Dailydave mailing list archives

Just a few New Year's Day thoughts.


From: Dave Aitel <dave () immunityinc com>
Date: Sat, 30 Dec 2006 13:57:29 -0500


CANVAS release day is coming up, and as I often do, I checked out the
published reports of IDS coverage for the various vulnerabilities
we're releasing to see what's up. Some companies have really good
internal research teams, and some companies have good relationships
with other vendors and get the information straight from them. But the
companies that don't have either of those have to wait until someone
publishes a proof of concept to write their signatures.

Kostya did a bang-up job on the HEROES exploit and now it's
cross-service pack and cross-language. The funny thing with HEROES is
that it's extremely difficult to reverse engineer back from the patch.
There's not, to my knowledge, a good source of information about
HEROES in the outside world (other than Immunity Partners). So it's a
good way to tell who's doing their research (or getting info from MS)
and who's writing sigs from CANVAS exploits.


http://www.snort.org/vrt/advisories/vrt-rules-2006-12-12.html

"""
*Microsoft Security Bulletin MS06-074:*
A vulnerability in the Microsoft SNMP service may allow a remote
attacker to execute code of their choosing on a vulnerable system by
supplying a malformed SNMP request to the service.

Rules to detect attacks targeting this vulnerable service were
previously released and are identified as SIDs 1411 through 1414.

"""

That's misleading since there are lots of rules that say "SNMP traffic
detected" which is something highly different from MS06-074. Perhaps
I'm not up to date on my Snort. I'm sure someone will correct me.
Unless I'm wrong, Snort doesn't protect you from this attack at all.
It just alerts to random SNMP traffic?

NAI says this http://vil.nai.com/vil/Content/v_vul27222.htm :
"""
McAfee Intrushield

This signature provides coverage for this vulnerability. McAfee Avert
Labs will continue to update our coverage, as needed, as new exploit
vectors are discovered and as new threats emerge.

Signature:
    SNMPV2: MicrosoftV2Bulk ValuePair
Signature identifier:
    0x40A03800
Release date:
    12/12/2006

"""

Sounds like it might work. For an IPS to find HEROES in the wild, I'd
expect it to store state. It's a tough bug to find just by looking at
bytes. You can write a signature on our particular exploit, but that's
going to be a losing battle in the medium and long terms. Like all
signature detection, I guess.

I don't see anything here from NFR. Maybe they're busy being bought.
http://nfr.com/solutions/signatures.php

ISS says (http://xforce.iss.net/xforce/bulletins/microsoft/MS06-074):
This bulletin covers an integer underflow vulnerability in Windows SNMP.
They say they released a sig on Dec 13th.

Another thing that popped into my head is that 2006 is closing without
any public remote anonymous exploits against Windows XP SP2. If
Microsoft had decided to separate client-side and true remotes in
their naming system, they'd be able to use that in their advertising!

People get very interested in naming each and every vulnerability, but
exploits are just as interesting. You can name and classify exploits
by which vulnerabilities they use, and by which program features and
protocols they use or abuse. If you want a real picture of your risk,
you need to know the real capabilities of your tools. CVE number is
really just one tiny part of that.

-dave

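The post's complaint is that "SNMP traffic detected" rules match bytes, while telling a normal request from a malformed one requires actually decoding the PDU. Below is an added, constructed example of that contrast (not code from the post, Snort, McAfee or ISS): a byte-pattern rule next to a small BER decoder that identifies the PDU type and, for GetBulkRequest, checks that non-repeaters and max-repetitions are non-negative as RFC 3416 requires. The sample packets are constructed here; the post does not describe the MS06-074 trigger condition, and this code makes no claim to detect it.

```python
# Constructed example: a generic "SNMP traffic seen" rule versus a decoder that
# parses the BER-encoded message and reports what the PDU actually asks for.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA6: "InformRequest"}

def generic_snmp_rule(pkt):
    # Mimics a content-match rule: SEQUENCE tag plus the "public" community string.
    return pkt[:1] == b"\x30" and b"public" in pkt

def _tlv(buf, pos):  # decode one BER TLV at buf[pos] -> (tag, value_bytes, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _int(v): return int.from_bytes(v, "big", signed=True)   # BER INTEGER is signed

def classify(pkt):  # describe an SNMP v1/v2c message as a dict, or None if it is not one
    try:
        tag, body, _ = _tlv(pkt, 0)
        _, _ver, p = _tlv(body, 0)
        _, comm, p = _tlv(body, p)
        pdu_tag, pdu, _ = _tlv(body, p)
        if tag != 0x30 or pdu_tag not in PDU_NAMES:
            return None
        _, _reqid, p = _tlv(pdu, 0)
        _, f1, p = _tlv(pdu, p)             # error-status, or non-repeaters for GetBulk
        _, f2, p = _tlv(pdu, p)             # error-index, or max-repetitions for GetBulk
        info = {"community": comm.decode("latin-1"), "pdu": PDU_NAMES[pdu_tag]}
        if pdu_tag == 0xA5:
            info["non_repeaters"], info["max_repetitions"] = _int(f1), _int(f2)
            # RFC 3416 defines both fields as non-negative; a negative encoding is a
            # malformed request that a byte-pattern rule cannot tell from a normal one.
            info["malformed"] = info["non_repeaters"] < 0 or info["max_repetitions"] < 0
        return info
    except IndexError:                      # truncated or non-BER input
        return None

# Tiny BER encoder (short-form lengths only) used to build constructed sample packets.
def _enc(tag, val):
    return bytes([tag, len(val)]) + val
def _enc_int(n):
    return _enc(0x02, n.to_bytes((n.bit_length() + 8) // 8 or 1, "big", signed=True))
def build(pdu_tag, f1, f2, community=b"public"):
    varbind = _enc(0x30, _enc(0x06, bytes.fromhex("2b06010201010100")) + b"\x05\x00")
    pdu = _enc(pdu_tag, _enc_int(1) + _enc_int(f1) + _enc_int(f2) + _enc(0x30, varbind))
    return _enc(0x30, _enc_int(1) + _enc(0x04, community) + pdu)   # version 1 = v2c
SAMPLES = {"get": build(0xA0, 0, 0), "getbulk": build(0xA5, 0, 10),
           "getbulk_neg": build(0xA5, 0, -1)}   # last: negative max-repetitions
```

The generic rule fires identically on all three samples (and on any UDP payload that happens to start with 0x30 and contain "public"), while only the decoder can say which one is a GetBulkRequest and which one is malformed.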
