Posts Tagged ‘IDS’

Summary:

On July 6th, 2009 a zero day vulnerability in a component of the Windows operating system controlling
MPEG2 videos became publicly distributed. The attack code is currently present on several malware
servers in Asia and being used to infect unwitting clients who have been redirected to these servers. This
vulnerability will allow the remote control of clients who are pushed to malicious web servers via XSS or
phishing techniques. Microsoft has not issued a patch for this vulnerability, but they have recommended a
common workaround for dealing with ActiveX vulnerabilities which we have included below under
‘Recommended Preventative Actions’. Only older versions of Windows (2000, XP, 2003) are vulnerable to
this, as Vista and later operating systems have architecture which prevents the vulnerable code from being
exposed to the malicious control object. Major IDS/IPS/AV vendors have released signatures to detect
exploits against this vulnerability.

Severity: MEDIUM

We consider this to be a ‘medium’ severity event. We have not, to this date, seen high infection ratesamongst our monitored networks, but vendors are just now releasing signatures to detect the exploit comingback from a malicious webserver to a vulnerable client. This exploit is not related to any worms, but isbeing used to install Trojan software which may then perform additional attacks on vulnerable hosts viaother exploit vectors. While normally we would give ActiveX exploits a low severity, there over the past 18months there have been a proliferation of SQL Injection attacks resulting in legitimate ASP.NET sitesunwittingly serving up malicious javascript, that ‘trusting’ the intention of a site is no longer prudent forsurfing behavior We feel the multitude of the hacked web environments hosting up active pages with malicious javascript inclusions, coupled with newer methods of attack obfuscation, added to the knowledgethat MPEG2 is an EXTREMELY popular media format justifies this severity.

How to Determine Whether You Are Vulnerable:

All 2003 and XP systems will be vulnerable to this unless specific actions have been taken to:
[1] Disable ActiveX altogether (not recommended in many environments)
[2] Are not using Internet Explorer at all
[3] Disabled Windows Media Software by some 3rd party application
[4] Have updated A/V software which detects the attack and mitigates it
[5] Have set the kill-bit for ActiveX Control Object (CLSID 0955AC62-BF2E-4CBA-A2B9-
A63F772D46CF)
[6] Perform an automated Scan on hosts that are in the Windows 2003/XP tranche of Operating Systems.

Recommended Preventive Actions:

Oddly, Microsoft has discovered that no ActiveX control objects which interface with MSvidctl.dll are
needed by Internet Explorer. On Windows XP and 2003 systems they may all be safely disabled by using
the tool Microsoft provides for at URL: http://support.microsoft.com/kb/972890. Later systems such as
Windows Vista, 2008, v7 do not appear to be vulnerable.

How to Detect Potential Attacks:

Intrusion Detection Systems which have recently come out withsignatures to detect some facet of this attempted exploit. We are currently investigating efficacy of these signatures and will be updating managed and monitored devices according.
Snort
SourceFire
McAfee
Tipping Point
IDP
Cisco
Popular Antivirus Software are detecting attacks as ‘JS/Exploit.CVE-2008-0015.A.Gen trojan

What to do if You Have Been Attacked:

Typically workstations, laptops and desktops running XP or 2003 are the ones likely to fall victim to this
type of attack. Recommend consulting your security policy for the Incident Response
procedure as it pertains to the asset which is compromised. Infection should be considered serious, and
Windows MSRT may or may not be enough to remove the Trojan Software that the attacker has installed.

Detailed Analysis:

From Microsoft:
Customers who are using Windows Vista or Windows Server 2008 are not affected because the
ability to pass data to this control within Internet Explorer has been restricted.
By default, Internet Explorer on Windows Server 2003 and 2008 runs in a restricted mode that is
known as Enhanced Security Configuration. Enhanced Security Configuration is a group of
preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator
downloading and running specially crafted Web content on a server. This is a mitigating factor for
Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing
Internet Explorer Enhanced Security Configuration.
By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open
HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate
attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX
controls from being used when reading HTML e-mail messages. However, if a user clicks a link in
an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through
the Web-based attack scenario.
In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is
used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or
host user-provided content or advertisements could contain specially crafted content that could
exploit this vulnerability. In all cases, however, an attacker would have no way to force users to
visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site,
typically by getting them to click a link in an e-mail message or Instant Messenger message that
takes users to the attacker’s Web site.
An attacker who successfully exploited this vulnerability could gain the same user rights as the
local user. Users whose accounts are configured to have fewer user rights on the system could be
less impacted than users who operate with administrative user rights.

Suggested Reading:

http://www.microsoft.com/technet/security/advisory/972890.mspx
http://blogs.technet.com/srd/archive/2009/07/06/new-vulnerability-in-mpeg2tunerequest-activexcontrol-
object-in-msvidctl-dll.aspx

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0015

Fancy going from a SQL Injection on Microsoft SQL Server to a full GUI access on the DB? Take a few SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have just one of the attack modules of sqlninja!

Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered. Have a look at the flash demo and then feel free to download it.

Features

The full documentation can be found in the tarball and also here, but here’s a list of what the Ninja does:

  • Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
  • Bruteforce of ‘sa’ password (in 2 flavors: dictionary-based and incremental)
  • Privilege escalation to sysadmin group if ‘sa’ password has been found
  • Creation of a custom xp_cmdshell if the original one has been removed
  • Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
  • TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
  • Direct and reverse bindshell, both TCP and UDP
  • DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)
  • Evasion techniques to confuse a few IDS/IPS/WAF
  • Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection

Platforms supported

Sqlninja is written in Perl and should run on any UNIX based platform with a Perl interpreter, as long as all needed modules have been installed. So far it has been successfully tested on:

  • Linux
  • FreeBSD
  • Mac OS X

Sqlninja does not run on Windows.

http://sqlninja.sourceforge.net/