[Snort-sigs] Existing Detection for Multiple Microsoft Vulnerabilities.

Matthew Watchinski mwatchinski at ...435...
Thu Apr 14 11:22:01 EDT 2005


VRT Advisory - Existing Detection for Multiple Microsoft Vulnerabilities.

Synopsis:
After continued research into Microsoft Security Bulletin MS05-019,
released on Tuesday, April 12, 2005, the Sourcefire Vulnerability
Research Team (VRT) has determined that existing rules and
pre-processors will generate events if attempts are made to exploit the
vulnerabilities outlined in the bulletin.

Details:
Spoofed Connection Request Vulnerability - CAN-2005-0688
A Denial of Service vulnerability exists in Microsoft Windows XP Service
Pack 2 and Windows Server 2003 hosts that can be triggered by a specially
crafted TCP packet.

To exploit this DoS condition, an attacker sends a TCP SYN packet with
the same source and destination IP address and port. This is known as a
"Land Attack" and while it has been around for many years, most
operating systems have addressed the vulnerability.

Networks that do ingress and egress filtering correctly will not allow a
spoofed packet inbound that has an identical source and destination IP
address.

TCP Connection Reset Vulnerability - CAN-2004-0230
A denial of service vulnerability exists in Microsoft hosts that may
permit an existing TCP connection to be reset.

Many TCP services such as BGP require a persistent TCP connection. A
vulnerability in the core implementation of TCP may make it possible for
an attacker to reset a number of connections and cause a Denial of
Service (DoS) to occur.

The attack is possible because the listening service will accept a TCP
sequence number within a range of what is expected in an established
session. Since BGP and other services rely on an established TCP session
state, guessing a suitable sequence number to reset connections is feasible.

IP Validation Vulnerability - CAN-2005-0048
A vulnerability exists in Microsoft Windows 98, 98 SE, ME, Windows 2000
and Windows XP Service Pack 1 hosts that may cause a denial of service
or possibly result in execution of arbitrary code on a vulnerable host.

The operating systems above fail to properly validate improperly
formatted multi-byte IP options. These options have a standard format of
IP option code, IP option length, and IP option data.

The failure to drop a malformed IP option causes the operating system to
misinterpret the data that follows. This can cause memory access
violations that halt the kernel and cause a DoS condition to occur.
Successful exploitation of this issue may allow an attacker to execute
code of their choosing on an affected host.

Detection:
Spoofed Connection Request Vulnerability - CAN-2005-0688
A Land attack will be detected by the Snort rule with sid 527 and a message
of "BAD-TRAFFIC same SRC/DST".

TCP Connection Reset Vulnerability - CAN-2004-0230
A BGP reset attack will be detected by the signature with sid 2523 and a
message of "DOS BGP spoofed connection reset attempt". While other TCP services
may be vulnerable, they often do not maintain a persistent state or a period
of inactivity where the TCP sequence number does not change.  This makes it more
difficult to reset the connection.

IP Validation Vulnerability - CAN-2005-0048
The Snort decoder recognizes the presence of truncated IP options.

The event will appear in Snort logs as:
  [**] [116:5:1] (snort_decoder): Truncated Ipv4 Options [**]
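
The two checks the Detection section relies on, as an added worked example that is not part of this advisory and not Snort's own decoder or rule code: a small Python decoder that walks the IPv4 option bytes using the code/length/data layout described under Details and flags an option whose declared length runs past the header (the condition the decoder reports as "Truncated Ipv4 Options"), plus the identical source and destination address check that sid 527 expresses, with a stricter helper for the exact Land shape (SYN, same address, same port). The packets, documentation addresses and the `build_ipv4_tcp` builder are constructed for the example, checksums are left at zero, and the event strings are copied from the advisory text rather than from Snort's rule files; the "(example): malformed IPv4 option length" label is a constructed name for the length-below-two case, not a Snort message.

```python
import struct
from ipaddress import IPv4Address

# Added example, not Snort code: a minimal IPv4/TCP decoder that reproduces
# the two checks the advisory relies on. All packets below are constructed.

IPOPT_EOL = 0    # single-byte End of Option List
IPOPT_NOP = 1    # single-byte No Operation
IPPROTO_TCP = 6
TH_SYN = 0x02


def parse_ipv4_options(opts):
    """Walk IPv4 option bytes laid out as code, length, data.

    Returns (options, error): options is a list of (code, data) tuples and
    error is None, "truncated" (a multi-byte option claims more bytes than
    remain in the header, the case Snort's decoder reports) or "bad_length"
    (a length below 2, which would otherwise make the walk loop or reverse).
    """
    options = []
    i = 0
    while i < len(opts):
        code = opts[i]
        if code == IPOPT_EOL:
            break                       # only padding follows; stop here
        if code == IPOPT_NOP:
            i += 1                      # NOP carries no length byte
            continue
        if i + 1 >= len(opts):          # option code present but no length byte
            return options, "truncated"
        length = opts[i + 1]
        if length < 2:
            return options, "bad_length"
        if i + length > len(opts):      # declared length runs past the header
            return options, "truncated"
        options.append((code, opts[i + 2:i + length]))
        i += length
    return options, None


def parse_packet(pkt):
    """Decode the IPv4 header (with options) and, for TCP, the ports and flags."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IPv4 version or header length")
    options, opt_error = parse_ipv4_options(pkt[20:ihl])
    info = {"src": IPv4Address(src), "dst": IPv4Address(dst), "proto": proto,
            "ip_options": options, "option_error": opt_error}
    if proto == IPPROTO_TCP and len(pkt) >= ihl + 20:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
        info.update({"sport": sport, "dport": dport, "tcp_flags": off_flags & 0x1FF})
    return info


def detect(pkt):
    """Return the event messages this packet raises (strings taken from the advisory)."""
    info = parse_packet(pkt)
    events = []
    if info["option_error"] == "truncated":
        events.append("(snort_decoder): Truncated Ipv4 Options")
    elif info["option_error"] == "bad_length":
        events.append("(example): malformed IPv4 option length")  # constructed label, not a Snort message
    # sid 527 fires on identical source and destination addresses regardless of port.
    if info["src"] == info["dst"]:
        events.append("BAD-TRAFFIC same SRC/DST")
    return events


def is_land_packet(pkt):
    """True for the exact Land shape the advisory describes: SYN, same address and same port."""
    info = parse_packet(pkt)
    return (info["proto"] == IPPROTO_TCP and info["src"] == info["dst"]
            and info.get("sport") == info.get("dport")
            and bool(info.get("tcp_flags", 0) & TH_SYN))


def build_ipv4_tcp(src, dst, sport, dport, tcp_flags=TH_SYN, ip_options=b""):
    """Assemble a constructed IPv4+TCP packet for the example (checksums left zero)."""
    opts = ip_options + b"\x00" * ((-len(ip_options)) % 4)   # pad options to 32 bits
    ihl = 20 + len(opts)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | tcp_flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | (ihl // 4), 0, ihl + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + opts + tcp


# Constructed sample packets (documentation addresses, not captured traffic).
LAND_PACKET = build_ipv4_tcp("192.0.2.10", "192.0.2.10", 139, 139)
# Record Route option (code 7) claiming 15 bytes when only 4 option bytes exist.
TRUNCATED_OPTION_PACKET = build_ipv4_tcp("198.51.100.7", "192.0.2.10", 40000, 80,
                                         ip_options=b"\x07\x0f")
# Well-formed options: NOP, NOP, then a 7-byte Record Route with one empty slot.
NORMAL_PACKET = build_ipv4_tcp("198.51.100.7", "192.0.2.10", 40000, 80,
                               ip_options=b"\x01\x01\x07\x07\x04\x00\x00\x00\x00")

if __name__ == "__main__":
    for name, pkt in [("land", LAND_PACKET), ("truncated", TRUNCATED_OPTION_PACKET),
                      ("normal", NORMAL_PACKET)]:
        print(name, detect(pkt), "land-shape:", is_land_packet(pkt))
```

The option walk stops at the first EOL byte because everything after it is padding, and it refuses a length below 2 before using it, since a zero length would never advance the index. The address comparison is deliberately separate from the port comparison: the rule condition is the address match alone, while `is_land_packet` shows the narrower shape the advisory describes.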

References:

Microsoft Security Bulletin MS05-019
http://www.microsoft.com/technet/security/Bulletin/ms05-019.mspx
