement to track the attack and create evidence from it (NullByte, 2013). Within Metasploit, there is a command an attacker can run called clearev (figure 24) which points to the event logs on a Windows system and clears out every log. It removes any evidence of the connection from the attacker's machine to the target from the log files (figure 25).

Recommendations for preventing the attack

When the operating system was updated to the latest known version of Windows, Windows 10, the exploit no longer worked; this is due to the update modifying the handling of malformed data by the ASN.1 library (BetaFred, 2004). Figure 26 shows that in Windows 10 the exploit is unable to execute. Any users still using Windows 2000 should update their systems immediately, thus eradicating the possibility of an attacker being able to carry out this exploit on their machine.

If Microsoft had not released a patch against the MS04_007 vulnerability, a company could also use an Intrusion Prevention module. This can identify traffic from malicious software and increase control over applications which may be accessing the network; it acts as a first line of defence against attacks until the patch is released (MicroTrend, 2018). For a more permanent and lasting effect, companies or organisations at risk from an exploit should institute a firewall; a firewall can prevent any unauthorised access to services at the network level before an attacker is able to exploit them.

Frequent reviews should also be carried out on access control processes; auditing can track log-on attempts, including successful and unsuccessful logins. Intrusion prevention software (IPS) can monitor these logs closely and trigger notifications should there be a log-on prompt attack (CISSP, 2018).

If a company using Windows 2000 had an IPS and firewalls installed, the MS04_007 exploit would have been flagged as a failed attempt at entry; the firewall would have tightened its security around the exploit's access, and the attacker would then be unable to access any of the target's files or data. As a result, the exploit would fail and the prevention methods would sustain the security of the system until the patch became available for the weakness being exploited.

Related software

The software used in this report has been Metasploit. It is the most renowned open-source framework tool, used by industry experts to execute code using an exploit and payload against a target machine. It is an automated method of exploiting software vulnerabilities, but it can also be used as a tool to discover vulnerabilities rather than run known exploits. This tool, known as the fuzzing tool, feeds random data, both valid and invalid, into software. The fuzzing tool monitors for memory leaks and buffer overflows. This could be used on Windows 2000 to highlight the impact of random long data messages, causing a weakness which can then be exploited as investigated above.

Critical reflection (L6)

It is in fact the failure of ASN.1 to parse and decode malformed data, leading to an incorrect authentication request, that exposes this weakness in the Windows 2000 server. This is made worse by ASN.1 being the standard for most Windows devices; consequently, the attack holds a threat to any organisation. When successfully exploited, the attacker can take extreme action against an organisation's machines, as demonstrated above: for example, modifying and deleting data, as well as creating admin rights and deleting current admins to maintain access once gained.

Conclusion

This report has demonstrated the four key phases of carrying out the exploit MS04_007 against the weakness of an unchecked buffer in the Microsoft 2000 ASN.1 library using the Metasploit software. An attacker is able to exploit this weakness with very little skill if the payload attached is successful. This attack was published by Microsoft as an urgent patch, suggesting that the implications for an organisation would be huge, considering the high levels of damage that can be achieved, shown in post-exploitation



If you use part of this page in your own work, you need to provide a citation, as follows:

Essay Sauce, Secure Privileges on Microsoft 2000 ASN.1 Library with Metasploit: Exploit MS04_007 Vulnerability. Available from:<https://www.essaysauce.com/sample-essays/2018-11-28-1543410299/> [Accessed 27-04-24].


* This essay may have been previously published on Essay.uk.com at an earlier date.