
Security rules that depend on particular transmission characteristics can be fatally flawed.

There are inherent dangers in using common freeware attack tools to create, or fine-tune, security rules for your intrusion prevention system.

Security Advisory
MS08-067: Security Rules and Freeware Tools


The technical content of this advisory was correct at the time of publication but may be amended or changed from time to time. idappcom Limited 2012. SECADV 2012-003 (rev 2)

Overview

Security devices such as intrusion prevention systems (IPS) are deployed to identify and mitigate malicious activity. This is usually achieved by monitoring network traffic in real time against a set of predefined rules written to identify the characteristics of a threat.

Developers who create these security rules, or signatures, would normally use exploit code to execute an attack against a vulnerable system so that the resulting network traffic can be analysed and an appropriate security rule devised to identify the threat. A significant danger exists in using common freeware tools to execute attacks against a vulnerable system, as opposed to using the actual exploit code, because certain transmission characteristics can be introduced into the attack that affect the security rule's ability to identify it.

In the most serious situations, security rules may only identify the freeware tool executing the specific attack and completely ignore the actual attack being executed from the original exploit code. This advisory highlights the well-known and documented MS08-067 vulnerability and how executing it with different methods can lead to the attack being completely ignored or misidentified by security systems.


How we can help

Traffic IQ Professional, with its extensive traffic library and advanced traffic transmission capabilities, is ideally suited to auditing and proving your security's ability to identify and mitigate threats, and to validating the capabilities and configuration of packet filtering devices on your network, including application layer firewalls, routers and intrusion prevention systems. Used as part of your ongoing network security assessment and enhancement procedures, Traffic IQ Professional will accurately audit and validate your defensive capabilities and enhance them by providing high quality security rules to maximise threat recognition and significantly lower the probability of attack penetration.

Applying high quality security rules, specifically developed to identify an attack against a vulnerability rather than a specific instance of an attack, will enhance performance and decrease the number of rules that security devices need to load.

Understanding the configuration and capabilities of your defences will enable you to enhance and accelerate performance and extend the life of your existing network security devices.


Threat

Figure: Traffic IQ Professional - Testing MS08-067 with different transmission methods.

Threat description

SMB::pipeio_trans and SMB::pipeio_rw are two different transmission techniques that can be used by the Metasploit framework when executing SMB type attacks. SMB::pipeio_trans (transact named pipes) is the normal method of communication with named pipes. During the development of the Metasploit framework, it was discovered that if this transact named pipe was not created, and data was just sent down a write pipe followed by an immediate read on the same pipe, this would trigger processing and have the same effect as using a standard named pipe. This alternative method is known as pipeio_rw, and it is the default transmission method used by Metasploit.

These two methods of transmission are significantly different, and the alternative pipeio_rw method works well as an IPS evasion technique. If Metasploit is used as the sole attack platform to assist in the writing of security rules, a significant problem can occur. It can be demonstrated that security rules written to identify SMB type attacks sent from Metasploit will correctly identify the attack if the default transmission method (pipeio_rw) is used. If the standard method of transmission (pipeio_trans) is used, the same attack is often misidentified and, furthermore, if the original source code for an exploit is then used to deliver the same attack, the security rules miss the attack altogether.

There is a clear danger in relying solely on tools like Metasploit to execute attacks and create security rules from the resulting network traffic. Great care should be taken to create rules that identify the original exploit using normal protocol transmission as well as alternative transmission techniques like those found in Metasploit. Security rules written to identify an attack using Metasploit as a delivery mechanism with the pipeio_rw or pipeio_trans methods are likely not to identify the same attack being executed from the original source code or script.
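To show the advisory's point the way a rule author would test it, here is an added example (not idappcom's code and not part of the advisory): a simplified model of the two SMB carriers described above, with a rule derived from one tool's default transport beside a rule keyed on the vulnerable srvsvc call itself. The frame layout is a constructed simplification (real SMB headers, the pipe open and DCE/RPC bind tracking are omitted); the SMB command codes and the srvsvc opnum are real protocol values, and the stub bytes are placeholders.

```python
import struct

SMB_COM_TRANSACTION = 0x25   # SMB_COM_TRANSACTION: TransactNmPipe carrier ("pipeio_trans")
SMB_COM_WRITE_ANDX = 0x2F    # SMB_COM_WRITE_ANDX: write-then-read carrier ("pipeio_rw")
NETPATHCANONICALIZE_OPNUM = 31  # srvsvc NetprPathCanonicalize, the call patched by MS08-067

def dcerpc_request(opnum, stub):
    """Minimal DCE/RPC v5 request PDU (24-byte header + stub); stub is placeholder bytes only."""
    hdr = struct.pack("<BBBB4sHHIIHH", 5, 0, 0, 0x03, b"\x10\x00\x00\x00",
                      24 + len(stub), 0, 1, len(stub), 0, opnum)
    return hdr + stub

def smb_frame(cmd, pdu, pipe=b""):
    """Constructed, simplified SMB frame: magic, command byte, NUL-terminated pipe name, PDU."""
    return b"\xffSMB" + bytes([cmd]) + pipe + b"\x00" + pdu

def opnum_of(pdu):
    """The opnum sits at offset 22 of a DCE/RPC request header."""
    return struct.unpack_from("<H", pdu, 22)[0]

def pdu_from_frame(frame):
    """Return the DCE/RPC request PDU whichever SMB command carried it, else None."""
    if frame[:4] != b"\xffSMB" or frame[4] not in (SMB_COM_TRANSACTION, SMB_COM_WRITE_ANDX):
        return None
    body = frame[5:]
    sep = body.find(b"\x00")                 # end of the (possibly empty) pipe name
    pdu = body[sep + 1:] if sep >= 0 else b""
    return pdu if len(pdu) >= 24 and pdu[0] == 5 and pdu[2] == 0 else None  # v5, ptype request

def tool_specific_rule(frame):
    """Rule written from one tool's capture: fixed carrier and a fixed payload offset."""
    return (frame[4] == SMB_COM_WRITE_ANDX and len(frame) >= 30
            and opnum_of(frame[6:]) == NETPATHCANONICALIZE_OPNUM)

def vulnerability_rule(frame):
    """Rule keyed on the vulnerable call itself, independent of the SMB carrier."""
    pdu = pdu_from_frame(frame)
    return pdu is not None and opnum_of(pdu) == NETPATHCANONICALIZE_OPNUM

def detections(frames):
    """(tool-specific hit, vulnerability-rule hit) for each frame."""
    return [(tool_specific_rule(f), vulnerability_rule(f)) for f in frames]

STUB = b"\x00" * 16  # placeholder stub data, not an MS08-067 payload
SAMPLES = [
    smb_frame(SMB_COM_WRITE_ANDX, dcerpc_request(NETPATHCANONICALIZE_OPNUM, STUB)),              # pipeio_rw style
    smb_frame(SMB_COM_TRANSACTION, dcerpc_request(NETPATHCANONICALIZE_OPNUM, STUB), b"\\PIPE\\"),  # pipeio_trans style
    smb_frame(SMB_COM_TRANSACTION, dcerpc_request(16, STUB), b"\\PIPE\\"),                         # a different srvsvc call
]
print(detections(SAMPLES))  # [(True, True), (False, True), (False, False)]
```

The tool-specific rule fires only on the carrier it was captured from; the vulnerability rule fires on the call regardless of carrier and stays quiet on other srvsvc traffic.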


Remediation

It should be recognised that security rules written to identify an attack using Metasploit as a delivery mechanism with the pipeio_rw or pipeio_trans methods are likely not to identify the same exploit being executed from the original source code or script, which conforms to the normal protocol specification and method of execution.

Idappcom recommends regular network security assessments to determine whether attacks using various transmission methods or evasion techniques are capable of penetrating security defences. Applying high quality security rules from the Traffic IQ Library will assist you in achieving the highest standards of network threat identification and mitigation.

Security Assessment and Enhancement

Traffic IQ Professional, as part of your continual network security assessment and enhancement procedures, will ensure that your network security devices maintain the highest levels of threat identification and mitigation. Our high quality security rules will help you enhance the capabilities, accelerate the performance and extend the life of your existing network security devices.


Downloads

References and Further Reading

Metasploit - Metasploit Framework: http://www.metasploit.com/modules/exploit/windows/smb/ms08_067_netapi
Exploit Code - Debasis Mohanty: http://www.hackingspirits.com/vuln-rnd/srvsvcexpl.rar
C.V.E. - Common Vulnerabilities and Exposures: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4250


Detailed white papers are available from our web site www.idappcom.com or by email request to client.services@idappcom.com

idappcom limited, Barham Court, Teston, Kent ME18 5BZ, UK
t: +44 (0)203 355 6804
e: customer.services@idappcom.com
www.idappcom.com
