Security in the Microsoft Windows family of operating systems

I. Why does the ordinary user need security?

- In particular, because the normal user thinks he does not need it.
- Examples: *accidental* deletion of the files in a directory; one computer used by several users; viruses.

II. OS objects directly related to security. Basic objects in NT-based systems.

1. In Windows NT the security model is based on just five objects, which are used to identify, to group, to indicate permitted operations, and to attach ownership and rights to system objects. The security objects are:

- The Security Identifier (SID)
- The Access Control Entry (ACE)
- The Access Control List (ACL)
- The Security Descriptor
- The Access Token

Each of these objects builds on the preceding ones (in the order above), and together they make up the security model of the system.

1.1 The Security Identifier

The most basic object is the Security Identifier, or SID. A SID is a unique identifier for a user or a group of users that exists on the local computer or in a domain. It is not a name but a small binary structure: a revision number, an identifier authority, and a list of sub-authorities, the last of which is the relative identifier (RID) of the account within its domain. In text form it is written S-1-5-21-...-500 (revision 1, NT authority 5, the domain's sub-authorities, and RID 500, which is the built-in Administrator account of that domain).

What a name lookup for a SID gives back are two fields:

Account - the account name :)
Domain - the name of the domain (or local computer) to which the account belongs.

NT provides two API functions for mapping between SIDs and user or group names:

LookupAccountName() - given an account name, returns the corresponding SID (and the domain in which it was found).
LookupAccountSid() - given a SID, returns the account name and its domain.

1.2 The Access Control Entry

The Access Control Entry, or ACE, is the basic unit of permission in NT. An ACE is of one of two types, access allowed or access denied, used respectively to grant or to deny rights. (A third kind, the system audit ACE, lives in the system ACL and records accesses rather than permitting them; see 1.4.)
An ACE holds a SID, which says which user or group the entry applies to, and an access mask, which says exactly which rights are granted or denied.

Access Control Entry:
- Type - access allowed / access denied
- Security Identifier - the user or group the entry refers to
- Permissions Mask - the rights granted or denied

The access mask is divided into parts: specific rights, which are meaningful only for one type of object, and standard and generic rights, which apply to all objects. The standard rights that control access to every kind of object are:

DELETE - The ability to delete the object.
READ_CONTROL - The ability to inspect the object's security information.
WRITE_DAC - The ability to change the object's list of permissions (its discretionary ACL).
WRITE_OWNER - The ability to change the owner of the object.
SYNCHRONIZE - The ability to wait on the object's handle, i.e. to use the object for synchronization.

Every object type has its own list of rights specific to it. As an example, the most common rights on the file system are the following (a directory reuses several of the file bits under a second name: FILE_READ_DATA and FILE_LIST_DIRECTORY are the same bit, as are FILE_WRITE_DATA and FILE_ADD_FILE, FILE_APPEND_DATA and FILE_ADD_SUBDIRECTORY, and FILE_EXECUTE and FILE_TRAVERSE):

FILE_READ_DATA - The ability to read the file.
FILE_LIST_DIRECTORY - The ability to list the contents of a directory.
FILE_WRITE_DATA - The ability to modify the file's data.
FILE_ADD_FILE - The ability to add a new file to a directory.
FILE_APPEND_DATA - The ability to append data to a file.
FILE_ADD_SUBDIRECTORY - The ability to add a subdirectory to a directory.
FILE_READ_EA - The ability to read the extended attributes of a file.
FILE_WRITE_EA - The ability to change the extended attributes of a file.
FILE_EXECUTE - The ability to run an executable.
FILE_TRAVERSE - The ability to open a file or run an executable within a directory.
FILE_DELETE_CHILD - The ability to delete a file or directory within a directory.
FILE_READ_ATTRIBUTES - The ability to read a file's attributes (e.g. system or hidden).
FILE_WRITE_ATTRIBUTES - The ability to change a file's attributes.
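As an added example for section 1.1 (not part of the original notes), the following Python encodes and decodes the binary SID layout described above and pulls the RID out of a domain SID. The well-known values used (NT authority 5, sub-authority 21 for domain SIDs, RID 500 for Administrator, S-1-5-32-544 for the Administrators group) are real Windows constants; the sample domain SID is constructed for the example. Where the real API would be LookupAccountName()/LookupAccountSid() or ConvertSidToStringSid(), these functions only model the byte layout and run offline.

```python
import struct

SID_MAX_SUB_AUTHORITIES = 15   # limit fixed by the SID layout in winnt.h

# Binary form of the well-known Administrators group SID, S-1-5-32-544:
# revision 1, two sub-authorities, 48-bit big-endian authority 5, then 32 and 544
# as little-endian 32-bit words. Built here by hand for the example.
ADMINISTRATORS_SID = bytes([1, 2, 0, 0, 0, 0, 0, 5]) + struct.pack("<II", 32, 544)

# Constructed sample domain account SID (the domain sub-authorities are made up);
# RID 500 is the built-in Administrator of any domain, even if the account is renamed.
SAMPLE = "S-1-5-21-1004336348-1177238915-682003330-500"


def sid_to_string(raw: bytes) -> str:
    """Binary SID -> 'S-R-I-S1-S2-...' text form, with the checks IsValidSid implies."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > SID_MAX_SUB_AUTHORITIES:
        raise ValueError("not a revision-1 SID")
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match the length")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])       # 32-bit each, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string, validating every field before packing it."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID string")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    if not 0 <= authority < 1 << 48 or len(subs) > SID_MAX_SUB_AUTHORITIES \
            or any(not 0 <= s < 1 << 32 for s in subs):
        raise ValueError("field out of range")
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_domain_rid(text: str):
    """A domain account SID is the domain's SID plus one trailing sub-authority, the RID.
    Two SIDs with the same prefix belong to the same domain; that prefix is what the
    'Domain' half of a LookupAccountSid answer identifies."""
    domain, _, rid = text.rpartition("-")
    return domain, int(rid)


def is_builtin_administrator(text: str) -> bool:
    """True for S-1-5-21-<domain>-500: the Administrator account regardless of its name."""
    parts = text.split("-")
    return len(parts) == 8 and parts[1:4] == ["1", "5", "21"] and parts[-1] == "500"


if __name__ == "__main__":
    print(sid_to_string(ADMINISTRATORS_SID))
    print(split_domain_rid(SAMPLE), is_builtin_administrator(SAMPLE))
```

The RID check is the one a practitioner actually wants in log triage: renaming the Administrator account changes the name that LookupAccountSid() returns, but never the RID.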
1.3 The Access Control List

While an ACE is the basic unit of permission on NT, a single ACE is seldom enough to fully describe the accessibility of an object to the different users and groups on the system. Consider, for example, a source code file. You need to be able to manipulate your source files in any way you like: read them, modify them, delete them, etc. You would also like the members of your development group to be able to look at your source files, but not to change them, since everyone else in your group is an incompetent dweeb who can barely understand your code, much less change it in any useful way. Lastly, you would like to keep your manager from even looking at your code, lest he find out that you spent last week playing DOOM rather than working.

To maintain multiple privilege levels for different users or groups of users in this way, ACEs are grouped into Access Control Lists, or ACLs. Simply put, an ACL describes all of the users and groups who are either allowed or denied some sort of access to a particular object:

Access Control List
  ACE
  ACE
  ACE
  ...

When a thread requests access to an object (by opening a file, for instance), the system walks the ACEs of the discretionary ACL in order, considering only ACEs whose SID is the thread's user SID or the SID of a group the user is a member of. An "access denied" ACE that matches and covers any of the requested rights not yet granted denies the whole request immediately. For each matching "access allowed" ACE, the permission mask in the ACE is added to a growing set of rights granted to the thread for this object. Once the accumulated set covers everything that was requested, access is granted; if the end of the ACL is reached first, access is denied. Because Windows keeps DACLs in canonical order, with explicit "access denied" ACEs before explicit "access allowed" ACEs, this amounts to the two-pass rule usually quoted: all denies are considered before any allow. The order matters, though: a DACL built by hand with an allow ACE in front of a deny ACE lets the allow win for a thread that matches both. Two further rules round this out: an object whose security descriptor has no DACL at all (a NULL DACL) is open to everyone, whereas an empty DACL grants nothing to anyone; and the owner of an object is always granted READ_CONTROL and WRITE_DAC, so the owner can never lock himself out of repairing the permissions.

NT provides a number of functions for managing ACLs:

AddAce() - Add a new ACE to the access control list.
DeleteAce() - Remove an ACE from the access control list.
InitializeAcl() - Create a new ACL structure.
IsValidAcl() - Determine the validity of an ACL structure.
GetAclInformation() - Retrieve information about the ACL.
SetAclInformation() - Set the ACL revision information.

Even with this set of functions, the variable-length nature of the ACL makes working with it through the ACL functions difficult and inconvenient. :(

1.4 The Security Descriptor

While an ACL describes the accessibility of an object, it does not completely describe the security attributes of an object. The complete group of security attributes is kept in an object called a security descriptor, which contains:

- The owner SID - The SID of the user who owns this object
- The object's primary group SID - The group of users to which this object belongs
- The system ACL (SACL) - The access control list used for auditing
- The discretionary ACL (DACL) - The access control list that specifies which users or groups may access the object

When you want to view or change the security attributes of an object, you must do so through the object's security descriptor.
The following functions are used to manage the security descriptor:

IsValidSecurityDescriptor() - Determine the validity of a security descriptor
InitializeSecurityDescriptor() - Create a new security descriptor
GetSecurityDescriptorControl() - Retrieve control information about the security descriptor
GetSecurityDescriptorDacl() - Retrieve the security descriptor's discretionary ACL
SetSecurityDescriptorDacl() - Change the security descriptor's discretionary ACL
GetSecurityDescriptorGroup() - Retrieve the security descriptor's primary group
SetSecurityDescriptorGroup() - Change the security descriptor's primary group
GetSecurityDescriptorOwner() - Retrieve the owner from the security descriptor
SetSecurityDescriptorOwner() - Change the owner in the security descriptor
GetSecurityDescriptorSacl() - Retrieve the security descriptor's system ACL
SetSecurityDescriptorSacl() - Change the security descriptor's system ACL

1.5 The Access Token

An access token is essentially NT's identification card for a user. Every process, and potentially every thread, has an associated access token which identifies the user account that the process is running under, together with a set of default values to be used when creating new objects. An access token contains a lot of security information about the user, including their SID, their primary group SID, the SIDs of the groups they belong to, their current privilege set, the SIDs that should be used as the owner and group of new objects and files, and the default discretionary ACL used when creating new objects and files. Access tokens are created by the logon services (e.g. the logon dialog or a network share logon), by impersonation (a service's thread temporarily assuming a client's security attributes), or through the NT logon API, LogonUser().
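The following Python is an added example for sections 1.3 to 1.5 (it is not code from the original notes and not the Windows implementation): it models a token (user plus group SIDs), a security descriptor (owner, group, DACL) and the DACL walk described in 1.3, including the three edge cases a practitioner trips over: a non-canonical DACL where an allow precedes a deny, a NULL DACL versus an empty DACL, and the owner's implicit READ_CONTROL and WRITE_DAC. The mask constants are the real winnt.h values; the SIDs and the source-file scenario (me, my development group, my manager) are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Access-mask bits as defined in winnt.h: standard rights in the upper part of the
# mask, file-specific rights in the low bits.
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE = (
    0x00010000, 0x00020000, 0x00040000, 0x00080000, 0x00100000)
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_EXECUTE = 0x1, 0x2, 0x4, 0x20
FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x80, 0x100
FILE_ALL = 0x1FF | DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER | SYNCHRONIZE

ALLOWED, DENIED = "access_allowed", "access_denied"


@dataclass
class Ace:
    kind: str    # ALLOWED or DENIED
    sid: str     # textual SID this entry applies to
    mask: int    # rights granted or denied


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl: Optional[list]                 # None models a NULL DACL, [] an empty DACL
    sacl: list = field(default_factory=list)


@dataclass
class Token:
    user: str
    groups: list


def is_canonical(dacl) -> bool:
    """Explicit denies must precede explicit allows, the order the Windows tools produce."""
    seen_allow = False
    for ace in dacl:
        if ace.kind == ALLOWED:
            seen_allow = True
        elif seen_allow:
            return False
    return True


def access_check(sd: SecurityDescriptor, token: Token, desired: int) -> bool:
    """Decide whether `token` gets the `desired` rights on the object described by `sd`,
    walking the DACL in ACE order the way the NT reference monitor does."""
    if sd.dacl is None:
        return True                              # NULL DACL: no protection at all
    sids = {token.user, *token.groups}
    granted = 0
    if sd.owner in sids:
        granted |= READ_CONTROL | WRITE_DAC      # the owner is always allowed these two
    remaining = desired & ~granted
    for ace in sd.dacl:
        if remaining == 0:
            break                                # everything requested is already granted
        if ace.sid not in sids:
            continue
        if ace.kind == DENIED and ace.mask & remaining:
            return False                         # a still-wanted right is explicitly denied
        if ace.kind == ALLOWED:
            remaining &= ~ace.mask
    return remaining == 0                        # anything left ungranted: implicit deny


# Constructed scenario from 1.3: my source file; my group may read it; my manager may not.
ME, DEV_GROUP, MANAGER = "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-2001", "S-1-5-21-1-2-3-1002"
SOURCE_FILE = SecurityDescriptor(
    owner=ME, group=DEV_GROUP,
    dacl=[Ace(DENIED, MANAGER, FILE_READ_DATA | FILE_WRITE_DATA),
          Ace(ALLOWED, ME, FILE_ALL),
          Ace(ALLOWED, DEV_GROUP, FILE_READ_DATA | FILE_READ_ATTRIBUTES | READ_CONTROL)])


def demo() -> dict:
    me = Token(ME, [DEV_GROUP])
    colleague = Token("S-1-5-21-1-2-3-1003", [DEV_GROUP])
    boss = Token(MANAGER, [DEV_GROUP])           # the manager is in the dev group as well
    allow_first = SecurityDescriptor(ME, DEV_GROUP, list(reversed(SOURCE_FILE.dacl)))
    return {
        "me_writes": access_check(SOURCE_FILE, me, FILE_READ_DATA | FILE_WRITE_DATA),
        "colleague_reads": access_check(SOURCE_FILE, colleague, FILE_READ_DATA),
        "colleague_writes": access_check(SOURCE_FILE, colleague, FILE_WRITE_DATA),
        "boss_reads": access_check(SOURCE_FILE, boss, FILE_READ_DATA),
        "boss_reads_non_canonical": access_check(allow_first, boss, FILE_READ_DATA),
        "null_dacl_anyone": access_check(SecurityDescriptor(ME, DEV_GROUP, None), boss, FILE_ALL),
        "empty_dacl_owner_fixes_it": access_check(SecurityDescriptor(ME, DEV_GROUP, []), me, WRITE_DAC),
        "empty_dacl_other": access_check(SecurityDescriptor(ME, DEV_GROUP, []), colleague, READ_CONTROL),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The "boss_reads_non_canonical" case is the one to remember: the same three ACEs, reversed, let the manager read the file through his group membership because the allow is reached before the deny, which is why code that edits DACLs directly with AddAce() rather than through SetEntriesInAcl() or the GUI has to preserve canonical order itself.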
Something interesting came to mind :)) - a comparison of Windows impersonation and Unix setuid programs :))

Tips && Tricks:
- WM_TIMER and administrative rights
- McAfee

Active Directory

Windows 2000 Active Directory replaced the Windows NT 4.0 Security Account Manager database, providing not only increased functionality and scalability but also enhanced security, through more granular levels of permissions, stronger encryption, and a mutual (two-way), resilient authentication protocol (Kerberos). With the Windows 2003 platform Microsoft takes full advantage of these features by allowing more flexibility in the way Active Directory information is partitioned and replicated.

Example attack scenarios
- Unicode attack
- RPC attack
- Printer attack

Unicode attack (IIS 4.0 / 5.0 directory traversal):

http://victim/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

%c0%af is an overlong UTF-8 encoding of "/"; IIS checked the URL for ".." traversal before decoding it, so the decoded path climbed out of the /scripts directory and ran cmd.exe with the rights of the web server's anonymous account.

NTFS Permissions for IIS Web Servers

Windows 2000 IIS 5.0 remote buffer overflow vulnerability (remote SYSTEM-level access) - the .printer ISAPI extension (msw3prt.dll)

Example:

GET /NULL.printer HTTP/1.0
Host: [buffer]

where [buffer] is approx. 420 characters.

1. Microsoft Windows 3.1 / 3.11 for Workgroups
+ METALISTA PWL - password file cracker :)

2. Microsoft Windows 95/98/98se/me, or Microsoft Windows 9x
+ Buffer Overrun in HTML Converter

A security vulnerability exists in the built-in HTML conversion function in all versions of Microsoft Windows. The flaw could allow an attacker to run code of their choice on the system by sending a malformed e-mail.

Issue: All versions of Microsoft Windows contain support for file conversion within the operating system. This functionality allows users of Microsoft Windows to convert file formats from one to another. In particular, Microsoft Windows contains support for HTML conversion within the operating system. This functionality allows users to view, import, or save files as HTML. There is a flaw in the way the HTML converter for Microsoft Windows handles a conversion request during a cut-and-paste operation.
This flaw causes a security vulnerability to exist. A specially crafted request to the HTML converter could cause the converter to fail in such a way that it could execute code in the context of the currently logged-in user. Because this functionality is used by Internet Explorer, an attacker could craft a specially formed Web page or HTML e-mail that would cause the HTML converter to run arbitrary code on a user's system. A user visiting an attacker's Web site could allow the attacker to exploit the vulnerability without any other user action.

To exploit this vulnerability, the attacker would have to create a specially formed HTML e-mail and send it to the user. Alternatively, an attacker would have to host a malicious Web site that contains a Web page designed to exploit this vulnerability. The attacker would then have to persuade a user to visit that site.

+ Incomplete TCP/IP Packet Vulnerability
+ Share Level Password Vulnerability
+ Malformed IPX Ping Packet Vulnerability

A security vulnerability exists in Microsoft Windows 95, 98 and 98SE which could be used to cause an affected system to fail and, depending on the number of affected machines on a network, could potentially be used to flood the network with superfluous data.

Issue: The Microsoft IPX/SPX protocol implementation (NWLink) supports the IPX Ping command via the diagnostic socket 0x456. Because of a flaw in the implementation of the protocol in Windows 95, Windows 98 and Windows 98 Second Edition, NWLink in these systems will respond to an IPX ping packet even when the source network address has been purposely modified to a broadcast address. This gives a malicious user an opportunity to launch an attack by broadcasting a single ping request: each affected machine that received the ping would respond to it, potentially resulting in a broadcast storm. In a large network, this could temporarily swamp the network's bandwidth.
In addition, upon seeing its own response, each affected machine would attempt to process it, triggering a scenario that would culminate in the machine's failure. A machine that failed due to this vulnerability could be put back into service by rebooting.

IPX is not installed by default in Windows 98 and 98 Second Edition, and is only installed by default in Windows 95 if there is a network card present in the machine at installation time. Even when IPX is installed, a malicious user's ability to exploit this vulnerability would depend on whether he could deliver a ping packet to an affected machine. Routers are frequently configured to drop IPX packets, and if such a router lay between the malicious user and an affected machine, he could not attack it. Routers on the Internet, as a rule, do not forward IPX packets, and this would tend to protect intranets from outside attack, as well as protecting machines connected to the Internet via dial-up connections.

+ DOS Device in Path Name Vulnerability

A security vulnerability exists in Windows 95, 98 and 98 SE which could cause a user's system to crash if they attempted to access a file or folder whose path contained certain reserved words: the DOS device names (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), as in the well-known path c:\con\con. Because the crash happens inside the path lookup itself, the reserved names have to be rejected before the path is ever handed to the operating system.

+ Fragmented IGMP Packet Vulnerability

A vulnerability exists in the TCP/IP stack implementations of Microsoft Windows 95, Windows 98 and Windows NT 4.0. Fragmented IGMP packets can cause a variety of problems, up to and including crashing the machine.

3. Microsoft Windows NT 3.x / 4.0
+ IIS 4.0
+ RPC DCOM exploit

4. Microsoft Windows NT 5.0 / 5.1 / 5.2 (the kernel versions of Windows 2000, XP and 2003)
+ IIS 5.0
+ NTLM authentication vulnerability
+ RPC DCOM exploit
+ IIS Unicode family of exploits
+ IIS .printer LocalSystem exploits
+ By default, the telnet client (telnet.exe) shipped with Microsoft Windows 2000 uses Windows NT Challenge/Response (NTLM) as an authentication method.
When establishing a connection to a host, the telnet client will attempt authentication via NTLM regardless of whether or not the host is a Windows telnet server. There is a possibility that the NTLM challenge/response authentication session could be monitored and subsequently cracked, which could lead to the disclosure of sensitive information such as usernames, passwords, domains, etc. The NTLM challenge/response protocol is known to be susceptible to brute-force cracking. Forcing a telnet session to a remote target is a trivial task, because products such as Microsoft Internet Explorer, Outlook (Express), Netscape Navigator, etc. will automatically open URLs with a "telnet://" prefix in the default telnet client (which is normally telnet.exe).
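As an added example covering three of the items above, the IIS Unicode attack, the .printer overflow request and the DOS device name item under Windows 9x (example code written for these notes, not IIS code and not from any of the advisories), the Python below models the input-validation mistakes and the checks that close them. serve_vulnerable() reproduces the order of operations the Unicode bug depends on (canonicalize the path, then decode UTF-8 leniently), serve_fixed() decodes strictly first; printer_overflow_suspect() flags a .printer request whose Host header is longer than any legal host name (the 255-octet limit is RFC 1035's, the 420-byte figure is the one quoted above); has_dos_device_name() rejects paths that name a device. The attack URL is the one from the notes; the other inputs are constructed. The lenient decoder is a model of the bug, not the actual IIS decoder.

```python
import re
from urllib.parse import unquote_to_bytes

UNICODE_ATTACK = "/scripts/..%c0%af../winnt/system32/cmd.exe"   # path part of the URL above


# -- 1. IIS Unicode traversal ----------------------------------------------------------

def lenient_utf8(data: bytes) -> str:
    """UTF-8 decoder that, like the affected IIS code path, accepts overlong sequences:
    C0 AF and E0 80 AF both come out as '/'. Used only to model the bug."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        elif 0xE0 <= b < 0xF0 and i + 2 < len(data):
            out.append(chr(((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6)
                           | (data[i + 2] & 0x3F))); i += 3
        else:
            out.append("\ufffd"); i += 1
    return "".join(out)


def resolve(path: str):
    """Collapse '.' and '..' components; None if the path climbs above the web root."""
    parts = []
    for seg in re.split(r"[\\/]+", path):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None
            parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def serve_vulnerable(url_path: str):
    """Traversal check on the percent-decoded but not yet UTF-8-decoded path, with the
    UTF-8 decode done afterwards. Returns the path handed to the file system, or None
    if the check blocked the request."""
    raw = unquote_to_bytes(url_path)
    checked = resolve(raw.decode("latin-1"))   # '..\xc0\xaf..' looks like an ordinary name here
    if checked is None:
        return None
    return lenient_utf8(checked.encode("latin-1"))


def serve_fixed(url_path: str):
    """Decode completely and strictly first, then canonicalize, then check."""
    try:
        decoded = unquote_to_bytes(url_path).decode("utf-8")   # overlong forms raise
    except UnicodeDecodeError:
        return None
    return resolve(decoded)


# -- 2. .printer ISAPI overflow --------------------------------------------------------

def printer_overflow_suspect(request: str) -> bool:
    """True for a request to the .printer extension whose Host header exceeds 255 octets."""
    lines = request.split("\r\n")
    fields = lines[0].split(" ")
    if len(fields) != 3 or not fields[1].split("?")[0].lower().endswith(".printer"):
        return False
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host" and len(value.strip()) > 255:
            return True
    return False


# -- 3. DOS device names in a path ------------------------------------------------------

DOS_DEVICES = ({"CON", "PRN", "AUX", "NUL"} | {"COM%d" % n for n in range(1, 10)}
               | {"LPT%d" % n for n in range(1, 10)})


def has_dos_device_name(path: str) -> bool:
    """A component naming a device, ignoring case, extension and trailing spaces:
    'con', 'CON.txt', 'aux.' and 'c:\\con\\con' all match."""
    for seg in re.split(r"[\\/]+", path):
        base = seg.split(".")[0].rstrip(" ").upper()
        if base in DOS_DEVICES:
            return True
    return False


if __name__ == "__main__":
    print("vulnerable opens:", serve_vulnerable(UNICODE_ATTACK))
    print("fixed opens:", serve_fixed(UNICODE_ATTACK))
```

The lesson the first part demonstrates is the general one: canonicalize only after every decoding step is complete, and reject encodings that are not the shortest form rather than trying to interpret them.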