Re: New http attack?
From: Jason Falciola (falciola_at_us.ibm.com)
To: "Keith T. Morgan" <firstname.lastname@example.org>
Date: Wed, 8 Jun 2005 16:08:14 -0400
On Wednesday, June 08, 2005 1:32 PM, "Keith T. Morgan"
] We've seen an attack that triggered a snort bleeding-edge hit for "smb
] over http authentication." This isn't particularly alarming, but, what
] caught my attention is what appears to be a very large buffer in part of
] the packet.
] The ascii decoded capture looks a bit like this:
] GET / HTTP/1.0
] Host: obfuscated
] Authorization: Negotiate <what may be an encrypted password>
] This "QUFB" string is repeated for 1400 bytes or so, and I'm assuming
] went beyond the single packet capture I have.
] The IIS logs indicate a simple GET / with a 401 response code.
] Has anyone seen this "QUFBQUFB" string in a worm, virus, or exploit
] floating around out there somewhere? I think chances of this being a FP
] are low since we're not using NTLM or windows native/ad authentication
] on this site.
This is due to exploitation of a vulnerability in Microsoft's ASN.1
implementation. This issue is patched in MS04-007, which also fixed
another vulnerability reported by eEye.
We recently notified our clients after observing a surge in this activity
over the past several weeks, often from .edu sources. This may be
related to the fact that a reliable (on Windows 2000 <= SP4 and XP <= SP1)
and easy to use exploit is available from Solar Eclipse and has
recently been ported over to the Metasploit framework. Our lab
testing confirms that the Solar Eclipse exploit generates packets that
match what we're seeing in the wild.
A large amount of the traffic we observe attempting to exploit this
vulnerability is on port 80, although ports 139 and 445 are also exploit
vectors. Attacks on these ports have all been observed in conjunction with
rbot and sdbot variants. Keep in mind that port 25 (Exchange) and UDP 88
(Kerberos) are also potential avenues of attack.
I've included a snippet of the relevant code from the exploit by Solar
Eclipse. As email@example.com mentioned, the base64 encoding is
responsible for the string of 'AAA's (commonly used to overflow a buffer)
being seen as 'QUFB'.
<http://www.phreedom.org/solar/exploits/msasn1-bitstring/> - a dir
listing from the parent directory shows this as last modified in late April
- ported from 
Constructing the exploit:

  "\x60" . asn1(                              # Application Constructed Object
    "\x06\x06\x2b\x06\x01\x05\x05\x02" .      # SPNEGO OID
    "\xa0" . asn1(                            # NegTokenInit (0xa0)
      "\x30" . asn1(                          # Constructed Sequence
        "\xA1" . asn1(                        # ContextFlags (0xa1)

  "GET / HTTP/1.1\r\n" .
  "Authorization: Negotiate " . encode_base64($spnego, "") . "\r\n" .

[$spnego is the result of the above concatenations, which are then encoded
Security Intelligence Analyst
IBM Managed Security Services
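Added detection-side example, not part of the original post or of the exploit it cites: it pulls the Authorization: Negotiate token out of a captured HTTP request, base64-decodes it, and flags tokens that are abnormally long or consist of one repeated byte (the 'QUFB...' = 'AAA...' pattern discussed above). The thresholds, the hostname and the two sample requests are constructed for this example; the SPNEGO OID bytes are the ones shown in the quoted snippet.

```python
import base64
import binascii
import re

# DER form of the SPNEGO OID 1.3.6.1.5.5.2, as in the exploit snippet quoted above.
SPNEGO_OID_DER = b"\x06\x06\x2b\x06\x01\x05\x05\x02"
# Thresholds are assumptions for this example: genuine Negotiate tokens (SPNEGO
# Kerberos/NTLM or raw NTLMSSP) are short and never contain long runs of one byte.
MAX_TOKEN_LEN, MAX_RUN_LEN = 1024, 256
HEADER_RE = re.compile(r"^Authorization:\s*Negotiate\s+([A-Za-z0-9+/=]+)\s*$",
                       re.IGNORECASE | re.MULTILINE)

def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best

def inspect_negotiate(raw_request: str) -> dict:
    """Decode the Negotiate token of an HTTP request and flag filler-heavy ones."""
    m = HEADER_RE.search(raw_request)
    if not m:
        return {"negotiate": False, "suspicious": False, "reasons": []}
    try:
        token = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return {"negotiate": True, "suspicious": True, "reasons": ["not valid base64"]}
    run, reasons = longest_run(token), []
    if len(token) > MAX_TOKEN_LEN:
        reasons.append(f"decoded token is {len(token)} bytes (> {MAX_TOKEN_LEN})")
    if run > MAX_RUN_LEN:
        reasons.append(f"{run} identical bytes in a row (base64 'QUFB...' is 'AAA...')")
    return {"negotiate": True, "suspicious": bool(reasons), "reasons": reasons,
            "length": len(token), "longest_run": run,
            # Informational only: raw NTLMSSP tokens legitimately lack this wrapper.
            "spnego": token.startswith(b"\x60") and SPNEGO_OID_DER in token[:24]}

# Constructed samples: a minimal SPNEGO wrapper around an empty NegTokenInit,
# and a header mimicking the 'QUFBQUFB...' run described in the post.
NORMAL_REQUEST = ("GET / HTTP/1.0\r\nHost: example.invalid\r\nAuthorization: Negotiate "
                  + base64.b64encode(b"\x60\x0a" + SPNEGO_OID_DER + b"\xa0\x00").decode()
                  + "\r\n\r\n")
FILLER_REQUEST = ("GET / HTTP/1.0\r\nHost: example.invalid\r\nAuthorization: Negotiate "
                  + "QUFB" * 400 + "\r\n\r\n")
if __name__ == "__main__":
    print(inspect_negotiate(NORMAL_REQUEST), inspect_negotiate(FILLER_REQUEST), sep="\n")
```

The same length and repeated-byte checks apply to the NTLMSSP blobs carried over ports 139 and 445, since the snort "smb over http authentication" signature only tells you that a Negotiate header was present, not that it was malformed.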