[Owasp-delhi] Attack Scenario

Parmendra Sharma s.parmendra at gmail.com
Fri Feb 6 09:43:29 EST 2009


Thanks a Lot for resolving the issue. :-)

On 2/6/09, Soi, Dhruv <dhruv.soi at owasp.org> wrote:
>
>  I think for most of the IPS it should be packet/traffic direction and not
> connection direction.
>
>
>
> Many Thanks,
>
> Dhruv
>
>
>  ------------------------------
>
> *From:* Parmendra Sharma [mailto:s.parmendra at gmail.com]
> *Sent:* Friday, February 06, 2009 7:39 PM
> *To:* dhruv.soi at owasp.org
> *Subject:* Re: [Owasp-delhi] Attack Scenario
>
>
>
> O.K. Sir,
>
>
>
> This means that no fresh OUTGOING connection is being made by the server,
> but the traffic that is blocked is the response from the server for an
> already maintained connection.
>
>
>
> Is there any mechanism or interface within the IPS which distinguishes
> between the two IN to OUT requests mentioned below:
>
>
>
> A malicious program on the server sends the REQUEST (the first request)
> from IN to OUT and
>
> A response from the server for the request
> "http://www.fileopen.com/open.php?file=someexcel.xls". Naturally this will
> also be the traffic from IN to OUT.
>
>
>
> I mean to say, is there any intelligence within the IPS which lets it
> know whether the packets that are sent from IN to OUT are:
>
> -> a request for a new connection
>
> -> a response for the request for an already maintained connection.
>
>
>
> Waiting for your reply......
>
>
>
>
>
>
>
> On 2/6/09, *Soi, Dhruv* <dhruv.soi at owasp.org> wrote:
>
> Client makes a request ->
> http://www.fileopen.com/open.php?file=someexcel.xls towards the server.
> This is an incoming request and contains the file name in the HTTP GET, but
> the filename won't bring up an alert.
>
>
>
> Server responds to above request by passing on the XLS file in HTTP Data
> which would be outgoing traffic from server to client. XLS contents will be
> parsed by IPS, signature match will happen and alert will be triggered.
> Connection is for sure INCOMING but the malicious traffic would be outgoing.
> IPS signature would be checking the traffic from IN to OUT in this case, I
> believe.
>
>
>
> A simple way to check this would be to block incoming requests to the server
> from external clients and see if outbound connections are still being made
> from the server. That would clearly tell you if the triggers are due to
> incoming connections made from clients or the server is running some malicious
> program and making outbound connections.
>
>
>
>
>
>
>  ------------------------------
>
> *From:* owasp-delhi-bounces at lists.owasp.org [mailto:
> owasp-delhi-bounces at lists.owasp.org] *On Behalf Of *Parmendra Sharma
> *Sent:* Friday, February 06, 2009 5:27 PM
> *To:* dhruv.soi at owasp.org
> *Cc:* owasp-delhi at lists.owasp.org
> *Subject:* Re: [Owasp-delhi] Attack Scenario
>
>
>
> Sir,
>
>
>
> Thanks for your answer..
>
>
>
> I am worried about the OUTGOING connection that is blocked by the firewall,
> and if I am right then an OUTGOING connection is one for which the first
> request (a SYN packet to complete the TCP three-way handshake) is sent
> from the internal network to the external machine.
>
>
>
> Now if an Excel file is there on the server, then accessing that file by
> the attacker or someone else (a user) would create an INCOMING CONNECTION
> with the server to exploit the vulnerability within the Excel file, and for
> this NO OUTGOING CONNECTION IS REQUIRED.
>
>
>
> Please clarify......:-)
>
> On Thu, Feb 5, 2009 at 5:09 PM, Soi, Dhruv <dhruv.soi at owasp.org> wrote:
>
> I am not really sure about the practical scenario due to no access to
> server/IPS logs but just making a blind guess to your problem:
>
>
>
> -> What can be the possible thing that is making the outbound connection to
> the malicious server?
>
>    - Basic and stupid answer could be "false positive" :-)
>    - Possibility could be that there is some Excel file located in the web
>    server path and whenever a request is made from the client, the web server
>    returns the Excel file and the IPS triggers an alert. This would be outbound
>    traffic for the IPS.
>    - If you can check the web server logs for the timestamp when the IPS alert
>    was generated and you don't see any log entry where the Excel file was served to
>    some external client, then the above point is ruled out. Look for other programs
>    making connections to external web servers, and you may use Sysinternals tools
>    to dig further.
>
>
>
> -> If the IPS is capable of detecting the above-mentioned signatures for the
> outgoing requests, then why does it not block the same request for the
> incoming request so that the attack can be blocked at the perimeter?
>
> I think this is not some network/web attack that can be launched
> towards the web server as such, as long as your web application doesn't
> allow users to upload Excel files into the application. The attack is
> crafted on top of the function HrShellOpenWithMonikerDisplayName in
> hlink.dll that overflows the stack due to long URIs [Refer: CVE-2006-3086].
> Such malicious Excel files could infect the server/client when a user opens
> the Excel file and clicks on long URIs. Now, the source for such Excel files
> could be FTP, website, mail, SMB share, other media, etc. Obviously, Excel
> files could be embedded in Word/PPT files to fool the users and make
> the investigation more time consuming.
>
>
>
> Hope helpful!
>
>
>
> Many Thanks,
>
> Dhruv
>
>
>  ------------------------------
>
> *From:* owasp-delhi-bounces at lists.owasp.org [mailto:
> owasp-delhi-bounces at lists.owasp.org] *On Behalf Of *Parmendra Sharma
> *Sent:* Thursday, February 05, 2009 2:23 PM
> *To:* owasp-delhi at lists.owasp.org
> *Subject:* [Owasp-delhi] Attack Scenario
>
>
>
> Hello OWASP Members,
>
>
>
> Please clarify the attack that is done by the attacker on the web server in
> the below-mentioned scenario:
>
>
>
> Network description:
>
>
>
> Network threat protection (IPS) installed as a part of Symantec endpoint
> protection on Microsoft ISA firewall.
>
>
>
> Now there are certain requests that are blocked by the firewall which are
> making the OUTGOING connections (which are malicious) and IPS detected those
> attack signatures as "[SID=21672] HTTP MS Excel Unicode HLINK BO Detected".
>
>
>
> Now my questions are:
>
> -> What can be the possible thing that is making the outbound connection to
> the malicious server?
>
> -> If the IPS is capable of detecting the above-mentioned signatures for the
> outgoing requests, then why does it not block the same request for the
> incoming request so that the attack can be blocked at the perimeter?
>
>
>
>
>
> --
> Thanks and Regards:
>
> Parmendra Sharma
> Indian Computer Emergency Response Team (CERT-In)
> Ministry of Information Technology
> Government of India
> 6 C.G.O Complex
> Lodhi Road
> New Delhi
>
>
>



-- 
Thanks and Regards:

Parmendra Sharma
Indian Computer Emergency Response Team (CERT-In)
Ministry of Information Technology
Government of India
6 C.G.O Complex
Lodhi Road
New Delhi
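The thread's point is that an IPS signature matches on packet direction, while a firewall's "outgoing connection" is defined by who sent the SYN. The following added example (not code from the thread or from any IPS product) shows the distinction with a minimal connection tracker: the constructed flow below has the server's XLS response travelling IN->OUT on a connection that a client opened OUT->IN, next to a genuine new IN->OUT connection from the server. The internal range and all addresses are assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Assumed internal address range (constructed for this example).
INTERNAL = ip_network("10.0.0.0/8")

# flags uses tcpdump-style letters: "S" = SYN, "A" = ACK, "P" = PSH.
Packet = namedtuple("Packet", "src sport dst dport flags")


def packet_direction(pkt):
    """Direction of a single packet relative to the internal network."""
    s_in = ip_address(pkt.src) in INTERNAL
    d_in = ip_address(pkt.dst) in INTERNAL
    if s_in and not d_in:
        return "IN->OUT"
    if d_in and not s_in:
        return "OUT->IN"
    return "INTERNAL" if s_in else "EXTERNAL"


class ConnTracker:
    """Stateful view: the direction of the bare SYN fixes the connection direction."""

    def __init__(self):
        self.conn_dir = {}  # canonical 4-tuple -> direction of the originating SYN

    @staticmethod
    def key(pkt):
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a <= b else (b, a)  # same key for both directions

    def classify(self, pkt):
        """Return a verdict that names both the packet and the connection direction."""
        pdir = packet_direction(pkt)
        if "S" in pkt.flags and "A" not in pkt.flags:  # bare SYN: a new connection
            self.conn_dir[self.key(pkt)] = pdir
            return "NEW CONNECTION " + pdir
        cdir = self.conn_dir.get(self.key(pkt))
        if cdir is None:
            return "UNTRACKED (no SYN seen)"
        role = "REQUEST" if pdir == cdir else "RESPONSE"
        return "%s %s on %s connection" % (role, pdir, cdir)


def triage(packets):
    """Run the tracker over a packet sequence and return one verdict per packet."""
    tracker = ConnTracker()
    return [tracker.classify(p) for p in packets]


# Constructed sample: a client fetches the XLS, then the server opens a fresh outbound connection.
SAMPLE_FLOW = [
    Packet("203.0.113.5", 40000, "10.0.0.5", 80, "S"),     # client SYN
    Packet("10.0.0.5", 80, "203.0.113.5", 40000, "SA"),    # server SYN/ACK
    Packet("203.0.113.5", 40000, "10.0.0.5", 80, "PA"),    # GET /open.php?file=...
    Packet("10.0.0.5", 80, "203.0.113.5", 40000, "PA"),    # XLS body: IN->OUT packet, OUT->IN connection
    Packet("10.0.0.5", 45000, "198.51.100.7", 80, "S"),    # server-initiated outbound connection
]
```

A packet-direction signature fires on the fourth packet even though no outbound connection exists; only the fifth packet is what the firewall would log as an outgoing connection.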