[Owasp-delhi] Attack Scenario

Soi, Dhruv dhruv.soi at owasp.org
Thu Feb 5 06:39:41 EST 2009


I am not really sure about the practical scenario, as I have no access to
the server/IPS logs, but here is a blind guess at your problem:

-> What can be the possible thing that is making the outbound connection to
the malicious server?

* The basic (and stupid) answer could be "false positive" :-)
* Another possibility is that there is some Excel file located in the web
server path, and whenever a request is made from a client, the web server
returns the Excel file and the IPS triggers an alert. This would be outbound
traffic from the IPS's point of view.
* If you can check the web server logs for the timestamp when the IPS
alert was generated and you don't see any log entry where an Excel file was
served to some external client, then the above point is ruled out. Look for
other programs making connections to external web servers; you may use
Sysinternals tools to dig further.

-> If the IPS is capable of detecting the above-mentioned signatures for
outgoing requests, then why does it not block the same request for incoming
requests, so that the attack can be blocked at the perimeter?

I think this is not some network/web attack that can be launched towards the
web server as such, as long as your web application doesn't allow users to
upload Excel files into the application. The attack is crafted on top of the
function HrShellOpenWithMonikerDisplayName in hlink.dll, which overflows the
stack due to long URIs [Refer: CVE-2006-3086]. Such malicious Excel files
could infect the server/client when a user opens the Excel file and clicks on
a long URI. Now, the source for such Excel files could be FTP, a website,
mail, an SMB share, other media, etc. Obviously, Excel files could be embedded
in Word/PPT files to fool users and make the investigation more time
consuming.

Hope this helps!

Many Thanks,

Dhruv
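A small script for the log check suggested in the third point above (correlate the IPS alert timestamp with the web server access log and see whether an Excel file was actually served). This is an added illustration, not code from this thread; the simplified W3C field layout, the sample log lines and the alert time are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample web server log in a simplified W3C extended format
# (field layout is an assumption; real IIS logs carry more fields than this).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-02-05 08:51:02 203.0.113.10 GET /index.html 200
2009-02-05 08:52:17 203.0.113.25 GET /reports/q4.xls 200
2009-02-05 08:52:40 203.0.113.25 GET /images/logo.png 200
2009-02-05 09:30:05 198.51.100.7 GET /reports/q4.xls 304
"""

EXCEL_EXTENSIONS = (".xls", ".xlsx", ".xlt", ".xlsm")
SERVED_STATUSES = (200, 206)  # a 304 means no file body left the server


def parse_w3c(text):
    """Yield (timestamp, client_ip, uri, status) per record; skip #directives."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, ip, _method, uri, status = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        yield ts, ip, uri, int(status)


def excel_served_near(log_text, alert_time, window_minutes=5):
    """Return records where an Excel file was served within +/- window of the
    IPS alert time (given as 'YYYY-MM-DD HH:MM:SS'). An empty list means the
    'web server returned the .xls' hypothesis is not supported by the logs, so
    the search moves on to other processes making outbound connections."""
    alert = datetime.strptime(alert_time, "%Y-%m-%d %H:%M:%S")
    window = timedelta(minutes=window_minutes)
    return [
        (ts, ip, uri, status)
        for ts, ip, uri, status in parse_w3c(log_text)
        if abs(ts - alert) <= window
        and uri.lower().endswith(EXCEL_EXTENSIONS)
        and status in SERVED_STATUSES
    ]


if __name__ == "__main__":
    # Constructed IPS alert timestamp, 43 seconds after the .xls download above.
    for hit in excel_served_near(SAMPLE_LOG, "2009-02-05 08:53:00"):
        print(hit)
```

With the sample data, an alert at 08:53:00 is explained by the q4.xls download from 203.0.113.25, while an alert at 09:31:00 is not (the only nearby .xls request returned 304), which is the case where the third point says to look elsewhere.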

  _____  

From: owasp-delhi-bounces at lists.owasp.org
[mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Parmendra Sharma
Sent: Thursday, February 05, 2009 2:23 PM
To: owasp-delhi at lists.owasp.org
Subject: [Owasp-delhi] Attack Scenario

Hello OWASP Members,

Please clarify the attack that is done by the attacker on the web server in
the below-mentioned scenario:

Network description:

Network threat protection (IPS) installed as a part of Symantec Endpoint
Protection on a Microsoft ISA firewall.

Now there are certain requests that are blocked by the firewall which are
making OUTGOING connections (which are malicious), and the IPS detected those
attack signatures as "[SID=21672] HTTP MS Excel Unicode HLINK BO Detected".

Now my questions are:

-> What can be the possible thing that is making the outbound connection to
the malicious server?

-> If the IPS is capable of detecting the above-mentioned signatures for
outgoing requests, then why does it not block the same request for incoming
requests, so that the attack can be blocked at the perimeter?

-- 
Thanks and Regards:

Parmendra Sharma
Indian Computer Emergency Response Team (CERT-In)
Ministry of Information Technology
Government of India
6 C.G.O Complex
Lodhi Road
New Delhi
