Tripwire Exploit Poster 1618666280 PDF
What is a trojan horse?

An attacker may be able to replace certain programs and shared libraries. The replacement program is usually called a trojan horse. The trojan horse may emulate the original program so that the replacement goes undetected. The trojan may be able to sniff passwords, provide back door access, and even hide other programs from the system. ... elevated context (such as suid), the trojan may be executed with the same privileges. Initialization files, shared libraries such as DLL's, and temporary files may all be subject to this type of attack.

What is a race condition?

Programs which use & create temporary files need to check whether the file already exists. If a user can pre-create the file in question, the program can be fooled into using a trojaned file. If the system allows symbolic linking, the program can be tricked into writing to other files on the system, such as the ...

What is "no authentication"?

Believe it or not, some programs do not even ask for a password before allowing someone to administer or configure the system. Sometimes this is a blatant lack of security, and other times a bug allows the circumvention of the authentication mechanism.

What is a buffer overflow?

What is dictionary cracking?

What is pseudo-encryption?

What is audit suppression?

In some cases an attacker can prevent the auditing system from working. If auditing is maintained on a standalone server, the attacker may be able to block access to that server. In other cases, a log entry may only be performed under certain conditions. If an attacker can change those conditions or cause an exceptional event to take place, the log entry may never be generated. Lastly, if the attacker knows what facilities are monitoring the system, they may simply shut those facilities down.

What is trust exploitation?

A lack of good file permissions and inter-server trust will result in a total systemwide compromise if just one process or account is hacked. The problem arises from liberal trust within the network. File permissions should be applied so that users have access to only what they need. Furthermore, since processes usually execute within a user-context, this minimizes the chance that an attacker can modify files on the system. Lastly, if an attacker gets root on one system, they should not automatically be root on all other systems. The more liberal the trust in the network, the easier it is to attack through a single entry-point or exploit.

What is hijacking?

Because of the weaknesses of TCP/IP, it is vulnerable to spoofing and hijacking. Hijacking describes a special type of spoofed IP attack. Normal TCP communications take place over a 'session'. If the session can be sniffed, or the sequence numbers can be guessed, the session can be 'hijacked'. The attacker can insert spoofed packets into the session stream and cause commands to be run as the original user.

What is excess privilege?

Sometimes software will be installed or run with too much power. An example might be a public server daemon running as 'root' (or SYSTEM in the case of Windows NT). Since processes are complex ...

Exploit notes

25 tcp sendmail
- sendmail -d bug gets root
- EHLO command will reveal what ...
- RCPT TO: |<program>
- ( MAIL FROM: |/bin/sed'1,/^$/d|/bin/sh )
- link /var/tmp/dead.letter to any file, appends data (get root on system locally via /etc/passwd)

fingerd
- fingerd reveals logged on users
- 0@ reveals users who have never logged in
- GNU fingerd

CGI
- cachemgr.cgi: execute any command; cachemgr_passwd
- formmail cgi

rpcbind / portmapper (111)
- some versions of rpcbind will listen on ports other than 111, and possibly defeat any firewall port filtering including source addresses
- portmapper UDP spoofing allows attacker to register/unregister services from portmapper
- pmap_call to bounce remove/add requests, bypass security
- portmapper can be used to find vulnerable rpc services
- can redirect rpc calls
- RPC service will leak remote user information

Other RPC services
- rpc.rquotad: the quota service will give a potential attacker information about NFS mounted file systems
- rpc.sprayd: Sprayd will help an attacker build a denial of service attack with messages
- rpc.statd: through rpc.statd and ... bypass security of other rpc services
- rpc.pcnfsd: local users can chmod arbitrary directories
- rpc.ttbdserver
- NFS: pseudo random file handles can be guessed, remote access gained
- amd does not honor the nodev option for NFS file systems

110 tcp pop3
- password is sent in cleartext
- Cmail 2.3: user.db, pseudoencrypts; overflow stack and execute

109 tcp ipop2d / ipop3d
- If coredump, it has encrypted passwords, if /core already exists, ...

112 tcp/udp auth (ident)
- attacker can use ident to determine which account processes are running under

8010 tcp wingate (LogFile service)
- http://www.server.com:8010/c:/ - NT/Win9x
- http://www.server.com:8010// - NT/Win9x
- http://www.server.com:8010/..../ - Win9x
- ../..* Any File
- read any file on system
- Can bounce TCP sessions

(12345) tcp Netbus

Windows NT
- MDAC RDS / DataFactory: asp pages can access files not in web root (allow parent paths) !(c:\inetpub\wwwroot\*)
- NT SNMP: multivariable snmp getnext request causes crash
- Program Files/Microsoft BackOffice/Reboot.ini contains cleartext passwords
- /winnt/system32/fm20.dll Forms 2.0 Control can paste user ...
- a web document can execute commands on the client workstation
- RASMAN.EXE: RAS API has several buffer ...
- fpcount.exe
- logon.scr
- dump all usernames in domain
- Terminal Server
- NTServerName:[KBJV_SRV1]
- Microsoft JET 3.5X
- <EXCH-VERIFY>: ExchAuthenticate() called with ...
- ...Lab\SLMail\Users)
- C:\Program Files\CSCOpx\temp\DPR_*
- PC Anywhere
- Third packet during setup contains cleartext username/password
- ICQ: ICQ\NewDB\uin#.dat; send user#999999

Cistron RADIUS
- crash server through bogus accounting messages

RIP
- RIP will give up routing tables to potential attackers. This information can be used to design attacks.

Ascend Max (MAX4002, MAX4004, MAX4048, MAX4072)
- User can request any IP address, will be rebroadcast into routing table, can take out DNS server, router, whatever. Also exploit IP based trust relationships and possibly cause the indirect poisoning of BGP routing table.

Routers / firewalls
- access-list parser does not work - may allow all tcp traffic over firewall
- "service password-encryption" uses trivial encryption, can be decrypted
- long password string causes reload
- Switch runs "undrv" as root (./undrv)
- Gauntlet: remote users can execute arbitrary ...
- X.25: PADS should have access ...

Unix local
- /var/rfindd/fsdump can be used to change the permissions on any file to that of a local user. Hence, get root via passwd file. (/var/rfindd/fsdump -L/etc/passwd -F/tmp/dump /)
- /hw/tape: tape device under Irix will often be mode 666, enabling any user to restore any file from the tape (and possibly the /etc/shadow file)
- /var/adm/SYSLOG contains names of invalid logins and is world readable.
- /sbin/suid_exec will execute shell dot files (i.e., .cshrc), enabling user to get root on system
- midikeys is setuid and can be used to read any file on the system
- netstat will give away network state information to an attacker.
- /usr/bin/lpstat: local user gets root (lpstat -c <buffer>)
- /usr/lib/fs/ufs/ufsdump
- ffbconfig / ff.core
- execute local code as root (Solaris)
- dtprintinfo
- /var/dt/appconfig/appmanager/generic-display-0: doesn't check whether generic-display-0 is a symlink and will chown() it to the user.
- /usr/lib/games/abuse/abuse.console
- ~/.ICAClient mode 755
- autofs
- bash: '\w' causes buffer overflow in directory name; \377 serves as unintended command separator (defeat cgi filters)
- (/bin/mail becomes ./bin ./mail )
- Irix arrayd remote use can ...
- Stores logins/passwords in world readable file

gopher
- some gopher servers will allow read access to arbitrary files on the target machine

Other fragments
- 1024-2000 udp
- 6549 udp
- 9099-9100 tcp
- Cold Fusion Server
- X11R4
- HP
- Powerchute PLUS UPS
- Syn Flooding
- can brute force passwords
- broken CHAP authentication, established unauthorized PPP
- get Remote Root via [FOLD] without logging
- Can connect to self causing DoS
- udp cause reboot from remote
- default no password on user ...
- user to become root on the host.
- overflow, execute remote code
- commands as root
- impersonate any user
- permissions are retained
- unauthenticated

www.tripwiresecurity.com