Sunday, December 28, 2008

Microsoft hit by new SQL attack

Microsoft is now warning users of a serious bug in its SQL Server database software, just days after patching a critical flaw in its Internet Explorer browser.


Microsoft has issued a security advisory, saying that the bug could be exploited to run unauthorised software on systems running versions of Microsoft SQL Server 2000 and SQL Server 2005.
Attack code that exploits the bug has been published, but Microsoft said that it has not yet seen this code used in online attacks. Database servers could be attacked using this flaw if the criminals somehow found a way to log onto the system, and web applications that suffered from relatively common SQL injection bugs could be used as stepping stones to attack the back-end database, Microsoft said.
Desktop users running the Microsoft SQL Server 2000 Desktop Engine or SQL Server 2005 Express could be at risk in some circumstances, Microsoft said.
The bug lies in a stored procedure called "sp_replwritetovarbin," which is used by Microsoft's software when it replicates database transactions. It was publicly disclosed on 9 December by SEC Consult Vulnerability Lab, which said it had notified Microsoft of the issue in April.

"Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue," Microsoft said in its advisory.
This is the third serious bug in Microsoft's software to be disclosed in the past month, but it is unlikely to be used in widespread attacks, according to Marc Maiffret, director of professional services, with The DigiTrust Group, a security consulting firm. "It is rather low risk given other vulnerabilities that exist," he said. "There are a lot of better ways to currently compromise windows systems."
After seeing the Internet Explorer flaw used in a growing number of online attacks, Microsoft rushed out an emergency patch for the issue last Wednesday. The company says it has also seen "limited and targeted attacks" exploiting a serious bug in the WordPad Text Converter for Word 97 files. As with the SQL bug, this WordPad converter vulnerability has not been patched, but is a prime candidate to be fixed in Microsoft's upcoming 13 January security updates.

Saturday, December 27, 2008

DoS / DDoS Attacks-part1


Denial of Service (DoS) attack is one of the most simple and common attacks today. DoS attacks are not targeted at stealing, modifying or destroying information, but to prevent legitimate users from using a service. A DOS attack comes in many forms, from simply cutting of the power to a system, or flooding a system with seemingly legitimate network traffic, anything that will results in a denial of service. The public nature of the Internet makes it particularly vulnerable to DoS attacks. The DoS/DDoS attacks described below are all network-based DoS attacks. DoS/DDoS attacks are also active attacks, as the attacker actively attempts to change something, in this case the availability of a server or service.


TCP SYN Flood Attack:


A common example of a DoS attack is the TCP SYN flood attack, in which the attacker exploits behavior inherit to the TCP protocol. A TCP session is established by using a three-way handshake mechanism, which allows the client and the host to synchronize the connection and agree upon the initial sequence numbers. When the client connects to the host, it sends a SYN request to establish and synchronize the connection. The host replies with a SYN / ACK, again to synchronize. Then the client acknowledges it received the SYN/ ACK packet by sending and ACK. When the host receives the ACK the connection will become OPEN, allowing traffic from both sides (full-duplex). The connection remains open until the client or the host issues a FIN or RST packet, or the connection times out.



In a TCP SYN flood attack, the attacker creates half-open TCP connections by sending the initial SYN packet with a forged IP address, and never acknowledges the SYN /ACK from the host with an ACK. This will eventually lead to the host reaching a limit and stop accepting connections from legitimate users as well. Many routers and other network nodes today are able to detect SYN floods by monitoring the amount of unacknowledged TCP sessions and kill them before the session queue is full. They can often be configured to set the maximum allowed number of half-open connections, and limit the amount of time the host waits for the final acknowledgement. Without these preventive measures, the server could eventually run out of memory, causing it to crash entirely.



UDP Flood Attacks:


UDP is a connectionless protocol that doesn’t use a handshake mechanism to establish a connection. This makes it relatively easy to abuse for flood attacks. A common type of UDP flood attack often referred to as a Pepsi attack, is an attack in which the attacker sends a large number of forged UDP packets to random diagnostic ports on a target host. The CPU time, memory, and bandwidth required to process these packets may cause the target to become unavailable for legitimate users. To minimize the risk of a UDP flood attack, disabling all unused UDP services on hosts and block the unused UDP ports if you use a firewall to protect your network.


Ping of Death Attacks:


Another well-known DoS attack is the Ping of Death. It is also targeted at hosts with a weak implementation of the TCP/IP stack. The attacker sends an ICMP Echo request packet with a size larger than 65,535 bytes, causing the buffer at the receiver to overflow when the packet is included in the reassemble process. This can lead to the target system to crash and/or reboot. Especially older Windows versions (95/NT4), but also older MAC and Linux operating systems and other network devices such as routers were vulnerable to the Ping of Death. Modern operating systems and network devices safely disregard these oversized packets. Older systems can usually be updated with a patch.


Smurf Attacks:


A nasty type of DoS attack is the Smurf attack, which is made possible mostly because of badly configured network devices that respond to ICMP echoes sent to broadcast addresses. The attacker sends a large amount of ICMP traffic to a broadcast address and uses a victim’s IP address as the source IP so the replies from all the devices that respond to the broadcast address will flood the victim. The nasty part of this attack is that the attacker can use a low-bandwidth connection to kill high-bandwidth connections. The amount of traffic sent by the attacker is multiplied by a factor equal to the number of hosts behind the router that reply to the ICMP echo packets.


The diagram above depicts a Smurf attack in progress. The attacker sends a stream of ICMP echo packets to the router at 128Kbps. The attacker modifies the packets by changing the source IP to the IP address of the victim’s computer so replies to the echo packets will be sent to that address. The destination address of the packets is a broadcast address of the so-called bounce site, in this case 129.64.255.255. If the router is (mis-)configured to forward these broadcasts to hosts on the other side of the router (by forwarding layer 3 broadcasts to the layer 2 broadcast address FF:FF:FF:FF:FF:FF) all these host will reply. In the above example that would mean 640Kbps (5 x 128Kbps) of ICMP replies will be sent to the victim’s system, which would effectively disable its 512Kbps connection. Besides the target system, the intermediate router is also a victim, and thus also the hosts in the bounce site. A similar attack that uses UDP echo packets instead of ICMP echo packets is called a Fraggle attack.
It is difficult to prevent Smurf attacks entirely because they are made possible by incorrectly configured networks from a third party. The Smurf Amplifier Registry (SAR) http://www.powertech.no/smurf/ Netscan.org is one of several publicly available databases that can be used to configure routers and firewalls to block ICMP traffic from these networks. The Smurf Amplifier Registry (SAR) can be downloaded in Cisco ACL format. If you use Cisco routers, make sure all interfaces are configured with the no ip-directed broadcast command (default since IOS 12.0). The following three DoS attacks are not likely to appear on the Security+ exam, but are listed for completeness. Especially older versions of Windows but many other systems as well were vulnerable to these attacks. As many other attacks, they are aimed at the IP stack. The first two use packet fragmentation and reassembly vulnerabilities in specific. If older systems are patched, they are usually no longer vulnerable.

Sunday, December 21, 2008

Your Computer Is Under Investigation


A mildly amusing sample came in today. The sample itself is a very simple Visual Basic application. When executed, the unlucky user is shown this message:



Clicking the 'Warning' button will play an alarm sound over the computer's speakers. Clicking 'FBI' will close the form.The sample also launched the default browser and opened the page www.fbi.gov - the legitimate FBI website. Other than that, it seems to have no malicious intent and may have been a prank. Seems rather old-fashioned, considering today's more monetized threat landscape.