 
From: Björn Fröb (B.Froebe_at_gai-netconsult.de)
Date: Thu Jan 30 2003 - 03:09:00 CST


    Hi,

    I already had many discussions with ISS about the "admin rights" problem.
    For some checks (mainly the IIS ones) I made tests to find out how these
    checks were performed. Most of them just queried the registry of
    the server to find out whether the corresponding patch was installed
    or not and sometimes tried to find out the version of the vulnerable
    dll or exe file. So there was nearly always a false negative if no NetBIOS
    access to the server was possible.

    And certainly this method just works on Windows Boxes...

    As much as I appreciate the release of the new check and the really
    nice command-line scanner, in my opinion this should have been done
    BEFORE the worm hit the Internet!! We had exactly the same problem with
    CodeRed: the Internet Scanner IisIsapiIdqBo check was just a patch check
    and so did not work if the scanner could not connect to the server via
    SMB / NetBIOS. After CodeRed hit the net, ISS provided a flex check for
    testing via HTTP.

    So to sum it up, IMHO if there is a serverside vulnerability which can be
    exploited WITHOUT any privileges on the attacked host, it MUST be possible
    to check for it without any privileges.

    Regards
    Bjoern

    -----Original Message-----
    From: Chontzopoulos Dimitris [mailto:dchontzoabc.gr]
    Posted At: Wednesday, January 29, 2003 9:43 PM
    Posted To: ISS Mailingliste
    Conversation: [ISSForum] ISS Security Brief: Microsoft SQL Slammer Worm Propagation
    Subject: RE: [ISSForum] ISS Security Brief: Microsoft SQL Slammer Worm Propagation

    "These are actually pretty interesting questions as to the admin rights
    needed on machines. In a way, I can understand why admin rights would
    be needed. But there are numerous checks out there that require admin
    rights to check for it, but to exploit it, anybody can do it."

    I believe that it is a good point that the Security Scanner requires
    administrative rights in order to make some checks. Just imagine what
    could happen if the Security Scanner required no administrative rights
    in order to identify certain security issues. It could be THE unbeatable
    tool for any Hacker/ Cracker/you-name-it around the globe. The fact that
    exploits can be run without (in some, not all cases) administrative
    privileges has nothing to do with having administrative privileges in
    order to identify certain security issues. I also believe that the
    Security Scanner is not a mere application able to *crash* a machine by
    exploiting some security issues it may have, it is THE tool in order to
    identify the problem as it is and NOT provide you with a "False
    Positive" or "False Negative" just like Nessus does in some cases (at
    least for me, I don't know about other people). I really feel a lot
    better when I come to think that you HAVE to HAVE administrative rights
    in order to identify certain Security issues, I don't know about you
    people. Just try for yourself and contrast between Security Scanner and
    Nessus; you will find that only certain checks require administrative
    privileges, regarding the Security Scanner, and that Nessus can identify
    less Security Issues (although they exist on the scanned machine) and
    that it produces more "False Positives". In my opinion, Security Scanner
    is THE most comprehensive and professional Security/Vulnerability
    Assessment tool that exists in the market today. The thing is that it
    has dependencies regarding the checks it performs in order to give you
    true results. Again, Security Scanner is not a tool to "Blue Screen"
    your machines (although it can also do that), it is a tool to assess
    your current environment. There are other tools out there that are
    designed *just* to "Blue Screen" your machines.

    Cheers,

    Dimitris

    -----Original Message-----
    From: issforum-adminiss.net [mailto:issforum-adminiss.net] On Behalf
    Of Wisniewski, Michael
    Sent: Tuesday, January 28, 2003 7:06 PM
    To: 'Cindy_CHEEida.gov.sg'; CRoulandiss.net
    Cc: issforumiss.net; issforum-adminiss.net; TIHORACFcluster.NYU.EDU;
    xforceiss.net
    Subject: RE: [ISSForum] ISS Security Brief: Microsoft SQL Slammer Worm
    Propagation

            These are actually pretty interesting questions as to the admin
    rights needed on machines. In a way, I can understand why admin rights
    would be needed. But there are numerous checks out there that require
    admin rights to check for it, but to exploit it, anybody can do it.

            I would like to suggest that maybe there should be an option
    that will run the checks, admin or not, and give you the results. One of my
    gripes was with open writable NetBIOS shares. If the "Everyone" group is
    able to write to it, then isn't it an open share? Shouldn't this be flagged
    as a vulnerability? Why would I need to log in to the machine as an "admin"
    in order to detect a share the whole world can write to? Luckily, I have
    been working with Tech Support to resolve this issue. It works, but just
    lists the IP/host that has a writable share, and not what the share
    actually is.

            I think there are many checks like this that should be performed
    regardless of whether you're an admin or not. I could understand if you're
    an admin of a small 25-node LAN, but when you have hundreds and thousands of
    hosts, it is impossible to be an admin of every one of them....or even the
    majority of them.

    Mike

    -----Original Message-----
    From: Cindy_CHEEida.gov.sg [mailto:Cindy_CHEEida.gov.sg]
    Sent: Monday, January 27, 2003 8:23 PM
    To: CRoulandiss.net
    Cc: issforumiss.net; issforum-adminiss.net; TIHORACFcluster.NYU.EDU;
    xforceiss.net
    Subject: RE: [ISSForum] ISS Security Brief: Microsoft SQL Slammer Worm
    Propagation

    Does it mean that if you have no admin rights on the target host,
    although you selected to check this, it will not run? How do I execute the
    check with admin rights? Isn't it dangerous to execute the check with admin
    rights where the scan traffic is all in clear (plain text)?

    I was also very curious about this particular check 'MssqlPreauthBo' which
    requires admin rights too. The actual exploit for this doesn't require any
    admin rights: if your TCP port 1433 is open and the correct patch is not
    applied, it should be vulnerable. Can you explain why this particular check
    'MssqlPreauthBo' needs admin rights?

    In this case, if checks are not being run (because without admin rights),
    it won't reflect the actual vulnerability state of the machine, and most
    critical ISS checks require admin rights. Can someone please answer me??

    Regards,
    Cindy

    -----Original Message-----
    From: "Rouland, Chris (ISSAtlanta)" <CRoulandiss.net>
    Sent by: issforum-adminiss.net
    Sent: 01/27/2003 04:52 AM
    To: "Stephen Tihor" <TIHORACFcluster.NYU.EDU>, "ISS XForce" <xforceiss.net>
    Cc: <issforumiss.net>
    Subject: RE: [ISSForum] ISS Security Brief: Microsoft SQL Slammer Worm Propagation

    Stephen,

    The MssqlMs02039Patch (SecChkId 9666) check for Internet Scanner works by
    reading the path to where SQL Server is installed and then gets the version
    resource from ssnetlib.dll. If the version is less than 636, we flag the
    target as vulnerable.

    You will need admin rights on the target to detect this.

    -Chris

    -----Original Message-----
    From: Stephen Tihor [mailto:TIHORACFcluster.NYU.EDU]
    Sent: Saturday, January 25, 2003 2:14 PM
    To: ISS XForce
    Cc: issforumiss.net
    Subject: Re: [ISSForum] ISS Security Brief: Microsoft SQL Slammer Worm
    Propagation

    Interestingly enough, I have ISS Internet Scanner up to date with all
    XPUs and scanned a machine Friday which turned out to be vulnerable today.
    It was a stable production node so I doubt they enabled anything new. Which
    suggests that either ISS was not on point or it was a Denial of Service test,
    since those were not run against the machine being tested. Could someone tell
    me which was the case?

    _______________________________________________
    ISSForum mailing list
    ISSForumiss.net

    TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
    https://atla-mm1.iss.net/mailman/listinfo
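Added example, not code from the thread, from ISS or from any of the posters: the MssqlMs02039Patch check Chris describes reads the version resource of ssnetlib.dll on the target and flags builds below 636, which is why it needs admin rights. Björn's point is that a flaw reachable without credentials should be checkable without them. The SQL Server Resolution Service on UDP/1434 (the service Slammer itself targets) answers a one-byte instance-discovery request from any client with the name, ports and version of every instance on the host, so the same "build < 636" threshold can be applied from the network. The code below parses such a reply and classifies each instance; the sample datagram is constructed, not captured. Two things are my assumptions, not statements from the thread: that the Version field in the reply tracks the installed server build, and that a build below 636 on an 8.x (SQL Server 2000) instance means MS02-039 is missing. Either way this is still an inference about patch state from a version number, not a test of the overflow, so it inherits the false-positive/false-negative trade-offs discussed above.

```python
"""Unauthenticated SQL Server build check over the SQL Server Resolution
Service (UDP/1434). Added example; assumptions are noted in comments."""
import socket
import struct
from typing import Dict, List

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x03"      # MC-SQLR: "list all instances on this host"
SVR_RESP = 0x05              # first byte of a resolution-service reply
MS02_039_FIXED_BUILD = 636   # threshold quoted in the thread for ssnetlib.dll


def parse_svr_resp(packet: bytes) -> List[Dict[str, str]]:
    """Parse an SVR_RESP datagram into one {key: value} dict per instance.

    Layout: 0x05, then a little-endian 16-bit length, then ASCII text of
    'key;value;key;value;...' records separated and terminated by ';;'.
    """
    if len(packet) < 3 or packet[0] != SVR_RESP:
        raise ValueError("not an SVR_RESP datagram")
    (size,) = struct.unpack_from("<H", packet, 1)
    if len(packet) < 3 + size:
        raise ValueError("truncated SVR_RESP datagram")
    text = packet[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for record in text.split(";;"):
        fields = record.split(";")
        if len(fields) < 2:
            continue            # empty record after the final terminator
        # Fields alternate key, value, key, value, ...
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def ms02_039_status(instance: Dict[str, str]) -> str:
    """Classify one instance from its advertised 'major.minor.build' version.

    Assumption: the advertised build tracks the installed hotfix level, so
    the thread's 'build < 636' rule for ssnetlib.dll can be applied to it.
    """
    parts = instance.get("Version", "").split(".")
    if len(parts) < 3 or not (parts[0].isdigit() and parts[2].isdigit()):
        return "unknown"
    if int(parts[0]) != 8:
        return "not-applicable"   # MS02-039 covers SQL Server 2000 (8.x) only
    return "vulnerable" if int(parts[2]) < MS02_039_FIXED_BUILD else "patched"


def assess(packet: bytes) -> Dict[str, str]:
    """Map instance name -> status for every instance in a reply."""
    return {inst.get("InstanceName", "?"): ms02_039_status(inst)
            for inst in parse_svr_resp(packet)}


def probe(host: str, timeout: float = 2.0) -> Dict[str, str]:
    """Send the discovery request to a live host and assess the reply.

    The single byte is the normal client-library discovery request; no
    credentials are involved. Not called by the offline demo below.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        packet, _ = sock.recvfrom(65535)
    return assess(packet)


# Constructed sample reply (not a capture): one unpatched default instance
# (RTM build 194) and one named instance at build 760 on the same host.
_SAMPLE_TEXT = (
    b"ServerName;DBSRV01;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;8.00.194;tcp;1433;np;\\\\DBSRV01\\pipe\\sql\\query;;"
    b"ServerName;DBSRV01;InstanceName;REPORTS;IsClustered;No;"
    b"Version;8.00.760;tcp;2433;;"
)
SAMPLE_SVR_RESP = bytes([SVR_RESP]) + struct.pack("<H", len(_SAMPLE_TEXT)) + _SAMPLE_TEXT

if __name__ == "__main__":
    for name, status in assess(SAMPLE_SVR_RESP).items():
        print(f"{name:12s} {status}")
    # Against a live host:  print(probe("10.0.0.5"))
```

Run stand-alone it prints the classification of the two constructed instances; `probe()` sends the real one-byte request to a host you name. A host that does not answer UDP/1434 (firewalled, or the service disabled) yields a timeout rather than a verdict, which is the honest result: "unknown", not "patched".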