||Home : Advisories : RealSecure can not detect RDS and recent unicode exploit|
||RealSecure can not detect RDS and recent unicode exploit
||Fate Research Labs
||1st November 2000
/| | . |
/ | : : : : : : |
| | :: ------ :: : :: | :: - |-----
| | :: : :: . : | | :: : |
| | : . |------| | : |
| | ------^ : | / | .
| ;----------"---------------^------ / ------'---------------------
| / / / /----' / /
Advisory .........: RealSecure or Real"un"Secure
Release Date .....: 11-01-00
Application ......: RealSecure by ISS
Version ..........: All versions prior to and including 5.0 of all sensors
Vendor Status ....: Contacted - no responses
By ...............: Fate Research Labs
WWW ..............: www.f8labs.com
[ OVERVIEW ]
RealSecure by Internet Security Systems recently released version 5.0 of
Intrusion Detection System software. ISS markets RealSecure as a collection
detection modules with unique attack recognition and response capabilities,
otherwise known as sensors. The network class of sensors monitors the raw,
unfiltered traffic on enterprise networks, looking for patterns, protocol
violations, and repeated access attempts that indicate malicious intent. The
sensor performs real-time intrusion monitoring, detection, and prevention of
malicious activity by analyzing kernel-level events and host logs.
When RealSecure detects unauthorized activity, it can respond in a number of
automatically recording the date, time, source, and target of the event,
recording the content of the attack, notifying the system administrator,
reconfiguring a firewall or router, suspending a user account, or
[ ADVISORY ]
Despite all of the wonderful, feature rich, value add functionality of
their remains one catch. In no place within the management console are you
to add your own custom signatures. This is the very thing that makes this
so weak. With all of the open source Intrusion Detection Systems, including
commercial ones offered by other companies, the user is allowed to add his
custom signatures to the database. Our question is why would ISS not want
customers to have that same luxury. The administrator finds himself in a GUI
filled with icons of signatures provided by ISS when administering the
A year old advisory called RDS by Rain Forrest Puppy, which is a popular toy
kiddies is one of the most common tools used to compromise NT-based
machines. I quote
from the original RDS advisory released 10-12-99.
"it...is direct, immediate, and almost 100% guaranteed
to work....THE NUMBER OF HUGE SITES THAT ARE VULNERABLE
-Russ Cooper, NTBugtraq
"This exploit also does *not* require the presence of
any sample web applications or example code...the
issue affects at least 50% of the IIS servers I have
-Greg Gonzalez, NTBugtraq
/* -- snip from bugtraq id: 529 -- */
MDAC (Microsoft Data Access Components) is a package used to integrate web
database services. It includes a component named RDS (Remote Data Services).
RDS allows remote access via the internet to database objects through IIS.
are included in a default installation of the Windows NT 4.0 Option Pack,
can be excluded via a custom installation.
RDS includes a component called the DataFactory object, which has a
that could allow any web user to:
--Obtain unauthorized access to unpublished files on the IIS server
--Use MDAC to tunnel ODBC requests through to a remote internal or external
thereby obtaining access to non-public servers or effectively masking the
source of an
attack on another network.
The main risk in this vulnerability is the following:
--If the Microsoft JET OLE DB Provider or Microsoft DataShape Provider are
a user could use the shell() VBA command on the server with System
(See the Microsoft JET Database Engine VBA Vulnerability for more
These two vulnerabilities combined can allow an attacker on the Internet to
arbitrary commands with System level privileges on the target host.
/* -- snap end bugtraq desc. of rds exploit -- */
With such a dangerous tool on the loose, and the amount of sites compromised
it not declining, the need to detect and prevent such an attack is
our surprise, the newest version and new set of signatures provided by ISS
detect our RDS attacks on remote networks being protected by RealSecure.
With so many
large corporations and even Security Operation Centers deploying this
product, it is
the belief of F8 Labs that the customers of this product are made aware of
handicap. If a popular exploit that was released last year has not yet been
their signature database, what else has not that we haven't tested?
It has also been discovered that the recent Unicode exploit goes undetected
RealSecure as well.
------ snip // unicode --------
An anonymous person posts that they can run arbitrary commands on IIS 5
(Win 2000) using the following URL:
It seems the values of %c0%af and %c1%9c work for IIS 5. Curiousity
getting the better of me, I tried it on IIS 4. Uh oh, works there too.
------ snap // unicode --------
[ FOR THE KIDDIES ]
For those of you out there who would like to know if RealSecure is
remote site, try looking for a service running on port 2998. This is the
port that a remote console would use to connect to the remote sensor.
[ CONCULSION ]
Fate Research suggests that ISS allow customers the ability to modify
as well as add signatures. The inability to add new signatures for exploits
are released puts full control in the hands of ISS in hopes that they are
network against commonly used new threats. A task that they are failing
miserably with at the
time of this writing.
Fate Research Labs
BEGIN PGP SIGNATURE