where an attacker A on host H launches a remote SSHd attack against a victim host V.
$$a_1, a_2, a_3 \xrightarrow{\delta_2} c_1 ; d_1$$
where: $a_1 = reachable(H, V, 22)$, $a_2 = service(\text{vul-SSHd}, 22, root, V)$, $a_3 = sh(A, l_1, H)$, $c_1 = sh(A, root, V)$, and $d_1 = service(\text{vul-SSHd}, 22, root, V)$.
Remote Buffer Overflow Exploit in Sendmail
A popular message transfer agent, Sendmail, can be remotely compromised, allowing an attacker to gain root-level privilege on a remote victim's host [2]. A malicious custom e-mail message is sent to the victim's machine V, which overflows the victim mail server's buffer. We model this exploit as a rule $\delta_3$. An attacker A launches the exploit from his machine H.
$$a_1, a_2, a_3 \xrightarrow{\delta_3} c_1$$
where: $a_1 = reachable(H, V, 25)$, $a_2 = service(\text{vul-Sendmail}, 25, l_1, V)$, $a_3 = sh(A, l_2, H)$, and $c_1 = sh(A, l_1, V)$.
Anonymous FTP .rhosts Remote Login Exploit
The purpose of the FTP .rhosts file attack is to obtain a trust relationship between two hosts, say H and V, as described in [15,6]. The FTP vulnerability allows an attacker A to write/overwrite any files in the home directory of an FTP user F. This permits an attacker to create/modify a .rhosts file in the FTP home directory on host V, and thus to masquerade as a legitimate user of the system without the need for a password. We model the FTP .rhosts attack as a transition rule $\delta_4$.
$$a_1, a_2, a_3, a_4 \xrightarrow{\delta_4} c_1$$
where: $a_1 = sh(A, l_1, H)$, $a_2 = service(\text{vul-FTP}, 21, l_2, V)$, $a_3 = reachable(H, V, 21)$, $a_4 = \text{writable-ftp-home-dir}(F, l_3, V)$, and $c_1 = rshTrust(H, l_3, V)$.
And finally, we model the remote login trust exploit as a transition rule $\delta_5$.
$$a_1, a_2, a_3 \xrightarrow{\delta_5} c_1$$
where: $a_1 = sh(A, l_1, H)$, $a_2 = rshTrust(H, l_3, V)$, $a_3 = reachable(H, V, \text{.rlogin})$, and $c_1 = sh(A, l_3, V)$.
Chaining of Exploits. Let $= \{\delta_1, \delta_2, \delta_3, \delta_4, \delta_5\}$, where the rules $\delta$'s are as described above. These exploits can be chained together as illustrated in Figure 1, depicting two simple attack paths. A firewall with only two ports in an open state, ports 25 and 53, isolates the internal hosts from the external (Internet) hosts. That is, the firewall only allows DNS and mail network packets into the network. Also, note that the critical server (CS) and DBMS host are not directly accessible from outside the network. This can be represented by the following reachability predicates:
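As an added example (not code from the paper), the rules $\delta_2$ to $\delta_5$ above are encoded as precondition/postcondition templates and forward-chained over a constructed initial state, so that a defender can ask which shells an attacker can reach and through which rules; the host names H, V, CS, the user names, the short rule labels d2 to d5, and the open-port layout are assumptions chosen to mirror the firewall scenario in the text.

```python
from itertools import product

def unify(pattern, fact, b):
    """Extend bindings b so that pattern (variables start with '?') equals fact; None on mismatch."""
    if len(pattern) != len(fact):
        return None
    b = dict(b)
    for p, f in zip(pattern, fact):
        var = isinstance(p, str) and p.startswith("?")
        if (b.setdefault(p, f) if var else p) != f:
            return None
    return b

# Transition rules delta_2 .. delta_5 from the text as (label, preconditions, postconditions).
RULES = [
    ("d2", [("reachable", "?H", "?V", 22), ("service", "vul-SSHd", 22, "root", "?V"), ("sh", "?A", "?l1", "?H")], [("sh", "?A", "root", "?V")]),
    ("d3", [("reachable", "?H", "?V", 25), ("service", "vul-Sendmail", 25, "?l1", "?V"), ("sh", "?A", "?l2", "?H")], [("sh", "?A", "?l1", "?V")]),
    ("d4", [("sh", "?A", "?l1", "?H"), ("service", "vul-FTP", 21, "?l2", "?V"), ("reachable", "?H", "?V", 21), ("writable-ftp-home-dir", "?F", "?l3", "?V")], [("rshTrust", "?H", "?l3", "?V")]),
    ("d5", [("sh", "?A", "?l1", "?H"), ("rshTrust", "?H", "?l3", "?V"), ("reachable", "?H", "?V", ".rlogin")], [("sh", "?A", "?l3", "?V")]),
]

# Constructed initial state (assumed hosts/users): the firewall admits only SMTP to mail host V; CS is reachable only from V.
FACTS = {
    ("sh", "A", "alice", "H"),                     # attacker A holds a shell as user alice on external host H
    ("reachable", "H", "V", 25),                   # port 25 is open through the firewall
    ("service", "vul-Sendmail", 25, "root", "V"),  # vulnerable Sendmail runs as root on V
    ("reachable", "V", "CS", 22),                  # internal path from V to the critical server CS
    ("service", "vul-SSHd", 22, "root", "CS"),     # vulnerable SSHd on CS
}

def chain(facts):
    """Forward-chain RULES to a fixpoint; returns {fact: None (initial) or (rule label, supporting facts)}."""
    derived, changed = {f: None for f in facts}, True
    while changed:
        changed = False
        for name, pre, post in RULES:
            for used in product(*[list(derived)] * len(pre)):  # every candidate tuple of facts
                b = {}
                for p, f in zip(pre, used):
                    b = b if b is None else unify(p, f, b)
                for q in post if b is not None else ():
                    new = tuple(b.get(t, t) for t in q)      # instantiate the postcondition
                    if new not in derived:
                        derived[new], changed = (name, used), True
    return derived

def attack_path(derived, goal):
    """Ordered (rule label, derived fact) steps that reach goal, or None if goal is not derivable."""
    if goal not in derived: return None
    if derived[goal] is None: return []        # an initial fact needs no exploit
    name, used = derived[goal]
    steps = [s for u in used for s in attack_path(derived, u)]
    return list(dict.fromkeys(steps + [(name, goal)]))  # drop shared sub-derivations, keep order
```

Deleting the internal reachable(V, CS, 22) fact from FACTS makes sh(A, root, CS) underivable, which is the isolation property the firewall discussion relies on.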