Diaries

Published: 2003-07-17

Cisco IOS Interface Denial of Service Vulnerability


Cisco announced a critical infrastructure vulnerability concerning the IOS software which is widely deployed as a network operating system on routers and switches.

A working exploit has been posted to public mailing lists. It has been reported that the exploit code was used in some attacks. However, so far we don't see any widespread usage. Sporadic network outages over the last two days can be attributed to network operators upgrading routers.

Summary:

Cisco IOS is deployed on many routers involved in the Internet infrastructure. A specially crafted sequence of IPv4 packets can cause an error on a router interface: the router incorrectly marks the interface as having a full queue and blocks inbound traffic to that interface. The affected router has to be rebooted to resume operation.

Impact:

A large number of ISPs and end users are using affected equipment. Large internet service providers have already upgraded many routers. As a side effect, internet users may have experienced outages due to the maintenance work. Some of these outages are reflected in the 'global instability index' which is maintained by Dennis McGrath (Univ. Dartmouth): http://people.ists.dartmouth.edu/~dmcgrath/gii/ . The measured BGP route flapping occurs as ISPs reroute traffic temporarily while some routers are down for upgrades.

Details:

More details on this vulnerability and potential fixes or workarounds are available from Cisco.

References:

http://www.cert.org/advisories/CA-2003-15.html

http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
----
Contributed by the SANS Incident Handlers (isc at incidents dot org)


Published: 2003-07-16

Microsoft Buffer Overrun in RPC


On July 17th, CERT and Microsoft released a Security Bulletin regarding a newly discovered buffer overrun in Microsoft Windows products.

Vulnerable Systems

==================

- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 Terminal Services Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server 2003

Summary

==================

A buffer overrun was discovered in Microsoft's RPC implementation. RPC (Remote Procedure Call) is one of the protocols used by Windows systems; it is used to execute code on a remote system. Microsoft's RPC implementation added specific extensions to the original Open Source RPC protocol.

According to Microsoft: "The vulnerability is present in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. This interface handles DCOM object activation requests that are sent by client machines (such as Universal Naming Convention (UNC) paths) to the server."

Impact

==================

This vulnerability can be exploited by sending a specially formed request to the remote computer on port 135.

A remote attacker could exploit this vulnerability to execute arbitrary code with Local System privileges or to cause a denial of service.

Solution

==================

If the machine is connected to the Internet, block access to port 135. This will prevent access to this port and any attempt to exploit this vulnerability.

It is also highly recommended to apply the patch released by Microsoft, as described in Microsoft Security Bulletin MS03-026.

Microsoft Patches

==================

* Windows NT 4.0 Server
http://microsoft.com/downloads/details.aspx?FamilyId=2CC66F4E-217E-4FA7-BDBF-DF77A0B9303F&displaylang=en

* Windows NT 4.0 Terminal Server Edition
http://microsoft.com/downloads/details.aspx?FamilyId=6C0F0160-64FA-424C-A3C1-C9FAD2DC65CA&displaylang=en

* Windows 2000
http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en

* Windows XP 32 bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en

* Windows XP 64 bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=1B00F5DF-4A85-488F-80E3-C347ADCC4DF1&displaylang=en

* Windows Server 2003 32 bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=F8E0FF3A-9F4C-4061-9009-3A212458E92E&displaylang=en

* Windows Server 2003 64 bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=2B566973-C3F0-4EC1-995F-017E35692BC7&displaylang=en

References

==================

CERT® Advisory CA-2003-16 Buffer Overflow in Microsoft RPC
http://www.cert.org/advisories/CA-2003-16.html

Microsoft Security Bulletin MS03-026
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp

------------------------------------------------------------

Pedro Bueno - SANS Incident Handler


Published: 2003-07-10

Passive OS Fingerprinting Update

This table is an updated summary of Toby Miller's paper about Passive OS Fingerprinting.

*Windows 95, Windows 98 and Windows XP fingerprints were added after some lab experiments.

Linux

----------------

Window Size = 5840 (Linux 2.4) or 32120 (Linux 2.2)

Initial TTL = 64

IP ID: Increments randomly at the start of each session

TCP Options: MSS, SackOK, WindowScale, Timestamp, one NOP

Total Packet Length: 60 bytes

OpenBSD

----------------

Window Size = 16384

Initial TTL = 64

IP ID: Completely random

TCP Options: MSS, SackOK, WindowScale, Timestamp, five NOPs

Total Packet Length: 64 bytes

TOS = 0x10

FreeBSD

----------------

Window Size = 65535

Initial TTL = 64

IP ID: Increments by 1

TCP Options: MSS, WindowScale, three NOPs, Timestamp (first three SYN tries)

Total Packet Length: 60 bytes (first three SYN tries)

*TCP Options: MSS (after first three SYN tries)

*Total Packet Length: 44 bytes (after first three SYN tries)

Solaris 7

----------------

Window Size = 8760

Initial TTL = 255

IP ID: Increments by one always

TCP Options: MSS

Total Packet Length: 44 bytes

AIX 4.3

----------------

Window Size = 16384

Initial TTL = 64

IP ID: Increments by one always

TCP Options: MSS

Total Packet Length: 44 bytes

TOS = 0x10

Windows 2000

----------------

Window Size = 16384

Initial TTL = 128

IP ID: Increments by one all of the time

TCP Options: MSS, SackOK, two NOPs

Total Packet Length: 48 bytes

Windows 98

----------------

Window Size = 8192

Initial TTL = 128

IP ID: Increments by 256 (?)

TCP Options: MSS, SackOK, two NOPs

Total Packet Length: 48 bytes

Windows 95

----------------

Window Size = 8192

Initial TTL = 32

IP ID: Increments by 256

TCP Options: MSS

Total Packet Length: 44 bytes

Windows XP

----------------

Window Size = 64240

Initial TTL = 128

IP ID: Increments by one

TCP Options: MSS, SackOK, two NOPs

Total Packet Length: 48 bytes

References:

Toby Miller Original Paper:

http://www.sans.org/rr/special/passiveos.php

Toby Miller Original Paper - Part 2

http://www.sans.org/rr/special/passiveos2.php
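As an added example (not part of the original diary or Toby Miller's paper), the following Python parses a raw IPv4/TCP SYN and matches it against the table above. Option kinds are compared as a set plus a NOP count because the summary lists kinds rather than their order; the observed TTL is rounded up to the nearest common initial value; the sample packet, its addresses and the "kind%d" fallback name are constructed for this example.

```python
import struct

SIGNATURES = [  # transcribed from the summary above; option kinds are matched as a set plus a NOP count
    # (name, window size, initial TTL, option kinds except NOP, NOP count, IP total length)
    ("Linux 2.4",    5840,  64,  {"MSS", "SackOK", "WScale", "TS"}, 1, 60),
    ("Linux 2.2",    32120, 64,  {"MSS", "SackOK", "WScale", "TS"}, 1, 60),
    ("OpenBSD",      16384, 64,  {"MSS", "SackOK", "WScale", "TS"}, 5, 64),
    ("FreeBSD",      65535, 64,  {"MSS", "WScale", "TS"},           3, 60),
    ("Solaris 7",    8760,  255, {"MSS"},                           0, 44),
    ("AIX 4.3",      16384, 64,  {"MSS"},                           0, 44),
    ("Windows 2000", 16384, 128, {"MSS", "SackOK"},                 2, 48),
    ("Windows 98",   8192,  128, {"MSS", "SackOK"},                 2, 48),
    ("Windows 95",   8192,  32,  {"MSS"},                           0, 44),
    ("Windows XP",   64240, 128, {"MSS", "SackOK"},                 2, 48),
]
OPTION_NAMES = {2: "MSS", 3: "WScale", 4: "SackOK", 8: "TS"}  # TCP option kind numbers

def parse_syn(pkt):  # -> (total_len, ttl, window, option kinds, nop count) from a raw IPv4/TCP packet
    ihl = (pkt[0] & 0x0F) * 4                       # IPv4 header length in bytes
    total_len, ttl = struct.unpack_from("!H", pkt, 2)[0], pkt[8]
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4                       # TCP header length incl. options
    window = struct.unpack_from("!H", tcp, 14)[0]
    kinds, nops, i = set(), 0, 20
    while i < doff:
        kind = tcp[i]
        if kind == 0:                               # end-of-option-list
            break
        if kind == 1:                               # NOP is a single byte
            nops, i = nops + 1, i + 1
            continue
        kinds.add(OPTION_NAMES.get(kind, "kind%d" % kind))
        i += tcp[i + 1]                             # every other option carries a length byte
    return total_len, ttl, window, kinds, nops

def guess_initial_ttl(ttl):  # round an observed TTL up to the nearest common initial value
    return next(t for t in (32, 64, 128, 255) if ttl <= t)

def fingerprint(pkt):  # names from the table whose SYN signature matches (may be several or none)
    total_len, ttl, window, kinds, nops = parse_syn(pkt)
    probe = (window, guess_initial_ttl(ttl), kinds, nops, total_len)
    return [name for name, *sig in SIGNATURES if tuple(sig) == probe]

# Constructed sample: SYN from a Windows 2000 host seen two hops away (TTL 126, window 16384,
# options MSS/NOP/NOP/SackOK, 48 bytes; checksums zeroed, addresses made up).
WIN2K_SYN = bytes.fromhex(
    "45000030 12344000 7e060000 c0a8010a c0a80101"                      # IPv4 header
    "04000050 00000001 00000000 70024000 00000000 020405b4 0101 0402")  # TCP header + options
```

Calling fingerprint(WIN2K_SYN) returns ['Windows 2000']; an empty list means the SYN matches no row, and several names mean the table alone cannot separate them.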

Comments:

Pedro Paulo Ferreira Bueno

bueno@ieee.org


Published: 2003-07-09

EP.net DNS Survey

Currently, another round of the EP.net DNS survey is under way. You may see zone transfer requests from 198.32.6.42 and 198.32.4.13 as a result of this activity. More information: http://www.ep.net/in-addr-audit.html or http://www.ep.net .


Published: 2003-07-07

Paypal scam site using SSL spotted

A member of our 'handler' group spotted a fake Paypal site which uses a valid SSL certificate. While this certificate is not issued for 'paypal.com', standard URL masking techniques make it plausible to untrained users that the site is a valid Paypal site.

We do receive almost daily reports of fake Paypal or e-bay sites. Usually it is
the goal of these sites to extract information from users which will be used
in identity theft or credit card fraud. The page is usually advertised via
spam and looks just like a regular Paypal/ebay page. The e-mail suggests that
the user should visit the page to confirm billing information.

A standard technique to mask the actual URL, and make it look more like a valid Paypal site, is the addition of user name / password prefixes. HTTP URLs can include a user name and password for HTTP basic authentication. These are prepended to the URL in the following syntax:

http://username:password@www.somewebsite.com/somepage.html

For example, in order to make "isc.sans.org" look like a Paypal site, the following URL could be used:

http://www.paypal.com:asldkfjalsdkjflaksjfd@isc.sans.org/index.html

The user name / password is ignored if no authentication is required.

In most cases, these scam sites are easily spotted as they are not using SSL. Sometimes they attempt to hide this fact by increasing the browser window size to push the lower part of the browser window off the screen, so users will not see the open browser lock icon.

However, this latest site uses a valid SSL certificate. Unless users inspect the certificate in more detail, they will not see the problem.

The particular URL of the fake Paypal site is:
https://ki54ft.worldispnetwork.com/i.CgI

As shown in the spam used to advertise it, it looks like:
https://www.paypal.com:ac=alksdjflakdjflkasdjruoiwehjrlkajdf@KI54fT.WoRlDiSpNeTwOrK.CoM/i.CgI?billing@yourdomain.com

The URL is made overly long to hide the actual host name.

After submitting the form, the cgi script redirects the user to the actual Paypal login page, further hiding the fact that the user just used a fake page.

The page uses a wildcard certificate for 'worldispnetwork.com'.
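As an added example (not part of the original diary), the following Python shows how a mail filter or log parser can recover the host a browser will actually connect to from such a masked URL and flag it when a brand name has been planted in the credentials prefix. The brand list is an assumption made for this example; the two sample URLs are the ones quoted above.

```python
from urllib.parse import urlsplit

# Brand domains whose appearance in the user:password prefix of a URL is suspicious.
# Illustrative list for this example; a real filter would carry a longer one.
WATCHED_BRANDS = ("paypal.com", "ebay.com")

def real_host(url):
    """The host a browser actually connects to: the part of the authority after
    the last '@', lower-cased, with any credentials prefix and port stripped."""
    return (urlsplit(url).hostname or "").lower()

def credentials_prefix(url):
    """The user:password part of the authority (text before the last '@'), or '' if absent."""
    netloc = urlsplit(url).netloc
    return netloc.rpartition("@")[0] if "@" in netloc else ""

def is_masked_url(url):
    """True when a watched brand name sits in the credentials prefix while the
    real host is neither that brand's domain nor one of its subdomains."""
    host = real_host(url)
    prefix = credentials_prefix(url).lower()
    return any(brand in prefix and not (host == brand or host.endswith("." + brand))
               for brand in WATCHED_BRANDS)

def explain(url):
    """One-line verdict a mail filter could log for a URL."""
    verdict = "MASKED" if is_masked_url(url) else "ok"
    return "%s: real host is %r" % (verdict, real_host(url))

# The two URLs quoted in the diary above.
SCAM_URL = ("https://www.paypal.com:ac=alksdjflakdjflkasdjruoiwehjrlkajdf"
            "@KI54fT.WoRlDiSpNeTwOrK.CoM/i.CgI?billing@yourdomain.com")
DEMO_URL = "http://www.paypal.com:asldkfjalsdkjflaksjfd@isc.sans.org/index.html"

if __name__ == "__main__":
    for u in (SCAM_URL, DEMO_URL, "https://www.paypal.com/"):
        print(explain(u))
```

Note that the '?' after i.CgI ends the authority, so the trailing billing@yourdomain.com is part of the query string and never influences the host.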

-----------
more information? Please let us know: isc@sans.org


Published: 2003-07-03

Defacement Contest

Update: Only a few defacements have been reported as a result of the challenge. Zone-h.com, which was supposed to track the defacements, is down due to high traffic (real and DDoS). No big surprises at this point. Some security sites used "self defacements" to protest the media hype around this challenge.

After changing web hosts a couple of times, the challenge site is now online again. The time of the contest is now set to 9am-3pm Estonian Time (Eastern European Timezone), which makes it 6am-12pm GMT, or 2am-8am EDT.
Current website URL: http://www.defacers-challenge.com/defeng.htm

An unidentified group announced a "defacement contest" supposed to be held on July 6th 2003. The goal of the contest is to deface as many sites as possible during a yet-to-be-announced 6-hour period.

Some security companies reported a decrease in defacements this week, which
was seen as an indication of hackers 'saving' sites for defacement during the
contest.

The Internet Storm Center is at this point not aware of any particular unusual activity. Defacements occur in large numbers daily and usually use standardized tools easily obtained by unskilled hackers. Contests like the one above are held regularly, though usually without any formal announcement.

However, based on the publicity this announcement received, it is possible that
the defacer community will be more active on Sunday. The actual contest web site
is no longer available.

At this point, we do recommend reviewing web site security in accordance with your security policies.

---------------------------------------------------------------

got details? Please send information to isc@sans.org
