Hacking
| Name | Type | Impact | Description |
| --- | --- | --- | --- |
| Detection | discovery | 1 | Numerous port scanning tools are available to download. |
| SNMP | discovery | 4 | SNMP v1 is insecure. This version uses passwords, or community names, to enforce security. SNMP v2 uses MD5 to authenticate transmissions between SNMP servers and agents; however, this did not replace the simple password mechanism. |
| Default Accounts | back doors | 5 | Network devices are usually shipped with a default user or administrator username and password. |
| Lower the Gates | back doors | 5 | Some known vulnerabilities are: Cisco's Write MIB, Cisco Weak Encryption, TFTP Downloads. |
| Detecting the Media | shared media | 1 | On a shared bus (the CSMA/CD used by Ethernet), traffic for one destination is delivered to every node on the segment, which lets hackers sniff the network. |
| Capturing SNMP Information | shared media | 1 | Hackers find out the community string by sniffing SNMP traffic. |
| SNMP Sets | SNMP set | 5 | Once the router's read/write community string is known, hackers can inject SNMP set requests into the network devices, adding static routes, rerouting traffic, etc. |
| RIP Spoofing | RIP spoofing | 5 | A router using Routing Information Protocol (RIP) v1 does not require authentication when updating its routing tables. |
Note: High = 5 <---> Low = 1
| Name | Access | Impact | Description |
| --- | --- | --- | --- |
| Brute Force Attacks | remote | 4 | Guessing the user ID / password on a service. The most common types of service include: Telnet, FTP, rlogin, rsh, SSH, POP, and HTTP. |
| Buffer Overflow Attacks | remote | 5 | A buffer overflow error causes a segment partition violation. This type of vulnerability is usually associated with specific C functions such as strcpy(), strcat(), and sprintf(). |
| Input Validation Attacks | remote | 4 | Some programs do not properly parse and validate the input they receive. For example, the PHF script found in early versions of the Apache Web server and NCSA HTTPD accepted the newline character %0a and executed any subsequent commands with the privileges of the user ID running the Web server. An input validation attack occurs when: |
| X Windows | remote | 4 | The "-display" option of xterm allows a hacker to redirect a command shell to a remote server. |
| Reverse Telnet and Back Channels | remote | 4 | netcat (nc) listeners on the hacker's system accept a reverse telnet connection from the target system. A reverse telnet is set up by exploiting a script vulnerability, for example the PHF script. |
| TFTP | remote | 2 | Trivial File Transfer Protocol (TFTP) is a UDP-based protocol used to boot diskless workstations. It listens on port 69 and provides very little security. A hacker will locate a system with a TFTP server enabled and attempt to TFTP a copy of the /etc/passwd file back to their own system. |
| FTP | remote | 4 | FTP is often abused to gain access to a remote system or to store illegal files. |
| Sendmail | remote | 5 | The program has improved vastly over the years, but the chance of finding additional vulnerabilities in its 80,000+ lines of code is still high. |
| Remote Procedure Call Services | remote | 5 | RPC was designed to interoperate with the Network Information System (NIS) and Network File System (NFS). Many RPC services run with root privileges, so a successful buffer overflow or input validation attack leads directly to root access. Moreover, the legacy framework had little security built in. |
| NFS | remote | 4 | If a file handle is sniffed or guessed, remote attackers can easily access the files on the remote system. Another common NFS vulnerability is a misconfiguration that exports the file system to everyone. |
| X Security Level | remote | 3 | X security is an all-or-nothing approach. As a matter of convenience, a system administrator will issue "xhost +", allowing unauthenticated access to the X server by any local or remote user. Many PC-based X servers default to xhost +. |
| Password Composition Vulnerabilities | local | 5 | Also known as the Automated Dictionary Attack. While brute-force guessing is considered an active attack, password cracking can be done offline and is passive in nature. It is a local attack because the hacker must first obtain access to the /etc/passwd file or the shadow password file. |
| Local Buffer Overflow | local | 5 | A buffer overflow condition was found in libc relating to the environment variable LC_MESSAGES. Any SUID program that is dynamically linked to libc and honors LC_MESSAGES is subject to a buffer overflow attack. |
| Symbolic Link | local | 5 | Problems happen when programs blindly follow symbolic links to other files. For example, Dtappgather would blindly follow a hacker's symbolic link to /etc/passwd and change the ownership of the file to the hacker's user ID. The hacker can add a 0 UID (root-equivalent) account to the password file if the ownership of both /etc/passwd and /etc/shadow is changed to their user ID. |
| File Descriptor Attacks | local | 5 | When the kernel opens an existing file or creates a new file, it returns a file descriptor that a program can use to read or write that file. OpenBSD 2.3 was once vulnerable to a file descriptor allocation attack: the chpass command, used to modify some of the information stored in the password file, did not allocate file descriptors correctly. In the attack, the hacker modifies the temporary file /tmp/ptmp used by chpass, adding a 0 UID account with no password. |
| Race Conditions | local | 5 | Timing the attack to abuse the program or process after it enters a privileged mode but before it gives up its privileges. Example: signal handling issues, such as the wu-ftpd v2.4 signal handling vulnerability. |
| Core-File Manipulation | local | 2 | FTPD allowed hackers to make the FTP server write a world-readable core file to the root directory if the PASV command was issued before logging in to the server. The core file contained portions of the shadow password file and, in many cases, users' password hashes. |
| Shared Libraries | local | 5 | If hackers are able to modify a shared library, or provide an alternate shared library via an environment variable, they can gain root access. Example: the in.telnetd environment vulnerability. |
| File and Directory Permissions | local | 4 | The two biggest avenues of abuse relate to SUID root files and world-writable files. |
| Shell Attacks | local | 4 | Example: the IFS (Internal Field Separator) attack. If a hacker can manipulate the IFS variable, they may be able to trick a SUID program into executing a Trojan that then runs with root privileges. |
| Rootkits | local | 5 | A hacker's UNIX rootkit consists of four groups of tools: |
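The Symbolic Link, File Descriptor and Race Conditions rows share one root cause: a privileged program trusts a path name that another local user can re-point between the check and the use. The C helpers below are an added example (not code from the page) showing the defensive pattern: refuse to follow links, validate the descriptor that was actually opened, create temporary files exclusively, and change ownership through the descriptor rather than the name. The function names open_nofollow, create_exclusive and chown_opened are this example's own.

```c
#define _GNU_SOURCE /* for O_NOFOLLOW and fchown() under strict -std modes */
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open an existing file for writing without following a symbolic link in
 * the final path component, then validate the object that was actually
 * opened. Returns a descriptor, or -1 with errno set (ELOOP for a link). */
int open_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;
    /* Inspect the descriptor, not the name: a name can be re-pointed between
     * a stat() and the open() that follows it (a race); a descriptor cannot. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM; /* not a plain file, or also hard-linked elsewhere */
        return -1;
    }
    return fd;
}

/* Create PATH as a brand-new file for temporary data. O_EXCL makes the call
 * fail if anything already exists at that name, a pre-planted link included,
 * so the program never writes through a file prepared by someone else.
 * Returns a descriptor, or -1 with errno set (EEXIST if the name is taken). */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Ownership changes go through the descriptor for the same reason:
 * chown(path) re-resolves the name, fchown(fd) acts on the validated file. */
int chown_opened(int fd, uid_t uid, gid_t gid)
{
    return fchown(fd, uid, gid);
}
```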
Note: High = 5 <---> Low = 1
| Name | Type | Impact | Description |
| --- | --- | --- | --- |
| Web pages as the information source | Web Pilfering | 1 | Sometimes quite a lot of system information can be read from the HTML / JavaScript sources, e.g., src paths and comments that contain valuable information. Moreover, instead of going through the Web pages one by one, hackers use custom Perl scripts or automated tools to crawl a web server and search for certain keywords. |
| Automated Scripts | vulnerabilities | 2 | Vulnerability scanning scripts help hackers find the known holes of the Web servers they are going to attack. |
| Automated Applications | vulnerabilities | 2 | Unlike the automated scripts, these run serially and manually. They are used for smaller networks and targeted servers, e.g. Sitescan and Grinder. |
| IIS 4.0 MDAC RDS Vulnerability | input invalid | 5 | A weakness in the Remote Data Service (RDS) component of Microsoft Data Access Components (MDAC) allows the hacker to execute arbitrary code on affected servers. |
| CGI Vulnerability | input invalid | 5 | Examples: Phone Book Script (PHF), Irix CGI problems, etc. |
| ASP Vulnerability | input invalid | 3 | Examples: ASP Dot Bug, ASP Alternate Data Stream, etc. |
| Cold Fusion Vulnerability | input invalid | 4 | Sample code that comes with the software does not limit its interactions to localhost only, e.g., the openfile.cfm file. This file allows a hacker to upload any file to the Web server. |
| PHP Vulnerability | buffer overflow | 5 | A buffer overflow bug was found in php.cgi 2.0beta10 or earlier, distributed with the NCSA HTTPD server. |
| Misuse of Hidden Tags | poor web design | 3 | Example: using hidden HTML tags to carry the price of an item offered for sale online. Another example: the hacker changes the width value of fields to a large number and submits a large string of characters; the server may respond strangely. |
| Server Side Includes (SSIs) | poor web design | 5 | A large number of SSI tags are available, including echo, include, fsize, flastmod, exec, config, odbc, email, if, goto, label and break. |
| Appending to Files | poor web design | 3 | For example, if submitted comments are displayed to other visitors, the hacker can submit JavaScript code that prompts onlooking users for their username and password. |
Note: High = 5 <---> Low = 1