Detecting ASN.1 buffer overflow attack
Tue, 08 Sep 2009

Introduction

This is my first post at my recently opened blog. I hope the issues discussed here will be interesting for OSSIM users and probably for some other people. The first thing I will try to explain is how to test OSSIM by generating real attacks, such as exploiting a buffer overflow against an unpatched host. For this purpose we will use the Microsoft ASN.1 library buffer overflow vulnerability (MS04-007, CVE-2003-0818), whose details can be found at http://www.phreedom.org/solar/exploits/msasn1-bitstring/ . The same page provides an exploit called kill-bill that takes advantage of the vulnerability ;-) Now let's see the steps needed to get an alarm in OSSIM and execute an action-response policy.

OSSIM configuration

1.- Detecting the intrusion with Snort rules. In this case it is done by the rule "NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt". I paste it here, copied from the /etc/snort/rules/netbios.rules file:
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3000; rev:4;)
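To see what this rule actually looks at, here is a plain Python re-implementation of its checks, run over constructed SMB Session Setup AndX requests. This is an added example, not code from the post or from Snort: the offsets come from the rule's content/distance/byte_test keywords (NetBIOS header 4 bytes, SMB header 32 bytes, 12 parameter words, ByteCount, then the security blob at offset 63), and the ASN.1 walker is a simplified version of the asn1 keyword's oversize_length and bitstring_overflow checks; the double_overflow check is not implemented. The sample blobs (a minimal SPNEGO negTokenInit, a BIT STRING with an impossible unused-bits count, an absurd declared length, and a raw NTLMSSP token) are constructed for the example.

```python
"""Added example: the checks of Snort sid:3000 reimplemented over constructed packets."""
import struct

OVERSIZE_LENGTH = 2048               # asn1: oversize_length 2048
SMB_FLAGS2_UNICODE = 0x8000          # byte_test:1,&,128,6,relative -> high byte of Flags2
CAP_EXTENDED_SECURITY = 0x80000000   # byte_test:4,&,2147483648,21,relative,little
SECURITY_BLOB_OFFSET = 63            # NetBIOS(4) + SMB header(32) + WordCount + 12 words(24) + ByteCount(2)


def decode_ber_length(data, pos):
    """Decode a BER length at data[pos]; return (length, next pos). None means indefinite form."""
    if pos >= len(data):
        raise ValueError("truncated length")
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    if first == 0x80:
        return None, pos
    nbytes = first & 0x7F
    if pos + nbytes > len(data):
        raise ValueError("truncated long-form length")
    return int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes


def asn1_findings(data, oversize=OVERSIZE_LENGTH, _depth=0):
    """Walk BER TLVs (recursing into constructed types) and report suspicious encodings."""
    findings = []
    pos = 0
    while pos < len(data):
        tag = data[pos]
        pos += 1
        constructed = bool(tag & 0x20)
        number = tag & 0x1F
        if number == 0x1F:                       # high tag number form: skip continuation octets
            while pos < len(data) and data[pos] & 0x80:
                pos += 1
            pos += 1
        try:
            length, pos = decode_ber_length(data, pos)
        except ValueError:
            break
        if length is None:                       # indefinite length: treat the rest as contents
            length = len(data) - pos
        if length > oversize:                    # an absurd declared length is reported even if the blob is shorter
            findings.append("oversize_length:%d" % length)
            break
        content = data[pos:pos + length]
        if len(content) < length:                # truncated blob: stop rather than guess
            break
        if number == 0x03 and not constructed and length:
            # primitive BIT STRING: the first content octet is the number of unused bits and
            # cannot exceed the bits actually present; this is the encoding MS04-007 mishandles
            if content[0] > (length - 1) * 8:
                findings.append("bitstring_overflow")
        if constructed and _depth < 32:
            findings.extend(asn1_findings(content, oversize, _depth + 1))
        pos += length
    return findings


def matches_sid3000(pkt):
    """True if a NetBIOS session message would trigger the checks of Snort sid:3000."""
    if len(pkt) < SECURITY_BLOB_OFFSET + 1 or pkt[0] != 0x00:   # content:"|00|"; depth:1
        return False
    if pkt[4:9] != b"\xffSMBs":                                   # content:"|FF|SMBs"; distance:3; within:5
        return False
    flags2 = struct.unpack_from("<H", pkt, 14)[0]                 # Flags2, little-endian
    if not flags2 & SMB_FLAGS2_UNICODE:
        return False
    caps = struct.unpack_from("<I", pkt, 57)[0]                   # Capabilities of Session Setup AndX
    if not caps & CAP_EXTENDED_SECURITY:
        return False
    blob = pkt[SECURITY_BLOB_OFFSET:]
    if blob[:7] == b"NTLMSSP":                                    # content:!"NTLMSSP"; within:7; distance:27
        return False                                              # raw NTLMSSP carries no ASN.1 to decode
    return bool(asn1_findings(blob))


def build_session_setup(blob, unicode=True, ext_sec=True):
    """Constructed SMB Session Setup AndX request carrying `blob` as its security blob."""
    flags2 = 0x0801 | (SMB_FLAGS2_UNICODE if unicode else 0)
    header = b"\xffSMB" + b"\x73" + b"\x00" * 4 + b"\x18" + struct.pack("<H", flags2) + b"\x00" * 20
    caps = CAP_EXTENDED_SECURITY if ext_sec else 0
    # WordCount, AndXCommand, AndXReserved, AndXOffset, MaxBuffer, MaxMpx, VcNumber,
    # SessionKey, SecurityBlobLength, Reserved, Capabilities
    words = struct.pack("<BBBHHHHIHII", 12, 0xFF, 0, 0, 0xFFFF, 2, 1, 0, len(blob), 0, caps)
    body = header + words + struct.pack("<H", len(blob)) + blob
    return b"\x00" + len(body).to_bytes(3, "big") + body


# Constructed sample blobs
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"
BENIGN_BLOB = b"\x60\x18" + SPNEGO_OID + b"\xa0\x0e\x30\x0c\xa0\x0a\x30\x08" + SPNEGO_OID
BITSTRING_OVERFLOW_BLOB = b"\x60\x05\x03\x03\xff\x00\x00"   # 255 "unused" bits in 2 data bytes
OVERSIZE_BLOB = b"\x60\x84\xff\xff\xff\xff"                   # declared length 4 GiB
RAW_NTLMSSP_BLOB = b"NTLMSSP\x00\x01\x00\x00\x00"

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_BLOB), ("bitstring", BITSTRING_OVERFLOW_BLOB),
                       ("oversize", OVERSIZE_BLOB), ("raw ntlmssp", RAW_NTLMSSP_BLOB)]:
        print(name, matches_sid3000(build_session_setup(blob)), asn1_findings(blob))
```

Running it shows the benign negTokenInit passing, the two malformed blobs matching, and the raw NTLMSSP token being skipped by the negated content match, which is also why a non-unicode or non-extended-security session setup never reaches the ASN.1 checks at all.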
2.- The next step is to create a simple directive to feed the correlation engine. It can be done in /etc/ossim/server/generic.xml. The one I have created is:

<directive id="24" name="Buffer overflow attempt against DST_IP" priority="9">
  <rule type="detector" name="Buffer overflow rule matched" reliability="9"
        occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
        plugin_id="1001" plugin_sid="2383"/>
</directive>

Here plugin_id 1001 is the Snort plugin and plugin_sid is the Snort sid of the rule that has to fire. Note that the rule pasted above carries sid:3000 while this directive uses plugin_sid 2383: check which sid your rule set actually reports and make the two agree, otherwise the event never matches the directive and no alarm is raised. This is the simplest form of a directive, but we can use several levels to detect more complex attacks (for example, adding rules that match port scans or session duration). Here is an example of a directive for a port scan followed by an open port found (I also use it in the video demo you will find below):
<directive id="25" name="TCP Portscan against DST_IP" priority="6">
  <rule type="detector" name="TCP Portscan" reliability="5"
        occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
        plugin_id="1122"
        plugin_sid="1">
    <rules>
      <rule type="detector" name="portscan: Open Port" reliability="+3"
            occurrence="1" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="ANY"
            plugin_id="1122"
            plugin_sid="27"/>
    </rules>
  </rule>
</directive>
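A mismatch between a directive's plugin_sid and the sids present in the Snort rule files is easy to introduce and only shows up as an alarm that never fires, so it is worth checking before the test. The script below is an added example, not part of the post or of OSSIM: it embeds the rule and the two directives from the post as constructed input, assumes (as the directive above does) that plugin_id 1001 is the Snort plugin and that its plugin_sid equals the Snort sid, and applies two further sanity checks drawn from the directive semantics shown above (a relative reliability such as "+3" only makes sense below the top level, and a reference such as "1:SRC_IP" must point at a preceding level). Replacing the embedded strings with the contents of netbios.rules and generic.xml runs it against a real installation.

```python
"""Added example: cross-check OSSIM directive plugin_sids against Snort rule sids."""
import re
import xml.etree.ElementTree as ET

SNORT_PLUGIN_ID = "1001"   # assumption: the OSSIM plugin id of Snort, as used in the directive above

# Constructed sample input: the rule from the post (trimmed to the keywords this check
# needs) and the two directives from the post, wrapped in a root element for parsing.
SNORT_RULES = '''
# comment lines and disabled rules are ignored
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; reference:cve,2003-0818; classtype:protocol-command-decode; sid:3000; rev:4;)
'''

DIRECTIVES_XML = '''<directives>
<directive id="24" name="Buffer overflow attempt against DST_IP" priority="9">
 <rule type="detector" name="Buffer overflow rule matched" reliability="9"
  occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
  plugin_id="1001" plugin_sid="2383"/>
</directive>
<directive id="25" name="TCP Portscan against DST_IP" priority="6">
 <rule type="detector" name="TCP Portscan" reliability="5" occurrence="1"
  from="ANY" to="ANY" port_from="ANY" port_to="ANY" plugin_id="1122" plugin_sid="1">
  <rules>
   <rule type="detector" name="portscan: Open Port" reliability="+3" occurrence="1"
    from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="ANY" plugin_id="1122" plugin_sid="27"/>
  </rules>
 </rule>
</directive>
</directives>'''

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')
LEVEL_REF_RE = re.compile(r'^(\d+):')


def load_snort_sids(text):
    """Map sid -> msg for every active (uncommented) rule in a Snort rules file."""
    sids = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if m:
            msg = MSG_RE.search(line)
            sids[m.group(1)] = msg.group(1) if msg else ""
    return sids


def walk_rules(rule_el, level, directive, out):
    """Flatten nested <rule> elements, recording their correlation level (1 = top)."""
    out.append((directive, level, rule_el.attrib))
    for child in rule_el.findall("rules/rule"):
        walk_rules(child, level + 1, directive, out)


def check_directives(xml_text, snort_sids, snort_plugin_id=SNORT_PLUGIN_ID):
    """Return a list of human-readable problems found in the directives."""
    problems = []
    flat = []
    for d in ET.fromstring(xml_text).iter("directive"):
        for r in d.findall("rule"):
            walk_rules(r, 1, d.get("id"), flat)
    for directive, level, a in flat:
        where = "directive %s, level %d rule %r" % (directive, level, a.get("name"))
        if a.get("plugin_id") == snort_plugin_id and a.get("plugin_sid") not in snort_sids:
            problems.append("%s: plugin_sid %s does not match any Snort sid in the rules file"
                            % (where, a.get("plugin_sid")))
        if level == 1 and a.get("reliability", "").startswith("+"):
            problems.append("%s: relative reliability %s has no previous level to add to"
                            % (where, a["reliability"]))
        for attr in ("from", "to", "port_from", "port_to"):
            m = LEVEL_REF_RE.match(a.get(attr, ""))
            if m and not 1 <= int(m.group(1)) < level:
                problems.append("%s: %s=%s refers to a level that does not precede this rule"
                                % (where, attr, a[attr]))
    return problems


if __name__ == "__main__":
    for p in check_directives(DIRECTIVES_XML, load_snort_sids(SNORT_RULES)) or ["no problems found"]:
        print(p)
```

With the input as pasted from the post the only finding is the plugin_sid 2383 of directive 24, which has no counterpart among the loaded rules; after changing it to 3000 the check is clean, and the port scan directive is left alone because it uses a different plugin.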
3.- The last thing is to configure an action (for example sending a mail) to execute when the alarm is generated. This can be done easily from the web framework.

Video demo

In the end I decided to upload a video demo made as a proof of concept of everything discussed above. It lasts 10:33 and has no sound, but I think it is quite self-explanatory. Hope you enjoy it.
posted at: 11:09 | path: /ossim/tests | 8 comments
* Posted by David at Mon Aug 25 14:56:33 2008
Glad to read good stuff from you! Welcome to the blogging world :)
Your friend from Logroño, David
* Posted by Paul at Wed Aug 27 16:54:12 2008
Nice shot, I just have a question about how you got the virtual LAN mirrored to OSSIM.
Regards from Colombia
* Posted by paul at Sat Aug 30 01:12:19 2008
Maybe I was not clear: is it a real LAN or just a simulation on a single PC?
* Posted by Santiago Gonzalez at Mon Sep 1 14:53:24 2008
Hi Paul, it's just a simulation with VMware Fusion 2.0 beta 2 on my laptop.
There is an option to set the virtual interface in promiscuous mode, so you can do sniffing from all the traffic in your virtual network. Best regards :-)
* Posted by dctfjy at Mon Sep 8 13:21:42 2008
Very good, but the Microsoft ASN.1 library buffer overflow vulnerability is too old; no one remains using Windows 2000 or Windows XP SP1. I'd like you to give more up-to-date samples!
* Posted by Santiago Gonzalez at Fri Sep 12 14:05:58 2008
Yes, I have had no time to post any new article, but I will do it with more samples ;-)
* Posted by Ali Moreno at Fri Oct 3 12:28:04 2008
Good post Santiago! Thanks ;), I'll be waiting for the other examples!
Keep connected... regards from Venezuela.
* Posted by Brian Lavender at Thu Jun 4 18:00:31 2009
Excellent writeup and demo. I was wondering about the mirrored network myself. I wonder if there is a way to do the same using bridge-utils in Linux? Perhaps with ebtables?
Santiago Gonzalez (feel free to get in touch)