Dude this happens all the time. It's the essence of a hack.

Case 1.

1. Webserver on the DMZ is running an older version of IIS that is vulnerable to *insert your buffer overflow here*. Attacker inserts trojan and creates some variable that will either force the server to reboot or make the admin reboot (maybe a DoS of some sort to trick a dumb netadmin). Upon reboot, trojan is executed and attacker has full access to the DMZ server.

2. Let's say hypothetically that the firewall has been mis-configured by a sloppy netadmin who decided to choose ANY for the source and destination interfaces to allow the DMZ server to access the internal LAN via port 21 for uploading FTP files from an internal node. Now attacker has the option to upload a trojan to the node on the internal LAN. Let's also say that trojan.a has the ability to set up terminal services on this box as well as change the default listening port to 21. Voila. Attacker has basically exploited numerous vulnerabilities and gained access to your internal LAN.

Case 2.

1. Citrix server set up for remote access. The box hasn't been patched in a while. Stale username set up and attacker gains access to a user account. Using privilege escalation via Debploit (sploit that calls the Windows session manager debugging subsystem to attach to a priv process), he now gains access to the local system account and creates himself a nice admin account.

2. The Citrix server is not in a DMZ. Now that the attacker has access to cmd.exe he/she decides to run kaht.exe on the local LAN, an RPC DCOM scanner and sploiter. He finds 20 vulnerable boxes, gains access to 10 of them. One happens to be the payroll server. Case closed.

This topic actually does not belong in the bugtraq mailing list. It should be on firewalls or security.

-----Original Message-----
From: Sudhakar-bugtraq Govindavajhala [mailto:sudhakar@CS.Princeton.EDU]
Sent: Thursday, April 29, 2004 7:36 PM
To: bugtraq@securityfocus.com
Subject: Multi stage attacks on networks?
Hi,

I am a Ph.D. student studying network security at Princeton University. I am trying to see if an attacker can use a series of vulnerabilities to take over a particular resource. Has there been prior work on this topic earlier? Can someone give me a real example where the adversary actually uses a series of vulnerabilities to break into a resource? Maybe he uses the webserver in the DMZ and then uses it to get access to a fileserver and then uses it to compromise something else?

Thanks for your time,
Sudhakar.

Sudhakar Govindavajhala
Department of Computer Science
Graduate Student, Princeton University
(o) +1 609 258 1798
http://www.cs.princeton.edu/~sudhakar
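The original question asks how to reason about an attacker chaining vulnerabilities across hosts, and the reply's Case 1 (IIS hole on the DMZ web server, then an ANY/ANY firewall rule on port 21 into the LAN) is exactly the kind of chain a small attack-graph model can expose before an attacker does. The following is an added example written for this thread, not code from either poster: it models hosts, zones, exposed weaknesses and firewall rules as constructed data mirroring Case 1, searches for a chain from the Internet to a payroll server, and flags wildcard-destination rules. Host names, the zone topology (Internet-DMZ-LAN) and the three rule sets are assumptions made for illustration. It generalizes the reply's story slightly by also showing that merely pinning the sloppy rule to specific hosts does not break the chain while the DMZ is still allowed to initiate connections inward; reversing the direction does.

```python
"""Attack-path search over a constructed DMZ/LAN model (added example)."""
from collections import deque

ANY = "ANY"

# Constructed inventory: host -> zone and the weaknesses it exposes (port -> note).
HOSTS = {
    "internet":    {"zone": "internet", "vulns": {}},
    "dmz-web":     {"zone": "dmz", "vulns": {80: "old IIS, buffer overflow"}},
    "lan-ftp":     {"zone": "lan", "vulns": {21: "FTP upload accepted, trojan can be dropped"}},
    "lan-payroll": {"zone": "lan", "vulns": {135: "unpatched RPC DCOM"}},
}

# Assumed topology: a firewall sits between adjacent zones; non-adjacent zones
# have no route at all, so the Internet can only ever reach the LAN via the DMZ.
ZONE_LINKS = {frozenset({"internet", "dmz"}), frozenset({"dmz", "lan"})}


def _matches(field, host):
    """A rule field may name a host, a zone, or ANY."""
    return field == ANY or field == host or field == HOSTS[host]["zone"]


def rule_allows(rules, src, dst, port):
    """True if src may open a connection to dst:port.

    Traffic inside one zone is unfiltered; cross-zone traffic needs an adjacent
    zone pair plus at least one matching allow rule (src, dst, port)."""
    zs, zd = HOSTS[src]["zone"], HOSTS[dst]["zone"]
    if zs == zd:
        return True
    if frozenset({zs, zd}) not in ZONE_LINKS:
        return False
    return any(
        _matches(r_src, src) and _matches(r_dst, dst) and r_port in (ANY, port)
        for r_src, r_dst, r_port in rules
    )


def attack_paths(rules, start, target):
    """Breadth-first search: from a compromised host the attacker can take any
    host whose weak port is reachable through the firewall from that host.
    Returns the hop list [(host, port, weakness), ...] to target, or None."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        cur, path = queue.popleft()
        if cur == target:
            return path
        for nxt, info in HOSTS.items():
            if nxt in seen:
                continue
            for port, weakness in info["vulns"].items():
                if rule_allows(rules, cur, nxt, port):
                    seen.add(nxt)
                    queue.append((nxt, path + [(nxt, port, weakness)]))
                    break
    return None


def wildcard_rules(rules):
    """Configuration check: rules whose destination is ANY let a single
    compromised host reach every host behind the firewall on that port."""
    return [r for r in rules if r[1] == ANY]


# Three constructed rule sets for the DMZ/LAN firewall (the public web rule is common).
PUBLIC_WEB = (ANY, "dmz-web", 80)
SLOPPY = [PUBLIC_WEB, (ANY, ANY, 21)]                        # the reply's Case 1
PINNED_INWARD = [PUBLIC_WEB, ("dmz-web", "lan-ftp", 21)]     # hosts pinned, DMZ still initiates
INTENDED = [PUBLIC_WEB, ("lan-ftp", "dmz-web", 21)]          # LAN node pushes files out to the DMZ


def compare_rulesets():
    """Summarise each rule set as (chain of hosts to payroll or None, wildcard rules)."""
    out = {}
    for name, rules in (("sloppy", SLOPPY), ("pinned_inward", PINNED_INWARD), ("intended", INTENDED)):
        path = attack_paths(rules, "internet", "lan-payroll")
        out[name] = ([h for h, _, _ in path] if path else None, wildcard_rules(rules))
    return out


if __name__ == "__main__":
    for name, (chain, wild) in compare_rulesets().items():
        print(f"{name:14s} chain={chain} wildcard_rules={wild}")
```

The point a firewall reviewer takes from running this is that the dangerous property is not the wildcard alone but the direction: any rule that lets a DMZ host initiate connections into the LAN turns every DMZ compromise into a LAN foothold, and the same-zone hop from the FTP node to the payroll server (the reply's Case 2 RPC DCOM sweep) needs no firewall rule at all.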