OSU Central Web Services Vulnerabilities

ECE 478 Spring 2003

Friday, 6th June, 2003

Jacob P. Campbell
Robert Hopson

Page 2 of 12
Campbell & Hopson

Abstract .......... 3
Introduction .......... 3
Apache .......... 4
  Description .......... 4
  Vulnerabilities .......... 4
Tomcat .......... 5
  Description .......... 5
  Vulnerabilities .......... 5
MySQL .......... 6
  Description .......... 6
  Vulnerabilities .......... 6
Coldfusion .......... 7
  Description .......... 7
  Vulnerabilities .......... 7
PHP .......... 7
  Description .......... 7
  Vulnerabilities .......... 8
ProFTPD .......... 8
  Description .......... 8
  Vulnerabilities .......... 9
Successful Intrusions .......... 9
  Linux and ptrace .......... 9
  Weak passwords on default accounts .......... 10
Conclusions .......... 11
Works Cited .......... 12
Works Consulted .......... 12



Abstract


Oregon State University uses a centralized computer system known as Central Web Services (CWS) to host web pages. Thousands of students and employees can log in to this system to edit and upload files. A variety of access methods are available, including SSH, FTP, and direct web access.


This document provides an analysis of internal vulnerabilities and external threats. Possible security concerns extend from software running on the CWS system, including:

1. Apache
2. Tomcat
3. MySQL
4. ColdFusion
5. PHP
6. ProFTPD

This document identifies security concerns on the system and provides recommendations for improving security. It also contains accounts of two successful intrusions into the CWS system.



Introduction


Central Web Services provides hosting of static and dynamic web content for OSU and OSU affiliated organizations. Web hosting in its current form involves two completely separate “customer bases.” Authors are content providers, and end-users are those who access the content.


These two customer bases present demands that are often at odds with each other. Authors want easy access to the system and the latest technology in order to simplify their publishing process and make their content more appealing. End-users, who are much more numerous, require rapid, reliable, and strictly limited access. So a single resource is accessible by several methods, each potentially utilizing a different security implementation.


An example of the complexity of the security model: under the domain oregonstate.edu, CWS hosts approximately 54 gigabytes (GB) of text, graphics, and multimedia content. These files are accessible by 554 authors organized into 546 permission groups. More than 200 of these groups have some type of access restriction on their files; limiting by IP address or requiring user credentials are the two most common methods [1].


CWS manages the list of groups and the files those groups have access to. Individual groups are free to control their own members (any Onid account can be given access), but CWS manages the authentication of all members. Along similar lines, CWS makes all the files available via the web, while each group can choose to limit what is publicly available, and use a variety of authentication methods to do so. Several layers of applications and security mechanisms make these various access restrictions possible.


What follows is a breakdown of the various applications and services provided by CWS,
where they depend on each other for security, possible vulnerabilities, and
recommendations for improving security.


Apache

Description


The Apache web server is an open-source HTTP server available for most modern operating systems, including Windows, UNIX, and Linux. Apache is the most widely used web server on the Internet, and has been since April of 1996. Currently an estimated 62% of all web sites use Apache [2].


Since Apache has the largest share of the HTTP server market it is the best choice for OSU’s web hosting needs. Apache provides web services that meet the most current HTTP standards, giving OSU the flexibility and freedom to design web pages that use the capabilities of the Internet to its fullest. However, keeping with the most recent HTTP standard leads to the possibility of vulnerabilities entering the system every time a patch or update for Apache is released. Apache is an open source project, available under the GNU General Public License (GPL).


Vulnerabilities



Apache is the most important application in CWS; it serves every one of the approximately 5 million web pages [1] CWS processes per day. This makes it a likely target for an attack; take down Apache, and deny web services for all end users. In practice, this is less of a concern than it might seem. Apache as an application is quite resilient; a recent link from http://slashdot.org sent web users to an OSU hosted Apache server, with a peak load of 1200 active connections [1]. At that load the network connection on the machine was saturated and the machine fell back to using swap memory for a time, but the Apache service stayed responsive, suggesting it was capable of handling an even greater load on better hardware.


It is entirely possible that potential exploits are present in Apache; in July 2002 a private security firm reported a vulnerability in the FreeBSD and Windows versions and a worm that exploited this vulnerability soon followed. This worm was never widespread, and the Apache development team released a patch soon afterward.


Tomcat

Description


Tomcat builds on the well-tested and secure Apache code base, and uses Apache’s preforking, connection handling, and security model as a platform to run small Java applications called “Servlets.” Tomcat is the official Reference Implementation for the Java Servlet and JavaServer Pages technologies [3], and as such is open-source software.


Tomcat is not widely used by CWS; in its current incarnation, it mainly serves as a translation engine for CWS’s Google Search Appliance (GSA). The GSA returns XML code from queries; a custom Java Servlet applies an XML Stylesheet to rewrite the XML in HTML that fits in with OSU’s look and feel.



Vulnerabilities


Tomcat is an excellent service for running user applications; because of its Apache roots it is robust and secure. Its Java interface adds another layer of security: the “virtual machine” concept provides a rigidly limited environment for running applications. Tomcat Servlets can be limited in execution time, memory consumption, network port access, and several other resources in addition to the normal system restrictions applied to regular Tomcat processes.


Because it is just a reference implementation for Java Servlets, Tomcat is not as stable as a plain Apache server, or some other available Java Servlet Servers. However it doesn’t see much production use on CWS, and is installed mainly to provide Servlet hosting capabilities should the need arise. An outage in the Tomcat Server prevents access to the GSA at http://search.oregonstate.edu, which is inconvenient to users but doesn’t actually prevent them from viewing any web content. Tomcat has no special access to the GSA, it only proxies requests and results, so even if Tomcat were seized by an attacker, it wouldn’t pose a serious threat to the CWS systems.



MySQL

Description


MySQL is the database server used by Central Web Services, and the most popular open source database implementation in the world. CWS uses MySQL to make online databases available to individual web developers. This not only benefits web site appearance, but also provides content and develops interactive sites where end-users can communicate information to the developer, to be collected in the database for later use.


In addition to normal web content storage, CWS also does much of its user management with a restricted MySQL database. Storing this information in a database makes it possible to update user and group information on the fly through both command line tools and a web interface. In addition, for the large number of users and groups on CWS, retrieving user data from an indexed database can actually be faster than the flat text files commonly used on UNIX systems.


MySQL is the best database choice for CWS for several reasons. In particular, there is no license fee for the MySQL database server under the GNU General Public License. Also, MySQL is better for speed, compactness, stability and ease of deployment than other implementations available [4].


Vulnerabilities


Storing user account information in MySQL carries a number of security concerns; making this information updatable via the web compounds these concerns. Foremost, any vulnerability in the MySQL server immediately has an effect on the rest of the system. The most obvious exploit is changing user passwords, since the database makes it possible to change or erase all user accounts with a single query. More subtle problems exist as well, such as creating a user account with an ID number of '0' (in effect adding another “root” account to the system), changing user ID numbers to give improper file permissions or access to other systems on the CWS network, and others.


CWS currently handles many of these exploits; for most accounts, the ID number is the Onid ID number. For those authors without Onid accounts, the system uses an ID number from a predefined list of acceptable numbers. The password for the MySQL account is perhaps the most vulnerable; since it needs to be readable to php, it sits in plain text. However, this file is readable only to the web server user (www-data), and is in a directory unreadable to normal users (so the name of the file with the password can’t be seen either).


The database runs on a separate machine from the rest of the system; in the event an attacker compromises MySQL, it is possible to simply unhook the database server and restore the last known good database from nightly backups on a different machine. Using MySQL for authentication this way provides some measure of security through obscurity as well; see Linux and ptrace, in the successful intrusions section below.

Coldfusion

Description


ColdFusion is a server side application that allows web developers to integrate enhanced content into web pages. It is an extremely popular database-to-web gateway capable of transferring large amounts of data from a database on the server to a web page to be served to the end user very quickly. Web developers can easily use this functionality to create dynamic sites and web based applications.



Vulnerabilities


Coldfusion on Linux is at best a poor implementation; it is plagued with stability issues and software bugs that continue to go unaddressed by the authors at Macromedia. However, while these bugs do affect Coldfusion’s functionality, they have yet to result in any kind of exploitable security flaw. Coldfusion is another Java application that takes advantage of the virtual machine concept to provide increased security.


Whether this is a good trade-off for the reliability issues that seem to plague it is in question: it is CWS’s foremost priority to make OSU’s web pages available to campus and the rest of the world, and because Coldfusion runs on top of Apache, it can and does occasionally monopolize all the available Apache processes. This results in the equivalent of an internal DoS attack, which is much more effective given that Coldfusion executes as fast as the machine it’s on rather than being limited by network bandwidth. There is a great deal of existing Coldfusion content on the CWS systems, so while web authors are strongly encouraged to use the PHP scripting language (see below), the Coldfusion application has a limited future in CWS.

PHP

Description


PHP, which stands for PHP Hypertext Preprocessor, is a scripting language well suited for web development that can be embedded into HTML. PHP is mainly used for server-side scripting, which can be used for tasks such as collecting form data, generating dynamic page content, or sending and receiving cookies. PHP's abilities include outputting html, images, PDF files, and even Flash movies generated on the fly. PHP can also be used in place of an application like ColdFusion for creating dynamic sites and web based applications, or for serving as a gateway between a server-side database and the web. PHP is also available under the GPL.



Vulnerabilities


Because PHP is a server-side scripting language, it can potentially be quite dangerous. The processing of PHP scripts happens on user demand, which makes it possible for an attacker to inject their own code into poorly written scripts (i.e., those that do not verify input received from web pages). PHP runs with the same privileges as the web server, which typically means it has read-only access to the file system. However, PHP on CWS is often used with MySQL to store and retrieve data in response to user input. Poorly written PHP scripts can give an attacker the ability to insert arbitrary data into MySQL, and execute their own queries.


The interaction between these two applications creates a complex security hazard: MySQL doesn’t make the distinction between an appropriate query and an inappropriate one (although it does have the ability to limit the types of actions an account can perform on a given database). The original author obviously has some intention for the PHP script, but if an attacker is able to execute his or her own code, it is neither PHP nor MySQL’s responsibility to disallow execution of that code. This is a typical argument against executable scripts running with privileged access to data. Historically, precompiled programs used for similar purposes have been plagued with buffer overflow vulnerabilities (something scripting languages are very good at avoiding, since all their memory is dynamically allocated as they are executed).
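The hazard described above, as an added illustration that is not part of the original paper: a lookup that pastes unverified form input into the query text beside the same lookup with the input bound as a parameter. Python's sqlite3 module stands in for the PHP/MySQL pairing on CWS, and the table, rows and function names are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a web author's MySQL table.
SAMPLE_ROWS = [("alice", "alice@example.edu"), ("bob", "bob@example.edu")]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, username):
    """Mirrors a script that does not verify input: the form value becomes
    part of the SQL text, so the database cannot tell the author's query
    from an attacker's."""
    sql = "SELECT username, email FROM contacts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameter binding: the form value is passed as data and never
    re-parsed as SQL, whatever characters it contains."""
    sql = "SELECT username, email FROM contacts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a normal value and with a value that changes
    the WHERE clause when concatenated."""
    conn = make_db()
    injected = "' OR '1'='1"   # constructed input; makes the clause always true
    return {
        "unsafe_normal": lookup_unsafe(conn, "alice"),
        "unsafe_injected": lookup_unsafe(conn, injected),   # returns every row
        "safe_injected": lookup_safe(conn, injected),       # returns nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The unsafe form returns the whole table for the crafted input; the bound form treats it as a literal username and matches nothing, which is the behaviour the paper says PHP scripts on CWS must provide themselves.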


What PHP doesn’t do is recognize Apache’s configuration directives, which means any given PHP script potentially has access to the entire file system (rather than a limited directory tree, as specified in Apache’s configuration). When PHP scripts operate in combination with some type of service that requires credentials (such as MySQL or some other database), those credentials must be stored in a file readable by the account PHP runs under. And because PHP runs under the same account for every user/web page on a system and can see the entire file system, malicious users can access databases and resources belonging to other users on the system. A further danger of this unrestricted file system access is that some files that have to be world-readable (such as the password file) are viewable through a web page.


Most of the danger in PHP scripting comes from poorly written scripts that allow attackers to execute their own code. The best course for CWS to take is to limit the abilities of PHP itself, since verifying the security of every PHP script is unfeasible.

In order to best serve users, CWS offers a complete PHP hosting environment. This means that the system administrators respond reactively to security problems with poorly written PHP scripts, but the additional capabilities PHP provides to web authors outweigh these security concerns.

ProFTPD

Description


ProFTPD is a File Transfer Protocol server built from the ground up with an emphasis on security and configurability. File transfer capabilities are among the most basic needs of a web developer, allowing developers to create and test content remotely, then transfer it to the server and make it active once it is complete. End-users benefit tremendously from the FTP server as well; ProFTPD allows users to download text, image files, applications, or any other files the web developer has made available for download to the public. ProFTPD is also available under the Gnu Public License.


Vulnerabilities


FTP is a very old protocol, like Telnet. All FTP transfers send raw data between client and server, and this includes account names and passwords. Attackers with physical access to the same network as an FTP user can intercept these credentials.


The ProFTPD server itself has demonstrated a number of security problems in the past (most involving some type of buffer overrun), but its code has been extensively audited and it is now believed to be quite secure (insofar as a raw data protocol implementation can be). See Weak passwords in the successful intrusions section below.


The best current alternative to FTP is to manage all file transfers through an SSH session, so-called SFTP. This encrypts both credentials and data to prevent the simple eavesdropping attacks possible with FTP. CWS fully supports SFTP as a method for uploading and downloading files, but also maintains the FTP service to accommodate software clients such as Macromedia Dreamweaver, which feature built-in FTP transfers. Until all CWS web authors are able to transition to newer software that supports SFTP, the FTP service must be available for file transfers.

Successful Intrusions

Linux and ptrace


On March 17, 2003, a vulnerability in the Linux kernel was announced that employed the ptrace() function. ptrace() allows a process to monitor the execution and memory usage of another process. The flaw allowed code executing ptrace() to attach itself to a process running with root privileges and gain the privileges of that process. This vulnerability required that malicious code execute on the attacked machine; it was not an exploit for any given service. Only attackers with access to an account were able to exploit this flaw.


A fix in the form of a patch to the Linux kernel source was soon available on the Internet. In a high-demand production environment such as CWS, however, it can be difficult to deploy patches that require service outages. So CWS delayed installing the patch until the following weekend.


The day after the vulnerability was announced, one of the CWS servers was compromised. All users were being denied authentication and it was soon obvious from the IRC traffic to and from the server that it had been successfully attacked. CWS administrators blocked off-campus network connections to that machine, and were able to log in using a shared private-key back door.


CWS immediately found the small executable program used by the attackers to exploit the ptrace() vulnerability. Further investigation showed that the attacker replaced the sshd service with one of their own designed to listen for and retransmit passwords to an IRC server. This listener failed to intercept any passwords despite repeated login attempts by many CWS users; this was puzzling until the daemon was analyzed more closely. The combination of LDAP and MySQL authentication on CWS’s systems screened all user passwords from the false daemon, which was looking for authentication requests against the system password file [1].


The attackers originally logged in with the user credentials of one of the CWS employees. Where these credentials came from is still unclear; according to the employee, that combination of username and password was in use on several completely different systems in geographically separate areas. The attackers originated from Arizona, where the employee had been only days before, so it is likely the credentials were sniffed from an FTP or telnet connection made from Arizona to CWS.


It is interesting to note that the attacker apparently did not check the access the compromised account had on the CWS systems; that particular user’s account already had root-level privileges on most of the system. This oversight, in combination with the attacker’s complete failure to harvest any other passwords or compromise any other CWS servers those credentials had access to on the same network, suggests that CWS was fortunate to be attacked by such an unskilled entity.


The compromised system was patched, software packages were verified, and the machine was put back into service the same day.


Weak passwords on default accounts


A recent successful attack on CWS exploited a simple oversight by the administrators in combination with the weakness of the ftp protocol. An installation of the Oracle database software created a default account with a very simple password. This account was meant to provide limited file permissions and schedule simple maintenance jobs on the system. However, the default accounts policies on this server also created a password for the user (6 characters, all alphabetic) and a login shell, meaning it had the ability to log in as any other user, through FTP, SSH, or any other service. The FTP service, which had been disabled for security reasons, was enabled by a CWS employee in an attempt to speed up a slow file transfer (because of the overhead involved in encrypting data through SFTP).


Attackers used FTP to brute force this relatively simple password and gain access to the machine [1]. Ideally this would have gotten them only as much access as this limited account was supposed to have, but another misconfiguration by CWS resulted in the attackers having root access. In some haste to fix a file permission problem, an employee (interestingly the same employee responsible for running the FTP service, and the owner of the account used to exploit the ptrace() problem described earlier) had added this default oracle account to the group ‘root’. So the attackers were easily able to remove all existing accounts on the machine, stop services that would permit outside access to the server, and install a program that subsequently connected to an IRC network and tried to brute-force a password there.


Recovering this server took some time; there was no backdoor access, so it had to be booted from a CD so the system password file could be wiped clean and the data on it recovered [1].
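An account audit that would have flagged the misconfigurations behind this intrusion (a service account given a login shell and membership in group ‘root’) and the extra-UID-0 account the MySQL section warns about. This is an added example, not a tool CWS used; the passwd and group contents, the account names and the list of service accounts are constructed for the demonstration.

```python
# Constructed /etc/passwd and /etc/group contents modelled on the
# misconfiguration described above: a default database service account
# with an interactive shell and membership in the root group, plus a
# second account with UID 0.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
oracle:x:1001:1001:Oracle maintenance:/opt/oracle:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
author1:x:1002:1002:Web author:/home/author1:/bin/bash
"""
GROUP = """\
root:x:0:oracle
wheel:x:10:author1
oracle:x:1001:
"""

# Accounts that exist to run a service and should never log in interactively.
SERVICE_ACCOUNTS = {"daemon", "www-data", "oracle"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; real files can be read from disk."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
        entries.append({"name": name, "uid": int(uid), "gid": int(gid), "shell": shell})
    return entries


def parse_group(text):
    """Parse group(5) lines into {name: {gid, members}}."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def audit(passwd_text, group_text):
    """Return (finding, account) pairs for the conditions the paper describes."""
    findings = []
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    for u in users:
        # A second UID 0 is another root account under a different name.
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(("extra-uid0", u["name"]))
        # A service account with a real shell can log in over FTP or SSH.
        if u["name"] in SERVICE_ACCOUNTS and u["shell"] not in NOLOGIN_SHELLS:
            findings.append(("service-login-shell", u["name"]))
    root_gid = groups.get("root", {}).get("gid", 0)
    for u in users:
        if u["gid"] == root_gid and u["name"] != "root":
            findings.append(("root-primary-group", u["name"]))
    # Supplementary membership in group root, as happened with the oracle account.
    for member in groups.get("root", {}).get("members", []):
        if member != "root":
            findings.append(("root-group-member", member))
    return findings


if __name__ == "__main__":
    for finding, account in audit(PASSWD, GROUP):
        print(f"{finding}: {account}")
```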

Conclusions


Because of the wide range of software in place on the Central Web Services systems, monitoring them for security is a serious task. A total of 16 servers running 3 different operating systems are responsible for serving out more than 5 million requests per day for web pages, streaming video, and other documents published by members of the OSU community. On top of this normal service load, the system is highly visible and subject to frequent attacks.


Every piece of software analyzed in this paper has had some sort of security measure built in, whether it’s ColdFusion running on a virtual machine, or MySQL requiring credentials to connect to a database. This layering of security layer on security layer has worked very well. The present systems have been in place for more than six months: the two successful attacks in that time seem like a high number, until one considers the volume of intrusion attempts, the large number of services available on these machines, and the reliance on insecure protocols such as FTP.


CWS makes heavy use of open source software, as previously noted. Apache, PHP, MySQL, and Linux, arguably the most important pieces of software on the CWS systems, are all completely open source. Of the two successful intrusions to happen in the last year, one was possible due to a vulnerability in the Linux kernel that likely wouldn’t have been found had it been a closed source piece of software.


Based on the intrusions, and the vulnerability histories of the various applications on CWS, the biggest concern for CWS is safeguarding user credentials. Since most web applications have no real system privileges, it is the user accounts that can log in, create and remove files, and run programs that are most dangerous. The fact that most CWS users transmit their credentials over FTP should concern both them and the CWS administration, since all parties are likely to suffer damages when an attacker uses stolen credentials to compromise the system.


While it is the task of Central Web Services to make web content available on the internet, the responsibility for keeping this content secure is shared with all the authors on the system. Since their improper use of resources can lead to loss of security, education could ultimately be one of the most useful security precautions available.

Works Cited


[1] Central Web Services Administration and System Logs. cws-dev@lists.orst.edu. April-May 2003.

[2] Apache Software Foundation, “The Apache HTTP Server Project.” <http://httpd.apache.org/>. 03 June 2003.

[3] Apache Software Foundation, “The Jakarta Site - Apache Tomcat.” <http://jakarta.apache.org/tomcat/>. 03 June 2003.

[4] MySQL AB, “MySQL Database Server.” <http://www.mysql.com/products/mysql/index.html>. 03 June 2003.


Works Consulted


[5] A. Carasik, "Choosing the Best Solution for Your Network Security," IS Control Journal, 2001 vol. 3, pp. 33-39.

[6] J. Keiser, M. Reichenbach, "Evaluating Security Tools Towards Usable Security," IFIP 17th World Computer Congress, 2002, pp. 247-256.

[7] Macromedia Inc., “Macromedia - Macromedia ColdFusion MX.” <http://www.macromedia.com/software/coldfusion/>. 03 June 2003.

[8] S. Miltchev, S. Ioannidis, A. D. Keromytis, "A Study of the Relative Costs of Network Security Protocols," Proceedings of the FREENIX Track: 2002 USENIX Annual Technical Conference, 2002, pp. 41-48.

[9] K. Siau, K. Whitacre, "Internet and e-Business Security," Information Security Management; Global Challenges in the New Millennium, 2001, pp. 125-134.

[10] T. Singleton, "Managing the most critical Internet security vulnerabilities: one effective approach," EDPACS: the EDP audit, control and security newsletter, Aug. 2002, pp. 1-11.