
types of remote vuln and how local vulns on web servers can be hacked

Posted on 2012-04-04
Last Modified: 2012-04-11
Can I ask how a "local exploit" would be a risk factor if combined with a "remote exploit" on a web server? Take the website running on the server out of the equation; the server is running IIS on, say, Server 2003. Can you explain to me in management terms how

a) a remote exploit would put an attacker in the position to attack the "local exploit", i.e. what type of "remote vulnerabilities" would get them in a position to attack the local one on a typical web server.

b) the types of local exploit that would need to be checked (I am assuming OS patches and local accounts/weak passwords would be the two obvious ones, but are there any more?)

If you could put this in the context of an Apache web server running on Ubuntu as the OS, or an IIS web server running on Windows Server 2003, that would help me no end.
Question by: pma111
Accepted Solution by: Sudeep Sharma (earned 125 total points)
ID: 37809596
@pma111,

"It is only when we forget all our learning that we begin to know."
by Henry David Thoreau


I would say do the vulnerability testing yourself on your servers, and the report that gets generated will tell you what the vulnerability is, its CVE number and the exploit that can be triggered.

I would recommend using Metasploit for this. They have a community version which is free of charge.

Further, for vulnerability scanning and management you would need Nexpose, which works in conjunction with Metasploit, and there is also a community version of it.

Metasploit Community Edition
http://www.metasploit.com/download/

Download Nexpose Community Edition
http://www.rapid7.com/vulnerability-scanner.jsp

If you need any help in running those applications we can help.

Sudeep

Assisted Solution by: ahoffmann (earned 125 total points)
ID: 37809617
Modern OS and server components can be considered rather secure if properly patched.
Of course, there's no patch for zero-day exploits.

So the main threat is vulnerabilities in your (web) application which can be exploited remotely.
If you have such vulnerabilities, they may be used to exploit local vulnerabilities too.

To give a more practical example, let's assume that you have a fully patched OS, a fully patched web server and a fully patched DB server, but you use default (mainly insecure) configurations and you have a vulnerable web application.
Then this web app is remotely exploitable, and the exploit may use techniques to run programs on your system which exploit other weaknesses that could only be accessed with proper permissions on the local system (i.e. run OS commands).
For example, if you have a local exploit which may attack your mail server listening on port 25 and your network firewall blocks all connections to port 25, you cannot exploit it remotely, but you can exploit it locally when logged in to that system.
Now consider a weak web app which allows running OS commands in the context of the web server user; then this could be exploited remotely and also exploits the local vulnerability.

Conclusion aka best practice: fix any weakness or vulnerability you know of; best you do it in the source code.
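The "weak web app which allows running OS commands in the context of the web server user" from the answer above, as an added example that is not part of the original thread: a request handler that shells out to `wc -l` on a file the user names, first in its injectable form and then hardened. The handler functions, the allowlist regex, the document root and the sample file are all constructed for this illustration; the only assumption about the host is that a POSIX `wc` is on PATH.

```python
"""Added example: OS command injection in a web handler, and its hardened form.

Constructed illustration code, not from the original thread. The two handler
functions stand in for a CGI script or request handler on an Apache/IIS box
that counts lines in a user-named file by shelling out to `wc -l`.
Assumptions: a POSIX `wc` binary on PATH; the handler runs as the web server
user (www-data on Ubuntu, the IIS worker identity on Windows).
"""
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed sample data: the directory the service is meant to serve from.
DOCROOT = Path(tempfile.mkdtemp(prefix="linecount-"))
(DOCROOT / "notes.txt").write_text("one\ntwo\nthree\n")

# Hypothetical allowlist: plain file names only, no path separators, no leading
# dot (so '..' is rejected), no shell metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def vulnerable_count(user_supplied_name: str) -> str:
    """Vulnerable: the user string is pasted into a shell command line.

    With shell=True the shell parses the whole line, so a request parameter of
    'notes.txt; echo INJECTED' runs a second command with the web server
    user's permissions. That is the remote foothold the thread describes: from
    here the attacker reaches whatever a local user can (a mail daemon bound
    to localhost, readable config files, any unpatched local weakness).
    """
    cmd = f"wc -l {DOCROOT / user_supplied_name}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def safe_count(user_supplied_name: str) -> int:
    """Hardened: validate the name, confine it to DOCROOT, never invoke a shell."""
    if not SAFE_NAME.fullmatch(user_supplied_name):
        raise ValueError("rejected file name")
    target = (DOCROOT / user_supplied_name).resolve()
    if target.parent != DOCROOT.resolve() or not target.is_file():
        raise ValueError("file outside document root or missing")
    # argv list: wc receives exactly one path argument; nothing parses metacharacters.
    proc = subprocess.run(["wc", "-l", str(target)],
                          capture_output=True, text=True, check=True)
    return int(proc.stdout.split()[0])


def is_rejected(user_supplied_name: str) -> bool:
    """True when the hardened handler refuses the input."""
    try:
        safe_count(user_supplied_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "notes.txt; echo INJECTED"
    print("vulnerable handler output:\n" + vulnerable_count(payload))
    print("hardened handler rejects payload:", is_rejected(payload))
    print("hardened handler on a valid name:", safe_count("notes.txt"))
```

The hardened version applies three independent controls: an allowlist on the input, a canonical-path check that the target really sits under the document root, and an argv-style `subprocess.run` call so no shell ever sees the string. Running the web server as an unprivileged account (as CoccoBill notes further down) limits what the vulnerable version hands over, but does not remove the foothold.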

Assisted Solution by: CoccoBill (earned 125 total points)
ID: 37809794
a) If the remote vulnerability allows the attacker any kind of access to the system, that is, as ahoffmann said, allowing him to run any kind of commands or code on the server, this would allow him to also exploit any local vulnerabilities. Typically a hardened web server, for example, would run as an unprivileged account, therefore only granting limited access to the system to an attacker that compromises the service. If you're looking at vulnerability information from, for example, MS security bulletins, any that allows remote code execution or remote access qualifies as one.

b) There aren't really any limitations on where the local vulnerability could be, in any piece of software or configuration on the server. Local just means it can't be exploited remotely, that is, it isn't on a service that is published to the network. The main problem in this scenario are privilege escalation exploits, which allow the attacker who got limited access in step a) to gain full access using a different local exploit.

Author Comment by: pma111
ID: 37809826
Ok thanks. Are there any tools that can assist in auditing IIS/Apache misconfigurations, or is that more geared towards manual assessment?

Expert Comment by: CoccoBill
ID: 37809849
You have a couple options. You could use a vulnerability scanner in authenticated mode (Nessus for example), or some more limited quick'n'dirty tool like MBSA (https://www.microsoft.com/download/en/details.aspx?displaylang=en&id=19892) but the best option would be to do it manually using some checklists or forcing the proper configurations on the servers via scripts or GPO. Good hardening guidelines for each OS and web server can be found here:

http://benchmarks.cisecurity.org/en-us/?route=downloads.benchmarks
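The "forcing the proper configurations on the servers via scripts" route from the comment above, as an added example that is not from the original thread: a small Python audit of Apache httpd.conf settings against the kind of checks the CIS Apache benchmark covers (server banner, signature on error pages, HTTP TRACE, directory listing). The two configurations are constructed samples; the directive names and their defaults are standard Apache httpd directives, and the check list is this example's own, not the benchmark's full content.

```python
"""Added example: audit Apache httpd.conf for a few well-known weak settings.

Constructed illustration code, not from the original thread. WEAK_CONF and
HARDENED_CONF are made-up samples; the directives (ServerTokens,
ServerSignature, TraceEnable, Options) and the defaults in DEFAULTS are the
standard Apache httpd ones. The check list is deliberately short.
"""

# Constructed sample: typical default/weak settings.
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
# TraceEnable not set, so it stays at its default (On)
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
"""

# Constructed sample: the same server hardened.
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
TraceEnable Off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
"""

# What Apache assumes when the directive is absent (per the httpd core docs).
DEFAULTS = {"servertokens": ["Full"], "serversignature": ["Off"], "traceenable": ["On"]}


def parse_directives(conf: str) -> list:
    """Return [(directive_lowercased, [args]), ...], skipping comments and section tags.

    Section tags such as <Directory> are dropped: the checks below are either
    global or apply wherever the directive appears.
    """
    result = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split()
        result.append((parts[0].lower(), parts[1:]))
    return result


def audit(conf: str) -> list:
    """Return a list of finding strings; an empty list means every check passed."""
    last = dict(DEFAULTS)            # last occurrence wins, as in Apache itself
    options_lines = []
    for name, args in parse_directives(conf):
        if name == "options":
            options_lines.append(args)
        else:
            last[name] = args

    findings = []
    tokens = " ".join(last["servertokens"])
    if tokens.lower() != "prod":
        findings.append("ServerTokens is %s: set 'ServerTokens Prod' so the banner "
                        "does not reveal version and module details" % tokens)
    signature = " ".join(last["serversignature"])
    if signature.lower() != "off":
        findings.append("ServerSignature is %s: set 'ServerSignature Off' so error "
                        "pages do not reveal the server version" % signature)
    trace = " ".join(last["traceenable"])
    if trace.lower() != "off":
        findings.append("TraceEnable is %s: set 'TraceEnable Off' to disable "
                        "HTTP TRACE" % trace)
    for args in options_lines:
        # 'Indexes' or '+Indexes' enables listing; '-Indexes' disables it.
        if any(a.lower().lstrip("+") == "indexes" for a in args):
            findings.append("Options enables Indexes (directory listing): remove it "
                            "or use 'Options -Indexes'")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("%s config: %d finding(s)" % (label, len(audit(conf))))
        for f in audit(conf):
            print("  -", f)
```

Because the audit works from Apache's own defaults, a directive that is simply missing (TraceEnable in the weak sample) is reported with the value the server will actually use, which is the case a grep-based checklist most often misses. The same structure carries over to an IIS audit, with the checks reading IIS configuration instead.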

Expert Comment by: ahoffmann
ID: 37809898
Keep in mind: the main source of vulnerabilities today is web applications.
A properly configured web/application server and OS does not help; it just raises the bar for further exploitation, hence being considered "defence in depth".
For web apps, you need pentests or, better, SCA.

Author Comment by: pma111
ID: 37810774
Ok thanks. Would you say web apps are just seen as footholds to get into the network? I.e. you'd imagine a hacker needs some motive. So trying SQL injection on someone's gardening tips website wouldn't really be of much use, as opposed to a company's payroll web app, which would be a much juicier target. But again the compromise may just be seen as a foothold regardless of the app's content.

Expert Comment by: CoccoBill
ID: 37810806
That, or maybe just to use the resources of the compromised server. Even the gardening website may have some nice CPU time, network bandwidth and disk space to use for spamming, DDoSing and other stuff.

Expert Comment by: ahoffmann
ID: 37811567
> .. someone's gardening tips website ..
If that website is hosted on the same system as a company's payroll web app, i.e. virtual hosts, then the garden is a really nice target for an attacker.

Assisted Solution by: btan (earned 125 total points)
ID: 37812117
I see remote vulnerabilities come most of the time from unnecessary services and open ports that invite poking at internal or local services that can be vulnerable. Fingerprinting the type of web server is straightforward, or through error pages, presenting more opportunities to find out more remotely about what is running internally. Definitely agree with you all, folks... this article presents how easily a web server can be exploited remotely to later launch further local filtration or pivot further using exploitation tools like Metasploit or BackTrack
http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/

Even defence in breadth may make sense once you identify a point of entry to exploit... mainly to assess attack surface and further damage... just two cents' worth...

Expert Comment by: ahoffmann
ID: 37812392
> ... comes most of the time due to unnecessary services and ports open ...
80, 443

*SCNR*