Advisory MS08-067: Security Rules and Freeware Tools [1938-02]

Upload: bethany-wood

Post on 06-Apr-2018


8/2/2019 Advisory MS08-067 Security Rules and Freeware Tools [1938-02]

Security Advisory MS08-067: Security Rules and Freeware Tools

Security rules dependent on certain transmission characteristics can be fatally flawed.

There are inherent dangers in using common freeware attack tools to create, or fine tune, security rules for your intrusion prevention system.


Overview

Security devices such as intrusion prevention systems (IPS) are deployed to identify and mitigate malicious activity. This is usually achieved by monitoring network traffic in real time against a set of predefined rules that are written to identify the characteristics of a threat.

In the most serious situations, security rules may only identify the freeware tool executing the specific attack and completely ignore the actual attack being executed from the original exploit code.

This advisory highlights the well-known and documented MS08-067 vulnerability and how executing it with different methods can lead to the attack being completely ignored or misidentified by security systems.

Developers who create these security rules, or signatures, would normally use exploit code to execute an attack against a vulnerable system, so the resulting network traffic can be analysed and an appropriate security rule devised to identify the threat.

A significant danger exists in using common freeware tools to execute attacks against a vulnerable system, as opposed to using the actual exploit code, as certain transmission characteristics can be introduced into the attack that can affect the security rule's ability to identify it.

The technical content of this advisory was correct at the time of publication but may be amended or changed from time to time. idappcom Limited 2012. SECADV 2012-003 (rev 2)


How we can help

Traffic IQ Professional, with its extensive traffic library and advanced traffic transmission capabilities, is ideally suited to auditing and proving your security's ability to identify and mitigate threats, and to validating the capabilities and configuration of packet filtering devices on your network, including application layer firewalls, routers and intrusion prevention systems.

Used as part of your on-going network security assessment and enhancement procedures, Traffic IQ Professional will accurately audit and validate your defensive capabilities and enhance them by providing high quality security rules to maximise threat recognition and significantly lower the probability of attack penetration.

Understanding the configuration and capabilities of your defences will enable you to enhance and accelerate performance and extend the life of your existing network security devices.

Applying high quality security rules, specifically developed to identify an attack against a vulnerability rather than identifying a specific instance of an attack, will enhance performance and decrease the number of rules required to be loaded by security devices.

[Figure: Traffic IQ Professional - Testing MS08-067 with different transmission methods.]


Threat description

SMB::pipeio_trans and SMB::pipeio_rw are two different transmission techniques that can be used by the Metasploit framework when executing SMB type attacks.

SMB::pipeio_trans (transact named pipes) is the normal method of communication with named pipes. During the development of the Metasploit framework, it was discovered that if this transact named pipe was not created, and data was just sent down a write pipe followed by an immediate read on the same pipe, this would trigger processing and have the same effect as using a standard named pipe. This alternative method is known as pipeio_rw, and is the default transmission method used by Metasploit.

There is a clear danger in relying solely on tools like Metasploit to execute attacks and create security rules from the resulting network traffic.

Great care should be taken to create rules that identify the original exploit using normal protocol transmission as well as alternative transmission techniques like those found in Metasploit.

Security rules written to identify an attack using Metasploit as a delivery mechanism with the pipeio_rw or pipeio_trans methods are likely not to identify the same attack being executed from the original source code or script.

These two methods of transmission are significantly different, and the alternative pipeio_rw method of transmission works well as an IPS evasion technique.

If Metasploit is solely used as an attack platform to assist in the writing of security rules, a significant problem can occur.

It can be demonstrated that security rules written to identify SMB type attacks sent from Metasploit will correctly identify the attack if the default transmission method (pipeio_rw) is used. If the standard method of transmission is used (pipeio_trans) the same attack is often misidentified and, furthermore, if the original source code for an exploit is then used to deliver the same attack, the security rules miss the attack altogether.
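To make the detection-side point concrete, here is an added Python example (not part of the advisory and not Traffic IQ Professional code) contrasting a rule anchored on Metasploit's default write-then-read transport with one that matches the reassembled pipe payload whichever SMB command carried it. The SMB framing is a constructed simplification and the stub bytes are placeholders; only the DCE/RPC request header layout and the srvsvc opnum are real, and the watch-list of one opnum is an assumption for the demonstration.

```python
import struct

# Constructed, simplified model of SMB1 named-pipe traffic: each frame is
# (SMB command byte, pipe payload already extracted from that command).
# SMB header and parameter-block parsing is deliberately omitted here.
SMB_COM_TRANSACTION = 0x25  # TransactNmPipe carrier (SMB::pipeio_trans)
SMB_COM_READ_ANDX = 0x2E    # write then immediate read (SMB::pipeio_rw)
SMB_COM_WRITE_ANDX = 0x2F

# srvsvc opnum 31 is NetprPathCanonicalize, the call patched by MS08-067.
SRVSVC_WATCH_OPNUM = 31


def dcerpc_request(opnum: int, stub: bytes) -> bytes:
    """Build a DCE/RPC v5 connection-oriented request PDU (real header layout)."""
    frag_len = 24 + len(stub)
    # version, minor, ptype=0 (request), pfc_flags first|last, drep (LE),
    # frag_length, auth_length, call_id, alloc_hint, context_id, opnum
    hdr = struct.pack("<BBBBIHHIIHH", 5, 0, 0, 0x03, 0x10,
                      frag_len, 0, 1, len(stub), 0, opnum)
    return hdr + stub


def dcerpc_opnum(pdu: bytes):
    """Return the opnum of a DCE/RPC request PDU, or None if it is not one."""
    if len(pdu) < 24 or pdu[0] != 5 or pdu[2] != 0:
        return None
    return struct.unpack_from("<H", pdu, 22)[0]


def rw_only_rule(frames, opnum=SRVSVC_WATCH_OPNUM) -> bool:
    """Rule derived only from Metasploit's default pipeio_rw traffic: it
    requires the write-then-read pattern, so the transact form is missed."""
    return any(cmd == SMB_COM_WRITE_ANDX and nxt == SMB_COM_READ_ANDX
               and dcerpc_opnum(data) == opnum
               for (cmd, data), (nxt, _) in zip(frames, frames[1:]))


def transport_agnostic_rule(frames, opnum=SRVSVC_WATCH_OPNUM) -> bool:
    """Match on the pipe payload whichever SMB command carried it."""
    return any(dcerpc_opnum(data) == opnum for cmd, data in frames
               if cmd in (SMB_COM_TRANSACTION, SMB_COM_WRITE_ANDX))


# Constructed traces: the same request over the two transports. The stub is
# placeholder bytes, not exploit content.
REQUEST = dcerpc_request(SRVSVC_WATCH_OPNUM, b"constructed-stub-data")
TRACE_RW = [(SMB_COM_WRITE_ANDX, REQUEST), (SMB_COM_READ_ANDX, b"")]
TRACE_TRANS = [(SMB_COM_TRANSACTION, REQUEST)]
```

A production rule would additionally need DCE/RPC fragment reassembly across multiple writes and a check of the srvsvc bind context, neither of which this model includes.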


Remediation

It should be recognised that security rules written to identify an attack using Metasploit as a delivery mechanism with the pipeio_rw or pipeio_trans methods are likely not to identify the same exploit being executed from the original source code or script, conforming to the normal protocol specification and method of execution.

Security Assessment and Enhancement

Traffic IQ Professional, as part of your continual network security assessment and enhancement procedures, will ensure that your network security devices maintain the highest levels of threat identification and mitigation.

Our high quality security rules will help you enhance the capabilities, accelerate the performance and extend the life of your existing network security devices.

Idappcom recommends regular network security assessments, to determine if attacks using various transmission methods or evasion techniques are capable of penetrating security defences.

Applying high quality security rules from the Traffic IQ Library will assist you in achieving the highest standards of network threat identification and mitigation.


Downloads, References and Further Reading

Metasploit Framework
http://www.metasploit.com/modules/exploit/windows/smb/ms08_067_netapi

Exploit Code (Debasis Mohanty)
http://www.hackingspirits.com/vuln-rnd/srvsvcexpl.rar

CVE (Common Vulnerabilities and Exposures)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4250


idappcom limited, Barham Court, Teston, Kent ME18 5BZ, UK

t: +44 (0)203 355 6804

e: [email protected]

www.idappcom.com

Detailed white papers are available from our web site www.idappcom.com or by email request to [email protected]

ID 1938