Multi stage attacks on networks?



Sudhakar-bugtraq Govindavajhala
01/05/04, 01:55
Hi
I am a Ph.D. student studying network security at Princeton
University. I am trying to see if an attacker can use a series of
vulnerabilities to take over a particular resource. Has there been prior
work on this topic earlier? Can someone give me a real example where the
adversary actually uses a series of vulnerabilities to break into a
resource?

Maybe he uses the webserver in DMZ and then uses it to get access
to fileserver and then uses it to compromise something else?


thanks for your time,
Sudhakar.



Sudhakar Govindavajhala Department of Computer Science
Graduate Student, Princeton University
(o) +1 609 258 1798
http://www.cs.princeton.edu/~sudhakar

Bill Nash
01/05/04, 03:15
On Thu, 29 Apr 2004, Sudhakar-bugtraq Govindavajhala wrote:

> I am a Ph.D. student studying network security at Princeton
> University. I am trying to see if an attacker can use a series of
> vulnerabilities to take over a particular resource. Has there been prior
> work on this topic earlier? Can someone give me a real example where the
> adversary actually uses a series of vulnerabilities to break into a
> resource?
>
> Maybe he uses the webserver in DMZ and then uses it to get access
> to fileserver and then uses it to compromise something else?

Almost any compromise is conducted in this manner. I can't think of any
single compromise that didn't start at one point and then turn into a romp
through more vulnerable resources. Dig around for horror stories of IP
capable printers configured with default gateways and default admin
passwords. Another example would be the use of worm style backdoor
infections used as launchpads for more nefarious hilarity.

Go, go, gadget google.

- billn

Shaun Bertrand
01/05/04, 03:25
Dude this happens all the time. It's the essence of a hack.

Case 1.

1. Webserver on the DMZ is running an older version of IIS that is
vulnerable to *insert your buffer overflow here*. Attacker inserts a trojan
and creates some variable that will either force the server to reboot
or make the admin reboot (maybe a DoS of some sort to trick a dumb
netadmin). Upon reboot, the trojan is executed and the attacker has full access
to the DMZ server.

2. Let's say hypothetically that the firewall has been misconfigured by
a sloppy netadmin who decided to choose ANY for the source and
destination interfaces to allow the DMZ server to access the internal
LAN via port 21 for uploading FTP files from an internal node. Now the
attacker has the option to upload a trojan to the node on the internal
LAN. Let's also say that trojan.a has the ability to set up terminal
services on this box as well as change the default listening port to 21.
Voila. The attacker has basically exploited numerous vulnerabilities and
gained access to your internal LAN.


Case 2.

1. Citrix server set up for remote access. The box hasn't been patched in
a while. Stale username set up and the attacker gains access to a user
account. Using privilege escalation via Debploit (a sploit that calls the
Windows session manager debugging subsystem to attach to a privileged process),
he now gains access to the local system account and creates himself a
nice admin account.

2. The Citrix server is not in a DMZ. Now that the attacker has access
to cmd.exe he/she decides to run kaht.exe on the local LAN, an RPC DCOM
scanner and sploiter. He finds 20 vulnerable boxes, gains access to 10
of them. One happens to be the payroll server. Case closed.


This topic actually does not belong in the bugtraq mailing list. It
should be on firewalls or security.

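An added example, not from any poster in this thread, that models Case 1 above as a small attack graph: hosts, firewall rules and vulnerability rules are constructed sample data (the host names, ports and rule names are assumptions, not real advisories), and the point is that the reachability analysis shows which single firewall correction cuts the chain at the DMZ.

```python
"""Attack-graph reachability for the multi-stage chain in Case 1.

Hosts, firewall rules and vulnerability rules are constructed sample data.
A vulnerability rule reads: if the attacker already holds privilege
`needs` on some source host, and the firewall lets that source reach
`target` on `port`, the attacker gains privilege `grants` on `target`.
Reachability is a least fixpoint over these rules."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    name: str
    target: str   # host the rule grants a privilege on
    port: int     # port the source must be allowed to reach on target
    needs: str    # privilege required on the source host
    grants: str   # privilege gained on target

def reachable(start, firewall, vulns):
    """Return ({(host, privilege)}, [(src, vuln, target)]) obtainable from start."""
    owned, chain, changed = {start}, [], True
    while changed:
        changed = False
        for v in vulns:
            if (v.target, v.grants) in owned:
                continue
            for src, priv in list(owned):
                if priv == v.needs and (src, v.target, v.port) in firewall:
                    owned.add((v.target, v.grants))
                    chain.append((src, v.name, v.target))
                    changed = True
                    break
    return owned, chain

ATTACKER = ("internet", "remote")  # attacker starts outside with no foothold
VULNS = [  # constructed rules, not real advisories
    Vuln("unpatched-iis", "dmz-web", 80, "remote", "admin"),
    Vuln("ftp-trojan-upload", "internal-node", 21, "admin", "admin"),
    Vuln("weak-share-acl", "fileserver", 445, "admin", "admin"),
]
# Sloppy firewall: the ANY/ANY rule lets the DMZ host initiate FTP into the LAN.
SLOPPY = {("internet", "dmz-web", 80), ("dmz-web", "internal-node", 21),
          ("internal-node", "fileserver", 445)}
# Corrected firewall: only the internal node may initiate the upload, towards the DMZ.
FIXED = {("internet", "dmz-web", 80), ("internal-node", "dmz-web", 21),
         ("internal-node", "fileserver", 445)}

def hosts_compromised(firewall):
    """Hosts on which the attacker ends up with admin under this rule set."""
    owned, _ = reachable(ATTACKER, firewall, VULNS)
    return {h for h, p in owned if p == "admin"}
```

With the sloppy rule set the chain runs internet to DMZ web server to internal node to fileserver; with the corrected rule set it stops at the DMZ host.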