Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98

Previous Table of Contents Next


Most Web servers are populated with additional programs implemented using the Common Gateway Interface (CGI) or some other extensible environment, such as the Lotus Notes API. Two well-known Web hacks are the test.cgi hack and the phf hack. The details of these attacks are similar to flaws found during the early days of UNIX. Briefly, a programmer forgets to check for delimiter characters when accepting input, whether from a user keying values or from another program. The input values are meant to be used as parameters to another program. The programmer’s code takes this input, concatenates the values with the command to be run, and passes the combined string to the operating system for execution, typically through a library call such as system() or popen() that hands the string to a shell. Abstractly, this attack is shown in Figure 5.2.


Figure 5.2  Command-driven attack enabled when delimiters are not filtered out.

In UNIX the shell uses the semicolon to separate multiple commands entered on a single line, as in the following:

command-1 parameter-1; command-2 parameter-2;...;command-n parameter-n

The NT command interpreter relies on the & character for the same purpose. What happens if parameter-1 itself contains a semicolon? For example, if parameter-1 is the string “112 222 332; rm *”, then the shell will run the following three commands in turn:

command-1 112 222 332
rm *
command-2 parameter-2

This attack remains one of the most common attacks against Web servers, even though the general problem has been known in the UNIX community for more than a decade.

Both the test.cgi and phf hacks resulted from the way input data from HTML forms was processed by a CGI program. The user was asked to enter a name or some other text string. When the CGI script processed the data, it did not check for special delimiters. By appending a substring such as “;rm *” to the input field in the HTML form, the hacker could trick the CGI into removing all the files in the current working directory of the Web server. (In the phf case the delimiter that slipped through was a newline, sent URL-encoded as %0a, rather than a semicolon; the effect is the same, because the shell treats a newline as a command separator as well.)
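The following is an added example, not code from the book, that shows the mistake described above beside its fix. It models a CGI program that hands one form field to a helper program; echo stands in for that helper (an assumption, chosen so the injected command is visible but harmless), and the hostile input is constructed. commands_the_shell_would_run tokenises a command line the way a Bourne shell does and splits it at ; and & (the UNIX and NT separators from the text), so you can see how many programs one form field really starts; run_helper_vulnerable executes the concatenated string through /bin/sh, run_helper_no_shell passes argv as a list so no shell ever sees the input, and run_helper_hardened adds an allow-list on the field before doing so.

```python
import re
import shlex
import subprocess

# Added example, not code from the book. "echo" stands in for the helper
# program the CGI wraps (an assumption) so the injected command is harmless.
HELPER = "echo"

# Allow-list for the form field: letters, digits and spaces only. Delimiters
# such as ';', '&', '|', newline and quotes can never get through it.
SAFE_VALUE = re.compile(r"[A-Za-z0-9 ]{1,64}")


def build_command_line(user_value: str) -> str:
    """The mistake the chapter describes: concatenate the field into a command
    string that is then handed to /bin/sh (system(), popen(), shell=True)."""
    return f"{HELPER} {user_value}"


def commands_the_shell_would_run(cmdline: str) -> list:
    """Tokenise like a Bourne shell and split at the separators ';', '&',
    '&&', '||' and '|'. Returns one argv list per command."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=";&|")
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "&", "&&", "||", "|"):
            if current:
                commands.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def run_helper_vulnerable(user_value: str) -> str:
    """shell=True gives the whole string to /bin/sh, so delimiters are honoured."""
    result = subprocess.run(build_command_line(user_value), shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_helper_no_shell(user_value: str) -> str:
    """First fix: pass argv as a list. No shell runs, so ';' is just data and
    reaches the helper inside its single argument."""
    result = subprocess.run([HELPER, user_value], capture_output=True, text=True)
    return result.stdout


def run_helper_hardened(user_value: str) -> str:
    """Both fixes: reject anything outside the allow-list, then run without a
    shell. Raises ValueError on bad input instead of guessing what was meant."""
    if not SAFE_VALUE.fullmatch(user_value):
        raise ValueError("form field contains characters outside the allow-list")
    return run_helper_no_shell(user_value)


if __name__ == "__main__":
    hostile = "alice; echo INJECTED"   # constructed attacker input
    print(commands_the_shell_would_run(build_command_line(hostile)))
    print(repr(run_helper_vulnerable(hostile)))
    print(repr(run_helper_no_shell(hostile)))
    try:
        run_helper_hardened(hostile)
    except ValueError as err:
        print("hardened:", err)
```

Passing argv as a list is the fix that removes the class of bug, because the helper receives the bytes the user typed and nothing interprets them; the allow-list is defence in depth and also protects the helper itself from inputs it was never written to handle.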

Your Web server might be configured as securely as possible with all unnecessary network protocols disabled. There also could be a screening router in front of it blocking denial of service attacks as in the preceding figures. Yet, these defenses will not eliminate the weak CGI threat. If you have installed CGI scripts or other programs that have latent bugs, your site will get hacked. The amount of damage done depends on several factors.

If the Web server is running as root when this happens, all bets are off. For starters, the attacker can continue to execute one program at a time until the desired outcome is achieved. For example, the shadow password file can be changed so that a root password is not needed to log in. If the Web server daemon is running with some other credentials, the hacker will be able to access any resources that the Web server can access. In other words, the UID and GIDs identifying the Web server determine the consequences of the command executed with the CGI attack. Because the Web server’s UID can read the Web site content, trashing is possible unless that content has been made read only to the Web server’s own UID and GIDs, which in practice means read only for every user except the account that publishes it.

Programming errors are not limited to operating systems. Often vendor applications that you add to your systems introduce weaknesses, too. In UNIX these applications probably contain SUID or SGID programs. Even vendors who have a history of delivering quality software can make mistakes. In early 1998, a notice was posted in BUGTRAQ showing how a popular game, when played across a network, allowed remote users to penetrate participating nodes.

The list of potential configuration errors is extensive. UNIX and NT operating systems are delivered out-of-the-box with fairly open configurations today. The reasons for this are historical. Customers preferred easy to run, or load-and-go configurations. Security was not as important as ease of use to the marketplace. Now that more people are security conscious, this situation probably will change. At least there might be an option that allows someone to order the locked down version of a UNIX or NT system.

Like software errors, operating system configurations are not the sole source of problems. Configuration defaults in applications have been exploited to gain access to systems. The test.cgi bug affected a number of sites because it shipped as a default CGI for testing a popular Web server. By now almost everyone knows that Internet browsers also have endured their share of public humiliation for containing security bugs.

The Role of Intrusion Detection

You should know that almost every day there is a new attack that shows up in a newsgroup or somewhere else on the Internet. Checking some of the links given in the Appendix will help you to stay abreast of the latest developments. Investing in an intrusion detection product, or perhaps a few products, will narrow the window of opportunity for someone trying to blast your systems. By now you should have a good idea of the relative value of traditional security products and how they are complemented by IDSs. The next few sections spell out the advantages in detail.

Beyond I&A

What role does I&A play in your environment? I&A is needed in local and distributed systems because:

  I&A establishes your identity for subsequent activities on the system. Various reference monitors that decide what to do with your access requests need to know who you are to enforce access control.
  I&A blocks initial access to the computer until the requester has passed the authentication test. In addition to proving identity, this step is preventative because you cannot log in if you do not authenticate properly.
  I&A verifies the identity of noninteractive entities such as background processes, daemons, and devices in order to regulate access control for these entities.
  I&A assigns accountability for activities that occur in the environment. This is not important to everyone, but when accountability has consequences, knowing who did what is only possible with appropriate I&A.

