[Owasp-delhi] Attack Scenario

Parmendra Sharma s.parmendra at gmail.com
Fri Feb 6 06:57:15 EST 2009


Sir,

Thanks for your answer.

I am worried about the OUTGOING connection that is blocked by the firewall,
and if I am right, an OUTGOING connection is one for which the first
request (a SYN packet to complete the TCP three-way handshake) is sent
from the internal network to the external machine.

Now, if an Excel file is there on the server, then accessing that file by
the attacker or someone else (a user) would create an INCOMING CONNECTION
with the server to exploit the vulnerability within the Excel file, and for
this NO OUTGOING CONNECTION IS REQUIRED.

Please clarify......:-)

On Thu, Feb 5, 2009 at 5:09 PM, Soi, Dhruv <dhruv.soi at owasp.org> wrote:

> I am not really sure about the practical scenario due to no access to
> server/IPS logs, but just making a blind guess at your problem:
>
> -> What can be the possible thing that is making the outbound connection to
> the malicious server?
>
>    - Basic and stupid answer could be "false positive" :-)
>    - Possibility could be that there is some Excel file located in the web
>    server path and whenever a request is made from the client, the web server
>    returns the Excel file and the IPS triggers an alert. This would be outbound
>    traffic for the IPS.
>    - If you check the web server logs for the timestamp when the IPS alert
>    was generated and you don't see any log entry where an Excel file was served to
>    some external client, then the above point is ruled out. Look for other programs
>    making connections to external web servers; you may use SysInternals tools
>    to dig further.
>
> -> If the IPS is capable of detecting the abovementioned signatures for the
> outgoing requests, then why does it not block the same request for the
> incoming request so that the attack can be blocked at the perimeter?
>
> I think this is not some network/web attack that can be launched
> towards the web server as such, as long as your web application doesn't
> allow users to upload Excel files into the application. The attack is
> crafted on top of the function HrShellOpenWithMonikerDisplayName in
> hlink.dll, which overflows the stack due to long URIs [Refer: CVE-2006-3086].
> Such malicious Excel files could infect the server/client when a user opens
> the Excel file and clicks on long URIs. Now, the source for such Excel files
> could be FTP, website, mail, SMB share, other media, etc. Obviously, Excel
> files could be embedded in Word/PPT files to fool users and make
> the investigation more time consuming.
>
> Hope this is helpful!
>
> Many Thanks,
>
> Dhruv
>
>  ------------------------------
>
> *From:* owasp-delhi-bounces at lists.owasp.org [mailto:
> owasp-delhi-bounces at lists.owasp.org] *On Behalf Of *Parmendra Sharma
> *Sent:* Thursday, February 05, 2009 2:23 PM
> *To:* owasp-delhi at lists.owasp.org
> *Subject:* [Owasp-delhi] Attack Scenario
>
> Hello OWASP Members,
>
> Please clarify the attack that is done by the attacker on the web server in
> the below-mentioned scenario:
>
> Network description:
>
> Network Threat Protection (IPS), installed as a part of Symantec Endpoint
> Protection on a Microsoft ISA firewall.
>
> Now there are certain requests that are blocked by the firewall which are
> making OUTGOING connections (which are malicious), and the IPS detected those
> attack signatures as "[SID=21672] HTTP MS Excel Unicode HLINK BO Detected".
>
> Now my questions are:
>
> -> What can be the possible thing that is making the outbound connection to
> the malicious server?
>
> -> If the IPS is capable of detecting the abovementioned signatures for the
> outgoing requests, then why does it not block the same request for the
> incoming request so that the attack can be blocked at the perimeter?
>
> --
> Thanks and Regards:
>
> Parmendra Sharma
> Indian Computer Emergency Response Team (CERT-In)
> Ministry of Information Technology
> Government of India
> 6 C.G.O Complex
> Lodhi Road
> New Delhi
>



-- 
Thanks and Regards:

Parmendra Sharma
Indian Computer Emergency Response Team (CERT-In)
Ministry of Information Technology
Government of India
6 C.G.O Complex
Lodhi Road
New Delhi
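As an added illustration (not part of the thread, and not code from either poster), the two points discussed above in working form: the direction of a TCP connection is fixed by who sent the SYN, so an external client fetching a file from the internal web server is an incoming connection even though the file itself travels outward; and Dhruv's suggested check of the web server log around the IPS alert timestamp for an Excel file served to an external client. The internal range 10.0.0.0/8, the IPS alert records and the Common Log Format access-log lines are all constructed for the example.

```python
"""Connection-direction check and IPS-alert / web-log correlation.
Added example; all sample data below is constructed, not from the thread."""
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed internal address range for the example.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def connection_direction(syn_src, syn_dst):
    """Classify a TCP connection by who sent the SYN.

    'outgoing' means the SYN went from an internal host to an external one;
    'incoming' means an external host opened the connection to us. The
    direction of the *connection* is independent of which side later sends
    the bulk of the data (e.g. a web server returning a file)."""
    s = ipaddress.ip_address(syn_src) in INTERNAL
    d = ipaddress.ip_address(syn_dst) in INTERNAL
    if s and not d:
        return "outgoing"
    if d and not s:
        return "incoming"
    return "internal" if s else "external"


# Constructed IPS alerts: (timestamp, signature id, src, dst) as the IPS
# reported them. The server 10.0.0.5 is the src because the payload that
# matched the signature was in the HTTP response.
IPS_ALERTS = [
    ("2009-02-05 13:55:01", 21672, "10.0.0.5", "203.0.113.25"),
    ("2009-02-05 14:10:30", 21672, "10.0.0.5", "198.51.100.7"),
]

# Constructed web server access log (Common Log Format).
WEB_LOG = """\
203.0.113.25 - - [05/Feb/2009:13:55:00 +0530] "GET /reports/q4.xls HTTP/1.1" 200 48231
10.0.0.23 - - [05/Feb/2009:13:55:02 +0530] "GET /index.html HTTP/1.1" 200 1200
192.0.2.9 - - [05/Feb/2009:14:10:05 +0530] "GET /about.html HTTP/1.1" 200 3100
"""

CLF = re.compile(
    r'^(\S+) \S+ \S+ \[([^ \]]+) [^\]]*\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)'
)


def parse_clf(text):
    """Parse Common Log Format lines into dicts; skip lines that don't match."""
    entries = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        client, ts, method, path, status, _size = m.groups()
        entries.append({
            "client": client,
            "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S"),
            "method": method,
            "path": path,
            "status": int(status),
        })
    return entries


def served_excel(entries, alerts=IPS_ALERTS, window_s=5):
    """For each IPS alert, list access-log hits within +/- window_s seconds
    where the server returned an .xls to the alert's peer over an incoming
    connection. An empty list for an alert means "the web server did not
    serve an Excel file to that client at that time", which rules out the
    static-file explanation for that alert."""
    hits = {}
    window = timedelta(seconds=window_s)
    for ts, _sid, server, peer in alerts:
        at = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        hits[ts] = [
            e for e in entries
            if abs(e["time"] - at) <= window
            and e["client"] == peer
            and e["status"] == 200
            and e["path"].lower().endswith(".xls")
            and connection_direction(e["client"], server) == "incoming"
        ]
    return hits


if __name__ == "__main__":
    for ts, matches in served_excel(parse_clf(WEB_LOG)).items():
        print(ts, "->", [m["path"] for m in matches] or "no .xls served; look elsewhere")
```

The first alert lines up with the server returning `/reports/q4.xls` to the external client that opened the connection, so that alert is explained by outbound traffic on an incoming connection. The second alert has no matching log entry, which is the case where Dhruv suggests looking for some other process on the host opening connections outward.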