This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
CVE stands for Common Vulnerabilities and Exposures.CVE Vulnerablities and exposures CVE is a dictionary of common names such as this CVE Identifiers for publicly known information security vulnerabilities, while its common configuration enumeration provides identifier for security configuration exposures and vulnerability issues (CVE, 2010).
CVE common identifier facilitates the exchange of data across separate network security database, tools and provide the bases for assessing the coverage for tools. If security organizations to report from one of the tools of private security has CVE ID may then be accessed quickly and accurately fix the information in a separate database and one or more CVE-compatible to fix the problem with (CVE,2010).
Some more description about CVE is given below:
One name for one vulnerablilty or exposure.
One standardized description for each vulnerability or exposure.
A directionary instead of database.
How disparate databases and tools can speak the same language.
The way to interoperability and excellent security coverage.
A basis for evauation among databases and tools.
Free for public use and download.
Industry endored through the CVE editorial board and CVE-Compatible products.
CVE launched in 1999 when most of the CVE information security tools used their own databases with their own names for vulnerabilities. At that time there was no significant variation between the products and no easy way to determine when the different databases were referring to the same problem. The consequences of potential gaps in security coverage and lack of compatibility between the effective disperate databases and tools. In addition to each vendor tool used different measures of state in a number of vulnerabilities or exposures they detected, which means there is no uniform basis of assessment among the tools (CVE,2010).
Common standardized identifiers of CVE's provide the solution to these problems.
CVE is now the industry standard for identification names. CVE vulnerability and exposure to provide reference points for the exchange of data so that information security products and services that can talk with others. CVE identifiers also provides a basis for assessing the coverage of tools and services so that users can determine the most effective tools and appropriate to the need of their organizations. In short products and services compatible with CVE provide better coverage easier interoperability and enhanced security (CVE, 2010).
Working OF CVE
CVE identifier creation process begins with the discovery of a potential security vulnerability.
According to CVE (2010) the information is then assigned a CVE identifier with candidate status by the CVE Candidate Numbering Authority (CAN), posted on the CVE site and proposed to the CVE editorial board by the CVE editor. As part of its management of CVE, the MITRE Corporation jobs as editor and primary CAN.
The Board discusses the candidate and vote on whether it should become entry. If CVE candidate unacceptable reason for the refusal is noted in the archives of the editorial board Web site. If CVE candidate is accepted its status is update to entry on the list of CVE. However the assignment does not guarantee the number of candidates to become official CVE entry.
Microsoft Security Bulletin MS03-026
Buffer Overrun In RPC Interface Could Allow Code Execution (823980):
Microsoft originally released this bulletin and patch on July 16, 2003 to correct a security vulnerability in the Windows interface and Distributed Component Object Model (DCOM) Remote Procedure Call (RPC). After the release of this bulletin Microsoft has been made aware that additional ports involving RPC can be used to exploit this vulnerability. Information on these additional ports were added to the mitigating factors and the section of the bulletin of the problem. In addition, Microsoft issued security bulletin MS03-039 and an updated scanning tool which replaces this publication and the original scanning tool provided with it (Microsoft TechNet, 2003).
According to Microsoft TechNet (2003) the updated tool with the number MS03-039 replaces the one provided in Microsoft Knowledge Base article 826369. If the tool originally provided with this bulletin is used against a system which has installed the security patch provided MS03-039, the tool is outdated and will report incorrectly that the system is missing the patch provided in MS03-026. Microsoft encourages customers to run the latest version of the tool available in Microsoft Knowledge Base article 827363 to determine whether their systems patched.
It stands for Remote Procedure call, Microsoft TechNet (2003) stated that it is a protocol used by Windows operating system. Inter-process communication mechanism provides by RPC that allows to run the program on one computer to seamlessly execute on a remote system. The protocol itself is derived from the Open Software Foundation (OSF) protocol to the RPC, but with the addition of some Microsoft specific extensions.
Microsoft TechNet (2003) narrated that there is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. Consequences of failure because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on port RPC. This interface handles DCOM object activation requests that are sent by client machines to the server. Attacker who successfully exploited this vulnerability to be able to run code with Local System privileges on an affected system. The attacker will be able to take any action on the system, including installing programs and view change, or delete data, or create new accounts with full privileges.
To exploit this vulnerability, one of the attacker need to send a specially formed request to the remote computer on specific RPC ports.
Stonesoft (2011) stated about this vulnerability: RPC DCOM interface buffer overflow vulnerability (MS03-026).
The RPC DCOM interface suffers from a weakness in the object activation request handing. When exploited successfully the vulnerability allows remote code execution with system privileges through a buffer overflow. Exploits are available in the internet widely. The blaster/Msblast/LovSAN and Nachi/Welchia worms exploit this vulnerability.
Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network. Previously called "Network OLE," DCOM is designed for use and transport across multiple network, including Internet protocols such as HTTP (Microsoft TechNet, 2003).
To exploit this vulnerability, the attacker requires the ability to send a specially crafted request to port 135, 139, 445 or 593 or any port specifically configured RPC port on the remote machine. For intranet environments, these ports are usually available, but for Internet connected machines, these are usually blocked by a firewall. In the case where these ports are not blocked, or in an intranet configuration, the attacker does not require any additional privileges (Microsoft TechNet, 2003).
Best practices recommend blocking all TCP/IP ports that are not used effectively, and most firewalls including the Windows Internet Connection Firewall (ICF) block those ports by default. For this reason, most Internet connected devices must be RPC over TCP or UDP blocked. RPC over UDP or TCP is not intended to be used in hostile environments such as the Internet. More efficient protocols such as RPC over HTTP are provided for hostile environments (Microsoft TechNet, 2003).
RPC tools make it seem to users as though a client directly calls a procedure located in a remote server program. Client and server each have their own address spaces; that is, all its own memory resource allocated to data used by the procedure. The following figure illustrates the RPC architecture (MSDN, 2011).
Dictionary - View detailed dictionary
Â According to MSDN (2011) The client application calls a local stub procedure instead of the actual code implemention of the procedure. Stubs are classified and connect them with the client application. Instead of containing the actual code that implements the remote procedure, the client stub code:
* Retrieves the required parameters from the client address space.
* Translates the parameters as needed to coordinate the NDR standard for transmission over the network.
* Calls functions in the library of the client run-time RPC to send the request and parameters on the server.
According to MSDN (2011) To call the remote procedure the server perform the following steps.
* The server RPC run-time library functions accept the request and call the server stub procedure.
* The server stub retrieves the parameters of the buffer network and its transmission from a network transmission format to a format the server needs.
* The server stub calls the actual procedure on the server.
Dictionary - View detailed dictionary
The remote procedure then runs and possibly generating output parameters and return value. When a remote procedure is complete, a similar series of steps returns the data to the client (MSDN, 2011).
*The remote procedure returns its data to the server stub.
*The server stub conversion output parameters to the required format for transfer over the network and returns them to the RPC run-time library functions.
*The server RPC run-time library functions transfer data on the network to the client computer.
The client completes the process by accepting the data over the network and return it to the calling function.
MSDN (2011) stated that Client RPC run-time library receives a remote procedure return values and return them to the client stub. The client stub converts the data from the NDR to the format used by the client computer. Stub writes data in client memory and returns the result to the calling program to conduct client. The calling procedure continues as if the procedure had been called on the same computer.
The run-time libraries in two parts: the import library, which is associated with the application and the RPC run-time library, which is implemented by a dynamic-link library (DLL).
The server application contains calls to the server run-time library functions which register the server's interface and allow the server to accept remote procedure calls. The server application also contains the application-specific remote procedures that are called by applications (MSDN, 2011).
Microsoft Windows RPC vulnerable to buffer overflow (Vulnerability VU#568148)
According to US-CERT (2007) Buffer overflow vulnerability exists in Microsoft's Remote Procedure Call (RPC) implementation. The remote attacker can exploit this vulnerability to execute arbitrary code or cause a denial of service. And the exploitation of this vulnerability is available to the public.
Microsoft describes the implementation of the RPC protocol, "which is the protocol used by Windows operating system. RPC provides an inter-process communication mechanism that allows to run the program on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions."
A buffer overflow has been discovered in Microsoft's RPC implementation. Quoting from Microsoft Security Bulletin MS03-026:
There is a vulnerability in a part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects in particular the Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. This interface handles DCOM object activation requests that are sent by client machines (such as Universal Naming Convention UNC paths) to the server (US-CERT, 2007).
US-CERT (2007) narrated that a remote attacker can exploit this vulnerability to execute arbitrary code with System Privileges or cause a denial of service.
Apply a patch as described in Microsoft Security Bulletin MS03-026. Microsoft is actively deploying the patches for this vulnerability via Windows Update.
You may want to prevent access to the outside of the network perimeter, specifically by blocking access to TCP ports 135, 139, 445, 593 and UDP ports 135, 137, 138, and 445. You may also like to disable Com Internet Services and RPC over HTTP. This will limit exposure to attacks. However, blocking at the network perimeter continues to allow the attackers in the perimeter of your network to exploit the vulnerability. It is important to understand network configuration and service requirements before deciding what changes are appropriate (US-CERT, 2007).
Depending on site requirements, you may want to disable DCOM as described in the MS03-026. Disabling DCOM will help protect against this vulnerability, but may also cause undesirable side effects in it. Additional details on disabling DCOM and possible side effects available in the Microsoft Knowledge Base Article 825750 (US-CERT, 2007).
Archives (2003) has given that Security researchers discovered the basic techniques of a new attack vectors for vulnerabilities, published recently in systems running Microsoft Windows. These new attack methods were found during researching exploitation conditions for the Workstation Service vulnerability discovered by eEye Digital SecurityÂ and disclosed in Microsoft security bulletin MS03-049 of November 11th, 2003.
They may also apply to other vulnerabilities such as DCE RPC DCOMÂ and the Messenger service vulnerabilities addressed by bulletins MS03-001,Â MS03-026 and MS03-043.
We found that by combining three protocol properties common to theÂ Â vulnerabilities mentioned, an attacker can develop more serious, stealth and low-noise attack vectors than those originally concieved.Core Security Technologies urges users of Microsoft Windows operating systemsÂ Â for the deployment of patches available for these vulnerabilities to fix the problem effectively. Suggested workarounds should be revisited to ensure that all currently known attack vectors properly including the new ones (Archives, 2003).
Microsoft RPC services running on Windows 2000 and Windows XP.
Patches are readily available to fix the vulnerabilities and close all known attack vectors.
Several vulnerabilities in the Microsoft RPC code like [MS03-001], [MS03-026], [MS03-043], [MS03-049]) have been disclosed recently.
We were able to successfully exploit some of the latest DCE RPC vulnerabilities through less noted ports and even on broadcast addresses. We were able to exploit [MS03-026] using 445/TCP 139/TCP 135/TCP 135/UDP and 80/TCP. [MS03-049] successfully exploited through 445/TCP 139/TCP and dynamically assigned TCP/UDP ports over 1024. We have not seen public exploits or worms using these ports, and we are not sure whether the Windows API can be designed for this purpose. We have our own implementation of RPC which is part of the publicly available impacketÂ project (Archives, 2003).
Remote Procedure Call (RPC)
Porter (2003) has also generalized that Remote Procedure Call is a protocol level application used to facilitate communication between two devices on the network. RPC uses the client/server model of communication where the requesting machine is considered the client and the machine servicing the request is considered the server. Since RPC working on the application layer of the OSI model it is not concerned with the details of the underlying network. A runtime program located on both the client and server computers which has knowledge of the underlying network and manages the transmission of the RPC request across the network. Porter (2003) has further explained that the RPCDCOM interface accessible through port 135 is used to provide the location of DCOM services to clients making associated requests. Having the service dynamically provide the location or port of the requested DCOM service is intended to simplify the process by providing a single point of access for initial requests. This prevents the requesting application/client from having to know the specific access point when the original call is made.
In the context of this exploit, RPC traffic is transmitted at the transport layer of the network via the Transmission Control Protocol (TCP).
The majority of vulnerabilities related to RPC have been related to buffer overflows to gain control over a victim or specially crafted requests which cause certain level of denial of service (DoS). This specific exploit and most of the others capitalize on weaknesses in the specific implementations as opposed to a general weakness in the protocol or specification. Different buffer overflow vulnerabilities are specific to the coding and implementation of the service. Ensure secure coding practices, such as checking/limiting of all input being returned to the application, would block the buffer overflows without having any affect on the functionality of the service (Porter, 2003).
Porter (2003) also stated about one recent vulnerabilitity which relate to RPC . CVE candidate CAN-2003-0352 references the vulnerability.
CVE Number (CAN-2003-0352)
Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message.
Name: dcom.c - This is the base code which executes the RPC buffer overflow
and opens a command shell listening on port 4444.
CERT Advisory: CA-2003-16
CERT Vulnerability Note: VU#568148
Microsoft Security Bulletin: MS03-026
msblast.exe (MS Blast/Blaster/Lovsan)
Systems Affected :
Microsoft Windows Server 2003, 64-Bit Enterprise Edition
Microsoft Windows Server 2003, Enterprise Edition
Microsoft Windows Server 2003, Standard Edition
Microsoft Windows XP Professional
Microsoft Windows XP Home Edition
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Tablet PC Edition
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows NT Server 4.0
Microsoft Windows NT Server 4.0 Terminal Server Edition
Microsoft Windows NT Workstation 4.0
Nortel Symposium including TAPI ICM
Nortel Business Communications Manager
Nortel International Centrex-IP
Nortel Periphonics with OSCAR Speech Server
Porter (2003) has further explained that this exploit takes advantage of a buffer overflow in the Distributed Component Object Model and interface within the Remote Procedure Call mechanism of many Windows operating systems. By sending a specially crafted RPC request to port 135 this exploit overflows the buffer and returns instructions to the stack which then launches a shell command (with the privileges of the system) listening on port 4444 of the victim's machine.
How Exploit Works
The exploit is possible there is a security vulnerability in an RPC interface implementing DCOM services within Microsoft's Windows operating systems.
Buffer Overflows: The exploit uses a buffer overflow. A buffer overflow is occurs when passing a lot of data to the buffer memory for your application. If the application does not check the amount of data being returned, the data can overflow the buffer. The overflowed data may then be returned to the operating system stack and possibly executed with the privileges of the application. If the application is running with high level root or administrator access then the code being implemented that can perform the tasks which are usually limited. This can include modifying the operating system, opening command shells, creating user accounts, etc (Porter, 2003).
This specific buffer overflow is possible due to an unchecked parameter within a
COSERVERINFO * pServerInfo,
CLSID * pclsid,
IUnknown * punkOuter,
OLECHAR * szName,
MULTI_QI * rgmqResults
The "CoGetInstanceFromFile" function above is used to create a new object and initialize it from a file. This function has a parameter of "szName" which is used to select a file to be initialized. This parameter is allocated a value of 0x20 (32 bytes) for the filename, however the input is not checked. When a larger value is input, anything outside the spave 0x20 is overflowed and can then be executed on the target system. This is the critical flaw in the DCOM RPC interface which allows for exploitation to achieve success. By inserting instructions into the data which is overflowed the exploit can cause the operating system to spawn a command shell listening on a specific port. This original version of the dcom.c exploit spawns this shell on TCP port 4444, although subsequent versions allow the attacker to specify the port at the time of execution (Porter, 2003).
According to Porter (2003) exploit performs the following steps:
Connects to TCP port 135 of the victim machine.
Issues an RPC request for the file
the victim's machine, which overflows the buffer.
Returns instructions to the operating system, via the overflowed
buffer, to open a command shell listening on TCP port 4444.
Connects to shell via port 4444 on the victim's machine.
Vulnerabilities will always be a part of our systems. The ability to definitively determine the presence of vulnerabilities on those systems, and then to apply all known security fixes and patches. The RPC/DCOM vulnerability (CVE # CAN-2003-03 52) is a serious threat due to the widespread use of the Windows operating systems affected. After writing this paper I understand the above vulnerabilities. I also came to know what action is necessary to mitigate the risk via several different courses of action.