Re: False-negatives in several Vulnerability Assessment tools

From: Geoff Shively (gshively@pivx.com)
Date: 04/08/03

    From: "Geoff Shively" <gshively@pivx.com>
    To: "Nicolas Gregoire" <ngregoire@exaprobe.com>
    Date: Tue, 8 Apr 2003 11:29:26 -0700
    Nicolas,
    Though I do agree with your analysis of this slew of assessment
    tools, I must interject.

    Any administrator or security tech that relies solely upon a VA tool
    to secure a hubbed LAN or a corporate enterprise network is asking
    for trouble right there. I even believe that a few of the vendors you
    refer to recommend that their tool not be used as an all-in-one security
    solution.

    Running a VA tool or automated pen testing app should be performed
    by a seasoned security professional who will not take the output as the
    definitive guideline to what needs securing. Other tools need to be included
    to diversify and solidify any good security tech's tool-belt.

    With that said, be mindful of the false positives, though they shouldn't be
    a big problem if the security team is more than a single VA app and a
    basic sys-admin.

    Cheers,
    Geoff Shively, CHO
    PivX LABS

    http://www.pivx.com

    ----- Original Message -----
    From: "Nicolas Gregoire" <ngregoire@exaprobe.com>
    To: <bugtraq@securityfocus.com>
    Sent: Monday, April 07, 2003 3:06 AM
    Subject: False-negatives in several Vulnerability Assessment tools

    ------------------------------------------------------------------------
    Title : False-negatives in several Vulnerability Assessment tools
    Released : April 7th 2003
    Location : http://www.exaprobe.com/labs/advisories/esa-2003-0407.html
    ------------------------------------------------------------------------

    General overview
    ================

    Numerous Vulnerability Assessment (VA) tools are available for security
    engineers, pen-testers and network administrators. Their results are
    mostly trusted by users, since they have neither the time nor the
    competence to validate that output.

    More and more software currently implements banners and error messages
    that depend on the language, especially commercial software like
    Microsoft SQL Server or the Windows operating system.

    Some VA tools don't integrate this localization feature and so generate
    false-negatives. This can lead to a false sense of security. Some
    exploits work on the English as well as on some non-English versions;
    this then constitutes a security breach.

    We chose to demonstrate those security exposures on Microsoft SQL Server
    with the "SQL Server blank password" vulnerability.

    Please note that this is not the only issue:

    - Some problems were found when VA tools began to detect the IIS/Unicode
    vulnerability, like the unicoder.pl script of HD Moore, which is looking
    for the localizable string "Directory of" [1].

    - The admin account on Windows operating systems depends on the
    localization. On English-speaking versions, the name is "Administrator",
    whereas on the French version (for example), it is "Administrateur". This
    leads to issues with brute-force attacks.

    A practical example
    ===================

    Introduction
    ============

    Microsoft SQL Server is a perfect choice to test VA tools about
    localization issues because it is widely deployed, it depends on
    the localization and it is vulnerable to some well-known
    security flaws.

    Testing conditions
    ==================

    First, we set up default installations of Microsoft SQL Server
    2000 on Win2K SP3, in the following languages:
    - English
    - French
    - German
    - Japanese
    The "sa" admin account was set with a blank password.

    We tested every VA tool from our panel on the English version,
    looking for the vulnerability CAN-2000-1209 ("MS-SQL blank
    password"). Products which found this breach were then tested
    on the other languages.

    Tested VA tools
    ===============

    - ISS Database Scanner
    - Vigilante SecureScan NX
    - eEye Retina Network Scanner
    - eEye Spida Scanner (dedicated to find blank "sa" accounts)
    - Nessus
    - Sensepost senseql

    Untested (or untestable) VA tools
    =================================

    - ISS Security Scanner (doesn't do this check)
    - Symantec NetRecon (doesn't do this check)
    - NetIQ (doesn't do this check)
    - GFI LANGuard (unreliable results)

    Results
    =======

            +----------------------+-----------------+------------------+
            | VA Tool              | English version | Other languages  |
            +----------------------+-----------------+------------------+
            | ISS Database Scanner | OK              | OK               |
            +----------------------+-----------------+------------------+
            | Vigilante Secure NX  | OK              | False-negative   |
            +----------------------+-----------------+------------------+
            | eEye Retina Scanner  | OK              | False-negative   |
            +----------------------+-----------------+------------------+
            | eEye Spida Scanner   | OK              | False-negative   |
            +----------------------+-----------------+------------------+
            | Nessus               | OK              | False-negative   |
            +----------------------+-----------------+------------------+
            | Sensepost senseql    | OK              | False-negative   |
            +----------------------+-----------------+------------------+

    Notes about the above results
    =============================

    - The eEye Retina Scanner was tested on this point some time
    ago. Amazingly, it used to detect this vulnerability on
    non-English versions of Microsoft SQL Server.

    - Informal discussions with nCircle developers conclude that
    their VA tool shouldn't be affected by this problem.

    - The exploit code named SQLpoke [2] (used in the
    Worm.SQLSpida.A malware [3]) succeeds in compromising every
    localized Microsoft SQL server. This implementation operates at
    the application level.

    Editors status
    ==============

    - Vigilante Secure NX:
    Work in progress on the editor side...
    - eEye Retina Scanner:
    Work in progress on the editor side...
    - Nessus:
    We provided the Nessus team with some patches which were
    integrated into the related plugins.
    - Sensepost senseql:
    A new release is available at [4].

    Conclusion
    ==========

    In our opinion, it's now up to VA tool editors to take into account the
    localization issues when developing pattern matching signatures. Of
    course, security engineers and consultants should review every scan
    report for false-positives. They should also run several tools in order
    to better detect false-negatives. A good way to avoid these problems
    would be to check vulnerabilities at an application level, like the
    SQLpoke exploit code.

    Credits
    =======

    Nicolas Gregoire, security engineer
            - initial discovery of the MS-SQL localization bug
            - testing and redaction

    Philippe Conchonnet, security consultant
            - testing of Windows-based VA tools

    Christophe Briguet, technical manager
            - review of the document

    References
    ==========

    [1]: http://packetstormsecurity.org/NT/scanners/Sqlpoke.zip
    [2]: http://lists.insecure.org/lists/pen-test/2001/Jun/0128.html
    [3]: http://www.avp.ch/avpve/worms/sqlspida.stm
    [4]: http://www.exaprobe.com/labs/downloads/tools/senseql-1.1.tgz

    --
    Nicolas Gregoire ------------ Information Systems Security Consultant
    ngregoire@exaprobe.com ------[ ExaProbe ]------ http://www.exaprobe.com/
    PGP KeyID:CA61B44F  FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F
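The advisory's central point, that a scanner matching a localized message string misses non-English servers while an application-level check does not, can be shown in a few lines. The following is an added example written for this page; it is not code from the advisory, from PivX, or from any of the scanners tested. It works on constructed, simplified token streams loosely modelled on TDS token types (LOGINACK 0xAD, INFO 0xAB, ERROR 0xAA); the framing, the French strings, and the assumption that a signature-style scanner keys on the English "Changed database context" message are all constructed for illustration (the advisory does not name the strings the tools matched).

```python
# Added example (not code from the advisory, PivX or any tested scanner).
# It contrasts a banner-string check with an application-level check on
# CONSTRUCTED, simplified token streams loosely modelled on TDS token types.
# The framing and the French strings are constructed, not real captures.

TOKEN_ERROR = 0xAA     # server error message (localized text)
TOKEN_INFO = 0xAB      # informational message (localized text)
TOKEN_LOGINACK = 0xAD  # login accepted (language-independent signal)


def token(kind, text):
    """Encode one token as: type byte, 2-byte little-endian length, UTF-16LE text."""
    body = text.encode("utf-16-le")
    return bytes([kind]) + len(body).to_bytes(2, "little") + body


def parse_tokens(stream):
    """Walk a token stream and return a list of (type, text) pairs."""
    out, i = [], 0
    while i < len(stream):
        kind = stream[i]
        length = int.from_bytes(stream[i + 1:i + 3], "little")
        out.append((kind, stream[i + 3:i + 3 + length].decode("utf-16-le")))
        i += 3 + length
    return out


# Constructed responses to a login attempt as 'sa' with a blank password,
# for an English-localized and a French-localized server.
SAMPLES = {
    "en_success": token(TOKEN_LOGINACK, "Microsoft SQL Server")
    + token(TOKEN_INFO, "Changed database context to 'master'."),
    "fr_success": token(TOKEN_LOGINACK, "Microsoft SQL Server")
    + token(TOKEN_INFO, "Le contexte de la base de données a été remplacé par 'master'."),
    "en_failed": token(TOKEN_ERROR, "Login failed for user 'sa'."),
    "fr_failed": token(TOKEN_ERROR, "Échec de la connexion de l'utilisateur 'sa'."),
}


def banner_check(stream):
    """Signature-style check: report the weakness only if the English success
    message is present. Assumed pattern, chosen to show the failure mode."""
    text = "".join(t for _, t in parse_tokens(stream))
    return "Changed database context" in text


def application_check(stream):
    """Application-level check: the server accepted the login if and only if
    it sent a LOGINACK token, whatever language its messages are in."""
    return any(kind == TOKEN_LOGINACK for kind, _ in parse_tokens(stream))


def compare(samples=SAMPLES):
    """Return {name: (banner_result, application_result)} for every sample."""
    return {name: (banner_check(s), application_check(s)) for name, s in samples.items()}


if __name__ == "__main__":
    for name, (banner, app) in compare().items():
        note = "  <-- false negative" if app and not banner else ""
        print(f"{name:12s} banner={banner!s:5s} app={app!s:5s}{note}")
```

Run stand-alone, the table printed for `fr_success` shows the banner check answering "not vulnerable" while the application-level check answers "vulnerable": the same blank-password exposure, reported or missed purely on the server's display language, which is the gap the advisory measured across the tools in its results table.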
    
