IDS mailing list archives

Re: SourceFire RNA


From: Renaud Deraison <deraison () nessus org>
Date: Tue, 2 Dec 2003 17:56:58 -0500


[ The second half of this post is more related to VA scanners in general,
and may be considered as being off-topic. 
Moderator : kill this message if you do not think it belongs here]


On Tue, Dec 02, 2003 at 05:27:57PM -0500, Jason wrote:
> - Checking the registry requires administrative privilege, this is in
> essence advertising the administrative credentials to everyone that is a
> recipient of the probe.

The credentials are sent under the form of a hash (NTLMv2 or kerberos).
This is not a vulnerability per se.


> - Attempting to elicit a specific response only identified that a patch
> had been installed, if alternative methods of resolution were taken like
> disabling DCOM then the check was ineffective and inaccurate.

If you disable DCOM, then the attack vector is not here any more -> you 
are not vulnerable. So the active probe actually did its job well.

> - It resulted in a false sense of security for many because the patch
> was ineffective and resulted in a 100% false negative for any integrated
> system that relied solely on this information for vulnerability management.

The initial patch _was_ effective - it fixed _a_ form of the overflow.
If the patch was properly applied, msblaster would not propagate.

Unfortunately, there were other flaws in MSRPC and others vectors were
not fixed by this patch, and were not known either when it was written.

> The passive approach was able to identify, with a high degree of
> certainty, the likely vulnerable systems before patching even began

Absolutely not! Passively you CAN NOT determine if the patch has been
applied. If all the VA tools out there are sending a tortured series of
MSRPC packets there is a good reason for that.

Passively you can at best determine that you have a bunch of Windows 
hosts out there. Some might have been patched, some might not. And in
the end, you don't even know if you've seen ALL of them.

> , it
> was able to identify the change in behavior even though the host was
> supposed to have been patched...

Correct. This is the job of an IDS, though. Also, if a host changes
behavior because it has been infected by the MSRPC worm, you're quite
screwed, security-wise.

> In this way you can foresee possible
> and actual vulnerabilities without ever touching the host directly. With
> this information you can target your response to the high risk systems
> and handle the situation more effectively.


You did not foresee anything. You saw that a 

> Next we have evasion, it is trivial to evade any active probe,
> especially routine ones. When we start thinking about threat management
> this scenario is an even greater concern. An attacker can easily evade
> an active probe from scanning machines and continue to provide services.

It's easy to evade active probes ONCE you've broken in the target. Then
it's obviously too late for pro-active security, this is why there are
IDSes out there.

> I hope I have illustrated why passive is the best way to go when
> considering the true threats and the alternatives.

Your "illustration" is based on a total misunderstanding of the facts.



                                -- Renaud
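The core of the disagreement above is what each data source can actually assert: a passive sensor sees that a host looks like Windows (and only if that host talks on a monitored segment), while an active check yields a verified patch state for the DCOM/MSRPC fix, or establishes that the vector is absent because DCOM is disabled. The following reconciliation script is an added example, not code from the original post or from Nessus or RNA; all hosts, banners and check results in it are constructed sample data, and the `HostView`, `infer_os`, `reconcile` and `coverage_gaps` names are this example's own.

```python
"""Reconcile passive observations with active check results.

Illustrates the thread's argument: passive data gives an OS guess and
incomplete coverage, active data gives a verified patch state. Every
host, banner and result below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed passive observations: (host, banner or traffic hint).
# A passive sensor only records hosts that talk on the monitored segment.
PASSIVE_OBSERVATIONS: List[Tuple[str, str]] = [
    ("10.0.0.5", "SMB NTLMSSP Windows 5.1"),
    ("10.0.0.6", "SMB NTLMSSP Windows 5.0"),
    ("10.0.0.7", "HTTP Server: Apache/1.3.29 (Unix)"),
    ("10.0.0.5", "TCP/135 session to 10.0.0.9"),
]

# Constructed active check results for the DCOM RPC fix discussed in the
# thread: True = probe shows the fix is present, False = host still answers
# like an unpatched host, None = port closed / DCOM disabled (vector absent).
ACTIVE_RESULTS: Dict[str, Optional[bool]] = {
    "10.0.0.5": False,
    "10.0.0.6": None,
    "10.0.0.8": True,   # quiet host: never seen by the passive sensor
}


@dataclass
class HostView:
    host: str
    os_guess: Optional[str] = None
    seen_passively: bool = False
    checked_actively: bool = False
    patch_state: str = "unknown"   # what passive data alone can say


def infer_os(banner: str) -> Optional[str]:
    """Rough OS inference from a passively observed banner (hypothetical rules)."""
    if "Windows" in banner or "NTLMSSP" in banner:
        return "Windows"
    if "(Unix)" in banner:
        return "Unix-like"
    return None


def reconcile(passive: List[Tuple[str, str]],
              active: Dict[str, Optional[bool]]) -> Dict[str, HostView]:
    """Merge both sources; only the active source ever changes patch_state."""
    views: Dict[str, HostView] = {}
    for host, banner in passive:
        view = views.setdefault(host, HostView(host))
        view.seen_passively = True
        guess = infer_os(banner)
        if guess and view.os_guess is None:
            view.os_guess = guess
    for host, result in active.items():
        view = views.setdefault(host, HostView(host))
        view.checked_actively = True
        if result is True:
            view.patch_state = "verified_patched"
        elif result is False:
            view.patch_state = "verified_vulnerable"
        else:
            view.patch_state = "vector_absent"
    return views


def coverage_gaps(views: Dict[str, HostView]) -> Dict[str, List[str]]:
    """Hosts each source missed: the 'did I see ALL of them?' problem."""
    return {
        "never_seen_passively": sorted(h for h, v in views.items()
                                       if not v.seen_passively),
        "windows_not_checked": sorted(h for h, v in views.items()
                                      if v.os_guess == "Windows"
                                      and not v.checked_actively),
    }


if __name__ == "__main__":
    merged = reconcile(PASSIVE_OBSERVATIONS, ACTIVE_RESULTS)
    for view in sorted(merged.values(), key=lambda v: v.host):
        print(f"{view.host:10} os={view.os_guess!s:10} "
              f"passive={view.seen_passively!s:5} "
              f"active={view.checked_actively!s:5} {view.patch_state}")
    print(coverage_gaps(merged))
```

Note that `patch_state` stays `"unknown"` for any host the active check never touched, however confidently the passive side labelled it as Windows; that gap is exactly what the reply says passive observation cannot close, and `coverage_gaps` surfaces the hosts that one side never saw at all.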
