advisory ms08-067 security rules and freeware toola [1938-02]

8/2/2019 Advisory MS08-067 Security Rules and Freeware Toola [1938-02]

1/7

Security

AdvisoryMS08-067:

Security Rules and

Freeware Tools

MS08-067

Security rules

dependent on

certain transmissionscharacteristics can be

atally awed.

There are inherent

dangers in using

common reeware

attack tools to create,

or ne tune, security

rules or your intrusionprevention system.

next page


2/7

2

The technical content o this advisory was correct at the time o publication but may be amended or changed rom time to time. idappcom Limited 2012. SECADV 2012-003 (rev 2)

Security devices such as intrusion prevention

systems (IPS), are deployed to identiy and

mitigate malicious activity, this is usually

achieved by monitoring network trac in

real-time against a set o predened rules thatare written to identiy the characteristics o a

threat.

In the most serious situations, security rules

may only identiy the reeware tool executing

the specic attack and completely ignore the

actual attack being executed rom the original

exploit code.

This advisory highlights the well-known

and documented MS08-067 vulnerability

and how executing it with dierent

methods can lead to the attack being

completely ignored or misidentifed by

security systems.

Developers who create these security rules, or

signatures, would normally use exploit code to

execute an attack against a vulnerable system,

so the resulting network trac can be analysed

and an appropriate security rule devised toidentiy the threat.

A signicant danger exists in using common

reeware tools to execute attacks against a

vulnerable system, as opposed to using the

actual exploit code, as certain transmission

characteristics can be introduced into the

attack that can afect the security rules ability

to identiy it.

Overview

print close

next page

previous page
http://print/http://close/http://close/http://print/


3/7

3


Trac IQ Proessional, with its extensive trac

library and advanced trac transmission

capabilities, makes it ideally suited to auditing

and proving your securitys ability to identiy

and mitigate threats and to validate the

capabilities and conguration o packet

ltering devices on your network, including

application layer rewalls, routers and intrusion

prevention systems.

Used as part o your on-going network security

assessment and enhancement procedures,

Trac IQ Proessionalwill accurately audit

and validate your deensive capabilities and

enhance them by providing high quality

security rules to maximise threat recognition

and signicantly lower the probability o attack

penetration.

Understanding the conguration and

capabilities o your deences, will enable you

to enhance and accelerate perormance and

extending the lie o your existing network

security devices.

Applying high quality security rules, specically

developed to identiy an attack against

a vulnerability rather than identiying a

specic instance o an attack, will enhance

perormance and decrease the number o

rules required to be loaded by security devices.

How we

can help

Trac IQ Proessional - Testing MS08-067 with diferent transmission methods.

print close

next page

previous page


4/7

4


Threat description

SMB::pipeio_trans and SMB::pipeio_rw are

two diferent transmission techniques that

can be used by the Metasploit ramework

when executing SMB type attacks.

SMB::pipeio_trans (transact named pipes) is

the normal method o communication withnamed pipes. During the development o the

Metasploit ramework, it was discovered that

i this transact named pipe was not created,

and data was just sent down a write pipe

ollowed by an immediate read on the same

pipe, this would trigger processing and have

the same efect as using a standard named

pipe. This alternative method is known

as pipeio_rw, and is deault transmission

method used by Metasploit.

There is a clear danger in relying solely on

tools like Metasploit to execute attacks

and create security rules rom the resulting

network trac.

Great care should be taken to create rules

that identiy the original exploit using normal

protocol transmission as well as alternativetransmission techniques like those ound in

Metasploit.

Security rules written to identiy an

attack using Metasploit as a delivery

mechanism with the pipeio_rw or

pipeio_trans methods, are likely not to

identiy the same attack being executed

rom the original source code or script.

These two methods o transmission are

signicantly diferent and the alternative

pipeio_rw method o transmission works well

as an IPS evasion technique.

I Metasploit is solely used as an attack

platorm to assist in the writing o security

rules, a signicant problem can occur.

It can be demonstrated that security rules

written to identiy SMB type attacks sent

rom Metasploit, will correctly identiy the

attack i the deault transmission method

(pipeio_rw) is used. I the standard method o

transmission is used (pipeio_trans) the same

attack is oten misidentied and, urthermore,

i the original source code or an exploit is

then used to deliver the same attack, the

security rules miss the attack altogether.

Threat

print close

next page

previous page


5/7

5


Remediation

It should be recognised that security

rules written to identiy an attack using

Metasploit as a delivery mechanism with

the pipeio_rw or pipeio_trans methods, are

likely not to identiy the same exploit being

executed rom the original source code or

script, conorming to the normal protocol

specication and method o execution.

Security Assessment and Enhancement

Trac IQ Proessional, as part o your

continual network security assessment and

enhancement procedures, will ensure that

your network security devices maintain the

highest levels o threat identication and

mitigation.

Our high quality security rules will help youenhance the capabilities, accelerate the

perormance and extend the lie o your

existing network security devices.

Idappcom recommends regular network

security assessments, to determine i

attacks using various transmission methods

or evasion techniques are capable o

penetrating security deences.

Applying high quality security rules rom the

Trac IQ Library will assist you in achieving

the highest standards o network threatidentication and mitigation.

Remediation

print close

next page

previous page


6/7

6


DownloadsReerences and Further ReadingMetasploit

Metasploit Framework

http://www.metasploit.com/modules/exploit/windows/smb/ms08_067_netapi

Exploit Code

Debasis Mohanty

http://www.hackingspirits.com/vuln-rnd/srvsvcexpl.rar

C.V.E

Common Vulnerabilities and Exposures

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4250

print close

next page

previous page


7/7

7


idappcom limitedBarham Court, Teston, Kent ME18 5BZ. UK

t: +44 (0)203 355 6804

e: [email protected]

www.idappcom.com

MS08-067

Detailed white papers are available rom our web site www.idappcom.com

or by email request to [email protected]

ID 1938

previous page

advisory ms08-067 security rules and freeware toola [1938-02]

Documents