=========Vulnerability Research================

Looking for vulnerabilities and exploiting them tends to be the longest
and most laborious part of an ethical hack. However, you are more
likely to gain elevated access to a system by exploiting a vulnerability
in an application or service than by any other method.
Publicly known vulnerabilities are announced in two main ways:
• Fix Advisories
• Full disclosure Advisories

Fix Advisories
Fix advisories warn of a vulnerability but will not necessarily contain
the actual exploit code for it. They usually advise the recipient that an
exploit exists for a certain vulnerability and provide details of how to
resolve the issue. These announcements are usually made in conjunction
with the software developer.

Full Disclosure Advisories
There are a number of full disclosure mailing lists open to public
subscription, the best known of which is Bugtraq. In addition to warning
of a vulnerability in a product, these advisories often contain details of
how to exploit it, either in the form of source code or, in the case of
HTTP vulnerabilities, the exact data to send to port 80 on the vulnerable
machine.

Application Errors
One of the most common ways to exploit a system is to take advantage
of application errors. For instance, an old version of the UNIX sendmail
SMTP server allows any file on the remote system (e.g. the shadowed
password file) to be e-mailed to an attacker.
More recently, an old bug has resurfaced thanks to the growing number
of HTTP interfaces to various applications. This bug is known as the
root-bug. In effect, the vulnerability allows you to read any file on the
remote file system, irrespective of whether or not the requested file is
within the webroot directory. One of the most common applications open
to the vulnerability is Compaq's Insight Manager 'utility'.
If an administrator on the remote system has run the rdisk utility, then
simply requesting http://victim:2301/../../../winnt/repair/sam._
allows the attacker to retrieve the remote system's SAM file (in
compressed form). This can then easily be imported into a tool such as
L0phtcrack and the account details and passwords recovered.
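The flaw behind the root-bug is that the requested URL path is appended to the webroot without checking that the result still lies inside it. The following is an added example (not code from the page or from Compaq's product) showing that naive join beside a hardened resolver that normalises the path and rejects anything escaping the root; the webroot and the request paths are constructed for the demo.

```python
import posixpath
from urllib.parse import unquote

# Constructed webroot for the demo; nothing here touches the real filesystem.
WEBROOT = "/srv/insight/htdocs"


def resolve_naive(webroot: str, request_path: str) -> str:
    """The flawed pattern: the URL path is glued onto the webroot with no
    normalisation, so '..' segments walk straight out of the directory."""
    return webroot + request_path


def resolve_safe(webroot: str, request_path: str):
    """Decode, normalise and confirm the result is still under the webroot.
    Returns the resolved path, or None when the request escapes the root.
    (On a live server, follow this with realpath() to defeat symlinks.)"""
    decoded = unquote(request_path.split("?", 1)[0])  # drop query, undo %-encoding
    if "\x00" in decoded:                             # NUL would truncate a C path
        return None
    decoded = decoded.replace("\\", "/").lstrip("/")   # treat backslash as separator
    root = posixpath.normpath(webroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if candidate != root and not candidate.startswith(root + "/"):
        return None                                   # escaped the webroot
    return candidate


def classify_requests(webroot: str, paths):
    """Label each request path as 'ok' or 'blocked' by the hardened resolver."""
    return [(p, "ok" if resolve_safe(webroot, p) is not None else "blocked")
            for p in paths]


if __name__ == "__main__":
    # Constructed sample requests: one ordinary page, one legitimate use of
    # '..' that stays inside the root, and the traversal path from the text.
    sample = ["/index.html", "/docs/../index.html",
              "/../../../winnt/repair/sam._"]
    for path, verdict in classify_requests(WEBROOT, sample):
        print(f"{verdict:8} naive={resolve_naive(WEBROOT, path)}"
              f"  safe={resolve_safe(WEBROOT, path)}")
```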
There are two main ways to discover application errors:
• Automated Tools
• Manual Checking
