[Owasp-delhi] Attack Scenario

Praveen Darshanam praveen_recker at yahoo.com
Fri Feb 6 10:34:17 EST 2009


Most of the time, signatures are pattern based.

In our case, we can stop the attack just by analyzing the *request* for a malicious file based upon its extension (doc, pdf, etc.).

In the other case, we can block the malicious file based upon the file content in the *response* packet.

We implicitly mention in the signature file which direction (inbound/outbound) we are looking for. The direction is always relative, depending upon what we are protecting, i.e. are we protecting the client or the server?

Best Regards,
Praveen Darshanam
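
As an added illustration of the two detection points and the direction question above (this is example code, not code from the thread or from any vendor's IPS): a toy pattern-based engine with one signature that matches the *request* by file extension and one that matches the *response* by file content (the OLE compound-document header that Excel 97-2003 files start with). The same flow is then inspected once while protecting the server and once while protecting the client, which is what flips the reported direction. Signature IDs, addresses, ports and the sample HTTP traffic are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Excel 97-2003 workbooks (and .doc files) are OLE compound documents,
# which start with this well-known 8-byte header.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
HTTP_PORTS = {80, 8080}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int                 # hypothetical local IDs, not any vendor's SIDs
    msg: str
    flow: str                # "to_server" = inspect requests, "to_client" = inspect responses
    pattern: re.Pattern


SIGNATURES = [
    # Detection point 1: match the *request* on the file extension.
    Signature(1000001, "HTTP request for an office/pdf document by extension", "to_server",
              re.compile(rb"^(?:GET|POST) \S*\.(?:xls|doc|pdf)(?:\?\S*)? HTTP/1\.[01]\r\n", re.I)),
    # Detection point 2: match the *response* on the file content (magic bytes right after the headers).
    Signature(1000002, "HTTP response body is an OLE compound document", "to_client",
              re.compile(rb"\r\n\r\n" + re.escape(OLE_MAGIC))),
]


def flow_of(pkt: Packet) -> str:
    """Client->server if the packet is headed for a web port, else server->client."""
    return "to_server" if pkt.dport in HTTP_PORTS else "to_client"


def inspect(packets: List[Packet], protected: Set[str]) -> List[Tuple[int, str]]:
    """Run every signature whose flow matches the packet and report the alert
    direction relative to the protected hosts, the way an IPS labels it."""
    alerts = []
    for pkt in packets:
        for sig in SIGNATURES:
            if sig.flow == flow_of(pkt) and sig.pattern.search(pkt.payload):
                direction = "outbound" if pkt.src in protected else "inbound"
                alerts.append((sig.sid, direction))
    return alerts


# Constructed sample traffic (documentation address ranges, not real hosts).
CLIENT, SERVER = "198.51.100.7", "10.0.0.5"
XLS_FLOW = [
    Packet(CLIENT, 51515, SERVER, 80,
           b"GET /reports/q4.xls HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    Packet(SERVER, 80, CLIENT, 51515,
           b"HTTP/1.1 200 OK\r\nContent-Type: application/vnd.ms-excel\r\n\r\n"
           + OLE_MAGIC + b"\x00" * 16),
]
# The same document served from a URL with no extension: only the content check sees it.
NO_EXT_FLOW = [
    Packet(CLIENT, 51516, SERVER, 80,
           b"GET /download?id=42 HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    Packet(SERVER, 80, CLIENT, 51516,
           b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
           + OLE_MAGIC + b"\x00" * 16),
]

if __name__ == "__main__":
    print("protecting the server:", inspect(XLS_FLOW, {SERVER}))
    print("protecting the client:", inspect(XLS_FLOW, {CLIENT}))
    print("no extension in URL:  ", inspect(NO_EXT_FLOW, {SERVER}))
```

With the server as the protected asset, the request signature fires as "inbound" and the response signature as "outbound"; protect the client instead and the labels swap on the identical packets. The second flow is the caveat that goes with extension-based matching: a file served from `/download?id=42` never triggers the request signature, so the response-content check is the one that still catches it.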

--- On Thu, 2/5/09, Soi, Dhruv <dhruv.soi at owasp.org> wrote:
From: Soi, Dhruv <dhruv.soi at owasp.org>
Subject: Re: [Owasp-delhi] Attack Scenario
To: "'Parmendra Sharma'" <s.parmendra at gmail.com>, owasp-delhi at lists.owasp.org
Date: Thursday, February 5, 2009, 5:09 PM

I am not really sure about the practical scenario, as I have no access to the server/IPS logs, but I am just making a blind guess at your problem:

-> What can be the possible thing that is making the outbound connection to the malicious server.

1. A basic and stupid answer could be "false positive" :)
2. A possibility could be that there is some Excel file located in the web server path and, whenever a request is made from the client, the web server returns the Excel file and the IPS triggers an alert. This would be outbound traffic for the IPS.
3. If you can check the web server logs for the timestamp when the IPS alert was generated and you don't see any log entry where an Excel file was served to some external client, then the above point is ruled out. Look for other programs making connections to external web servers; you may use SysInternals tools to dig further.


-> If the IPS is capable of detecting the above-mentioned signatures for the outgoing requests, then why does it not block the same request for the incoming request, so that the attack can be blocked at the perimeter.

I think this is not some network/web attack that can be launched towards the web server as such, as long as your web application doesn't allow users to upload Excel files into the application. The attack is crafted on top of the function HrShellOpenWithMonikerDisplayName in hlink.dll, which overflows the stack due to long URIs [Refer: CVE-2006-3086]. Such malicious Excel files could infect the server/client when a user opens the Excel file and clicks on long URIs. Now, the source for such Excel files could be FTP, a website, mail, an SMB share, other media, etc. Obviously, Excel files could be embedded in Word/PPT files to fool users and make the investigation more time consuming.


Hope helpful! 


Many Thanks, 

Dhruv 
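
The log check Dhruv suggests (compare the IPS alert timestamp against the web server log and see whether an Excel file was actually served to an external client), as an added example that is not code from the thread: it parses a constructed NCSA-format access log, keeps only document downloads that were really served (2xx status) to a client outside an assumed internal address space within a window around the alert time, and returns those entries. The log format, the internal networks, the extension list, the window and every sample line are assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta
from typing import List, Tuple

# NCSA common log format: client, ident, user, [timestamp], "request", status, size.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
DOC_EXT = re.compile(r"\.(?:xls|xlsx|doc|docx|pdf)(?:\?.*)?$", re.I)
# Assumed internal address space; anything else counts as an external client.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def documents_served_near(log_lines: List[str], alert_ts: datetime,
                          window: timedelta = timedelta(minutes=2)) -> List[Tuple[str, str, int]]:
    """Return (client, path, status) for every office/pdf document actually
    served (2xx) to an external client within +/- window of the IPS alert."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue                      # skip malformed lines instead of aborting the triage
        ts = datetime.strptime(m["ts"], TS_FMT)
        status = int(m["status"])
        if (abs(ts - alert_ts) <= window
                and 200 <= status < 300
                and DOC_EXT.search(m["path"])
                and is_external(m["ip"])):
            hits.append((m["ip"], m["path"], status))
    return hits


# Constructed sample access log (not real data); the IPS alert fired at 14:21:05 +0530.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Feb/2009:14:20:58 +0530] "GET /index.html HTTP/1.1" 200 1843',
    '10.0.0.22 - - [05/Feb/2009:14:21:04 +0530] "GET /reports/q4.xls HTTP/1.1" 200 24576',
    '198.51.100.7 - - [05/Feb/2009:14:21:03 +0530] "GET /reports/q4.xls HTTP/1.1" 200 24576',
    '203.0.113.9 - - [05/Feb/2009:14:21:10 +0530] "GET /reports/q4.xls HTTP/1.1" 404 310',
    '203.0.113.9 - - [05/Feb/2009:16:02:41 +0530] "GET /old/budget.xls HTTP/1.1" 200 9216',
]
ALERT_TS = datetime.strptime("05/Feb/2009:14:21:05 +0530", TS_FMT)

if __name__ == "__main__":
    hits = documents_served_near(SAMPLE_LOG, ALERT_TS)
    if hits:
        print("Documents served to external clients around the alert:", hits)
    else:
        print("Nothing served around the alert; the 'served Excel file' hypothesis is ruled out.")
```

On the sample log the only hit is the `.xls` served to 198.51.100.7 two seconds before the alert: the internal client at 10.0.0.22 is excluded, the 404 was never delivered, and the 16:02 download falls outside the window. An empty result is what rules the "web server served an Excel file" explanation out and sends you on to the other processes on the box.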

From: owasp-delhi-bounces at lists.owasp.org [mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Parmendra Sharma
Sent: Thursday, February 05, 2009 2:23 PM
To: owasp-delhi at lists.owasp.org
Subject: [Owasp-delhi] Attack Scenario

Hello OWASP Members, 

Please clarify the attack that is done by the attacker on the web server in the below-mentioned scenario:

Network description: 

Network threat protection (IPS) installed as a part of Symantec
endpoint protection on Microsoft ISA firewall. 

Now there are certain requests that are blocked by the firewall which are making the OUTGOING connections (which are malicious), and the IPS detected those attack signatures as "[SID=21672] HTTP MS Excel Unicode HLINK BO Detected".

Now my questions are:

-> What can be the possible thing that is making the outbound connection to the malicious server.

-> If the IPS is capable of detecting the above-mentioned signatures for the outgoing requests, then why does it not block the same request for the incoming request, so that the attack can be blocked at the perimeter.

-- 
Thanks and Regards:
Parmendra Sharma
Indian Computer Emergency Response Team (CERT-In)
Ministry of Information Technology
Government of India
6 C.G.O Complex
Lodhi Road
New Delhi

_______________________________________________
Owasp-delhi mailing list
Owasp-delhi at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-delhi
