what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Nov 6, 2000
Authored by Loki, f8labs | Site f8labs.com

RealSecure by ISS v5.0 fails to detect attacks using the year old IIS 5 RDS bug and the recent UNICODE hole.

SHA-256 | 453d10fa616c5ee68f11a6790756532a25384881a2177d18253ce60f36c2c773


Change Mirror Download
/| | . |
/ | : : : : : : |
| | :: ------ :: : :: | :: - |-----
| | :: : :: . : | | :: : |
| | : . |------| | : |
| | ------^ : | / | .
| ;----------"---------------^------ / ------'---------------------
| / / / /----' / /
|'----------'---------------'------' --------'---------------------'


Advisory .........: RealSecure or Real"un"Secure <RealSecure Can Not Detect RDS and recent Unicode Exploit>
Release Date .....: 10-31-00
Application ......: RealSecure by ISS
Version ..........: All versions prior to and including 5.0 of all sensors
Vendor Status ....: Contacted - no responses
By ...............: Fate Research Labs
WWW ..............: www.f8labs.com


RealSecure by Internet Security Systems recently released version 5.0 of their
Intrusion Detection System software. ISS markets RealSecure as a collection of
detection modules with unique attack recognition and response capabilities,
otherwise known as sensors. The network class of sensors monitors the raw,
unfiltered traffic on enterprise networks, looking for patterns, protocol
violations, and repeated access attempts that indicate malicious intent. The OS
sensor performs real-time intrusion monitoring, detection, and prevention of
malicious activity by analyzing kernel-level events and host logs.

When RealSecure detects unauthorized activity, it can respond in a number of ways,
automatically recording the date, time, source, and target of the event,
recording the content of the attack, notifying the system administrator,
reconfiguring a firewall or router, suspending a user account, or terminating
the attack.


Despite all of the wonderful, feature rich, value add functionality of RealSecure,
their remains one catch. In no place within the management console are you allowed
to add your own custom signatures. This is the very thing that makes this product
so weak. With all of the open source Intrusion Detection Systems, including some
commercial ones offered by other companies, the user is allowed to add his own
custom signatures to the database. Our question is why would ISS not want their
customers to have that same luxury. The administrator finds himself in a GUI hell
filled with icons of signatures provided by ISS when administering the signatures.

A year old advisory called RDS by Rain Forrest Puppy, which is a popular toy by skript
kiddies is one of the most common tools used to compromise NT-based machines. I quote
from the original RDS advisory released 10-12-99.

"it...is direct, immediate, and almost 100% guaranteed
-Russ Cooper, NTBugtraq

"This exploit also does *not* require the presence of
any sample web applications or example code...the
issue affects at least 50% of the IIS servers I have
-Greg Gonzalez, NTBugtraq

/* -- snip from bugtraq id: 529 -- */

MDAC (Microsoft Data Access Components) is a package used to integrate web and
database services. It includes a component named RDS (Remote Data Services).
RDS allows remote access via the internet to database objects through IIS. Both
are included in a default installation of the Windows NT 4.0 Option Pack, but
can be excluded via a custom installation.

RDS includes a component called the DataFactory object, which has a vulnerability
that could allow any web user to:

--Obtain unauthorized access to unpublished files on the IIS server
--Use MDAC to tunnel ODBC requests through to a remote internal or external location,
thereby obtaining access to non-public servers or effectively masking the source of an
attack on another network.

The main risk in this vulnerability is the following:
--If the Microsoft JET OLE DB Provider or Microsoft DataShape Provider are installed,
a user could use the shell() VBA command on the server with System privileges.
(See the Microsoft JET Database Engine VBA Vulnerability for more information).
These two vulnerabilities combined can allow an attacker on the Internet to run
arbitrary commands with System level privileges on the target host.

/* -- snap end bugtraq desc. of rds exploit -- */

With such a dangerous tool on the loose, and the amount of sites compromised using
it not declining, the need to detect and prevent such an attack is detrimental. To
our surprise, the newest version and new set of signatures provided by ISS would not
detect our RDS attacks on remote networks being protected by RealSecure. With so many
large corporations and even Security Operation Centers deploying this product, it is
the belief of F8 Labs that the customers of this product are made aware of its
handicap. If a popular exploit that was released last year has not yet been added to
their signature database, what else has not that we haven't tested?

It has also been discovered that the recent Unicode exploit goes undetected by
RealSecure as well.

------ snip // unicode --------

An anonymous person posts that they can run arbitrary commands on IIS 5
(Win 2000) using the following URL:


It seems the values of %c0%af and %c1%9c work for IIS 5. Curiousity
getting the better of me, I tried it on IIS 4. Uh oh, works there too.

------ snap // unicode --------


For those of you out there who would like to know if RealSecure is protecting a
remote site, try looking for a service running on port 2998. This is the administration
port that a remote console would use to connect to the remote sensor.


Fate Research suggests that ISS allow customers the ability to modify built-in signatures
as well as add signatures. The inability to add new signatures for exploits as they
are released puts full control in the hands of ISS in hopes that they are protecting your
network against commonly used new threats. A task that they are failing miserably at, at the
time of this writing.

Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    18 Files
  • 21
    Jun 21st
    8 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    19 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By