8/2/2019 Advisory MS08-067 Security Rules and Freeware Toola [1938-02]
1/7
Security Advisory MS08-067: Security Rules and Freeware Tools

MS08-067

Security rules dependent on certain transmission characteristics can be fatally flawed.

There are inherent dangers in using common freeware attack tools to create, or fine tune, security rules for your intrusion prevention system.
The technical content of this advisory was correct at the time of publication but may be amended or changed from time to time. idappcom Limited 2012. SECADV 2012-003 (rev 2)
Overview

Security devices such as intrusion prevention systems (IPS) are deployed to identify and mitigate malicious activity. This is usually achieved by monitoring network traffic in real time against a set of predefined rules that are written to identify the characteristics of a threat.

Developers who create these security rules, or signatures, would normally use exploit code to execute an attack against a vulnerable system, so that the resulting network traffic can be analysed and an appropriate security rule devised to identify the threat.

A significant danger exists in using common freeware tools to execute attacks against a vulnerable system, as opposed to using the actual exploit code, as certain transmission characteristics can be introduced into the attack that can affect the security rule's ability to identify it.

In the most serious situations, security rules may only identify the freeware tool executing the specific attack and completely ignore the actual attack being executed from the original exploit code.

This advisory highlights the well-known and documented MS08-067 vulnerability and how executing it with different methods can lead to the attack being completely ignored or misidentified by security systems.
How we can help

Traffic IQ Professional, with its extensive traffic library and advanced traffic transmission capabilities, is ideally suited to auditing and proving your security's ability to identify and mitigate threats, and to validating the capabilities and configuration of packet filtering devices on your network, including application layer firewalls, routers and intrusion prevention systems.

Used as part of your on-going network security assessment and enhancement procedures, Traffic IQ Professional will accurately audit and validate your defensive capabilities and enhance them by providing high quality security rules to maximise threat recognition and significantly lower the probability of attack penetration.

Understanding the configuration and capabilities of your defences will enable you to enhance and accelerate performance and extend the life of your existing network security devices.

Applying high quality security rules, specifically developed to identify an attack against a vulnerability rather than identifying a specific instance of an attack, will enhance performance and decrease the number of rules required to be loaded by security devices.

[Figure: Traffic IQ Professional - Testing MS08-067 with different transmission methods.]
Threat description

SMB::pipeio_trans and SMB::pipeio_rw are two different transmission techniques that can be used by the Metasploit framework when executing SMB type attacks.

SMB::pipeio_trans (transact named pipes) is the normal method of communication with named pipes. During the development of the Metasploit framework, it was discovered that if this transact named pipe was not created, and data was just sent down a write pipe followed by an immediate read on the same pipe, this would trigger processing and have the same effect as using a standard named pipe. This alternative method is known as pipeio_rw, and is the default transmission method used by Metasploit.

There is a clear danger in relying solely on tools like Metasploit to execute attacks and create security rules from the resulting network traffic. Great care should be taken to create rules that identify the original exploit using normal protocol transmission as well as alternative transmission techniques like those found in Metasploit.

Security rules written to identify an attack using Metasploit as a delivery mechanism with the pipeio_rw or pipeio_trans methods are likely not to identify the same attack being executed from the original source code or script. These two methods of transmission are significantly different, and the alternative pipeio_rw method of transmission works well as an IPS evasion technique.

If Metasploit is solely used as an attack platform to assist in the writing of security rules, a significant problem can occur. It can be demonstrated that security rules written to identify SMB type attacks sent from Metasploit will correctly identify the attack if the default transmission method (pipeio_rw) is used. If the standard method of transmission is used (pipeio_trans), the same attack is often misidentified and, furthermore, if the original source code for an exploit is then used to deliver the same attack, the security rules miss the attack altogether.
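As an added illustration (not code from the advisory or from idappcom), the following Python model contrasts the two rule-writing approaches the threat description discusses: a rule derived only from Metasploit's default pipeio_rw traffic, which keys on a WRITE_ANDX followed by a READ_ANDX, against a rule that reassembles whatever was written to the pipe, whether by a TRANSACTION (TransactNmPipe, the pipeio_trans style) or by WRITE_ANDX, and matches the content itself. The SMB framing is deliberately simplified, the traffic is constructed, and the stub marker is a placeholder standing in for the real request, which this advisory does not detail.

```python
import struct

# Simplified SMBv1 framing used only for this illustration (constructed, not a
# real capture): 4-byte NetBIOS length, "\xffSMB", one command byte, then data.
# The command values are the SMBv1 codes; everything else is an assumption.
SMB_COM_TRANSACTION = 0x25  # TransactNmPipe: the SMB::pipeio_trans style
SMB_COM_WRITE_ANDX = 0x2F   # write to the pipe, then read: the SMB::pipeio_rw style
SMB_COM_READ_ANDX = 0x2E

# Constructed stand-in for the RPC stub data a rule should recognise; the
# advisory does not detail the real MS08-067 request, so none is used here.
STUB_MARKER = b"CONSTRUCTED-STUB-MARKER"

def frame(cmd, data=b""):
    """Build one simplified SMB frame."""
    body = b"\xffSMB" + bytes([cmd]) + data
    return struct.pack(">I", len(body)) + body

def frames(stream):
    """Split a byte stream back into (command, data) pairs."""
    out, off = [], 0
    while off + 4 <= len(stream):
        (n,) = struct.unpack(">I", stream[off:off + 4])
        body = stream[off + 4:off + 4 + n]
        if len(body) != n or body[:4] != b"\xffSMB" or n < 5:
            raise ValueError("malformed frame at offset %d" % off)
        out.append((body[4], body[5:]))
        off += 4 + n
    return out

def transport_bound_rule(stream):
    """A rule derived only from Metasploit's default pipeio_rw traffic: it
    insists on a WRITE_ANDX carrying the marker followed by a READ_ANDX."""
    cmds = frames(stream)
    return any(c == SMB_COM_WRITE_ANDX and STUB_MARKER in d
               and i + 1 < len(cmds) and cmds[i + 1][0] == SMB_COM_READ_ANDX
               for i, (c, d) in enumerate(cmds))

def content_rule(stream):
    """A rule keyed on the stub data itself: reassemble everything written to
    the pipe, whichever SMB command carried it, then match the content."""
    pipe_data = b"".join(d for c, d in frames(stream)
                         if c in (SMB_COM_TRANSACTION, SMB_COM_WRITE_ANDX))
    return STUB_MARKER in pipe_data

# Constructed traffic: the same stub delivered three ways, plus benign traffic.
VIA_RW = frame(SMB_COM_WRITE_ANDX, STUB_MARKER) + frame(SMB_COM_READ_ANDX)
VIA_TRANS = frame(SMB_COM_TRANSACTION, STUB_MARKER)
VIA_RW_SPLIT = (frame(SMB_COM_WRITE_ANDX, STUB_MARKER[:8])
                + frame(SMB_COM_WRITE_ANDX, STUB_MARKER[8:]) + frame(SMB_COM_READ_ANDX))
BENIGN = frame(SMB_COM_WRITE_ANDX, b"hello") + frame(SMB_COM_READ_ANDX)
```

The transport-bound rule only fires on VIA_RW; it misses the TransactNmPipe delivery and even a pipeio_rw delivery split over two writes, whereas the content rule matches all three and stays silent on the benign exchange.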
Remediation

It should be recognised that security rules written to identify an attack using Metasploit as a delivery mechanism with the pipeio_rw or pipeio_trans methods are likely not to identify the same exploit being executed from the original source code or script, conforming to the normal protocol specification and method of execution.

Security Assessment and Enhancement

Traffic IQ Professional, as part of your continual network security assessment and enhancement procedures, will ensure that your network security devices maintain the highest levels of threat identification and mitigation.

Our high quality security rules will help you enhance the capabilities, accelerate the performance and extend the life of your existing network security devices.

Idappcom recommends regular network security assessments, to determine if attacks using various transmission methods or evasion techniques are capable of penetrating security defences.

Applying high quality security rules from the Traffic IQ Library will assist you in achieving the highest standards of network threat identification and mitigation.
Downloads, References and Further Reading

Metasploit Framework
http://www.metasploit.com/modules/exploit/windows/smb/ms08_067_netapi

Exploit Code (Debasis Mohanty)
http://www.hackingspirits.com/vuln-rnd/srvsvcexpl.rar

CVE: Common Vulnerabilities and Exposures
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4250
idappcom limited, Barham Court, Teston, Kent ME18 5BZ. UK
t: +44 (0)203 355 6804
www.idappcom.com

Detailed white papers are available from our web site www.idappcom.com or by email request to [email protected]

ID 1938