VRT Advisories


VRT Rules 2005-04-14

Sourcefire VRT Certified Rule Update

Date: 2005-04-14

Synopsis:

After continuing research into the Microsoft Security Bulletin (MS05-019) released on Tuesday April 12 2005, the Sourcefire Vulnerability Research Team (VRT) has determined that existing rules and pre-processors will generate events if attempts are made to exploit the vulnerabilities outlined in the bulletin.

Details:

Spoofed Connection Request Vulnerability - CAN-2005-0688
A Denial of Service vulnerability exists in Microsoft Windows XP Service Pack 2 and Windows Server 2003 hosts from a specially crafted TCP packet.

To exploit this DoS condition, an attacker sends a TCP SYN packet with the same source and destination IP address and port. This is known as a "Land Attack" and while it has been around for many years, most operating systems have addressed the vulnerability.

Networks that do ingress and egress filtering correctly will not allow a spoofed packet inbound that has an identical source and destination IP address.

TCP Connection Reset Vulnerability - CAN-2004-0230
A denial of service vulnerability exists in Microsoft hosts that may permit an existing TCP connection to be reset.

Many TCP services such as BGP require a persistent TCP connection. A vulnerability in the core implementation of TCP may make it possible for an attacker to reset a number of connections and cause a Denial of Service (DoS) to occur.

The attack is possible because the listening service will accept a TCP sequence number within a range of what is expected in an established session. Since BGP and other services rely on an established TCP session state, guessing a suitable sequence number to reset connections is feasible.

IP Validation Vulnerability - CAN-2005-0048
A denial of service vulnerability exists in Microsoft Windows 98, 98 SE, ME, Windows 2000 and Windows XP Service Pack 1 hosts that may cause a denial of service or possibly result in execution of arbitrary code on a vulnerable host.

The operating systems above fail to properly validate improperly formatted multi-byte IP options. These options have a standard format of IP option code, IP option length, and IP option data.

The failure to drop a malformed IP option causes the operating system to misinterpret the data that follows. This can cause memory access violations that halt the kernel and cause a DoS condition to occur. Successful exploitation of this issue may allow an attacker to execute code of their choosing on an affected host.

Detection:

Spoofed Connection Request Vulnerability - CAN-2005-0688
A Land attack will be detected by the Snort rule with sid 527 and a message of "BAD-TRAFFIC same SRC/DST".

TCP Connection Reset Vulnerability - CAN-2004-0230
A BGP reset attack will be detected by the signature with sid 2523 and a message of "DOS BGP spoofed connection reset attempt". While other TCP services may be vulnerable, they often do not maintain a persistent state or a period of inactivity where the TCP sequence number does not change. This makes it more difficult to reset the connection.

IP Validation Vulnerability - CAN-2005-0048
The Snort decoder recognizes the presence of truncated IP options.

The event will appear in Snort logs as:
[**] [116:5:1] (snort_decoder): Truncated Ipv4 Options [**]
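
The option layout described above (option code, option length, option data) is what a decoder has to bounds-check before trusting the length byte. The following is an added example, not Snort's decoder source or code published with this advisory; the function name, status names and sample headers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Status names are chosen for this example. */
enum opt_status { OPTS_OK, OPTS_BAD_HEADER, OPTS_TRUNCATED };

/* Validate the options area of the IPv4 header in pkt[0..len).
 * Multi-byte options are: code (1 byte), length (1 byte, counting the
 * code and length bytes themselves), then length-2 bytes of data. */
enum opt_status check_ipv4_options(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 20 || (pkt[0] >> 4) != 4)
        return OPTS_BAD_HEADER;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;   /* IHL in bytes */
    if (hlen < 20 || hlen > len)
        return OPTS_BAD_HEADER;

    size_t i = 20;                  /* options follow the fixed header */
    while (i < hlen) {
        uint8_t code = pkt[i];
        if (code == 0)              /* End of Option List: rest is padding */
            break;
        if (code == 1) {            /* No Operation: single byte */
            i++;
            continue;
        }
        if (i + 1 >= hlen)          /* no room left for the length byte */
            return OPTS_TRUNCATED;
        uint8_t optlen = pkt[i + 1];
        if (optlen < 2)             /* cannot cover its own code + length */
            return OPTS_TRUNCATED;
        if (optlen > hlen - i)      /* data would run past the header */
            return OPTS_TRUNCATED;
        i += optlen;
    }
    return OPTS_OK;
}

/* Constructed sample headers (IHL = 6, so 4 bytes of options). */
static const uint8_t sample_ok[24] = {
    0x46, 0, 0, 24, 0, 0, 0, 0, 64, 6, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2,
    0x94, 0x04, 0x00, 0x00 };       /* Router Alert, length 4 */
static const uint8_t sample_trunc[24] = {
    0x46, 0, 0, 24, 0, 0, 0, 0, 64, 6, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2,
    0x83, 0x0b, 0x04, 0x00 };       /* claims 11 bytes, only 4 present */
```

A packet for which this returns OPTS_TRUNCATED should be dropped rather than parsed further, since every later field offset depends on the untrusted length byte.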

References:

Microsoft Security Bulletin MS05-019
http://www.microsoft.com/technet/security/Bulletin/ms05-019.mspx

About the VRT:

The Sourcefire VRT is a group of leading-edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.