
Misusing Open Services on the Internet Jelte Fennema Ben de Graaff - PowerPoint PPT Presentation

Outline: Introduction, Approach, Proof of concept, Results, Scanning the Internet, Conclusion, References


  1. Misusing Open Services on the Internet
     Jelte Fennema, Ben de Graaff
     University of Amsterdam
     Supervisor: Rick van Galen (KPMG)
     February 3, 2016

  2. Introduction
     Open service: no authentication or default credentials
     Relevant: more than 35,000 open MongoDB instances, exposing 685 TB (last December [1])
     More than just data leaks – example: botnet command and control
     Misusing Open Services on the Internet 2/24 Jelte Fennema, Ben de Graaff

  3. A problem for devops and software developers
     “Memcached does not spend much, if any, effort in ensuring its defensibility from random Internet connections. So you must not expose Memcached directly to the Internet.” – Memcached documentation
     “Everybody has privileges to do anything. Neat.” — CouchDB security documentation

  4. Research goals
     ◮ What are settings that lead to exploitable services?
     ◮ What are the operations required when exploiting an open service as a command & control server?
     ◮ What are best practices for default configurations and authentication?


  6. Approach
     For various software packages...
     ◮ Examine configuration (weaknesses?)
     ◮ Tool to scan level of access
     ◮ Proof of concept: botnet command & control
     Scanning the Internet
     ◮ Shodan
     ◮ ZMap and our own scan tool

  11. Software classes
     ◮ Relational databases: MySQL, MariaDB, PostgreSQL
     ◮ NoSQL databases: MongoDB, CouchDB
     ◮ Key-value store: Redis, Memcached
     ◮ Message queue: RabbitMQ
     ◮ Printing protocols: CUPS (and IPP printers)

  12. Proof of concept
     Simple botnet simulation (communication channel):
     ◮ Botnet operator sends signed commands to one bot or all bots
     ◮ Bots execute commands, write back encrypted results
     Diagram (after a setup step, per command): Operator writes command → Bot reads command → Bot writes result → Operator reads result

  13. Impact on the Internet
     What is the impact on the Internet?
     Is configuration security a factor?

  19. Configuration security

     Table 1: Comparison of security settings for the software packages

                                  PostgreSQL  Memcached  RabbitMQ  MongoDB  CouchDB  MySQL  CUPS  Redis
     Localhost (in config)        Y           Y          Y         N        Y        Y      N     N
     Not public (default)         Y           N          Y         N        Y        N      N     N
     Authentication by default    Y           Y          Y         Y        N        N      N     N
     No public creds or anon      Y           Y          Y         Y        N        N      N     N
     Host-based access control    Y           Y          Y         Y        N        N      N     N
     Authentication always on     N           Y          N         Y        N        N      N     N
     Minimal steps to make open   3           2          3         1        1        1      0     0
     Steps to make public/secure  3           2          3         1        3        3      1     2
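As an added illustration (not code from the slides or the authors' scan tool), the following Python check applies the first rows of Table 1, "localhost in config" and "authentication by default", to the text of a redis.conf and a mongod.conf, and counts how many of those two settings still have to change. The directive names (`bind`, `requirepass`, `net.bindIp`, `net.bindIpAll`, `security.authorization`) are the real upstream ones; the sample configurations are constructed.

```python
import re

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _report(localhost_only: bool, auth_enabled: bool) -> dict:
    # One "step" per setting that still has to change, in the spirit of the
    # "steps to make public/secure" row (the slides' counts use more criteria).
    return {
        "localhost_only": localhost_only,
        "auth_enabled": auth_enabled,
        "steps_to_secure": int(not localhost_only) + int(not auth_enabled),
    }


def audit_redis(conf: str) -> dict:
    """redis.conf text: `bind` interfaces and a non-empty `requirepass`."""
    binds, auth = [], False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # a commented-out line does not count
        if not line:
            continue
        directive, _, value = line.partition(" ")
        if directive == "bind":
            binds = [b.lstrip("-") for b in value.split()]   # "-::1" = optional bind
        elif directive == "requirepass" and value.strip().strip('"'):
            auth = True
    # No `bind` line: Redis listens on every interface ("0 steps to make open").
    localhost_only = bool(binds) and all(b in LOOPBACK for b in binds)
    return _report(localhost_only, auth)


def audit_mongod(conf: str) -> dict:
    """mongod.conf (YAML) text: net.bindIp / net.bindIpAll and security.authorization."""
    bind = re.search(r"^\s*bindIp:\s*(.+?)\s*$", conf, re.M)
    bind_all = re.search(r"^\s*bindIpAll:\s*true\b", conf, re.M | re.I)
    authz = re.search(r"^\s*authorization:\s*(\w+)", conf, re.M)
    ips = [s.strip() for s in bind.group(1).split(",")] if bind else []
    # Assumption: no bindIp is read as exposed, the 2016 default the slides report
    # for MongoDB ("Not public (default): N"); bindIpAll overrides any bindIp list.
    localhost_only = bool(ips) and not bind_all and all(ip in LOOPBACK for ip in ips)
    auth_enabled = bool(authz) and authz.group(1).lower() == "enabled"
    return _report(localhost_only, auth_enabled)


if __name__ == "__main__":
    # Constructed sample configs showing the exposed case for each service.
    print(audit_redis("bind 0.0.0.0\nport 6379\n# requirepass change-me\n"))
    print(audit_mongod("net:\n  bindIp: 0.0.0.0\nsecurity:\n  authorization: disabled\n"))
```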

  20. Percentage of open services exposed to the Internet
     Figure 1: Percentages of open services. [Bar chart: y-axis "Percentage of open services" (0% to 100%), x-axis "Software packages": PostgreSQL, CUPS, RabbitMQ, CouchDB, MongoDB, Redis, Memcached, IPP; series "Open" and "Open with limited access".]

  21. Combined results

     Table 2: Combined comparison of software packages

                                  PostgreSQL  RabbitMQ  MongoDB  CouchDB  Memcached  CUPS  Redis  IPP
     Localhost (in config)        Y           Y         N        Y        Y          N     N      –
     Not public (default)         Y           Y         N        Y        N          N     N      –
     Authentication by default    Y           Y         Y        N        N          N     N      –
     No public creds or anon      Y           Y         Y        N        N          N     N      –
     Host-based access control    Y           Y         Y        N        N          N     N      –
     Authentication always on     N           N         Y        N        N          N     N      –
     Minimal steps to make open   3           3         1        1        1          0     0      –
     Steps to make public/secure  3           3         1        3        3          1     2      –
     Percentage open              2%          21%       22%      72%      71%        37%   98%    81%
     With full access             2%          1%        22%      18%      71%        37%   98%    –

     [Column labels reconstructed from the slide's rotated header, which was garbled in extraction; the set of names is consistent with Figure 1. The configuration rows of the fifth column match the column labelled MySQL in Table 1 as extracted, so the Memcached/MySQL labels of one of the two tables were probably swapped during extraction.]
