types of remote vuln and how local vulns on web servers can be hacked

Can I ask how a “local exploit” would be a risk factor if combined with a “remote exploit” on a web server? Take the website running on the server out of the equation; the server is running IIS and, say, Server 2003. Can you explain to me in management terms how

a) a remote exploit would put an attacker in the position to attack the “local exploit”, i.e. what type of “remote vulnerabilities” would get them in a position to attack the local on a typical web server.

b) the types of local exploit that would need to be checked (I am assuming OS patches, local accounts/weak passwords would be the 2 obvious ones, but are there any more? )

If you could put this in the context of an Apache web server running Ubuntu as the OS, or an IIS web server running on Windows Server 2003, that would help me no end.
Sudeep Sharma, Technical Designer, commented:

"It is only when we forget all our learning that we begin to know."
by Henry David Thoreau

I would say do the vulnerability testing yourself on your servers, and the report that would be generated would tell you what the vulnerability is, its CVE number and the exploit that can be triggered.

I would recommend you use Metasploit for the same. They have a community version which is free of cost.

Further, for vulnerability scanning and management you would need Nexpose, which works in conjunction with Metasploit, and there is also a community version of it.

Metasploit Community Edition

Download Nexpose Community Edition

If you need any help in running those applications we can help.


modern OS and server components can be considered rather secure if properly patched
of course, there's no patch for zero-day exploits

so the main threat is vulnerabilities in your (web) application which can be exploited remotely
if you have such vulnerabilities, they may be used to exploit local vulnerabilities too

to give a more practical example, let's assume that you have a fully patched OS, a fully patched web server and a fully patched db server; but you use default (mainly insecure) configurations and you have a vulnerable web application
then this webapp is remotely exploitable and the exploit may use techniques to run programs on your system which exploit other weaknesses which could only be accessed with proper permission on the local system (i.e. run OS commands)
for example, if you have a local exploit which may attack your mail server listening on port 25 and your network firewall blocks all connections to port 25, you cannot exploit it remotely but you can exploit it locally when logged in to that system
now consider a weak webapp which allows running OS commands in the context of the web server user; then this could be exploited remotely and also exploits the local vulnerability

conclusion aka best practice: fix any weakness or vulnerability you know of; best you do it in the source code
a) If the remote vulnerability allows the attacker any kind of access to the system, that is, as ahoffman said, allowing him to run any kind of commands or code on the server, this would allow him to also exploit any local vulnerabilities. Typically a hardened web server for example would run as an unprivileged account, therefore only granting limited access to the system for an attacker that compromises the service. If you're looking at vulnerability information from for example MS security bulletins, any that allows remote code execution or remote access qualifies as one.

b) There aren't really any limitations on where the local vulnerability could be, in any piece of software or configuration on the server. Local just means it can't be exploited remotely, that is, it isn't on a service that is published to the network. The main problem in this scenario is privilege escalation exploits, which allow the attacker who got limited access in step a) to gain full access using a different local exploit.
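As an added example (not code from any poster in this thread), here is how a defender can separate the two classes the answers above describe on a Linux/Apache host: it parses a constructed sample of `ss -tlnp` output and marks each listener as network-exposed (the remote attack surface) or loopback-only (services like the port-25 mail server in ahoffman's example, reachable only after a foothold such as command execution through the web application). The sample output, the process names and the port numbers are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output from an Ubuntu/Apache host (not real data).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("apache2",pid=812,fd=4))
LISTEN 0      100    127.0.0.1:25       0.0.0.0:*         users:(("master",pid=640,fd=13))
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=701,fd=21))
LISTEN 0      128    *:22               *:*               users:(("sshd",pid=455,fd=3))
LISTEN 0      511    [::]:443           [::]:*            users:(("apache2",pid=812,fd=6))
"""

WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}   # bound on every interface
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}     # bound on the host only


@dataclass
class Listener:
    port: int
    process: str
    exposure: str  # "network" (remote attack surface) or "loopback" (local only)


def classify_listeners(ss_output: str) -> list[Listener]:
    """Parse `ss -tlnp` lines and tag each TCP listener by where it is reachable from."""
    listeners = []
    for line in ss_output.splitlines()[1:]:        # first line is the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)      # handles "[::]:443" and "*:22" too
        m = re.search(r'\("([^"]+)"', line)        # process name inside users:(("name",...))
        proc = m.group(1) if m else "unknown"
        if addr in LOOPBACK or addr.startswith("127."):
            exposure = "loopback"
        else:
            exposure = "network"    # wildcard or a specific interface: reachable remotely
        listeners.append(Listener(int(port), proc, exposure))
    return listeners


def local_only_ports(ss_output: str) -> set[int]:
    """Services an attacker can reach only after gaining code execution on the host."""
    return {l.port for l in classify_listeners(ss_output) if l.exposure == "loopback"}


def exposed_ports(ss_output: str) -> set[int]:
    """Services that form the remote attack surface (what the firewall/Internet sees)."""
    return {l.port for l in classify_listeners(ss_output) if l.exposure == "network"}


if __name__ == "__main__":
    for l in classify_listeners(SAMPLE_SS_OUTPUT):
        print(f"{l.port:>5} {l.process:<10} {l.exposure}")
```

On a live host feed it the real output (`ss -tlnp`); the loopback list is not "safe", it is the local class whose patch level and configuration matter once the web application gives a foothold.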
pma111 (Author) commented:
Ok thanks. Are there any tools that can assist in auditing IIS/Apache misconfigurations, or is that more geared towards manual assessment?
You have a couple of options. You could use a vulnerability scanner in authenticated mode (Nessus for example), or some more limited quick'n'dirty tool like MBSA (https://www.microsoft.com/download/en/details.aspx?displaylang=en&id=19892), but the best option would be to do it manually using some checklists, or forcing the proper configurations on the servers via scripts or GPO. Good hardening guidelines for each OS and web server can be found here:

keep in mind: the main source of vulnerabilities today is web applications
a properly configured web/application server and OS does not help; it just raises the bar for further exploitation, hence being considered "defence in depth"
for webapps, you need pentests or, better, SCA
pma111 (Author) commented:
Ok thanks. Would you say web apps are just seen as footholds to get into the network? I.e. you'd imagine a hacker needs some motive. So trying SQL injection on someone's gardening tips website wouldn't really be of much use, as opposed to a company's payroll web app, which would be a much more juicy target. But again the compromise may just be seen as a foothold irrespective of the app's content.
That, or maybe just to use the resources of the compromised server. Even the gardening website may have some nice CPU time, network bandwidth and disk space to use for spamming, DDoSing and other stuff.
> .. someones gardening tips website ..
if that website is hosted on the same system as a company's payroll web app, i.e. virtual hosts, then the garden is a real nice target for an attacker
btan, Exec Consultant, commented:
I see remote vulnerability comes most of the time due to unnecessary services and open ports that invite poking of internal or local services that can be vulnerable. Fingerprinting the type of web server is straightforward, or through error pages presents more opportunities remotely to find out more of what is running internally. Definitely agreed with you all folks... this article presents how easily a web server can be exploited remotely to later launch further local filtration or pivot further using exploitation tools like Metasploit or BackTrack

Even defense in breadth may make sense once you identify a point of entry to exploit..mainly to assess attack surface and further damages...just two cents worth...
> ... comes most of the time due to unnecessary services and ports open ...
80, 443
