Title: RealSecure can not detect RDS and recent unicode exploit
Released by: Fate Research Labs
Date: 1st November 2000
    -----------------.---------------------------------------------.
  /|                 |                             .               |
 / | :               : :             : :             :             |
|  | ::        ------  ::            : ::          | ::     -      |-----
|  | ::              : ::     .      :      |      | ::            :     |
|  |                 :        .      |------|      |               :     |
|  |           ------^        :      |     /       |                     .
|  ;----------"---------------^------     /  ------'---------------------
| /          /               /      /----'        /                     /
|'----------'---------------'------'     --------'---------------------'
                                www.f8labs.com


INTRODUCTION

Advisory .........: RealSecure or Real"un"Secure
Release Date .....: 11-01-00
Application ......: RealSecure by ISS
Version ..........: All versions prior to and including 5.0 of all sensors
Vendor Status ....: Contacted - no responses
By ...............: Fate Research Labs
WWW ..............: www.f8labs.com


[ OVERVIEW ]

Internet Security Systems recently released version 5.0 of RealSecure, its
Intrusion Detection System. ISS markets RealSecure as a collection of
detection modules with unique attack recognition and response capabilities,
otherwise known as sensors. The network class of sensors monitors the raw,
unfiltered traffic on enterprise networks, looking for patterns, protocol
violations, and repeated access attempts that indicate malicious intent. The
OS sensor performs real-time intrusion monitoring, detection, and prevention
of malicious activity by analyzing kernel-level events and host logs.

When RealSecure detects unauthorized activity, it can respond in a number of
ways: automatically recording the date, time, source, and target of the event,
recording the content of the attack, notifying the system administrator,
reconfiguring a firewall or router, suspending a user account, or terminating
the attack.


[ ADVISORY ]

Despite all of the feature-rich, value-add functionality of RealSecure, there
remains one catch: nowhere within the management console are you allowed to
add your own custom signatures. This is the very thing that makes the product
so weak. The open source Intrusion Detection Systems, and some commercial ones
offered by other companies, let the user add his own custom signatures to the
database. Our question is why ISS would not want their customers to have the
same luxury. When administering signatures, the administrator finds himself in
a GUI hell filled with icons of signatures provided by ISS.

RDS, a year-old advisory by Rain Forest Puppy, is a popular toy among script
kiddies and one of the most common tools used to compromise NT-based machines.
I quote from the original RDS advisory released 10-12-99.

    "it...is direct, immediate, and almost 100% guaranteed
     to work....THE NUMBER OF HUGE SITES THAT ARE VULNERABLE
     IS RIDICULOUS!"
                                        -Russ Cooper, NTBugtraq

     "This exploit also does *not* require the presence of
      any sample web applications or example code...the
      issue affects at least 50% of the IIS servers I have
      seen"
                                        -Greg Gonzalez, NTBugtraq

/* -- snip from bugtraq id: 529 -- */

MDAC (Microsoft Data Access Components) is a package used to integrate web and
database services. It includes a component named RDS (Remote Data Services).
RDS allows remote access via the internet to database objects through IIS. Both
are included in a default installation of the Windows NT 4.0 Option Pack, but
can be excluded via a custom installation.

RDS includes a component called the DataFactory object, which has a
vulnerability that could allow any web user to:

--Obtain unauthorized access to unpublished files on the IIS server
--Use MDAC to tunnel ODBC requests through to a remote internal or external
  location, thereby obtaining access to non-public servers or effectively
  masking the source of an attack on another network.

The main risk in this vulnerability is the following:
--If the Microsoft JET OLE DB Provider or Microsoft DataShape Provider are
  installed, a user could use the shell() VBA command on the server with System
  privileges. (See the Microsoft JET Database Engine VBA Vulnerability for more
  information.) These two vulnerabilities combined can allow an attacker on the
  Internet to run arbitrary commands with System level privileges on the target
  host.

/* -- snap end bugtraq desc. of rds exploit -- */


With such a dangerous tool on the loose, and the number of sites compromised
using it not declining, the need to detect and prevent such an attack is
critical. To our surprise, the newest version and new set of signatures
provided by ISS would not detect our RDS attacks on remote networks protected
by RealSecure. With so many large corporations and even Security Operation
Centers deploying this product, F8 Labs believes the customers of this product
should be made aware of its handicap. If a popular exploit released last year
has not yet been added to their signature database, what else is missing that
we have not tested?

It has also been discovered that the recent Unicode exploit goes undetected by
RealSecure as well.


------ snip // unicode --------

An anonymous person posts that they can run arbitrary commands on IIS 5
(Win 2000) using the following URL:

http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\

It seems the values of %c0%af and %c1%9c work for IIS 5. Curiosity
getting the better of me, I tried it on IIS 4. Uh oh, works there too.

------ snap // unicode --------
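Both attacks described above, the RDS DataFactory request and the Unicode
directory traversal, can be matched at the HTTP layer, which is exactly the
kind of rule the advisory wishes a RealSecure administrator could add himself.
The detector below is an added example written for this page; it is not code
from Fate Research Labs, ISS or RealSecure. Its assumptions: the RDS signature
uses the request shape of the public msadc exploit (a POST to
/msadc/msadcs.dll for the AdvancedDataFactory object with a Content-Type of
application/x-varg), which the advisory does not spell out, and the Unicode
check models IIS 4/5 as accepting overlong two- and three-byte UTF-8 sequences
without validating the continuation bytes, which is what turns %c0%af into '/'
and %c1%9c or %c1%1c into '\'. The request heads are constructed. The example
goes one step beyond the quoted post: it decodes the same request both the
RFC-correct way and the IIS way, to show that a detector which normalizes by
the standard rather than by the target's parser sees no ".." segment at all.

```python
"""Signature checks for the RDS and Unicode attacks discussed in this advisory.

Added example for this page, not code from Fate Research Labs, ISS or RealSecure.
The request heads below are constructed, and the decoder models IIS 4/5 behaviour
as an assumption (see iis_lenient_decode).
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed request heads (request line + headers), not captured traffic.
SAMPLES = {
    "unicode_c1_1c": "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0\r\n"
                     "Host: www.example.com\r\n",
    "unicode_c0_af": "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0\r\n"
                     "Host: www.example.com\r\n",
    "unicode_c1_9c": "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0\r\n"
                     "Host: www.example.com\r\n",
    # Assumed request shape of the public RDS/msadc exploit: a POST to msadcs.dll
    # for the AdvancedDataFactory object with the x-varg content type.
    "rds": "POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1\r\n"
           "Host: www.example.com\r\nContent-Type: application/x-varg\r\n",
    "benign": "GET /default.asp?id=1 HTTP/1.0\r\nHost: www.example.com\r\n",
    # Valid two-byte UTF-8 (e acute): must decode identically under both decoders.
    "benign_utf8": "GET /caf%c3%a9.htm HTTP/1.0\r\nHost: www.example.com\r\n",
}

DOTDOT_SEGMENT = re.compile(r"(?:^|/)\.\.(?:/|$)")


def parse_request(head):
    """Split a request head into (METHOD, target, {lowercased header: value})."""
    lines = head.replace("\r\n", "\n").strip("\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers


def strict_decode(target):
    """RFC-correct decoding: overlong or malformed UTF-8 becomes U+FFFD, never '/' or '\\'."""
    return unquote_to_bytes(target).decode("utf-8", errors="replace")


def iis_lenient_decode(target):
    """Decode the way IIS 4/5 is modelled to have done (assumption): the lead byte
    fixes the sequence length, overlong forms are accepted, and continuation bytes
    contribute their low six bits without being validated.  Hence
    %c0%af -> '/', %c1%9c -> '\\', %c1%1c -> '\\', %e0%80%af -> '/'."""
    raw = unquote_to_bytes(target)
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < len(raw):
            out.append(chr(((b & 0x0F) << 12) | ((raw[i + 1] & 0x3F) << 6) | (raw[i + 2] & 0x3F)))
            i += 3
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def traversal_hit(target, decoder=iis_lenient_decode):
    """True when a '..' path segment appears after decoding with the given decoder."""
    path = target.split("?", 1)[0]
    return bool(DOTDOT_SEGMENT.search(decoder(path).replace("\\", "/")))


def rds_hit(method, target, headers):
    """RDS DataFactory request to msadcs.dll (assumed exploit request shape)."""
    path = target.split("?", 1)[0].lower()
    if method != "POST" or "/msadc/msadcs.dll" not in path:
        return False
    ctype = headers.get("content-type", "").lower()
    return "advanceddatafactory" in path or ctype.startswith("application/x-varg")


def check(head):
    """Names of the signatures that fire on one request head."""
    method, target, headers = parse_request(head)
    hits = []
    if rds_hit(method, target, headers):
        hits.append("rds-datafactory")
    if traversal_hit(target):
        hits.append("unicode-traversal")
    return hits


if __name__ == "__main__":
    for name, head in SAMPLES.items():
        _, target, _ = parse_request(head)
        print(f"{name:14s} rfc_decoder={traversal_hit(target, strict_decode)!s:5s} hits={check(head)}")
```

Run it directly to print each sample's result. The point to keep is that
traversal_hit with strict_decode returns False for all three overlong
encodings while the IIS-style decoder returns True, so a signature that
normalizes requests by the RFC instead of by the target's own parser would
pass exactly the requests quoted above.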







[ FOR THE KIDDIES ]

For those of you out there who would like to know if RealSecure is protecting
a remote site, try looking for a service running on port 2998. This is the
administration port that a remote console would use to connect to the remote
sensor.


[ CONCLUSION ]

Fate Research suggests that ISS allow customers the ability to modify built-in
signatures as well as add signatures. The inability to add new signatures for
exploits as they are released puts full control in the hands of ISS, in the
hope that they are protecting your network against commonly used new threats,
a task that they are failing miserably with at the time of this writing.



================================================================
Loki
Fate Research Labs
loki@f8labs.com
----------------------------------------------------------------
BEGIN PGP SIGNATURE

iQA/AwUBOfZvfGnwBJRV5bxfEQJu7gCfQ/T0O9u75nzRGWVSeurNmnFRVr8Anj0c
M+UXhPDBvsm+ffRpv41zevQN
=3IRx
================================================================

(C) 1999-2000 All rights reserved.