-----------------.---------------------------------------------. /| | . | / | : : : : : : | | | :: ------ :: : :: | :: - |----- | | :: : :: . : | | :: : | | | : . |------| | : | | | ------^ : | / | . | ;----------"---------------^------ / ------'--------------------- | / / / /----' / / |'----------'---------------'------' --------'---------------------' www.f8labs.com INTRODUCTION Advisory .........: RealSecure or Real"un"Secure Release Date .....: 10-31-00 Application ......: RealSecure by ISS Version ..........: All versions prior to and including 5.0 of all sensors Vendor Status ....: Contacted - no responses By ...............: Fate Research Labs WWW ..............: www.f8labs.com [ OVERVIEW ] RealSecure by Internet Security Systems recently released version 5.0 of their Intrusion Detection System software. ISS markets RealSecure as a collection of detection modules with unique attack recognition and response capabilities, otherwise known as sensors. The network class of sensors monitors the raw, unfiltered traffic on enterprise networks, looking for patterns, protocol violations, and repeated access attempts that indicate malicious intent. The OS sensor performs real-time intrusion monitoring, detection, and prevention of malicious activity by analyzing kernel-level events and host logs. When RealSecure detects unauthorized activity, it can respond in a number of ways, automatically recording the date, time, source, and target of the event, recording the content of the attack, notifying the system administrator, reconfiguring a firewall or router, suspending a user account, or terminating the attack. [ ADVISORY ] Despite all of the wonderful, feature rich, value add functionality of RealSecure, their remains one catch. In no place within the management console are you allowed to add your own custom signatures. This is the very thing that makes this product so weak. With all of the open source Intrusion Detection Systems, including some commercial ones offered by other companies, the user is allowed to add his own custom signatures to the database. Our question is why would ISS not want their customers to have that same luxury. The administrator finds himself in a GUI hell filled with icons of signatures provided by ISS when administering the signatures. A year old advisory called RDS by Rain Forrest Puppy, which is a popular toy by skript kiddies is one of the most common tools used to compromise NT-based machines. I quote from the original RDS advisory released 10-12-99. "it...is direct, immediate, and almost 100% guaranteed to work....THE NUMBER OF HUGE SITES THAT ARE VULNERABLE IS RIDICULOUS!" -Russ Cooper, NTBugtraq "This exploit also does *not* require the presence of any sample web applications or example code...the issue affects at least 50% of the IIS servers I have seen" -Greg Gonzalez, NTBugtraq /* -- snip from bugtraq id: 529 -- */ MDAC (Microsoft Data Access Components) is a package used to integrate web and database services. It includes a component named RDS (Remote Data Services). RDS allows remote access via the internet to database objects through IIS. Both are included in a default installation of the Windows NT 4.0 Option Pack, but can be excluded via a custom installation. RDS includes a component called the DataFactory object, which has a vulnerability that could allow any web user to: --Obtain unauthorized access to unpublished files on the IIS server --Use MDAC to tunnel ODBC requests through to a remote internal or external location, thereby obtaining access to non-public servers or effectively masking the source of an attack on another network. The main risk in this vulnerability is the following: --If the Microsoft JET OLE DB Provider or Microsoft DataShape Provider are installed, a user could use the shell() VBA command on the server with System privileges. (See the Microsoft JET Database Engine VBA Vulnerability for more information). These two vulnerabilities combined can allow an attacker on the Internet to run arbitrary commands with System level privileges on the target host. /* -- snap end bugtraq desc. of rds exploit -- */ With such a dangerous tool on the loose, and the amount of sites compromised using it not declining, the need to detect and prevent such an attack is detrimental. To our surprise, the newest version and new set of signatures provided by ISS would not detect our RDS attacks on remote networks being protected by RealSecure. With so many large corporations and even Security Operation Centers deploying this product, it is the belief of F8 Labs that the customers of this product are made aware of its handicap. If a popular exploit that was released last year has not yet been added to their signature database, what else has not that we haven't tested? It has also been discovered that the recent Unicode exploit goes undetected by RealSecure as well. ------ snip // unicode -------- An anonymous person posts that they can run arbitrary commands on IIS 5 (Win 2000) using the following URL: http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\ It seems the values of %c0%af and %c1%9c work for IIS 5. Curiousity getting the better of me, I tried it on IIS 4. Uh oh, works there too. ------ snap // unicode -------- [ FOR THE KIDDIES ] For those of you out there who would like to know if RealSecure is protecting a remote site, try looking for a service running on port 2998. This is the administration port that a remote console would use to connect to the remote sensor. [ CONCULSION ] Fate Research suggests that ISS allow customers the ability to modify built-in signatures as well as add signatures. The inability to add new signatures for exploits as they are released puts full control in the hands of ISS in hopes that they are protecting your network against commonly used new threats. A task that they are failing miserably at, at the time of this writing.