Detecting ASN.1 buffer overflow attack
Wed, 20 Aug 2008

Introduction

This is the first post on my recently opened blog. I hope the issues discussed here will be interesting for OSSIM users and perhaps for some other people too.


The first thing I will try to explain is how to test OSSIM by generating real attacks in real time, such as exploiting a buffer overflow against an unpatched host. For this purpose we will use the Microsoft ASN.1 library buffer overflow vulnerability (MS04-007, CVE-2003-0818), whose details can be found at http://www.phreedom.org/solar/exploits/msasn1-bitstring/ There we can even find an exploit called kill-bill that takes advantage of the mentioned vulnerability ;-)


Now let's see the steps needed to get an alarm out of OSSIM and execute an action-response policy...


OSSIM configuration

1.- Detecting the intrusion with Snort rules. In this case it is done by the rule "NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt" (sid 3000). The rule only looks at SMB Session Setup AndX requests to port 139 with the Unicode flag set and extended security negotiated, and then hands the SPNEGO security blob to the asn1 keyword, which fires on an invalid BIT STRING encoding (the MS04-007 bug) or on any ASN.1 length over 2048 bytes. Check that the port-445 (SMB-DS) sibling of this rule in the same file is enabled as well, since the same request can arrive without the NetBIOS session layer. I paste the rule here, copied from the /etc/snort/rules/netbios.rules file:

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3000; rev:4;)
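To make the rule's option chain concrete, here is an added example in plain Python (my code, not Snort's and not from the original post) that applies the same conditions in the same order to a constructed SMB Session Setup AndX request and then runs the two ASN.1 checks on the security blob. The SMB field offsets are the standard NT LM 0.12 layout; the bitstring check is my reading of what bitstring_overflow looks for (an unused-bits byte larger than the number of bits actually present), not Snort's implementation; double_overflow is not modelled. All packets are built inline and are not captures.

```python
# Added example (not code from the original post, Snort or OSSIM): a pure-Python
# walk through what sid 3000 inspects in an SMB Session Setup AndX request,
# followed by the two ASN.1 checks the rule's asn1 keyword enables. All packets
# below are constructed here, not captures.
import struct

OVERSIZE_LENGTH = 2048  # the rule's "oversize_length 2048" argument


def ber_tlvs(buf, pos, end):
    """Yield (tag, length, value_start, value_end) for BER TLVs in buf[pos:end].

    Short and long-form lengths are decoded. A length that runs past the
    buffer is reported as claimed (value_end is clamped) so callers can flag it.
    """
    while pos + 1 < end:
        tag, first = buf[pos], buf[pos + 1]
        pos += 2
        if first & 0x80:                       # long form: (first & 0x7F) length octets follow
            nbytes = first & 0x7F
            if nbytes == 0 or pos + nbytes > end:
                return                         # indefinite or truncated length: stop here
            length = int.from_bytes(buf[pos:pos + nbytes], "big")
            pos += nbytes
        else:
            length = first
        yield tag, length, pos, min(pos + length, end)
        pos += length


def asn1_findings(buf, pos, end, findings=None):
    """Recursively walk BER TLVs from pos and return a list of findings."""
    findings = [] if findings is None else findings
    for tag, length, vstart, vend in ber_tlvs(buf, pos, end):
        if length > OVERSIZE_LENGTH:           # oversize_length: any claimed length > 2048
            findings.append(("oversize_length", tag, length))
        if tag == 0x03 and vstart < vend:      # primitive BIT STRING with at least one octet
            unused = buf[vstart]               # first content octet: unused bits in the last octet
            # My reading of bitstring_overflow: more "unused" bits than the string
            # has bits at all ((length - 1) data octets * 8). BER only allows 0..7.
            if (length - 1) * 8 < unused:
                findings.append(("bitstring_overflow", tag, unused))
        if tag & 0x20:                         # constructed type: descend into its contents
            asn1_findings(buf, vstart, vend, findings)
    return findings


def sid3000_blob_offset(pkt):
    """Apply the rule's pre-asn1 options in order; return the offset of the
    SMB security blob (where asn1 decoding starts) or None if any option fails."""
    if len(pkt) < 63 or pkt[0] != 0x00:        # content:"|00|"; depth:1 -> NetBIOS session message
        return None
    if pkt[4:9] != b"\xffSMBs":               # content:"|FF|SMBs"; within:5; distance:3 -> Session Setup AndX
        return None
    cur = 9                                    # Snort's cursor sits just after the last match
    if not pkt[cur + 6] & 0x80:                # byte_test:1,&,128,6,relative -> Flags2 UNICODE bit (0x8000)
        return None
    cur += 27                                  # pcre:"/^.{27}/R" -> skip to the end of the 32-byte SMB header
    caps = struct.unpack_from("<I", pkt, cur + 21)[0]
    if not caps & 0x80000000:                  # byte_test:4,&,2147483648,21,relative,little -> CAP_EXTENDED_SECURITY
        return None
    blob = cur + 27                            # distance:27 / relative_offset 27 -> start of the security blob
    if pkt[blob:blob + 7] == b"NTLMSSP":       # content:!"NTLMSSP"; within:7 -> raw NTLMSSP is not this rule
        return None
    return blob


def sid3000_matches(pkt):
    """Return the asn1 findings that would fire the rule ([] means no alert)."""
    blob = sid3000_blob_offset(pkt)
    return [] if blob is None else asn1_findings(pkt, blob, len(pkt))


def tlv(tag, value):
    """Encode one BER TLV with a short or long-form length."""
    n = len(value)
    if n < 0x80:
        enc = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        enc = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + enc + value


def session_setup(blob, unicode=True, ext_sec=True):
    """Build a constructed NetBIOS-framed SMB Session Setup AndX request."""
    flags2 = 0x8000 if unicode else 0x0000
    header = (b"\xffSMB" + b"\x73" + b"\x00" * 4 + b"\x18" + struct.pack("<H", flags2)
              + b"\x00" * 12 + struct.pack("<HHHH", 0, 0x1234, 0, 1))        # 32-byte SMB header
    caps = 0x80000000 if ext_sec else 0
    # WordCount=12, AndX, MaxBuffer, MaxMpx, VcNumber, SessionKey, BlobLength, Reserved, Capabilities
    params = struct.pack("<BBBHHHHIHII", 12, 0xFF, 0, 0, 61440, 2, 1, 0, len(blob), 0, caps)
    body = header + params + struct.pack("<H", len(blob)) + blob            # 27 bytes precede the blob
    return b"\x00" + len(body).to_bytes(3, "big") + body


SPNEGO_OID = tlv(0x06, b"\x2b\x06\x01\x05\x05\x02")
NTLMSSP_OID = tlv(0x06, b"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a")
BENIGN_BLOB = tlv(0x60, SPNEGO_OID + tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, NTLMSSP_OID)))))
BAD_BITSTRING_BLOB = tlv(0x60, SPNEGO_OID + tlv(0x03, b"\xff" + b"A" * 4))   # 255 "unused" bits in a 32-bit string
OVERSIZE_BLOB = tlv(0x60, SPNEGO_OID + b"\x04\x84\xff\xff\xff\xff")           # OCTET STRING claiming 4 GiB, no data

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_BLOB), ("bitstring", BAD_BITSTRING_BLOB), ("oversize", OVERSIZE_BLOB)):
        print(label, sid3000_matches(session_setup(blob)))
```

Running it shows the benign SPNEGO NegTokenInit producing no findings, while the same packet with a malformed BIT STRING or an absurd length reports exactly the condition the rule keys on; flipping the Unicode flag or CAP_EXTENDED_SECURITY off, or sending a raw NTLMSSP blob, makes the pre-asn1 options fail first, which is why the same payload on a differently negotiated session would need one of the sibling rules in netbios.rules.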

2.- The next step is to create a simple directive to feed the correlation engine. This is done in /etc/ossim/server/generic.xml. The one I have created is:

<directive id="24" name="Buffer overflow attempt against DST_IP" priority="9">
   <rule type="detector" name="Buffer overflow rule matched" reliability="9"
   occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
   plugin_id="1001"
   plugin_sid="2383"/>
</directive>

In a directive, plugin_id 1001 is OSSIM's Snort plugin and plugin_sid is the sid of the Snort rule that must fire, so it has to match the sid of the rule you enabled in step 1. This is the simplest form of a directive, but nested rule levels can be used to detect more complex attacks (e.g. rules matching port scans or session duration). Here is a directive for a port scan followed by an open port found on the same target, where the second level refers back to the first with 1:SRC_IP and 1:DST_IP and adds +3 to the reliability (I also use it in the video demo below):

<directive id="25" name="TCP Portscan against DST_IP" priority="6">
   <rule type="detector" name="TCP Portscan" reliability="5"
   occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
   plugin_id="1122"
   plugin_sid="1">
      <rules>
         <rule type="detector" name="portscan: Open Port" reliability="+3"
         occurrence="1" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="ANY"
         plugin_id="1122"
         plugin_sid="27"/>
      </rules>
   </rule>
</directive>
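To show how the two directives above behave on a stream of events (and why the "1:SRC_IP" reference and the "+3" reliability matter), here is an added example in Python: a toy correlation engine of my own, not OSSIM's server code. It models matching on plugin_id/plugin_sid, the ANY / literal / "level:FIELD" references and reliability accumulation, and substitutes DST_IP in the directive name with the level-1 destination. It deliberately ignores time_out, occurrence counting above 1, sticky rules and OSSIM's per-match backlogs (one instance per directive, events in arrival order). The events are constructed.

```python
# Added example (mine, not OSSIM's engine or code from the original post): a
# toy correlation engine that applies the two directives from the post to a
# constructed event stream. It models plugin_id/plugin_sid matching, the
# ANY / literal / "1:SRC_IP"-style references, and reliability accumulation
# ("+3" adds to the running value, a bare number replaces it). It ignores
# time_out, sticky rules and OSSIM's per-match backlogs: one instance per
# directive, events processed in arrival order.
import xml.etree.ElementTree as ET

# The two directives from generic.xml as shown in the post.
DIRECTIVES_XML = """<directives>
<directive id="24" name="Buffer overflow attempt against DST_IP" priority="9">
   <rule type="detector" name="Buffer overflow rule matched" reliability="9"
   occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
   plugin_id="1001" plugin_sid="2383"/>
</directive>
<directive id="25" name="TCP Portscan against DST_IP" priority="6">
   <rule type="detector" name="TCP Portscan" reliability="5"
   occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
   plugin_id="1122" plugin_sid="1">
      <rules>
         <rule type="detector" name="portscan: Open Port" reliability="+3"
         occurrence="1" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="ANY"
         plugin_id="1122" plugin_sid="27"/>
      </rules>
   </rule>
</directive>
</directives>"""

# directive attribute -> event field it is compared against
FIELDS = {"from": "src_ip", "to": "dst_ip", "port_from": "src_port", "port_to": "dst_port"}


def resolve(spec, matched):
    """Turn a from/to/port attribute into a concrete value, or None for ANY.

    "1:SRC_IP" means the src_ip of the event matched at level 1 (likewise
    DST_IP, SRC_PORT, DST_PORT). Anything else is taken as a literal.
    """
    if spec == "ANY":
        return None
    if ":" in spec:
        level, attr = spec.split(":", 1)
        return matched[int(level) - 1][attr.lower()]
    return spec


def rule_matches(rule, event, matched):
    if (int(rule.get("plugin_id")), int(rule.get("plugin_sid"))) != (event["plugin_id"], event["plugin_sid"]):
        return False
    for attr, key in FIELDS.items():
        want = resolve(rule.get(attr), matched)
        if want is not None and str(want) != str(event[key]):
            return False
    return True


class DirectiveInstance:
    def __init__(self, directive):
        self.directive = directive
        self.matched = []                          # matched[i] is the event that satisfied level i+1
        self.reliability = 0
        self.pending = [directive.find("rule")]    # rules that may fire at the current level
        self.done = False

    def feed(self, event):
        """Offer one event; return an alarm dict when the last level completes."""
        if self.done:
            return None
        for rule in self.pending:
            if not rule_matches(rule, event, self.matched):
                continue
            self.matched.append(event)
            rel = rule.get("reliability")
            self.reliability = self.reliability + int(rel) if rel.startswith("+") else int(rel)
            children = rule.find("rules")
            if children is not None:               # more levels: wait for one of the child rules
                self.pending = children.findall("rule")
                return None
            self.done = True
            return {
                "directive": int(self.directive.get("id")),
                # OSSIM substitutes the level-1 addresses into the name; DST_IP modelled here
                "name": self.directive.get("name").replace("DST_IP", self.matched[0]["dst_ip"]),
                "priority": int(self.directive.get("priority")),
                "reliability": self.reliability,
                "events": len(self.matched),
            }
        return None


def correlate(events, xml_text=DIRECTIVES_XML):
    """Run every directive over the event stream; return alarms in the order raised."""
    instances = [DirectiveInstance(d) for d in ET.fromstring(xml_text).findall("directive")]
    alarms = []
    for ev in events:
        for inst in instances:
            alarm = inst.feed(ev)
            if alarm:
                alarms.append(alarm)
    return alarms


def event(plugin_id, plugin_sid, src_ip, dst_ip, src_port=0, dst_port=0):
    return dict(plugin_id=plugin_id, plugin_sid=plugin_sid, src_ip=src_ip,
                dst_ip=dst_ip, src_port=src_port, dst_port=dst_port)


# Constructed events: plugin 1001 is OSSIM's Snort plugin (plugin_sid = Snort sid),
# plugin 1122 the portscan detector used by directive 25.
SAMPLE_EVENTS = [
    event(1001, 2383, "10.0.0.5", "10.0.0.20", 1042, 139),  # Snort sid 2383 -> directive 24 fires at once
    event(1122, 1, "10.0.0.7", "10.0.0.30"),                 # portscan -> directive 25, level 1
    event(1122, 27, "10.0.0.9", "10.0.0.30"),                # open port, but not from 1:SRC_IP: ignored
    event(1122, 27, "10.0.0.7", "10.0.0.30"),                # open port from the scanner -> alarm, 5+3
]

if __name__ == "__main__":
    for alarm in correlate(SAMPLE_EVENTS):
        print(alarm)
```

The third event is the instructive one: an "open port" from a different source does not advance directive 25, because the second level is bound to the address that satisfied level 1. Drop the fourth event and only the buffer overflow alarm remains.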

3.- The last thing is to configure an action (for example sending a mail) to execute when the alarm is generated. The web framework makes this easy to do.

Video demo

In the end I decided to upload a video demo, made as a proof of concept of everything discussed above. It lasts 10:33 and has no sound, but I think it is quite self-explanatory. I hope you enjoy it.



posted at: 16:30 | path: /ossim/tests | 8 comments

Santiago Gonzalez

Made with PyBlosxom