Practical UNIX Security - Assignment Example

?Introduction The widespread use of computing technology has facilitated small, medium and corporate organizations to achieve goals in an efficient way. The revolution of Information Technology has created new trends of doing business and communication. Moreover, the technology has provided a new approach of operating businesses during the past several years, and continues to provide many benefits as it spreads all over the globe. However, with its widespread adoption, threats and vulnerabilities are also rising. Organizations spent enormous funds to secure their data and network environment. Moreover, hardware security modules taken into consideration for securing highly classified data. However, these modules require frequent updates for virus definitions and new threats, which may affect the network anytime. Every now and then, new threats are designed and developed by hackers or cyber criminals. In spite of securing the networks and data centers, with the most updated and advanced security modules, there is still a probability of a new threat to intrude into the network. In addition, hackers and cyber criminals are exploring efficient codes day by day to improve the hacking software, in order to breach in to classified information, banks, online websites etc. As the threats and vulnerabilities are infinite, no one can memorize them in order to take a measured approach, the initial step is to identify the vulnerability type. An organization named as CVE (Common Vulnerabilities and Exposure) provides a database to search for a particular public known vulnerability. The sponsors for CVE are US-CERT and managed by MITRE Corporation. The goal is to provide common names for all publicly known security threats and exposures. In order to extract information from CVE, access of National Vulnerability Database is mandatory (NVD) (Cve. 2011). (CVE) The Standard A comprehensive definition is available on the CVE website, which states as “Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities, while its Common Configuration Enumeration (CCE™) provides identifiers for security configuration issues and exposures. CVE’s common identifiers make it easier to share data across separate network security”. One more definition available in network dictionary states it as “common vulnerabilities and exposure is an emerging refers industry standard for identifying and naming vulnerabilities and various other information security exposures” (Common Vulnerabilities and Exposures. 2007). The primary objective of CVE is to provide a separate database accessible, in order to find out all the known threats and vulnerabilities currently, with the help of tools and services. What is CVE 3872 ? As CVE 3872 is a threat that operates on web technologies, before understanding CVE 3872, it is vital to focus on some of the web technologies that are associated with CVE 3872. Common Gateway Interface A newly developed website providing information must possess a database to store information, which is published on the website. In general, many people on the Internet will visit the website and access information, which is extracted from the database. This is where the importance of Common Gateway Interface (CGI) becomes useful. Dave Chaffy defines it as “A method of processing information on a web server in response to a customer’s request. Typically, a user will fill in a Web-based form and a CGI script (application) will process the results. Active Server Pages (ASP) are an alternative to a CGI script” (Chaffey 2006). Moreover, if the users query the database of the website, the CGI script will transmit the queries to the database and retrieves results on the website. It has become a standard for synchronizing information servers from external web applications. CGI is eminent in the form of a plain HTML file which his static, while CGI operates in a real time environment to display dynamic contents on a website. An executable program is incorporated in order to execute CGI, the inputs are the request of the users from the website. Consequently, CGI displays the required contents on the website. CGI provides many advantages for the web developers as well as web users. It is convenient and executable on wide assortment of web servers. Moreover, CGI is language independent, which is a plus for web developers. It is best recommended for E commerce applications due to its interaction with the database and the web server. CGI is not too expensive and at the same time it is useful for organizations to minimize their development and maintenance cost. Fast Common Gateway Interface The extended version of CGI, which is implemented commonly today, is called Fast Common Gateway Interface (FCGI). Likewise, Fast CGI is not bound to any application of the web server, and it becomes unchanged whenever technological development is conducted for the web server. Consequently, Fast CGI is slightly above the normal CGI due to its distributed computing features that provides organizations to operate Fast CGI from separate machines. Furthermore, distributed computing provides methodologies for scaling systems from more than one, resulting in high availability and reliability of web services. Furthermore, Fast CGI supports modular authentication, authorization checks and performs translation of data from one type to another (, FastCGI). Description of the threat associated with CVE 3872 is available on www.cvedetails.com as “The apr_status_t fcgid_header_bucket_read function in fcgid_bucket.c in Apache mod_fcgid before 2.3.6 does not use bytewise pointer arithmetic in certain circumstances, which has unknown impact and attack vectors related to ‘untrusted FastCGI applications’ and a ‘stack buffer overwrite’. The primary goal of this vulnerability is to attack websites with un-trusted Fast CGI based applications and stack buffer overwrite. The threat hits module named as ‘fcgid_module’ with a source file named as ‘mod_fcgid.c’, developed for executing Fast CGI applications. Evaluating ‘mod_fcgid’ ‘Mod_fcgid’ was created by Ryan Pan in 2004 (, mod_fcgid - FastCGI interface module for Apache 2 - The Apache HTTP Server Project).Fast CGI protocol process any application allocated to ‘fcgid-script’ handler. In order to handle concurrent request, ‘mod_fcgid’ initializes adequate number of instances of the application and continuous to operate for handling incoming request that are coming from time to time. Moreover, this process is efficient as compared to the default ‘mod_cgi’ or ‘mod_cgid’ modules, which are operational to initialize the program on each request. This will result in high consumption of CPU and the processes will me much slower. However, on the other hand the efficient ‘mod_fcgid’ continue to consume possessions, proving the administrator to configure setting by evaluating the impact of invalidating each specific application, individual per request adjacent to the resources required. This will allow sufficient instances operating on continuous basis. Furthermore, all the ‘httpd’ workers acquire the pool of invoked programs associated with ‘fcgid’. The two configuration directives allow the administrators to configure the program’s instances that are executed concurrently. The two directives are named as ‘AddHandler’ and ‘SetHandler’. Particular executives are associated to ‘AddHandler’ by allocating a name with an extension, and the override executives, by utilizing the ‘SetHandler’ directives (, mod_fcgid - Apache HTTP Server). CVE 3872 Impact and Functionality The 3872 attacks on the products associated with apache HTTP server. Up till now, there are five releases available, consisting of apache: mod_fcgid 2.3.1, apache: mod_fcgid 2.3.2, apache: mod_fcgid 2.3.3, apache: mod_fcgid 2.3.4, apache: mod_fcgid 2.3.5. As per the National Vulnerability Database, the impact of this threat is ranked to 7.2 (High), Impact sub-score is 10.0 and exploitability sub-score is 3.9. Moreover, the access vector is locally exploitable along with low access convolution and the authentication factor is not required to exploit. Accordingly, the impact type permits unauthorized confession of data. In addition, the impact includes unauthorized modification along with disruption of services (, National Vulnerability Database (NVD) National Vulnerability Database (CVE-2010-3872)). The platforms that are vulnerable to this threat are Apache HTTP Server 2.0, Apache HTTP Server 2.2, Apache Software Foundation mod_fcgid 2.3. Furthermore, the products that are vulnerable to this threat are as follows (, Apache 'mod_fcgid' Module Unspecified Stack Buffer Overflow Vulnerability): Red Hat Fedora 14 Red Hat Fedora 13 Red Hat Fedora 12 Debian Linux 5.0 sparc Debian Linux 5.0 s/390 Debian Linux 5.0 powerpc Debian Linux 5.0 mipsel Debian Linux 5.0 mips Debian Linux 5.0 m68k Debian Linux 5.0 ia-64 Debian Linux 5.0 ia-32 Debian Linux 5.0 hppa Debian Linux 5.0 armel Debian Linux 5.0 arm Debian Linux 5.0 amd64 Debian Linux 5.0 alpha Debian Linux 5.0, Furthermore, IBM website illustrates the following impacts related to this threat, which are as follows (, ISS X-Force Database: apache-fcgid-bo(63303): Apache mod_fcgid module fcgid_header_bucket_read() buffer overflow ): Base Score: 4.4 Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial Temporal Score: 3.3 Consequences: Gain Access The threat attacks on mod_fcgid and vulnerable to stack buffer overflow, which is stated as: “The Apache mod_fcgid module is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the fcgid_header_bucket_read() function. By sending specially-crafted FastCGO data, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash” (, ISS X-Force Database: apache-fcgid-bo (63303): Apache mod_fcgid module fcgid_header_bucket_read() buffer overflow ). According to www.CVEdetails.com, vulnerability statistics for CVE 3872 are as follows: Confidentiality Impact Complete There is total information disclosure, resulting in all system files being revealed Integrity Impact Complete There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised Availability Impact Complete There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable Access Complexity Low Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit. Authentication Not required Authentication is not required to exploit the vulnerability Gained Access None (, CVE-2010-3872 : The apr_status_t fcgid_header_bucket_read function in fcgid_bucket.c in Apache mod_fcgid before 2.3.6 does not use bytew ) Impact on Windows Network / Domain The threat hits initially to the Apache HTTP server that contains the module named as ‘mod_fcgid’. If apache server is installed on a Microsoft based server that is configured on the network, the threat may easily allow unauthorized access of an intruder who can modify unauthorized data along with disruption of services. Moreover, the Microsoft domain server is also vulnerable to ‘mod_fcgid’ stack based buffer overflow attacks that are caused by reprehensible bounds inspection from the module named as ‘fcgid_header_bucket_read()’. A hacker may send a uniquely constructed Fast CGO data, in order to execute the arbitrary code on the apache server running on a windows based server. Consequently, the application will crash (, ISS X-Force Database: apache-fcgid-bo(63303): Apache mod_fcgid module fcgid_header_bucket_read() buffer overflow ). Remedial Action In order to eliminate this threat, whether in windows environment or Linux/Unix environment, Apache HTTP server must be updated to the latest version of ‘mod_fcgid’ 2.3.6 or later. Moreover, for Debian GNU/Linux lenny, administrator must upgrade the module with libapache2-mod-fcgid version 2.2-1+lenny1, for Debian GNU/Linux sid administrator must upgrade the module with libapache2-mod-fcgid version 2.3.6-1 and for Debian GNU/Linux squeeze administrator must upgrade the module with libapache2-mod-fcgid version 2.3.6-1(, VUPEN - Debian Security Update Fixes mod_fcgid Buffer Overflow Vulnerability / Exploit (Security Advisories - VUPEN/ADV-2011-0031) ). Metasploit Tool It is an open-source network security project. Due to its strong penetration testing features, it is considered to analyze the current and potential networks threats and vulnerabilities. A Metasploit Framework contains “both a penetration testing system and a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers worldwide” (, Metasploit Penetration Testing Framework ). Moreover, the framework includes tools, libraries, modules and interfaces for users. The primary objective of the framework is the module launcher that allows a tester to install an exploit module and execute it on the target workstation. If the threat is victorious, the target receives a consignment and the user gets the access to configure the consignment. This tool is recommended for analyzing and removing CVE 3872 at the early stage. Conclusion The CVE 2010-3872 affects on different flavors of Linux/ Unix. Moreover, Apache HTTP server is the first point of contact where the module of apache server, named as ‘mod_fcgid’ is bypassed. The threat also affects windows domain network environments, if apache server is installed on Microsoft products. The threat permits unauthorized confession of data, unauthorized modification, and disruption of services. However, the threat can be eliminated by updating the ‘mod_fcgid’ by 2.3.6 or later. Furthermore, in order to conduct penetration testing on the existing network, metasploit framework is recommended. It helps to exploit existing and potential breaches in terms of network security and CVE 2010-3872. References Cve. 2011. Computer Desktop Encyclopedia, , pp. 1. , security definition . Available: http://www.businessdictionary.com/definition/security.html [3/9/2011, 2011]. Common Vulnerabilities and Exposures. 2007. Network Dictionary, , pp. 111-111. CHAFFEY, D., 2006. Internet marketing: strategy, implementation and practice Harlow: Financial Times Prentice Hall. , FastCGI | FastCGI - . Available: http://www.fastcgi.com/drupal/ [3/10/2011, 2011]. , mod_fcgid - Apache HTTP Server . Available: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html [3/10/2011, 2011]. , mod_fcgid - FastCGI interface module for Apache 2 - The Apache HTTP Server Project . Available: http://httpd.apache.org/mod_fcgid/ [3/10/2011, 2011]. , CVE-2010-3872: Apache mod_fcgid Buffer Overflow « xorl %eax, %eax . Available: http://xorl.wordpress.com/2011/01/06/cve-2010-3872-apache-mod_fcgid-buffer-overflow/ [3/11/2011, 2011]. , National Vulnerability Database (NVD) National Vulnerability Database (CVE-2010-3872) . Available: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3872 [3/10/2011, 2011]. , Apache 'mod_fcgid' Module Unspecified Stack Buffer Overflow Vulnerability . Available: http://www.securityfocus.com/bid/44900/info [3/10/2011, 2011]. , ISS X-Force Database: apache-fcgid-bo(63303): Apache mod_fcgid module fcgid_header_bucket_read() buffer overflow . Available: http://xforce.iss.net/xforce/xfdb/63303 [3/10/2011, 2011]. , CVE-2010-3872 : The apr_status_t fcgid_header_bucket_read function in fcgid_bucket.c in Apache mod_fcgid before 2.3.6 does not use bytew . Available: http://www.cvedetails.com/cve/CVE-2010-3872/ [3/10/2011, 2011]. , VUPEN - Debian Security Update Fixes mod_fcgid Buffer Overflow Vulnerability / Exploit (Security Advisories - VUPEN/ADV-2011-0031) . Available: http://www.vupen.com/english/advisories/2011/0031 [3/10/2011, 2011]. , Metasploit Penetration Testing Framework . Available: http://www.metasploit.com/framework/ [3/10/2011, 2011]. Read More