Sunday, December 28, 2008

Microsoft hit by new SQL attack

Microsoft is now warning users of a serious bug in its SQL Server database software, just days after patching a critical flaw in its Internet Explorer browser.


Microsoft has issued a security advisory, saying that the bug could be exploited to run unauthorised software on systems running versions of Microsoft SQL Server 2000 and SQL Server 2005.
Attack code that exploits the bug has been published, but Microsoft said that it has not yet seen this code used in online attacks. Database servers could be attacked using this flaw if the criminals somehow found a way to log onto the system, and web applications that suffered from relatively common SQL injection bugs could be used as stepping stones to attack the back-end database, Microsoft said.
Desktop users running the Microsoft SQL Server 2000 Desktop Engine or SQL Server 2005 Express could be at risk in some circumstances, Microsoft said.
The bug lies in a stored procedure called "sp_replwritetovarbin," which is used by Microsoft's software when it replicates database transactions. It was publicly disclosed on 9 December by SEC Consult Vulnerability Lab, which said it had notified Microsoft of the issue in April.

"Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue," Microsoft said in its advisory.
This is the third serious bug in Microsoft's software to be disclosed in the past month, but it is unlikely to be used in widespread attacks, according to Marc Maiffret, director of professional services, with The DigiTrust Group, a security consulting firm. "It is rather low risk given other vulnerabilities that exist," he said. "There are a lot of better ways to currently compromise windows systems."
After seeing the Internet Explorer flaw used in a growing number of online attacks, Microsoft rushed out an emergency patch for the issue last Wednesday. The company says it has also seen "limited and targeted attacks" exploiting a serious bug in the WordPad Text Converter for Word 97 files. As with the SQL bug, this WordPad converter vulnerability has not been patched, but is a prime candidate to be fixed in Microsoft's upcoming 13 January security updates.

Saturday, December 27, 2008

DoS / DDoS Attacks-part1


A Denial of Service (DoS) attack is one of the simplest and most common attacks today. DoS attacks are not aimed at stealing, modifying or destroying information, but at preventing legitimate users from using a service. A DoS attack comes in many forms, from simply cutting off the power to a system to flooding a system with seemingly legitimate network traffic; anything that results in a denial of service. The public nature of the Internet makes it particularly vulnerable to DoS attacks. The DoS/DDoS attacks described below are all network-based DoS attacks. DoS/DDoS attacks are also active attacks, as the attacker actively attempts to change something, in this case the availability of a server or service.


TCP SYN Flood Attack:


A common example of a DoS attack is the TCP SYN flood attack, in which the attacker exploits behavior inherent in the TCP protocol. A TCP session is established using a three-way handshake, which allows the client and the host to synchronize the connection and agree upon the initial sequence numbers. When the client connects to the host, it sends a SYN request to establish and synchronize the connection. The host replies with a SYN/ACK, again to synchronize. Then the client acknowledges that it received the SYN/ACK packet by sending an ACK. When the host receives the ACK the connection becomes OPEN, allowing traffic from both sides (full-duplex). The connection remains open until the client or the host issues a FIN or RST packet, or the connection times out.



In a TCP SYN flood attack, the attacker creates half-open TCP connections by sending the initial SYN packet with a forged source IP address and never acknowledging the host's SYN/ACK with an ACK. This eventually leads to the host reaching its limit on half-open connections and refusing connections from legitimate users as well. Many routers and other network nodes today can detect SYN floods by monitoring the number of unacknowledged TCP sessions and dropping them before the session queue is full. They can often be configured with a maximum allowed number of half-open connections and a limit on how long the host waits for the final acknowledgement. Without these preventive measures, the server could eventually run out of memory, causing it to crash entirely.
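An added illustration, not part of the original post: a small Python model of a host's half-open connection queue. It is not real TCP code; the queue size of 128, the flood timing and the addresses are constructed. It shows that with no timeout the forged SYNs fill the queue for good and a real client is refused, while expiring entries that never complete the handshake frees the queue again.

```python
from dataclasses import dataclass, field


@dataclass
class HalfOpenQueue:
    """Backlog of connections that got a SYN/ACK but no final ACK yet."""
    max_entries: int                              # cap on half-open connections
    timeout: float                                # seconds to wait for the final ACK
    pending: dict = field(default_factory=dict)   # (src_ip, src_port) -> time SYN seen

    def expire(self, now):
        """Drop entries whose handshake was not completed within the timeout."""
        stale = [k for k, t in self.pending.items() if now - t >= self.timeout]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def on_syn(self, src, now):
        """Return True if the SYN is queued (SYN/ACK sent), False if refused."""
        self.expire(now)
        if len(self.pending) >= self.max_entries:
            return False      # queue full: legitimate SYNs are refused too
        self.pending[src] = now
        return True

    def on_ack(self, src, now):
        """Final ACK: the half-open entry becomes a full connection."""
        self.expire(now)
        return self.pending.pop(src, None) is not None


def simulate(timeout):
    """200 forged SYNs in one second, then one real client ten seconds later.

    Returns (legit SYN accepted, legit handshake completed, entries still pending)."""
    q = HalfOpenQueue(max_entries=128, timeout=timeout)
    for i in range(200):
        # constructed forged sources (TEST-NET-3); they never answer the SYN/ACK
        q.on_syn((f"203.0.113.{i % 254 + 1}", 40000 + i), now=i / 200)
    legit = ("198.51.100.7", 51000)
    accepted = q.on_syn(legit, now=11.0)
    completed = accepted and q.on_ack(legit, now=11.1)
    return accepted, completed, len(q.pending)


if __name__ == "__main__":
    print("no timeout :", simulate(float("inf")))   # (False, False, 128)
    print("5 s timeout:", simulate(5.0))            # (True, True, 0)
```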



UDP Flood Attacks:


UDP is a connectionless protocol that doesn’t use a handshake to establish a connection, which makes it relatively easy to abuse for flood attacks. A common type of UDP flood attack, often referred to as a Pepsi attack, is one in which the attacker sends a large number of forged UDP packets to random diagnostic ports on a target host. The CPU time, memory and bandwidth required to process these packets may make the target unavailable to legitimate users. To minimize the risk of a UDP flood attack, disable all unused UDP services on hosts and block the unused UDP ports if you use a firewall to protect your network.


Ping of Death Attacks:


Another well-known DoS attack is the Ping of Death. It targets hosts with a weak implementation of the TCP/IP stack. The attacker sends an ICMP Echo Request packet with a total size larger than 65,535 bytes, causing the buffer at the receiver to overflow when the fragments go through the reassembly process. This can cause the target system to crash and/or reboot. Older Windows versions (95/NT4) in particular, but also older Mac and Linux operating systems and network devices such as routers, were vulnerable to the Ping of Death. Modern operating systems and network devices safely discard these oversized packets, and older systems can usually be fixed with a patch.
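Added example, not from the original post: a Python model of IP fragment reassembly with the bounds check that patched stacks apply. The fragment sizes and the ICMP header bytes are constructed; a fragment set that would reassemble to more than 65,535 bytes is discarded instead of being written past the end of the buffer.

```python
MAX_DATAGRAM = 65535   # largest IP datagram, header included (16-bit total length)
IP_HEADER = 20         # IPv4 header without options


def fragment(payload, mtu=1500):
    """Split a datagram payload into (offset_units, more_fragments, bytes) pieces.

    Offsets are in 8-byte units as in the IP header; 1480 bytes per piece on Ethernet."""
    chunk = (mtu - IP_HEADER) // 8 * 8
    return [(off // 8, off + chunk < len(payload), payload[off:off + chunk])
            for off in range(0, len(payload), chunk)]


def fragment_fits(offset_units, payload_len):
    """The check patched receivers added: does this piece end inside a legal datagram?"""
    return IP_HEADER + offset_units * 8 + payload_len <= MAX_DATAGRAM


def reassemble(fragments):
    """Rebuild the payload, or return None if the datagram is oversized or incomplete.

    Assumes non-overlapping fragments (overlap handling is a separate topic)."""
    buf = bytearray()
    covered = 0
    total = None
    for offset_units, more, piece in sorted(fragments, key=lambda f: f[0]):
        if not fragment_fits(offset_units, len(piece)):
            return None                # oversized: drop the whole datagram
        start = offset_units * 8
        end = start + len(piece)
        if len(buf) < end:
            buf.extend(bytes(end - len(buf)))
        buf[start:end] = piece
        covered += len(piece)
        if not more:
            total = end
    if total is None or covered != total:  # no last fragment, or bytes missing
        return None
    return bytes(buf)


if __name__ == "__main__":
    icmp_echo = b"\x08\x00" + b"\x00" * 6          # constructed ICMP echo header
    largest_legal = icmp_echo + b"A" * (MAX_DATAGRAM - IP_HEADER - 8)
    print(reassemble(fragment(largest_legal)) == largest_legal)   # True
    ping_of_death = icmp_echo + b"A" * 65510       # 65,538 bytes on the wire: too big
    print(reassemble(fragment(ping_of_death)))    # None
```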


Smurf Attacks:


A nasty type of DoS attack is the Smurf attack, which is made possible mostly by badly configured network devices that respond to ICMP echo requests sent to broadcast addresses. The attacker sends a large amount of ICMP traffic to a broadcast address, using the victim’s IP address as the source IP, so the replies from all the devices that respond to the broadcast flood the victim. The nasty part of this attack is that the attacker can use a low-bandwidth connection to kill high-bandwidth connections: the amount of traffic sent by the attacker is multiplied by a factor equal to the number of hosts behind the router that reply to the ICMP echo packets.


The diagram above depicts a Smurf attack in progress. The attacker sends a stream of ICMP echo packets to the router at 128Kbps. The attacker modifies the packets by changing the source IP to the IP address of the victim’s computer so replies to the echo packets are sent to that address. The destination address of the packets is a broadcast address of the so-called bounce site, in this case 129.64.255.255. If the router is (mis-)configured to forward these broadcasts to hosts on the other side of the router (by forwarding layer 3 broadcasts to the layer 2 broadcast address FF:FF:FF:FF:FF:FF), all these hosts will reply. In the above example that would mean 640Kbps (5 x 128Kbps) of ICMP replies being sent to the victim’s system, which would effectively disable its 512Kbps connection. Besides the target system, the intermediate router is also a victim, and so are the hosts in the bounce site. A similar attack that uses UDP echo packets instead of ICMP echo packets is called a Fraggle attack.
It is difficult to prevent Smurf attacks entirely because they are made possible by incorrectly configured networks belonging to third parties. The Smurf Amplifier Registry (SAR) at http://www.powertech.no/smurf/ and Netscan.org are two of several publicly available databases that can be used to configure routers and firewalls to block ICMP traffic from these networks. The Smurf Amplifier Registry (SAR) can be downloaded in Cisco ACL format. If you use Cisco routers, make sure all interfaces are configured with the no ip directed-broadcast command (the default since IOS 12.0).

The following three DoS attacks are not likely to appear on the Security+ exam, but are listed for completeness. Older versions of Windows in particular, but many other systems as well, were vulnerable to these attacks. Like many other attacks, they are aimed at the IP stack; the first two specifically use packet fragmentation and reassembly vulnerabilities. If older systems are patched, they are usually no longer vulnerable.

Sunday, December 21, 2008

Your Computer Is Under Investigation


A mildly amusing sample came in today. The sample itself is a very simple Visual Basic application. When executed, the unlucky user is shown this message:



Clicking the 'Warning' button will play an alarm sound over the computer's speakers. Clicking 'FBI' will close the form. The sample also launched the default browser and opened the page www.fbi.gov - the legitimate FBI website. Other than that, it seems to have no malicious intent and may have been a prank. Seems rather old-fashioned, considering today's more monetized threat landscape.

Monday, November 17, 2008

Social engineering


Social engineering is a scheme using social techniques to attempt to gain information or access. An attacker may claim to be someone authorized to access the system such as a help desk technician, vendor or contractor and attempt to get the victim to reveal his user ID or passwords, or even request the set up of a new account for the attacker himself. An attacker may also call the organisation's help desk impersonating an authorized user to gain information about the system (e.g. requesting the help desk to change the original system password to one designated by the attacker).

Wednesday, November 12, 2008

LAN Security and local attacks-part 1



Traffic Eavesdropping
• Easy on shared media LANs
• Still possible on switched LANs
• e.g. flood or trick the bridge address table
• Easy on wireless LANs
• Possible to install physical splitter/tap/hub/bridge
• Would you see a physical something?
• Does the link bounce? Would you notice that?


LAN Bridge/Switch Attacks
• Overflow MAC address tables to cause flooding
• Typical gear can hold a few thousand addresses
• MAC addresses = 48 bits or >> a few thousand
• Spoof spanning tree BPDU messages
• Take over as root/designated bridge
• Cause continuous topology recomputations
• Forge VLAN, priority or aggregation tags
• Spoof PAUSE (flow control) frames (gig only)
• DDoS/floods, broadcast storms


Preventing LAN Bridge Attacks
• Monitor MAC address tables
• Manually set root bridge and monitor
• Use knobs like Cisco's BPDU and Root Guard
• Manually set and prune trunked switch ports
• Use 802.1x port authentication


ARP-based Attacks
• ARP request spoofing
• Responders to a request cache the sender's info
• As do others who already have the sender's info
• ARP update spoofing (gratuitous ARP)
• Thinking out loud:
• Is UNARP widely used? No.
• Can we poison ARP entries to = group address?


Preventing ARP-based Attacks
• Use LAN switches with one port per end host
• Enable port security to limit source MAC addresses
• Use 802.1x port authentication
• Enable (get) knobs on end hosts to validate ARPs
• How to best do this?
• Monitor LAN bridge/switch address tables
• Monitor router ARP tables
• Keep history of address/ARP tables
• FYI... vendors must support knobs (at line rate)

Tuesday, November 11, 2008

An Introduction to Arp Spoofing Attacks


ARP spoofing is a method of exploiting the interaction of IP and Ethernet protocols. It is only applicable to Ethernet networks running IP.


A computer connected to an IP/Ethernet LAN has two addresses. One is the address of the network card, called the MAC address. The MAC, in theory, is a globally unique and unchangeable address which is stored on the network card itself. MAC addresses are necessary so that the Ethernet protocol can send data back and forth, independent of whatever application protocols are used on top of it. Ethernet builds “frames” of data, consisting of 1500-byte blocks. Each frame has an Ethernet header, containing the MAC address of the source and the destination computer.


When an Ethernet frame is constructed, it must be built from an IP packet. However, at the time of construction, Ethernet has no idea what the MAC address of the destination machine is, which it needs to create an Ethernet header. The only information it has available is the destination IP from the packet’s header. There must be a way for the Ethernet protocol to find the MAC address of the destination machine, given a destination IP. This is where ARP, the Address Resolution Protocol, comes in.


ARP operates by sending out “ARP request” packets. An ARP request asks the question, “Is your IP address x.x.x.x? If so, send your MAC back to me.” These packets are broadcast to all computers on the LAN, even on a switched network. Each computer examines the ARP request, checks if it is currently assigned the specified IP, and sends an ARP reply containing its MAC address. To minimize the number of ARP packets being broadcast, operating systems keep a cache of ARP replies. When a computer receives an ARP reply, it will update its ARP cache with the new IP/MAC association.


ARP spoofing involves constructing forged ARP request and reply packets. By sending forged ARP replies, a target computer can be convinced to send frames destined for computer A to the attacker instead. When done properly, the target will have no idea that this redirection took place. The process of updating a target computer’s ARP cache with a forged entry is referred to as “ARP poisoning”.


By ARP spoofing, an attacker can carry out two further types of attack: 1. sniffing attacks and 2. session hijacking attacks.
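Added example, not from the original post, covering the "keep history of address/ARP tables" point in the LAN security slides above and the ARP poisoning just described: a Python watcher that replays constructed ARP traffic and reports the two signs a poisoned cache leaves, a known IP changing MAC and one MAC speaking for several IPs. All addresses and timings are invented.

```python
from collections import defaultdict

# Constructed ARP traffic on one LAN segment: (seconds, opcode, sender IP, sender MAC).
# Addresses are invented for the example; the third event is the poisoning attempt.
SAMPLE = [
    (0.0,  "request", "192.168.1.10", "00:11:22:33:44:10"),  # host asks for the gateway
    (0.1,  "reply",   "192.168.1.1",  "00:11:22:33:44:01"),  # gateway answers
    (30.0, "reply",   "192.168.1.1",  "00:11:22:33:44:66"),  # forged reply: gateway "moved"
    (31.0, "reply",   "192.168.1.10", "00:11:22:33:44:66"),  # same MAC now claims the host
    (60.0, "reply",   "192.168.1.1",  "00:11:22:33:44:01"),  # real gateway reasserts itself
]


def watch_arp(events):
    """Replay ARP packets and return alerts as (time, kind, detail) tuples.

    Both requests and replies carry a sender IP/MAC pair and receivers cache
    both, so both are learned. A known IP switching MAC is reported like
    arpwatch's 'changed ethernet address'; one MAC answering for several IPs
    (gateway plus host) is the classic man-in-the-middle signature."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, op, ip, mac in events:
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append((t, "changed", f"{ip} {old} -> {mac}"))
        ip_to_mac[ip] = mac
        known = mac_to_ips[mac]
        if known and ip not in known:
            alerts.append((t, "multi-ip", f"{mac} also claims {ip}"))
        known.add(ip)
    return alerts


if __name__ == "__main__":
    for alert in watch_arp(SAMPLE):
        print(alert)
```

A NIC replacement also produces a "changed" alert, so treat these as something to verify against the switch's address table, not as proof of an attack.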



ARPoison is a command-line tool for UNIX which creates spoofed ARP packets. Users can specify the source and destination IP/MAC addresses.



following procedures:

- Injecting characters into connections
- Sniffing encrypted SSH sessions
- Password collection
- OS fingerprinting
- Connection killing