Examples and descriptions of various common vulnerabilities
Microsoft Windows, the operating system most commonly used on systems connected to the Internet, contains multiple, severe vulnerabilities. The most commonly exploited are in IIS, MS-SQL, Internet Explorer, and the file serving and message processing services of the operating system itself.
A vulnerability in IIS, detailed in Microsoft Security Bulletin MS01-033, is one of the most exploited Windows vulnerabilities ever. A large number of network worms have been written over the years to exploit this vulnerability, including ‘CodeRed’. CodeRed was first detected on July 17th 2001, and is believed to have infected over 300,000 targets. It disrupted a large number of businesses, and caused huge financial losses around the world. Although Microsoft issued a patch for the vulnerability along with the MS01-033 security bulletin, some versions of the CodeRed worm are still spreading throughout the Internet.
The Spida network worm, detected almost a year after CodeRed appeared, relied on an exposure in MS-SQL server software package to spread. Some default installations of MS-SQL server did not have a password on the ‘SA’ system account. This allowed anyone with network access to the system to run random commands. When using this exposure, the worm configures the ‘Guest’ account to allow file sharing and uploads itself to the target. It then uses the same MS-SQL password-less ‘SA’ account access to launch a remote copy of itself, thus spreading the infection.
The Slammer network worm, detected in late January 2003, used an even more direct method to infect Windows systems running MS-SQL server: a buffer overflow vunerability in one of the UDP packet handling subroutines. As it was relatively small – 376 bytes – and used UDP, a communication protocol designed for the quick transmission of data, Slammer spread at an almost incredible rate. Some estimate the time taken for Slammer to spread across the world at as low as 15 minutes, infecting around 75,000 hosts.
These three notorious worms relied on vulnerabilities and exposures in software running on various versions of Microsoft Windows. However, the Lovesan worm, detected on 11th August 2003, used a much more severe buffer overflow in a core component of Windows itself to spread. This vulnerability is detailed in Microsoft Security Bulletin MS03-026.
Sasser, which first appeared at the beginning of May 2003, exploited another core component vulnerability, this time in the Local Security Authority Subsystem Service (LSASS). Information about the vulnerability was published in Microsoft Security Bulletin MS04-011. Sasser spread rapidly, and infected millions of computers world-wide, at an enormous cost to business. Many organizations and institutions were forced to suspend operations due to the network distruption caused by the worm.
Inevitably, all operating systems contain vulnerabilities and exposures which can be targeted by hackers and virus writers. Although Windows vulnerabilities receive the most publicity due to the number of machines running Windows, Unix has its own weak spots.
For years, one of the most popular exposures in the Unix world has been the ‘finger’ service. This service allows someone outside a network to see which users are logged on a certain machine or which location users are accessing the computer from. The ‘finger’ service is useful, but also exposes a great deal of information which can be used by hackers.
Here’s what a sample of a remote ‘finger’ report looks like:
Login Name Tty Idle Login Time Office Office Phone xenon pts/7 22:34 May 12 16:00 (chrome.chiba) polly pts/3 4d May 8 14:21 cracker DarkHacker pts/6 2d May 10 11:58
This shows that we can learn some interesting things about the remote machine using the finger server: there are three users logged in but two of them have been idle for more than two days, while the other one has been away from the computer for 22 minutes. Log-in names shown by the finger service can be used to try login/password combinations. This can quickly result in a system compromise, especially if users have based their passwords on their username, a relatively common practice.
The fingers service not only exposes important information about the server it is hosted on; it has been the target of many exploits, including the famous network worm written by Robert Morris Jr, which was released on November 2nd 1988. Most modern Unix distributions therefore come with this service disabled.
The ‘sendmail’ program, originally written by Eric Allman, is also another popular target for hackers. ‘Sendmail’ was developed to handle the transfer of email messages via the Internet. Due to the large number of operating systems and hardware configurations, ‘Sendmail’ grew into an extremely complex program, which has a long and notorious history of severe vulnerabilities. The Morris worm utilized a ‘sendmail’ exploit as well as the ‘finger’ vulnerability to spread.
There are many other popular exploits in the Unix world which target software packages such as SSH, Apache, WU-FTPD, BIND, IMAP/POP3, various parts of the kernels etc.
The exploits, vulnerabilities, and incidents listed above highlight an important fact. While the number of systems running IIS, MS-SQL or other specific software packages can by counted in the hundreds of thousands, the total number of systems running Windows is probably close to several hundred million. If all these machines were targeted by a worm or a hacker using an automated hacking tool, this would pose an extremely severe threat to the internal structure and stability of the Internet.