June 22, 2005
In This Issue
Tech Talk

Your Defense is Offensive

Today, Information Technology is flooded with various gadgets and products that are all marketed to help improve security. Some of these products do in fact work as advertised while others do not. One would assume that the security products themselves are in fact secure but the reality is that some security products may in fact be more of a danger to your networks than a benefit. This paper will outline some of the known vulnerabilities in security products as well as some new attack vectors that may not have been considered. This paper is not designed to single out a specific vendor but one may in fact notice a pattern of a few specific vendors having more issues than others.

In the Beginning

By searching the Open Source Vulnerability Database (OSVDB) for the simple keyword of 'security' one finds issues dating as far back as 1996;

OSVDB ID 6519 – IPFW address:mask syntax firewall filter leak.


While this flaw does not lead to IPFW to be used as an attack vector it does show that security issues within security products have existed for quite some time. Lets look at some of the newer, more serious issues out there.

More Relevant Issues

Starting with a security technology that everyone has been convinced that they need, firewalls. When you search online vulnerability databases such as OSVDB (www.osvdb.org) using the simple word; 'firewall' you will find approximately 160 different vulnerabilities. Of course not all of these are serious enough to be used as an attack vector but some are.

The first of which is OSVDB ID 4412 – Checkpoint Firewall-1 SmartDashboard Overflow. This vulnerability allows a remotely authenticated user to elevate their privileges and execute arbitrary commands. This issue is over a year old and according to OSVDB, there are no known patches or workarounds for it but exploit code does in fact exist. The level of exposure to a vulnerability such as this is limited, as you do need to be an authenticated user which would lead one to assume that various log files will offer evidence of your dirty deeds of course those log files are only good if stored in a secure manner and that the evil user doesn't know to cover up the evidence.

Obviously, allowing code be executed on your firewall is a bad thing and the scenarios where this can be abused are endless.

Also under the category of abusing firewalls we find a handful of Zone Alarm vulnerabilities. According to OSVDB there are sixteen different ways one could abuse Zone Alarm. However, out of those sixteen vulnerabilities only two offer the ability to be used in an attack other than your run of the mill denial of service. The first of which was discovered by eEye Digital Security, and is an overflow that was present in the SMTP processing agent. Those of you familiar with this vulnerability are probably getting ready to correct me by saying that this is not remotely exploitable as it requires the malformed SMTP RCPT TO string to come from the client are only partially correct. Yes, the malformed command must come from the client side but that does not rule out the potential to abuse this flaw.

For example, a malicious web link could be easily crafted and used to trick users into sending an email with the correct malicious string causing either the system to simply crash or, even better from an attacker's perspective, to execute commands with system privileges. Probably the easiest and most reliable attack to initiate here, not that I would know anything about attacking systems, would be to upload and execute something, netcat perhaps, that can give you system level shell or backdoor access to the system. Using the netcat example, simply executing it to listen on port 53 or some other non-obvious port is pretty common and as far as I know netcat is not on any of the Anti-Virus vendor hit lists.

The second vulnerability in Zone Alarm is very similar albeit more difficult to achieve as it requires abusing a specific device driver installed with Zone Alarm. Again, this needs to be achieved on the client side and this vulnerability is more prone to crashing the system than it is successfully executing commands but the potential is there and it does work.

In order to prevent this paper from turning into one about nothing more than broken firewalls which would ultimately lead into a rant that may in fact be construed as anti-firewall technology I will move on to another popular security technology – Intrusion Detection Systems (IDS).

As you probably know, there are host based (HIDS) and network based (NIDS) intrusion detection systems for the purpose of this paper I will not distinguish between the two and do what makes most NIDS and HIDS vendors cringe and simply lump them together.

If one wanted to go old school there was a vulnerability found back in 1999 that affected the Dragon IDS system and allowed attackers the ability to execute commands on the IDS host. Of course, this paper is meant to demonstrate practical real world attacks so we will fast forward to attacks that are relevant enough to work in today's environments.

For my first example, I will use the Snort vulnerability that was found just over two years ago. I have personally witnessed environments still running older versions of Snort which is why I am using it as an example. Basically, an attacker can send a specially crafted packet that will cause a heap overflow and execute commands.

Let's think about this one for a minute. Here you have a system that is typically installed on sensitive network segments and is typically in a position to see most network traffic. A smart attacker, wouldn't abuse the sensitivity of this system and rather use this vulnerability to gather data. For example, if one was to use this vulnerability to obtain a remote shell, one could use this system to capture sensitive information as that is essentially what it is already doing.

Luckily, this vulnerability has been fixed and is not present on any new versions of Snort. My next example for those that are good at noticing patterns was discovered by eEye Digital Security.

OSVDB ID # 4702 explains how a flaw in the way RealSecure, Preventia, and BlackIce reassemble SMB packets can be abused to run arbitrary code with SYSTEM privileges. This vulnerability can be exploited with only one simple SMB packet and to quote the eEye advisory, code execution is effortless.

So once again, we have a system that is typically used in sensitive locations offering the ability for an attacker to access sensitive data. Much like the Snort attack, a smart attacker would not abuse this flaw but silently use it to gather sensitive data. In fact this combined with the fact that there are numerous ways to bypass IDS signatures, in general and not just ISS IDS products, and an attacker could easily gain and maintain access to the system. If cautious the attacker could pull this off without being detected.

Another example of the same IDS products leaving organizations open to attack is the ICQ Protocol overflow that was used in the Witty worm. The witty worm is a great example of how so called systems designed to protect you can leave you vulnerable.

All of the above examples are known and have been known for quite some time. Most of them have been addressed by the vendors although that does not mean that there are still systems that can be attacked using these methods. The next scenarios are ones that may or may not have been thought of or reported but does illustrate how the very infrastructure we have built to protect our networks can in fact be used against us.

Patch & Systems Management

At Blackhat Amsterdam 2005, Chris Farrow presented a talk that was researched and written by me. This talk outlined many of the flaws in the current patch and systems management process including some ideas on how these flaws can be abused. Most of these attack scenarios are completely theoretical and while variations or portions of the attacks outline have in fact occurred no one has performed an attack against the patching or systems management infrastructure, YET.

During the Blackhat talk, the following disclaimer was given in point form;
  • No vendor products will be named unless information is already public.
  • Most of these flaws apply to multiple vendors.
  • Any vendor specific issues will be disclosed to the vendors before they are publicly disclosed.
The patching of workstations and servers has become a necessity in maintaining system security and uptime. Almost every organization today finds themselves forced to install some sort of patch on an almost monthly basis. This has become a very expensive problem for organizations and many vendors have gladly stepped up to the plate with various solutions designed to help manage the patching and configuration of systems thus helping to increase the overall security of an organization. Too bad many of these vendors did not consider the impact of their very own products on an organization's security.

Before we dive into the specific flaws in the various products lets look at the anatomy of a Microsoft patch. Patches released by Microsoft are digitally signed, these signatures are available on the patch download server and Microsoft controls the patch process with an XML file named mssecure.xml. As a bare minimum this seems like a reasonable way to handle patch distribution but can you think of any other vendors out there that do not even bother to do this bare minimum?

Patch and Systems Management products can be lumped into two categories. Agent based and Agentless technologies. Obviously, the agent based systems require an agent to be installed on the host systems in order for them to be managed or patched. The agentless systems do not require an agent but usually require privileged credentials or some sort of trust relationship on the network.

Most of these systems communicate over the following protocols;
  • HTTP
  • RPC / DCOM
You will notice that the short list above does not include any protocols that are natively "secure" by means of encryption. Some products do have an option to run over HTTPS while others do encrypt agent to master communications but most do not.

Patches are fed to the master systems either directly via Windows Update over HTTP. Some systems download new patches for each run while others store the patches in a central repository. Some systems are able to simply push out patches and configuration changes while others require custom scripts to be created.

So far, while explaining at very high level how most vendors have approached patch and systems management I have already uncovered some potential flaws that should be investigated. They are;
  • Lack of encrypted communications between the console and the agents.
  • Lack of true authentication (some products) between the agent and the console.
  • Patch repository is a potential attack vector.
To better explain the above list. It has been observed that some vendors do not encrypt the communications via the agent and the console. This leaves them open to replay attacks, and man in the middle attacks. Imagine a sophisticated attacker placing himself between your servers and the system that has the ability to alter the configuration of those systems.

The second point, during testing and research for the original Blackhat talk it was found that some agents only check that the machine name sending the commands matches that of the console and then simply does what it is told by this machine. Obviously this is a huge mistake in terms of security as an attacker can easily not only discover the machine name but also spoof it.

The patch repositories on some systems by default have extremely weak directory and file permissions leaving the very patches themselves vulnerable to modification. While some systems combat this by checking the digital signature each time it issues a patch, others simply check once, save the patch in the directory and then assume that it is a valid patch as long as the file name matches. These are all weaknesses in the patch products themselves but as with any weakness, it is useless unless there is a legitimate attack vector to go along with such weakness.

The first potential attack vector comes from the internal threat which admittedly is not as sexy or cool as an external attack.
  • Compromise the patch repository
    • Attacker gains access to the central patch repository modifies a patch to install malicious code and waits for that patch to be rolled out.
    • Attacker gains access to the central patch repository follows the numbering sequence of vendor patches and places a malicious patch with the next patch name knowing that the system will not overwrite what is in the repository.
  • Sniff internal network for Agent to Console communications or console to system communications
    • Look for credentials as they will have privileged access.
    • Watch for specific commands to figure out and document what the agent will respond to and how it will respond.
    • Man in the middle (MITM) the system and substitute the payload with malicious code.
    • Adjust patch targeting to prevent a patch from being installed leaving a system vulnerable. This would only work if the agent does not report back to the console of patch success/fail. Although such traffic can also be modified or created.
An internal malicious user could pull off one of the above attacks undetected as long as the user is smart enough to learn exactly how the system works and what inputs and outputs it expects. Systems Administrators explicitly trust what they see on their consoles and do not have the time or reason to double check the system.

The second attack scenario is in fact an external attack scenario and abuses a couple flaws found specifically in the Microsoft patch process. The first issue with the Microsoft Patch process is that it is a regularly scheduled process. This gives an attacker a window of opportunity – more on this shortly. The second issue that that while Microsoft publishes a XML file containing everything a user needs to validate a patch. That XML is distributed from the same systems that the patches are distributed from. You will see why this can be a problem in the following scenario.
  • Attacker creates Trojan patch(s) digitally signs them and creates the proper XML file that some systems will look for.
    • Patiently wait for the next "Patch Tuesday"
  • Attacker goes after the infrastructure of their target.
    • Redirects requests for known patch sites to site containing spoofed patches.
    • System will receive what it believes to be a valid XML file then begin download the executables.
  • All your base belong to attacker.
    • The Trojan patch could address the actual problem and simply install its own additional code.
    • The Trojan patch can be digitally signed, obviously not with Microsoft's key but with another. Many patch management systems only check that there is a signature and does not actually validate that signature.

Solutions & Conclusion

The above scenarios are nothing more than scenarios based on high level research of vulnerabilities and how specific products work. While products that run and "secure" Microsoft environments were used in all of the examples these flaws can in fact extend to other operating systems.

The bottom line and the entire point of this paper is that organizations need to start putting more thought and research into what products they use to protect their infrastructures. Basing purchasing decisions on who has the cutest booth babes at the various conferences may make sense for general IT products and services but not when selecting a security or systems management vendor.

Steve Manzuik – Security Product Manager, eEye Digital Security

News & Articles
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.

BusinessWeek: Computers' Insecure Security
"Software meant to protect PCs are now attack targets, revealing a rising number of flaws -- even more than those of Microsoft products." Full Article

NewsFactor: Hackers Eye Security Software as New Target for Malware
"Rather than going after operating systems like Windows, malicious hackers have become more interested in the vulnerabilities that might exist in commonly used security software from vendors like Symantec, Check Point and F-Secure." Full Article

Sydney Morning Herald: Security Claims Asking for Trouble
"Two words that should never pass the lips of a software vendor are 'it's secure'. Such statements draw the undivided attention of the world's security researchers..." Full Article

SecurityFocus: Flaw Disclosure Hurts Software Maker's Stock
"Software makers stand to lose significant market value whenever a flaw is found in their products, two university researcher said in a paper published on Friday." Full Article

Reader Q&A

Q: What steps should I take to secure my wireless device?

A: This is a fairly general question that is quite broad. You could mean something as simple as your 802.11b Wireless Access Point (WAP) or you could mean that nice new Centrino laptop you bought that not only has 802.11b but also Bluetooth. For the purpose of this answer I will concentrate on wireless devices such as your laptop and your mobile phones. That being said, a quick Google search reveals a lot of information on securing the end-points (change the ssid, turn on WEP, etc.).

When I look at wireless devices I own, I see my Blackberry phone and my standard issue IBM Thinkpad. My Blackberry of course has Bluetooth but the folks at Research In Motion ship these things with the Bluetooth disabled out of the box. So unless you are using a Bluetooth enabled headset I would leave it that way. Many security vulnerabilities have been discovered in the Bluetooth protocol one of which would allow someone to masquerade as a legitimate device (for example your headset) and "pair" with your phone. Before you run out and disable Bluetooth on your phone note that in order for this to be successful the attacker must have brute forced your access PIN on the phone which even though it is only 4 numbers (on most model phones) is not an easy task not to mention that the range of Bluetooth devices is very limited. Be sure to change the default PIN on your phone as my experience with an old Nokia phone was that the default PIN was simply "1234". Also, if your device supports it, set it to only communicate with the devices you wish and not accept new pairing requests and also manually pair your headset and other devices to the handset.

The laptop however is a bit more dangerous. Here you have a device that has both 802.11b and Bluetooth built in and enabled by default.

The first thing I did with my laptop was disabled the Bluetooth as I am perfectly happy using a USB cable to sync my phone. When I do find a need to use the Bluetooth connectivity, I turn off authentication and set a random PIN. Once finished using the device I disable Bluetooth once again on my laptop.

As for the wireless, I leave that turned off as well unless I am using it on a wireless network that I trust. Read the last few words again and think about them – "a wireless network that I trust".

I will not go into detail about untrusted wireless network at airports, coffee shops, etc. but I will say that the only wireless network I trust is the one I setup using proper encryption, and MAC filtering. When I am not using this network, my wireless is disabled and stays that way.

Sure, it is convenient to use a wireless network at an airport, hotel or coffee shop but unless you have proper host based security, such as a good firewall, anti-virus, and intrusion prevention I would highly recommend against it. Before I go on any business trip where I know I will have to use the untrusted networks, because saying never do it does not make business sense, I insure that my laptop has all the latest windows updates, has the latest updates to my favorite IPS, Blink of course, and that my Anti-Virus is also up to date and working. Doing anything less would be asking for trouble.

Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.

Announcements

Advisory: HTML Help File Parsing Buffer Overflow
On June 14, 2005, eEye announced the discovery of a new critical vulnerability related to Microsoft Windows. The discovery uncovers a critical flaw in Microsoft's HTML Help, affecting unpatched Windows 2003, XP, 2000 and 98 machines. Full Article

Seminar: Post-Patch Day Vulnerability Expert Forum
Join experts from eEye's research team for a discussion following every month's Microsoft "Patch Tuesday". The forum is a quick way to get up to speed on current potential risks to your organization. Full Article

Products: Blink® 2.0 Beta Available for Evaluation
The latest version of eEye's award-winning endpoint security solution – Blink 2.0 - is available for public download. With the addition of anti-spyware technology and dynamic protection from "phishing" scams, Blink delivers the most comprehensive layers of protection available. Full Article

Etcetera

Microsoft Begs To Be Hacked
Microsoft recently invited hackers to descend upon Redmond for a chance to exploit Windows code openly. The event was billed as "Blue Hat" in reference to the popular Black Hat conferences that provide a public forum for security professionals and the hacking community to interface. More

Microsoft's Security Response Center: How Little Patches Are Made
Once the tests are completed, the process shifts to actually creating content for the bulletins, which are scheduled for release on the second Tuesday of every month. During this phase, the MSRC again coordinates closely with the product teams to make sure that there's a perfect balance between providing accurate guidance without offering enough information for malicious hackers to reverse-engineer the patch. More

HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html

FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.

DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.