Realsecure Advisory - Fate Research Labs (11-01-00)

[Loki <loki () f8labs com>]

    -----------------.---------------------------------------------.
  /|                 |                             .               |
 / | :               : :             : :             :             |
|  | ::        ------  ::            : ::          | ::     -      |-----
|  | ::              : ::     .      :      |      | ::            :     |
|  |                 :        .      |------|      |               :     |
|  |           ------^        :      |     /       |                     .
|  ;----------"---------------^------     /  ------'---------------------
| /          /               /      /----'        /                     /
|'----------'---------------'------'     --------'---------------------'
                                www.f8labs.com





INTRODUCTION

Advisory .........: RealSecure or Real"un"Secure <RealSecure Can Not Detect
RDS and recent Unicode Exploit>
Release Date .....: 11-01-00
Application ......: RealSecure by ISS
Version ..........: All versions prior to and including 5.0 of all sensors
Vendor Status ....: Contacted - no responses
By ...............: Fate Research Labs
WWW ..............: www.f8labs.com




[ OVERVIEW ]

RealSecure by Internet Security Systems recently released version 5.0 of
their
Intrusion Detection System software. ISS markets RealSecure as a collection
of
detection modules with unique attack recognition and response capabilities,
otherwise known as sensors. The network class of sensors monitors the raw,
unfiltered traffic on enterprise networks, looking for patterns, protocol
violations, and repeated access attempts that indicate malicious intent. The
OS
sensor performs real-time intrusion monitoring, detection, and prevention of
malicious activity by analyzing kernel-level events and host logs.

When RealSecure detects unauthorized activity, it can respond in a number of
ways,
automatically recording the date, time, source, and target of the event,
recording the content of the attack, notifying the system administrator,
reconfiguring a firewall or router, suspending a user account, or
terminating
the attack.




[ ADVISORY ]

Despite all of the wonderful, feature rich, value add functionality of
RealSecure,
their remains one catch. In no place within the management console are you
allowed
to add your own custom signatures. This is the very thing that makes this
product
so weak. With all of the open source Intrusion Detection Systems, including
some
commercial ones offered by other companies, the user is allowed to add his
own
custom signatures to the database. Our question is why would ISS not want
their
customers to have that same luxury. The administrator finds himself in a GUI
hell
filled with icons of signatures provided by ISS when administering the
signatures.

A year old advisory called RDS by Rain Forrest Puppy, which is a popular toy
by skript
kiddies is one of the most common tools used to compromise NT-based
machines. I quote
from the original RDS advisory released 10-12-99.


    "it...is direct, immediate, and almost 100% guaranteed
     to work....THE NUMBER OF HUGE SITES THAT ARE VULNERABLE
     IS RIDICULOUS!"
                                        -Russ Cooper, NTBugtraq


     "This exploit also does *not* require the presence of
      any sample web applications or example code...the
      issue affects at least 50% of the IIS servers I have
      seen"
                                        -Greg Gonzalez, NTBugtraq



/* -- snip from bugtraq id: 529 -- */

MDAC (Microsoft Data Access Components) is a package used to integrate web
and
database services. It includes a component named RDS (Remote Data Services).
RDS allows remote access via the internet to database objects through IIS.
Both
are included in a default installation of the Windows NT 4.0 Option Pack,
but
can be excluded via a custom installation.

RDS includes a component called the DataFactory object, which has a
vulnerability
that could allow any web user to:

--Obtain unauthorized access to unpublished files on the IIS server
--Use MDAC to tunnel ODBC requests through to a remote internal or external
location,
thereby obtaining access to non-public servers or effectively masking the
source of an
attack on another network.


The main risk in this vulnerability is the following:
--If the Microsoft JET OLE DB Provider or Microsoft DataShape Provider are
installed,
a user could use the shell() VBA command on the server with System
privileges.
(See the Microsoft JET Database Engine VBA Vulnerability for more
information).
These two vulnerabilities combined can allow an attacker on the Internet to
run
arbitrary commands with System level privileges on the target host.

/* -- snap end bugtraq desc. of rds exploit -- */



With such a dangerous tool on the loose, and the amount of sites compromised
using
it not declining, the need to detect and prevent such an attack is
detrimental. To
our surprise, the newest version and new set of signatures provided by ISS
would not
detect our RDS attacks on remote networks being protected by RealSecure.
With so many
large corporations and even Security Operation Centers deploying this
product, it is
the belief of F8 Labs that the customers of this product are made aware of
its
handicap. If a popular exploit that was released last year has not yet been
added to
their signature database, what else has not that we haven't tested?

It has also been discovered that the recent Unicode exploit goes undetected
by
RealSecure as well.

------ snip // unicode --------

An anonymous person posts that they can run arbitrary commands on IIS 5
(Win 2000) using the following URL:

http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+d
ir+c:\


It seems the values of %c0%af and %c1%9c work for IIS 5. Curiousity
getting the better of me, I tried it on IIS 4. Uh oh, works there too.

------ snap // unicode --------



[ FOR THE KIDDIES ]

For those of you out there who would like to know if RealSecure is
protecting a
remote site, try looking for a service running on port 2998. This is the
administration
port that a remote console would use to connect to the remote sensor.


[ CONCULSION ]

Fate Research suggests that ISS allow customers the ability to modify
built-in signatures
as well as add signatures. The inability to add new signatures for exploits
as they
are released puts full control in the hands of ISS in hopes that they are
protecting your
network against commonly used new threats. A task that they are failing
miserably with at the
time of this writing.






================================================================
Loki
Fate Research Labs
loki () f8labs com
----------------------------------------------------------------
BEGIN PGP SIGNATURE

iQA/AwUBOfZvfGnwBJRV5bxfEQJu7gCfQ/T0O9u75nzRGWVSeurNmnFRVr8Anj0c
M+UXhPDBvsm+ffRpv41zevQN
=3IRx
================================================================