Petri Virkkula
pvirkkul@iki.fi
Department of Computer Science and Engineering
Helsinki University of Technology
and
Jari Peräkylä
Jari.Perakyla@ntc.nokia.com
Department of Information Technology
Tampere University of Technology
Abstract
In this paper we analyse three different attack targeted to Windows NT 4.0 systems. The objectives are to understand how NT can be attacked and find methods for protection against such attacks. Another goal was to take a superficial look at the security system in Windows NT.
Computer security solutions addresses attacks that can categorised into disclosure, integrity and denial of service threat types. The goal is to prevent unauthorised access to a sensitive data, unauthorised modification of data and to ensure availability of service. [1]
Windows NT was designed to be a secure operating system, specifically to meet the C2 evaluation criteria [2,3]. Two different hardware configurations running Windows NT 3.5 with Service Pack 3 have received certification of compliance with C2 requirements [4]. The certification does not apply to other hardware and software configurations.
Windows NT is very young operating system when comparing it for example with UNIX. First version of Windows NT was released 1992 [3], only six years ago. Question about NT's maturity is often raised among security specialists.
In-depth documentation on NT or its internal working is hard to find, especially in the area of security. The biggest problem is that the documentation is both very vague and misleading of internal workings of NT, in some cases it even contains errors. Especially Microsoft's own documentation seems to be targeted for marketing rather than technical use.
A well-known security analysis is the C2 evaluation and the corresponding report issued by the National Computer Security Centre. Even this report contains errors. For example, the evaluation report says that passwords are stored in hashed and then encrypted form in the Security Accounts Manager (SAM) [4]. In a footnote it is then said that "The hash algorithm is the Secure Hash Algorithm developed by the National Institute of Standards and Technology as published in FIPS PUB 180 (1993)." [4]. That is not however true. In the reality: the hash algorithm is MD4 according to Microsoft's own documentation [5].
In this paper, we examine three different attacks against Windows NT and an application running on top of it. All attacks can be done remotely, for example from the Internet if the target machine is connected to it.
The attacks demonstrate the main problems with NT's security:
However, none of the vulnerabilities manifests serious architectural problems in NT.
Some background information about Windows NT is presented in the section 2. The analyses of the attacks are in sections 3-5 and the section 6 contains our conclusions.
Applications and the operating system are separated in Windows NT just like in any other modern operating system. The separate parts are called User Mode and Kernel Mode in Window NT's terminology. Only the Kernel Mode software has full access to underlying hardware.
The Kernel Mode contains so-called Executive that is a collection of software components. The Executive contains following components: I/O Manager, Object Manager, Security Reference Monitor, Process Manager, Local Procedure Call Facility, Virtual Memory Manager, Window Manager, Graphics Device Interface and Graphics Device Drivers. [2]
The Executive contains also components named Microkernel and HAL. They are at the lowest level of the operating system. They provide an additional abstraction layer inside the operating system. The component named as Microkernel inside the Executive is not a microkernel as defined in operating system textbooks [6]. The naming is perhaps just there for marketing reasons, or because NT was originally planned to be microkernel-based operating system.
On top of the Executive running in the User Mode are various protected subsystems. There are two kinds of subsystems: integral and environment. Integral subsystems are servers that perform important operating system functions. One integral subsystem is e.g. Security Subsystem. An environment subsystem provides support for various operating system environments, like Posix, OS/2 and Win32. [2]
The Executive additionally includes layer called Executive Services which main purpose is to provide well-defined interface between User Mode program and the Executive.
It must be noted that the operating system architecture was different prior version 4.0 of the operating system. The Graphics Device Interface and Graphics Device Drivers used to be in the User Mode, but they were moved into the Kernel Mode and became part of the Executive. The result of the move was speed improvement especially in graphics insensitive applications.
The Windows NT security model includes following components [2, 4]:
Together above components are known as the Security Subsystem. The security model was designed for C2-level security, as defined by the U.S. Department of Defence [2].
Interface to the security management in the Windows NT is very unified. All resources can be thought to be objects that application programs reference with handles. Security attributes of the objects can be accessed with uniform Application Programming Interface (API). Validation checks are done in one place, in the Security Reference Monitor (SRM). [3]
In NT system a process with one or more threads is a Subject. All resources, including processes and threads, are Objects. Every process has holds an access token. The privileges, user identification information and so on are stored in the token. The Local Security Authority (LSA) creates the token when an user logs in. [3,7]
Every object in system has an Access Control List (ACL). When a Subject opens an Object, the Security Reference Monitor compares information stored in ACL and in an access token. Privileges are only added during logon into an access token. [3]
The threat type of this attack is disclosure and integrity. An attacker can execute any program installed into the target system or any shell's internal command from network without leaving a trace of the attack.
The target system must be running Windows NT 4.0 Server and Microsoft Internet Information Server version 1.0 must have been installed on the machine. The IIS must be in its default configuration.
In default installation of the IIS /scripts directory is configured to be a CGI directory. IIS has also mapping for files ending .bat or .cmd will be run by a command processor with three arguments: C:\WINNT\System32\cmd.exe /c %s %s. The two percentages followed by s letter are are replaced with strings derived from HTTP request. [8]
When the IIS receives a request which includes path /scripts/*.bat it tries to run the command processor even when the CGI script is not present in the /scripts directory. Additionally the mapping setting is insecure. A command processor typically try to divide the argument line into multiple commands separated with command processor specific separator. An attacker can take advanatage of that and embed multiple commands into a single HTTP request.
Similar attacks have existed in other operating systems/WWW-servers [9,10]. The attack is not new, it has many similarities with old UNIX security bugs. Also other suffix mapping problems have afterwards emerged in WWW-clients under Windows 95/NT.
An attacker can put a command expecting user input into the last in the command sequence. This prevents any logging at the server side because IIS thinks the process was not successfully terminated [8].
Tracing of the attack is impossible because IIS does not do any log entry if an execution fails. Detection of the attacker is possible only by using special detection outside IIS.
IIS should be upgraded to a newer version to get protection against the attack. Our tests against IIS version 2.0 indicated that it is secure against this attack.
Another way of securing IIS is to remove the file suffix mapping from /scripts/ and other directories or to make the mapping more secure. We could not however test this because of lack of IIS server.
Our test was done against IIS version 2.0. The test failed, thus we could not validate the claim that IIS version 1.0 is vulnerable against this attack. We however got knowledge that IIS version 2.0 is secure against the attack.
The threat type of this attack is denial of service. An attacker can crash the whole NT system from the network.
Any current Windows NT server or client listing TCP/IP port 139 is vulnerable to this attack.
According to [11] it is also possible to apply this attack against port 53, if the system is running DNS service in conjunction with the WINS service (Windows NT). This is, however, unconfirmed. [12] mentions also Identd in port 113 and generally any application that is listing for OOB data.
Attack is done by establishing a connection to TCP/IP port 139 and by sending out-of-band (OOB) data to the port. Out-of-band data is also known as "TCP Urgent data" and it is typically used for transmitting urgent control information related to actual TCP connection. Port 139 is listened by NetBIOS.
Apparently, Windows does not know how to handle OOB data and unpredictable things may happen. In Windows NT consequence is total system crash with so-called "Blue Screen of Death".
As all denial of service attacks, OOB is easy to detect: system crashes and shows blue screen of death indicating TCPIP.SYS as a reason.
Because attacked system crashes, it is hard to get any information for tracing the attacker. Only way is basically to use sniffer in your network, filter all connections to given port (139, 53, 113...) and picking up source address from packets destined to said port.
The primary protection is to apply patches from Microsoft that correct the problem.
Another solution is to block all incoming connections to port 139. The drawback with this that you cannot share printers or directories any more. In addition, standard Windows NT TCP/IP filtering software can be used to block all non-local network access to port 139.
It is a good idea to block port 139 in your firewall - if it is still open.
The OOB attack was tried to all mentioned ports (53, 139 and 113) in windows NT 4.0 work station. Attack to port 139 was successful resulting system crash, others failed.
The threat type of this attack is disclosure and integrity. An attacker is capable to log into system and extract information from Windows NT registry and possibly from file system.
"Everyone" group, where attacker is assigned, has also write access to some parts of the registry, thus giving attacker opportunity to install e.g. Trojan horses to collect more user rights.
Windows NT 3.5x and 4.0 workstation and Windows 4.0 server prior service pack 3. NETBIOS over TCP/IP must be enabled in target computer.
Attack is based on following facts:
Attack is done in two phases: first log in to the system without presenting username or password and then gain access to all resources available to Everyone (actually this is automation after first phase...).
The Actual attack can be continued by creating a reference into registry that points to Trojan horse program in attacker's computer and that will be executed when some legal user logs the system.
In our test Windows NT 4.0 workstation audit system did not detect unauthorised login! Access to e.g. registry and file resources should be noticed, however.
An attack was tested against Windows NT 4.0 workstation with "Red Button" software available from the network. Red Button demonstrates unauthorised login and reveals some information from the work station thus breaking disclosure.
We did not find any architectural flaws in the security system of Windows NT. However, our knowledge was limited to very high level architecture because of missing in-depth documentation.
Lack of good security administration documentation big flaw in Windows NT. The "RedButton" attack is a good demonstration of that fact. It takes time before enough knowledge about NT's security is in general use.
The attacks clearly show that NT is not mature enough and there is need for more studies.
| [1] | Amoroso, Edward. Fundamentals of Computer Security Technology, Prentice-Hall International, Inc., 1994 |
| [2] | Microsoft Corporation. "Microsoft Windows NT Server Resource: Windows NT Server Networking Guide" Microsoft Developer Network Library - January 1997, January 1997 |
| [3] | Hedbom, Hans and Lindskog, Stefan and Jonsson, Erland. "A Preliminary Evaluation of the Security of a Non-Distributed Version of Windows NT" in Proceedings of the Second Nordic Workshop on Secure Computer Systems. Ed. Arto Karila and Timo Aalto. Espoo: Helsinki University of Technology, 1997 |
| [4] | National Computer Science Center. FINAL EVALUATION REPORT Microsoft, Inc.: Windows NT Workstation and Server Version 3.5 with U.S. Service Pack 3. National Computer Security Center, 1996. |
| [5] | Microsoft Corporation.
User Authentication with Windows NT,
Knowledge Base Article Q102716, Last reviewed April 10, 1997. <URL:http://support.microsoft.com/support/kb/articles/q102/7/16.asp> |
| [6] | Tanenbaum, Andrew S. Modern Operating Systems. Prentice-Hall International, Inc., 1992 |
| [7] | Ward, Richard. "Windows NT Security: Replaceable Winlogon User Interface Specification 1.0" in Microsoft Developer Network Library - January 1997, Microsoft Corporation, January 1997. |
| [8] | Baron, Andy.
Microsoft Internet Information Server v 1.0 "BAT/CMD" Security Bug,
Part I.
MWC Inc. <URL:http://www.omna.com/iis-bug.html> |
| [9] | CERT Coordination Center.
CERT Advisory CA-96.06; Topic: Vulnerability in NCSA/Apache CGI example code.
CERT Coordinator Center, May 1996 <URL:http://www.cert.org/pub/advisories/CA-96.06.cgi_example_code.html> |
| [10] | CERT Coordination Center.
CERT Advisory CA-96.11; Topic: Interpreters in CGI bin Directories.
CERT Coordinator Center, March 1996 <URL:http://www.cert.org/pub/advisories/CA-96.11.interpreters_in_cgi_bin_dir.html> |
| [11] | MJE, Ltd.
OUT OF BAND ATTACK.
MJE, Ltd.,
May 1997 <URL:http://www.ntsecurity.net/security/oob.htm> |
| [12] | Coppola, Ken.
Out-of-Band error.
Cornell University
<URL:http://www.cit.cornell.edu/helpdesk/pcteam/messages/148.html> |
| [11] | MWC, Inc.
The RedButton.
Midwestern Commerce, Inc.
April 1997 <URL:http://www.ntsecurity.com/RedButton/default.htm> |
| [12] | MWC, Inc.
RedButton Frequently Asked Questions.
Midwestern Commerce, Inc. <URL:http://www.ntsecurity.com/RedButton/faq.htm> |