A maintenance release, this one: a few new rules and some performance enhancements. Also, make sure you are using the dcerpc2 preprocessor now, since these rule releases no longer include the flowbit rules that coverage for some DCERPC-related vulnerabilities used to depend on.
As a result of ongoing research, the Sourcefire VRT has added multiple rules to the web-activex, web-misc, specific-threats, exploit and chat rule sets to provide coverage for emerging threats from these technologies.
Advisory and changelog link here: http://www.snort.org/vrt/advisories/2009/08/25/vrt-rules-2009-08-25.html
Tuesday, August 25, 2009
Monday, August 24, 2009
SubSeven is back after hiatus
According to an entry dated July 31, 2009 on www.subseven.org, the infamous backdoor SubSeven is back. "Work with the crew on a new version of 2.2 has begun. For now we will call it 2.3", said mobman, who is known for having written the first version of the program in 1999. There is no mention of why development resumed after a break of several years. We grabbed a copy of the latest build (2.1.5) posted on the website, and ClamAV detected the server and client files as:
server.exe: Trojan.SubSeven.215-srv
SubSeven.exe: Trojan.Spy-50523
We will continue to monitor this website for updates to SubSeven.
Tuesday, August 18, 2009
Rule release for today - August 18 2009
As a result of ongoing research, the Sourcefire VRT has added multiple rules to the web-client, web-misc and sql rule sets to provide coverage for emerging threats from these technologies.
Snort link here: http://www.snort.org/vrt/advisories/2009/08/18/vrt-rules-2009-08-18.html
Sourcefire 3D customers can get SEU 235 with these new rules and modifications.
Monday, August 17, 2009
Vulnerability Report August 2009
This month's report covers three of the Microsoft Tuesday advisories, Snort 2.8.5 RC, Byakugan, DHCLIENT and BIND 9.
New Byakugan functionality - !jutsu searchVtptr
With heap metadata exploits going out of favor (hzon's fine work notwithstanding), I've recently gone after a number of vtable overwrites. This can be no fun at all to do by hand, so I've added some helpful code to byakugan to let you search for the pointers to pointers to pointers to code that you need. :)
So if you're in a situation where you get this:
mov ecx, [edx] : edx = [something you control]
push edx
call [ecx + 0x1c]
You know you've trashed a vtable pointer. If you also, say, have esi pointing to a buffer you control, then you need to get esi into esp and then return. To do this, though, you'll need a pointer to a pointer that, when 0x1c is added to it, points to a pointer to (for example):
mov esp, esi
ret
This used to mean clever IDA scripts, searching over multiple DLLs, lots of time, PITA. To do this automagically in byakugan, you can now type:
!jutsu searchVtptr [offset in vtable] [opcodes]
So in this case:
!jutsu searchVtptr 0x1c mov esp, esi | ret
This works a lot like the searchOpcode jutsu. Instructions are delimited by the | character in your command. Currently, no wildcards are supported, but I plan to add that functionality. The main stumbling block there, I think, is speed. It's not really a speed demon of a jutsu as it is (with three nested search loops), but I suppose it beats hunting by hand ;) So if you're lucky, and your process space contains the code and pointers you need, you'll get something like this back:
0x75cb4b36 -> 0x10450107 -> 0x100ffc08 -> sequence
0x6bb322a6 -> 0x1045891b -> 0x100ffc08 -> sequence
0x6f862d19 -> 0x1045891b -> 0x100ffc08 -> sequence
0x6b7e9459 -> 0x10458b3f -> 0x100ffc08 -> sequence
0x6b82884e -> 0x10458b3f -> 0x100ffc08 -> sequence
Once you have a working chain of pointers, you can put the return address to turn off dep in your pointer at esi, one of your chain pointers in edx, and roll on along from there. Happy hunting!
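The three nested searches that searchVtptr performs, reproduced over a byte string that stands in for the process address space. This is an added example written for this page, not code from the original post or from byakugan itself: the image layout, the base address 0x10000000 and the sample contents are constructed, and the gadget bytes 89 F4 C3 are one valid encoding of mov esp, esi ; ret (8B E6 C3 is another that a real search would also want to try).

```python
import struct

# Added example, not code from the original post or from byakugan itself.
# It reproduces the three nested searches that searchVtptr performs, over a
# byte string standing in for the process address space.


def find_all(mem: bytes, needle: bytes):
    """Yield every offset at which needle occurs in mem (overlaps included)."""
    i = mem.find(needle)
    while i != -1:
        yield i
        i = mem.find(needle, i + 1)


def search_vtptr(mem: bytes, base: int, offset: int, seq: bytes):
    """Return (A, B, C) triples such that
         [A] == B, [B + offset] == C, and C points at the bytes in seq,
       where [X] is the little-endian dword stored at address X.
       With edx == A, the sequence  mov ecx,[edx] / call [ecx+offset]
       lands on seq."""
    chains = []
    for ci in find_all(mem, seq):                          # loop 1: the code itself (C)
        c = base + ci
        for si in find_all(mem, struct.pack("<I", c)):     # loop 2: slots holding C
            if si < offset:
                continue                                   # B would lie before the image
            b = base + si - offset                         # B = slot address - offset
            for ai in find_all(mem, struct.pack("<I", b)):  # loop 3: pointers to B
                chains.append((base + ai, b, c))
    return chains


def fmt_chain(chain) -> str:
    """Render a chain the way the jutsu prints it."""
    a, b, c = chain
    return f"0x{a:08x} -> 0x{b:08x} -> 0x{c:08x} -> sequence"


IMG_BASE = 0x10000000                          # assumed base of the constructed image
MOV_ESP_ESI_RET = bytes.fromhex("89f4c3")      # mov esp,esi ; ret (one valid encoding)


def build_sample_image() -> bytes:
    """Constructed 4 KiB stand-in for a process image, not a real dump."""
    img = bytearray(0x1000)
    img[0x800:0x803] = MOV_ESP_ESI_RET                        # C  = 0x10000800
    img[0x31c:0x320] = struct.pack("<I", IMG_BASE + 0x800)    # [B + 0x1c] = C, B = 0x10000300
    img[0x100:0x104] = struct.pack("<I", IMG_BASE + 0x300)    # A1: [0x10000100] = B
    img[0x200:0x204] = struct.pack("<I", IMG_BASE + 0x300)    # A2: [0x10000200] = B
    return bytes(img)


def demo():
    """Equivalent of: !jutsu searchVtptr 0x1c mov esp, esi | ret"""
    return search_vtptr(build_sample_image(), IMG_BASE, 0x1c, MOV_ESP_ESI_RET)


if __name__ == "__main__":
    for chain in demo():
        print(fmt_chain(chain))
```

Each A that comes back is a candidate value for edx; pick one that sits in memory that will not move between your overwrite and the call (a module's data section rather than a heap chunk), or the chain breaks at the first hop.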
Tuesday, August 11, 2009
Microsoft Tuesday Coverage for August 2009
Well, it's the first Microsoft Tuesday after DefCon and, as punishment, there are 9 advisories to note, 8 of which are suitable for detection by an IPS/IDS.
Microsoft Security Advisory (MS09-036):
Microsoft Internet Information Server (IIS) contains a programming error that may allow a remote attacker to cause a Denial of Service (DoS) against a vulnerable system.
A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 15851.
Microsoft Security Advisory (MS09-037):
The Microsoft Active Template Library contains programming errors that may allow a remote attacker to execute code on a vulnerable system.
Previously released rules to detect attacks targeting this vulnerability are included in this release with updated references, and are identified with GID 1, SIDs 15638 through 15671.
Microsoft Security Advisory (MS09-038):
The Microsoft Windows AVIFile API contains a programming error that may allow a remote attacker to execute code on a vulnerable system.
Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 3, SIDs 15854 and 15857.
Microsoft Security Advisory (MS09-039):
The Microsoft Windows Internet Naming Service (WINS) contains a programming error that may allow a remote attacker to execute code on a vulnerable system.
Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 3, SIDs 15848 and 15849.
Microsoft Security Advisory (MS09-041):
The Microsoft Windows Workstation Service contains a programming error that may allow a remote attacker to execute code on a vulnerable system.
A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 15860.
Microsoft Security Advisory (MS09-042):
The Microsoft Windows Telnet implementation suffers from a programming error that may allow a remote attacker to execute code on an affected system. The problem occurs due to the improper processing of NTLM credentials.
A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 15847.
Microsoft Security Advisory (MS09-043):
Microsoft Office Web Components contain multiple vulnerabilities that may allow a remote attacker to execute code on an affected system.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 3, SIDs 15685 through 15692 and GID 1, SIDs 15852, 15853, 15855 and 15856.
Previously released rules to detect attacks targeting this vulnerability are included in this release with updated references, and are identified with GID 1, SIDs 7872 and 7873.
Microsoft Security Advisory (MS09-044):
Microsoft Remote Desktop Connection contains programming errors that may allow a remote attacker to execute code on a vulnerable system.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 3, SIDs 15850 and 15861 through 15864.
As always, a link to snort.org http://www.snort.org/vrt/advisories/2009/08/11/vrt-rules-2009-08-11.html
Friday, August 7, 2009
Syntax Checking your Snort Rules
Our friend over in Blighty has been at it again. This time, Leon has come up with dumbpig, a tool written in Perl that checks your Snort rules and tells you what, if anything, is wrong with them and what you should do about it.
Here's a sample of dumbpig output:
torchwood% ./dumbpig.pl -h
DumbPig version 0.5 - leon.ward@sourcefire.com
Because I hate looking for the same dumb problems with snort rule-sets
__,, ( Dumb-pig says ) ~( oo ---( "ur rulz r not so ) '''' ( gud akshuly" * )
Config
----------------------
* Sensivity level - 3/3
* Blocklist outputi : Disabled
* Processing File - 0
* Check commented out rules : Disabled
* Pause : Disbled
* ForceFail : Disabled
* Censor : Disabled
* Quite mode : Disabled
----------------------
Error : Please specify a rules file
Usage dumbPig
-u or --update Check for updates
-r or --rulefile
-s or --sensitivity <1-4> Sensitivity level, Higher the number, the higher the pass-grade
-b or --blocklist Enable blocklist output (see Marty's Blog post for details)
-p or --pause Pause for ENTER after each FAIL
-w or --write Filename to wite CLEAN rules to
-q or --quiet Suppress FAIL, only provide summary
-d or --disabled Check rules that are disabled i.e commented out #alert # alert etc
-v or --verbose Verbose output for debugging
-c or --censor Censor rules in the output, in case you dunt trust everyone
-f or --forcefail Force good rules to FAIL. Allows output of all rules

Checking an actual VRT rules file:

torchwood% ./dumbpig.pl -s 4 -r netbios.rules -d
DumbPig version 0.5 - leon.ward@sourcefire.com
Because I hate looking for the same dumb problems with snort rule-sets
__,, ( Dumb-pig says ) ~( oo ---( "ur rulz r not so ) '''' ( gud akshuly" * )
Config
----------------------
* Sensivity level - 4/3
* Blacklist outputi : Disabled
* Processing File - netbios.rules
* Check commented out rules : Enabled
* Pause : Disbled
* ForceFail : Disabled
* Censor : Disabled
* Quite mode : Disabled
----------------------
--------------------------------------
Total: 0 fails over 679 lines in netbios.rules - Contact leon.ward@sourcefire.com

Looks like we can write pretty good Snort rules. Let's try someone else's efforts (and we'll censor the output to save embarrassment):

torchwood% ./dumbpig.pl -s 4 -r other.rules -d -c
DumbPig version 0.5 - leon.ward@sourcefire.com
Because I hate looking for the same dumb problems with snort rule-sets
__,, ( Dumb-pig says ) ~( oo ---( "ur rulz r not so ) '''' ( gud akshuly" * )
Config
----------------------
* Sensivity level - 4/3
* Blocklist outputi : Disabled
* Processing File - other.rules
* Check commented out rules : Enabled
* Pause : Disbled
* ForceFail : Disabled
* Censor : Enabled
* Quite mode : Disabled
----------------------
Issue 1
2 Problem(s) found with rule on line 127 of other.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( \
    msg: "XXXXXXXX"; \
    fragbits: !M; \
    fragoffset: >0; \
    classtype: bad-unknown; \
    sid: XXXXX; \
    rev:5; \
)
- TCP/UDP rule with no deep packet checks? This rule looks more suited to a firewall or blocklist
- TCP, without flow. Considder adding flow to provide better state tracking on this TCP based rule
=============================================================================
..big snip here...
--------------------------------------
Total: 11 fails over 628 lines in other.rules - Contact leon.ward@sourcefire.com

Not so great rule writing akshully. So, if you write your own Snort rules and want to be sure you are doing it right, we recommend you use dumbpig, and don't forget to send Leon a thank-you note (and probably beer, he likes that).
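The two complaints in the censored output above, "no deep packet checks" and "TCP without flow", are mechanical enough to show as code. What follows is an added example written for this page, a small linter in the spirit of dumbpig rather than dumbpig's own Perl; the set of keywords it treats as "deep packet" inspection, the header parser and the four sample rules (local-range SIDs 1000001 to 1000004) are all assumptions constructed for the example.

```python
import re

# Added example: a small rule linter in the spirit of dumbpig, not dumbpig's
# own code. It implements the two checks visible in the sample output above.

# Rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)"
    r"\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)

# Option keywords counted as "deep packet" inspection. This is an assumed
# set; dumbpig's own list is not shown on the page.
DEEP_KEYWORDS = {"content", "uricontent", "pcre", "byte_test", "byte_jump",
                 "byte_extract", "isdataat"}


def option_keywords(body: str):
    """Return the option keywords of a rule body, honouring double quotes
    and backslash escapes so a ';' inside msg or content does not split."""
    keys, cur, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            quoted = not quoted
        elif ch == ";" and not quoted:
            keys.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        keys.append("".join(cur))
    return [k.split(":", 1)[0].strip().lower() for k in keys if k.strip()]


def lint_rules(text: str, check_disabled: bool = False):
    """Return [(line_no, [problem, ...]), ...] for every rule failing a check.
    check_disabled mirrors dumbpig's -d: also look at '#alert ...' lines."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            if not check_disabled:
                continue                       # commented-out rule, -d not given
            line = line.lstrip("# ").strip()
        m = HEADER_RE.match(line)
        if not m:
            continue                           # blank line, comment, variable, etc.
        proto = m.group(2).lower()
        keys = set(option_keywords(m.group(8)))
        problems = []
        if proto in ("tcp", "udp") and not keys & DEEP_KEYWORDS:
            problems.append("TCP/UDP rule with no deep packet checks? "
                            "This rule looks more suited to a firewall or blocklist")
        if proto == "tcp" and "flow" not in keys:
            problems.append("TCP, without flow. Consider adding flow to provide "
                            "better state tracking on this TCP based rule")
        if problems:
            findings.append((lineno, problems))
    return findings


# Constructed sample rules file (not VRT rules): a header-only TCP rule,
# a good HTTP rule, a UDP rule with content, and a disabled TCP rule.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE fragment only"; fragbits:!M; fragoffset:>0; classtype:bad-unknown; sid:1000001; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE URI"; flow:to_server,established; content:"/evil.php"; http_uri; classtype:web-application-attack; sid:1000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE DNS"; content:"|01 00 00 01|"; classtype:misc-activity; sid:1000003; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE disabled"; content:"EHLO"; classtype:misc-activity; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    for lineno, problems in lint_rules(SAMPLE_RULES, check_disabled=True):
        print(f"{len(problems)} Problem(s) found with rule on line {lineno}")
        for p in problems:
            print(f"- {p}")
```

Run as-is it flags line 1 twice and, because of the -d equivalent, the commented-out rule on line 4 once for the missing flow option; the HTTP and DNS rules pass. A rule that fails the first check is not wrong, it is just work a stateless filter could do more cheaply than a content engine.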
Monday, August 3, 2009
DoJoSec meeting - August 6th
This month's DoJoSec meeting features three speakers:
Sean Morrissey - "Apple’s File Vault – How Secure is it?"
Dale Beauchamp - "The First 120"
Matt Fisher - "The Big Picture: Web Risks and Assessments Beyond Scanning"
Details are available here: http://www.dojosec.com/?p=160
We'll see you there.
Freakshow Sumo
Patrick Mullen (phoo) and Ryan Pentney (kappa) take each other on in a Sumo match at the IOActive Freakshow party at Defcon 17.
Watch closely, the loser of each bout gets tea bagged.