Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98



Remote Attacks

Because NT supports TCP/IP, NT is vulnerable to the protocol attacks mentioned earlier in the book—Ping of Death, SYN Flood, session hijacking, and address impersonation. Some vulnerabilities are specific to the IP implementation on NT. The Teardrop UDP attack is a Microsoft-specific bug found in the way NT handles UDP packets. Large datagrams can cause the receiving system to hang. Different variations on this attack have surfaced often in the last few months.

The SMB protocol begins with a challenge-response authentication phase, but, like other I&A servers, it is still open to impostor-in-the-middle packet attacks. Other attacks specific to NT itself have been publicized during the last several years. Summaries are provided in the next few paragraphs.

The Anonymous vulnerability was one of the first widely announced weaknesses. The problem arose from an undocumented user in the operating system known as the anonymous user. Machine-to-machine communications relied on this anonymous user for exchanging information. Because the anonymous user was still a user to the operating system, it was able to access resources available to the Everyone group. A remote user could read registry entries, list users, and obtain other data that could reduce the time it takes to crack a system. Microsoft fixed the problem with a patch.

The DNS query ID attack also gives remote users an opportunity to spoof responses from the DNS server. The query IDs were generated from a predictable sequence, which gave hackers a chance to forge DNS responses and to cause the victim to carry out conversations with an impostor host. This is much like the TCP sequence number guessing attack discussed in Chapter 4, “Traditional Network Security Approaches.” Microsoft also fixed this bug in a patch.
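A defender's check for the weakness described above, added here as an example and not part of the book: given a sample of 16-bit DNS transaction IDs observed from a resolver (the samples below are constructed, not captured from any real server), it flags a resolver whose IDs advance by a fixed step or that cover too little of the ID space. The function names and thresholds are this example's own choices.

```python
"""Score a sample of DNS transaction IDs for predictability (added example)."""
import math
from collections import Counter

ID_SPACE = 1 << 16  # DNS transaction IDs are 16 bits wide

def step_predictability(ids):
    """Fraction of consecutive pairs sharing the most common delta (mod 2^16).
    1.0 means every step is identical, e.g. a plain counter; a forger who sees
    one ID can then predict the next."""
    if len(ids) < 2:
        return 0.0
    deltas = Counter((b - a) % ID_SPACE for a, b in zip(ids, ids[1:]))
    return deltas.most_common(1)[0][1] / (len(ids) - 1)

def entropy_bits(ids):
    """Shannon entropy of the observed IDs in bits. With n samples it cannot
    exceed log2(n), so callers compare against that ceiling rather than 16."""
    n = len(ids)
    return -sum(c / n * math.log2(c / n) for c in Counter(ids).values())

def assess_query_ids(ids, step_threshold=0.5, entropy_ratio=0.8):
    """Return (verdict, reason). The step test runs first because a counter
    has full entropy yet is completely predictable."""
    if len(ids) < 8:
        return ("insufficient", "need at least 8 samples")
    step = step_predictability(ids)
    if step >= step_threshold:
        return ("predictable", f"{step:.0%} of steps share one delta")
    ceiling = min(16, math.log2(len(ids)))
    ent = entropy_bits(ids)
    if ent < entropy_ratio * ceiling:
        return ("predictable", f"entropy {ent:.1f} bits, expected about {ceiling:.1f}")
    return ("unpredictable", f"entropy {ent:.1f} bits, dominant step {step:.0%}")

# Constructed samples (not taken from any real resolver).
SEQUENTIAL_IDS = [0x1A20 + i for i in range(16)]  # counter, like the flawed implementation
SCATTERED_IDS = [0x3F1C, 0x9A02, 0x0C77, 0xE1B4, 0x5628, 0xB7F9, 0x2D4E, 0x8891,
                 0x6A35, 0xF0C3, 0x1BD6, 0xC45A, 0x7E08, 0x39EF, 0xA2B1, 0x0D6F]

if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL_IDS), ("scattered", SCATTERED_IDS)):
        print(name, assess_query_ids(sample))
```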

Shared resources from NT are exported to other network users using NetBIOS. A share with weak permissions gives remote users access to data they should not have. Although this is not a program bug, it is an administrator configuration error that can lead to intrusions. No patch is available for this—you need to be diligent about permissions for exported and shared resources. The corollary in UNIX is the set of permissions for exported NFS file systems. Several variations of the problem exist. By default, any user with legitimate access to the system has full access to a share. For this reason, it is important to explicitly set permissions when a share is created. Another variation allows anyone who can access the system as Guest to also have full permissions on the share. Shares also can be protected with a password. Scanners attempt brute force attacks against share passwords to look for openings.

Microsoft’s IIS was at one time vulnerable to a rather nasty problem. Arbitrary remote browsers could run any accessible command on the Web server. Two flavors of this problem were called the “.bat” and the “.cmd” bugs. A new release of IIS has since fixed the problem, but scanners look for back-level versions of the program. In the summer of 1998, a few more variations on this attack were discovered, too.

The NBSTAT command can probe remote NT systems for important information, such as the names of logged-in users (similar to rwho on UNIX). A hacker can then try cracking attacks against those accounts and possibly cause a denial of service if failed-login thresholds are set.

One of the early problems encountered by NT administrators was the ntfsdos.exe attack. A normal user could run ntfsdos.exe from a floppy and bypass all of the ACLs set for the NT file system. This hack is listed here because a perpetrator did not even need an account on the system to threaten it. A patch was released shortly after the problem was reported.

Attacks are not always directed at servers. A L0pht Security Advisory (L0pht, 1997) showed that Microsoft’s Internet Explorer experienced a buffer overflow condition when processing URLs. A malicious Web server could trick your NT workstation into executing arbitrary commands. In general, browsing the Internet is difficult without risking attacks such as these. Connections are inherently anonymous, and therefore access control is minimal. Also, attacks such as the Internet Explorer URL bug point to the importance of personal intrusion detection products. When browsing the Web, wouldn’t it be good to know if some process or thread launched by the Web browser suddenly is deleting files from your disk?
