types of remote vuln and how local vulns on web servers can be hacked

Posted on 2012-04-04
Last Modified: 2012-04-11
Can I ask how a “local exploit” would be a risk factor if combined with a “remote exploit” on a web server? Take the website running on the server out of the equation; the server is running IIS and, say, Server 2003. Can you explain to me in management terms how

a) a remote exploit would put an attacker in the position to attack the “local exploit”, i.e. what type of “remote vulnerabilities” would get them in a position to attack the local one on a typical web server.

b) the types of local exploit that would need to be checked (I am assuming OS patches and local accounts/weak passwords would be the two obvious ones, but are there any more?)

If you could put this in the context of an Apache web server running on Ubuntu as the OS, or an IIS web server running on Windows Server 2003, that would help me no end.
Question by: pma111

Accepted Solution

Sudeep Sharma earned 125 total points
ID: 37809596

"It is only when we forget all our learning that we begin to know."
by Henry David Thoreau

I would say do the vulnerability testing yourself on your servers, and the report that is generated will tell you what the vulnerability is, its CVE number and the exploit that can be triggered.

I would recommend you use Metasploit for this. They have a community version which is free of cost.

Further, for vulnerability scanning and management you would need Nexpose, which works in conjunction with Metasploit, and there is also a community version of it.

Metasploit Community Edition

Download Nexpose Community Edition

If you need any help in running those application we can help.


Assisted Solution

ahoffmann earned 125 total points
ID: 37809617
modern OS and server components can be considered rather secure if properly patched
of course, there's no patch for zero-day exploits

so the main threat is vulnerabilities in your (web) application which can be exploited remotely
if you have such vulnerabilities, they may be used to exploit local vulnerabilities too

to give a more practical example, let's assume that you have a fully patched OS, a fully patched web server and a fully patched db server; but you use default (mainly insecure) configurations and you have a vulnerable web application
then this webapp is remotely exploitable and the exploit may use techniques to run programs on your system which exploit other weaknesses which could only be accessed with proper permission on the local system (i.e. run OS commands)
for example, if you have a local exploit which may attack your mail server listening on port 25 and your network firewall blocks all connections to port 25, you cannot exploit it remotely but you can exploit it locally when logged in to that system
now consider a weak webapp which allows running OS commands in the context of the web server user, then this could be exploited remotely and also exploits the local vulnerability

conclusion aka best practice: fix any weakness or vulnerability you know of; best you do it in the source code
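The chain ahoffmann describes (a web app that runs OS commands as the web server user, used to reach a service the firewall hides from the outside) in code. This is an added example, not code from the thread: a constructed "ping this host" feature, first in the concatenate-into-a-shell form and then in a hardened form. The firewall rule (port 25 reachable only over loopback), the attacker payload and the `nc localhost 25` follow-on are assumptions chosen to match the port-25 illustration above.

```python
import re
import shlex
import subprocess

# Ports the perimeter firewall is assumed to block from outside but which a
# process on the box can reach over loopback (the port-25 case above).
FIREWALLED_LOCAL_PORTS = {25}

# Hostname grammar: labels of 1-63 letters/digits/hyphens, not starting or
# ending with a hyphen, joined by dots, 253 characters overall at most.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_ping_command(user_host: str) -> str:
    """Weak form: user input glued into a string that is then handed to
    /bin/sh (subprocess.run(..., shell=True), os.system, PHP system(), ...).
    Shell metacharacters in user_host become part of the command line."""
    return "ping -c 1 " + user_host


def shell_commands(cmdline: str) -> list:
    """Split a command line into the simple commands /bin/sh would run,
    breaking on ';', '&&', '||', '|' and '&'. Used to show what the weak
    form really executes for a given input, without executing it."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "&&", "||", "|", "&"):
            if current:
                commands.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def firewalled_ports_reached(commands: list) -> set:
    """Ports in FIREWALLED_LOCAL_PORTS that any command addresses on the
    loopback interface: a loopback host immediately followed by a port."""
    hit = set()
    for argv in commands:
        for host, port in zip(argv, argv[1:]):
            if host in ("localhost", "127.0.0.1", "::1") and port.isdigit():
                if int(port) in FIREWALLED_LOCAL_PORTS:
                    hit.add(int(port))
    return hit


def valid_hostname(user_host: str) -> bool:
    """Allow-list check: is this something ping could legitimately be given?"""
    return HOSTNAME_RE.match(user_host) is not None


def safe_ping_argv(user_host: str) -> list:
    """Hardened form: validate against the hostname grammar and pass the
    value as its own argv element, so no shell ever parses it."""
    if not valid_hostname(user_host):
        raise ValueError("not a valid hostname: %r" % user_host)
    return ["ping", "-c", "1", user_host]


def run_ping(user_host: str) -> int:
    """Run the hardened form (no shell=True, so no second command can appear)."""
    return subprocess.run(safe_ping_argv(user_host), check=False).returncode


if __name__ == "__main__":
    payload = "example.com; nc localhost 25"      # constructed attacker input
    cmds = shell_commands(vulnerable_ping_command(payload))
    print("weak form would run:", cmds)
    print("firewalled local ports reached:", firewalled_ports_reached(cmds))
    print("hardened form accepts it:", valid_hostname(payload))
```

The point of `shell_commands` is that the second command runs as the web server user on the server itself, so the firewall's port-25 rule never sees it; the hardened form removes the shell from the path entirely and rejects the input before anything runs.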

Assisted Solution

CoccoBill earned 125 total points
ID: 37809794
a) If the remote vulnerability allows the attacker any kind of access to the system, that is, as ahoffmann said, allowing him to run any kind of commands or code on the server, this would allow him to also exploit any local vulnerabilities. Typically a hardened web server, for example, would run as an unprivileged account, therefore only granting limited access to the system to an attacker that compromises the service. If you're looking at vulnerability information from, for example, MS security bulletins, any that allows remote code execution or remote access qualifies as one.

b) There aren't really any limitations on where the local vulnerability could be: in any piece of software or configuration on the server. Local just means it can't be exploited remotely, that is, it isn't in a service that is published to the network. The main problem in this scenario is privilege escalation exploits, which allow the attacker who got limited access in step a) to gain full access using a different local exploit.
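An added example (not code from the thread) of the kind of local check step b) calls for on a Unix host, alongside the OS patch level and weak-account checks already mentioned: a small walker that flags setuid/setgid binaries and world-writable locations, the things a low-privileged web server account would use to climb. The directory it scans is a throwaway one it creates itself with two constructed weak entries; the finding labels are my own.

```python
import os
import stat
import tempfile


def classify_mode(mode: int, uid: int) -> list:
    """Classify one inode from its st_mode and owner uid.

    Pure function of the stat values, so it can be exercised on constructed
    modes; scan_tree() below feeds it real ones.
    """
    findings = []
    if stat.S_ISREG(mode):
        if mode & stat.S_ISUID:       # runs with the owner's uid: root if uid 0
            findings.append("setuid-root executable" if uid == 0
                            else "setuid executable owned by uid %d" % uid)
        if mode & stat.S_ISGID:
            findings.append("setgid executable")
    if mode & stat.S_IWOTH:
        if stat.S_ISDIR(mode):
            # /tmp-style directories are acceptable *with* the sticky bit
            if not mode & stat.S_ISVTX:
                findings.append("world-writable directory without sticky bit")
        elif stat.S_ISREG(mode):
            findings.append("world-writable file")
    return findings


def scan_tree(root: str) -> dict:
    """Walk root and return {path: [findings]} for everything flagged.

    Symlinks are skipped (lstat, not stat) so an attacker-planted link cannot
    make the scanner report or chase a file somewhere else.
    """
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            found = classify_mode(st.st_mode, st.st_uid)
            if found:
                results[path] = found
    return results


def build_demo_tree() -> tuple:
    """Create a throwaway directory with two deliberately weak entries so the
    scanner can run offline; returns (root, {label: path})."""
    root = tempfile.mkdtemp(prefix="privesc-demo-")
    upload = os.path.join(root, "upload")
    os.mkdir(upload)
    os.chmod(upload, 0o777)            # world-writable, no sticky bit
    notes = os.path.join(root, "notes.txt")
    with open(notes, "w") as fh:
        fh.write("constructed sample file\n")
    os.chmod(notes, 0o666)             # world-writable file
    return root, {"upload": upload, "notes": notes}


def demo_findings() -> dict:
    """Build the demo tree and return {label: findings} for its entries."""
    root, paths = build_demo_tree()
    results = scan_tree(root)
    return {label: results.get(path, []) for label, path in paths.items()}


if __name__ == "__main__":
    for label, found in demo_findings().items():
        print(label, "->", ", ".join(found) or "clean")
```

Run against `/` on a real host it produces a long list; the interesting lines are the setuid-root binaries you did not install on purpose and world-writable directories on a path that root or the web server reads from.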
Author Comment

ID: 37809826
Ok, thanks. Are there any tools that can assist in auditing IIS/Apache misconfigurations, or is that more geared towards manual assessment?

Expert Comment

ID: 37809849
You have a couple of options. You could use a vulnerability scanner in authenticated mode (Nessus, for example), or some more limited quick'n'dirty tool like MBSA, but the best option would be to do it manually using some checklists, or forcing the proper configurations on the servers via scripts or GPO. Good hardening guidelines for each OS and web server can be found here:
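An added example (not code from the thread) of the script-driven route mentioned above: a minimal auditor for a few well-known Apache httpd hardening directives (ServerTokens, ServerSignature, TraceEnable, and Indexes in Options), run over two constructed config fragments. Which directives it checks is my choice and a real checklist covers far more; it reads the config text only and ignores scope, so a setting inside `<VirtualHost>` or `<Directory>` is treated like a global one.

```python
import re

# directive (lower-cased) -> (value acceptable?, recommended line,
#                             is httpd's default acceptable when unset?)
CHECKS = {
    "servertokens":    (lambda v: v.lower() in ("prod", "productonly"),
                        "ServerTokens Prod", False),      # default: Full
    "serversignature": (lambda v: v.lower() == "off",
                        "ServerSignature Off", True),     # default: Off
    "traceenable":     (lambda v: v.lower() == "off",
                        "TraceEnable Off", False),        # default: On
}

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)\s+(.*)$")


def audit_apache_config(text: str) -> list:
    """Return [(line_no, message)] for weak or missing settings.

    line_no 0 means the directive is absent and httpd's default is weak.
    Directive names are case-insensitive in httpd, so matching is too.
    """
    seen = set()
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line or line.startswith("<"):      # skip blanks and section tags
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).strip()
        if name in CHECKS:
            seen.add(name)
            ok, want, _ = CHECKS[name]
            if not ok(value):
                findings.append((n, "%s %s: want '%s'" % (m.group(1), value, want)))
        elif name == "options":
            # Indexes (also enabled by +Indexes and All) turns on directory
            # listings, which hand an attacker a map of the document root.
            if any(o.lower() in ("indexes", "+indexes", "all") for o in value.split()):
                findings.append((n, "Options %s: directory listing enabled; "
                                    "use 'Options -Indexes'" % value))
    for name, (_, want, default_ok) in CHECKS.items():
        if name not in seen and not default_ok:
            findings.append((0, "%s not set; httpd's default is weaker" % want))
    return findings


# Constructed config fragments, not taken from any real server.
WEAK_CONF = """\
# default-looking httpd.conf fragment
ServerTokens Full
ServerSignature On
TraceEnable On
<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
"""

HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
TraceEnable Off
<Directory /var/www/html>
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label + ":")
        for line_no, msg in audit_apache_config(conf) or [(0, "no findings")]:
            print("  line %d: %s" % (line_no, msg))
```

ServerTokens and ServerSignature are the two settings that feed the banner and error-page fingerprinting discussed later in the thread; the auditor also reports them when they are simply absent, because httpd's defaults for ServerTokens and TraceEnable are the weak ones.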

Expert Comment

ID: 37809898
keep in mind: the main source of vulnerabilities today is web applications
a properly configured web/application server and OS does not help; it just raises the bar for further exploitation, hence being considered "defence in depth"
for webapps, you need pentests or, better, SCA

Author Comment

ID: 37810774
Ok, thanks. Would you say web apps are just seen as footholds to get into the network? I.e. you'd imagine a hacker needs some motive. So trying SQL injection on someone's gardening tips website wouldn't really be of much use, as opposed to a company's payroll web app, which would be a much juicier target. But again the compromise may just be seen as a foothold regardless of the app's content.

Expert Comment

ID: 37810806
That, or maybe just to use the resources of the compromised server. Even the gardening website may have some nice CPU time, network bandwidth and disk space to use for spamming, DDoSing and other stuff.

Expert Comment

ID: 37811567
> .. someones gardening tips website ..
if that website is hosted on the same system as a company's payroll web app, i.e. virtual hosts, then the garden is a really nice target for an attacker

Assisted Solution

btan earned 125 total points
ID: 37812117
I see remote vulnerability arising most of the time from unnecessary services and open ports that invite poking at internal or local services that can be vulnerable. Fingerprinting the type of web server is straightforward, or through error pages, which present more opportunities remotely to find out more about what is running internally. Definitely agree with you all, folks... this article presents how easily a web server can be exploited remotely to later launch further local exfiltration or pivot further using exploitation tools like Metasploit or BackTrack.

Even defense in breadth may make sense once you identify a point of entry to exploit... mainly to assess the attack surface and further damage... just two cents' worth...

Expert Comment

ID: 37812392
> ... comes most of the time due to unnecessary services and ports open ...
80, 443