Information Leakage

Information leakage can be likened to leaky pipes.Whenever something comes
out, it is almost always undesirable and results in some sort of damage.
Information leakage is typically an abused resource that precludes attack. In the
same way that military generals rely on information from reconnaissance troops
that have penetrated enemy lines to observe the type of weapons, manpower, supplies,
and other resources possessed by the enemy, attackers enter the network to
perform the same tasks, gathering information about programs, operating systems,
and network design on the target network.
Service Information Leakage
Information leakage occurs in many forms. Banners are one example. Banners are
the text presented to a user when they attempt to log into a system via any one
of the many services. Banners can be found on such services as File Transfer
Protocol (FTP), secure shell (SSH), telnet, Simple Mail Transfer Protocol (SMTP),
and Post Office Protocol 3 (POP3). Many software packages for these services
happily yield version information to outside users in their default configuration.
Another similar problem is error messages. Services such as Web servers yield
more than ample information about themselves when an exception condition is
created. An exception condition is defined by a circumstance out of the ordinary,
such as a request for a page that does not exist, or a command that is not recognized.
In these situations, it is best to make use of the customizable error configurations
supplied, or create a workaround configuration. Observe Figure 2.4 for a
leaky error message from Apache.
Protocol Information Leakage
In addition to the previously mentioned cases of information leakage, there is also
what is termed protocol analysis. Protocol analysis exists in numerous forms. One
type of analysis is using the constraints of a protocol’s design against a system to
yield information about a system. Observe this FTP system type query:
elliptic@ellipse:~$ telnet parabola.cipherpunks.com 21
Trying 192.168.1.2...
Connected to parabola.cipherpunks.com.
Escape character is '^]'.
220 parabola FTP server (Version: 9.2.1-4) ready.
SYST
215 UNIX Type: L8 Version: SUNOS
www.syngress.com
Figure 2.4 An HTTP Server Revealing Version Information
40 Chapter 2 • Classes of Attack
This problem also manifests itself in such services as HTTP. Observe the
leakage of information through the HTTP HEAD command:
elliptic@ellipse:~$ telnet www.cipherpunks.com 80
Trying 192.168.1.2...
Connected to www.cipherpunks.com.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Wed, 05 Dec 2001 11:25:13 GMT
Server: Apache/1.3.22 (Unix)
Last-Modified: Wed, 28 Nov 2001 22:03:44 GMT
ETag: "30438-44f-3c055f40"
Accept-Ranges: bytes
Content-Length: 1103
Connection: close
Content-Type: text/html
Connection closed by foreign host.
Attackers also perform protocol analysis through a number of other methods.
One such method is the analysis of responses to IP packets, an attack based on
the previously mentioned concept, but working on a lower level. Automated
tools, such as the Network Mapper, or Nmap, provide an easy-to-use utility
designed to gather information about a target system, including publicly reachable
ports on the system, and the operating system of the target. Observe the
output from an Nmap scan:
elliptic@ellipse:~$ nmap -sS -O parabola.cipherpunks.com
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on parabola.cipherpunks.com (192.168.1.2):
(The 1533 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
Remote operating system guess: Solaris 2.6 - 2.7
Uptime 5.873 days (since Thu Nov 29 08:03:04 2001)
Nmap run completed -- 1 IP address (1 host up) scanned in 67 seconds
First, let’s explain the flags (also known as options) used to scan parabola.The sS
flag uses a SYN scan, exercising half-open connections to determine which ports
are open on the host.The O flag tells Nmap to identify the operating system, if
possible, based on known responses stored in a database.As you can see, Nmap was
able to identify all open ports on the system, and accurately guess the operating
system of parabola (which is actually a Solaris 7 system running on a Sparc).
All of these types of problems present information leakage, which could lead
to an attacker gaining more than ample information about your network to
launch a strategic attack.
Leaky by Design
This overall problem is not specific to system identification. Some programs happily
and willingly yield sensitive information about network design. Protocols
such as Simple Network Management Protocol (SNMP) use clear text communication
to interact with other systems.To make matters worse, many SNMP
implementations yield information about network design with minimal or easily
guessed authentication requirements, ala community strings.
Sadly, SNMP is still commonly used. Systems such as Cisco routers are
capable of SNMP. Some operating systems, such as Solaris, install and start SNMP
facilities by default. Aside from the other various vulnerabilities found in these
programs, their default use is plain bad practice.
Leaky Web Servers
We previously mentioned some Web servers telling intrusive users about themselves
in some scenarios.This is further complicated when things such as PHP,
Common Gateway Interface (CGI), and powerful search engines are used. Like
any other tool, these tools can be used in a constructive and creative way, or they
can be used to harm.
Things such as PHP, CGI, and search engines can be used to create interactive
Web experiences, facilitate commerce, and create customizable environments for
users.These infrastructures can also be used for malicious deeds if poorly
designed. A quick view of the Attack Registry and Intelligence Service (ARIS)
shows the number three type of attack as the “Generic Directory Traversal
Attack” (preceded only by the ISAPI and cmd.exe attacks, which, as of the time
of current writing, are big with the Code Red and Nimda variants).This is, of
course, the dot-dot (..) attack, or the relative path attack (…) exercised by
including dots within the URL to see if one can escape a directory and attain a
listing, or execute programs on the Web server.
Scripts that permit the traversal of directories not only allow one to escape
the current directory and view a listing of files on the system, but they allow an
attacker to read any file readable by the HTTP server processes ownership and
group membership.This could allow a user to gain access to the passwd file in
/etc or other nonprivileged files on UNIX systems, or on other implementations,
such as Microsoft Windows OSs, which could lead to the reading of (and, potentially,
writing to) privileged files.Any of the data from this type of attack could
be used to launch a more organized, strategic attack.Web scripts and applications
should be the topic of diligent review prior to deployment.
A Hypothetical Scenario
Other programs, such as Sendmail, will in many default implementations yield
information about users on the system.To make matters worse, these programs
use the user database as a directory for e-mail addresses. Although some folks may
scoff at the idea of this being information leakage, take the following example
into account.
A small town has two Internet service providers (ISPs). ISP A is a newer ISP,
and has experienced a significant growth in customer base. ISP B is the older ISP
in town, with the larger percentage of customers. ISP B is fighting an all-out war
with ISP A, obviously because ISP A is cutting into their market, and starting to gain ground on ISP B. ISP A, however, has smarter administrators that have taken
advantage of various facilities to keep users from gaining access to sensitive information,
using tricks such as hosting mail on a separate server, using different logins
on the shell server to prevent users from gaining access to the database of mail
addresses. ISP B, however, did not take such precautions. One day, the staff of ISP
A gets a bright idea, and obtains an account with ISP B.This account gives them a
shell on ISP B’s mail server, from which the passwd file is promptly snatched, and
all of its users mailed about a great new deal at ISP A offering them no setup fee
to change providers, and a significant discount under ISP B’s current charges.
As you can see, the leakage of this type of information can not only impact
the security of systems, it can possibly bankrupt a business. Suppose that a company
gained access to the information systems of their competitor.What is to
stop them from stealing, lying, cheating, and doing everything they can to undermine
their competition? The days of Internet innocence are over, if they were
ever present at all.
Why Be Concerned with Information Leakage?
Some groups are not concerned with information leakage.Their reasons for this
are varied, including reasons such as the leakage of information can never be
stopped, or that not yielding certain types of information from servers will break
compliance with clients.This also includes the fingerprinting of systems, performed
by matching a set of known responses by a system type to a table identifying
the operating system of the host.
Any intelligently designed operating system will at least give the option of
either preventing fingerprinting, or creating a fingerprint difficult to identify
without significant overhaul. Some go so far as to even allow the option of
sending bogus fingerprints to overly intrusive hosts.The reasons for this are clear.
Referring back to our previous scenario about military reconnaissance, any group
that knows they are going to be attacked are going to make their best effort to
conceal as much information about themselves as possible, in order to gain the
advantage of secrecy and surprise.This could mean moving, camouflaging, or
hiding troops, hiding physical resources, encrypting communications, and so
forth.This limiting of information leakage leaves the enemy to draw their own
conclusions with little information, thus increasing the margin of error.
Just like an army risking attack by a formidable enemy, you must do your best
to conceal your network resources from information leakage and intelligence gathering.
Any valid information the attacker gains about one’s position and perimeter
gives the attacker intelligence from which they may draw conclusions and fabricate
a strategy. Sealing the leakage of information forces the attacker to take more intrusive
steps to gain information, increasing the probability of detection.

0 comments: