HackerView Vulnerability Assessment

HackerView Vulnerability Assessment

Silicon Forest Technology Group

IP Address Analyzed 1.2.3.4 (example purposes only)

Operating System Fingerprint

Multiple

Technical Attention Priority SIGNIFICANT – Remote Access Risk & Unsupported

Operating Systems (Windows 2000)

Type of Analysis

External Scan

Analysis Date July 29, 2011

Document ID #

HV11201-01

THIS IS AN EXAMPLE HACKERVIEW – THIS CONTAINS DATA FOR EXAMPLE PURPOSES ONLY.

HackerView Vulnerability Assessment Page 2 of 17

Table of Contents

HACKERVIEW VULNERABILITY ASSESSMENT OVERVIEW 3 EXECUTIVE SUMMARY 3 SUMMARY FINDINGS 3 ASSESSMENT OF FINDINGS 3 NETWORK VISIBILITY 4

TECHNICAL ANALYSIS 5 IP ADDRESS ANALYSIS 5

ICMP PING RESULTS 5 TRACEROUTE RESULTS 5 DNS RECORDS QUERY RESULTS 6 WEBSITE INFORMATION FROM IP ADDRESS 6

PUBLIC IP & DOMAIN NAME REGISTRIES 6 IP ADDRESS REGISTRATION 6 DOMAIN NAME REGISTRATION 7

ONLINE PUBLIC DATABASE SEARCH 7 LOCATION MAPPING RESULTS 8

SCREENSHOTS OF FINDINGS 8

SUGGESTED NEXT STEPS 10 DEFENSE-IN-DEPTH STRATEGY 10 FIREWALL ANALYSIS 10 REMOTE WORKFORCE PRECAUTIONS 11 ONGOING SECURITY TESTING 11

EDUCATION & REFERENCE 12

INFORMATION SECURITY BASICS 12 UNDERSTANDING VULNERABILITY RISK 12 WHY IS NETWORK SECURITY IMPORTANT? 12 RISK MANAGEMENT 13 TOP MYTHS VS FACTS ABOUT NETWORK SECURITY 14

STANDARDIZED TERMINOLOGY 15 COMMON ACRONYMS 15 SECURITY DEFINITIONS 15

APPENDIX A – NETWORK DEVICES SUMMARY 16

APPENDIX B – RAW SCANNER OUTPUT 17

HackerView Vulnerability Assessment Page 3 of 17

HACKERVIEW VULNERABILITY ASSESSMENT OVERVIEW

Executive Summary This HackerView Vulnerability Assessment (HackerView) is considered a “black box” vulnerability assessment, which measures the “hackability” of a network given an attacker with a certain amount of skill, resources and no prior knowledge of the network being assessed. As such, black box vulnerability assessments are best defined as an outcome -based metric for measuring the security of a network, where the findings point to the most likely avenues for a hacker on the Internet to exploit.

The scope of this analysis was to remotely audit and analyze the system and resources of these subnets. This provides a “hacker’s eye view” of the system to discover its security vulnerabilities and weaknesses to possible hacker pene tration or attack. BlackHat Consultants used multiple tools and tested for thousands of different potential security vulnerabilities.

For this HackerView, I would rate the security of the network at a significant risk for an external compromise. The rating of a significant risk is weighted by the service that is publicly accessible and the potential information that a hacker would fin d on the compromised network.

SERIOUS MODERATE MINOR

During the process of this analysis, BlackHat Consultants discovered numerous weaknesses, which range from misconfigurations, to data leakage, to unsupported operating systems, to general poor security practices.

Summary Findings

Highlights discovered from enumerating and scanning the IP addresses:

 Remote Desktop Protocol (RDP).

o RDP should only be used in conjunction with a Virtual Private Network (VPN) connection, rather than a substitute for it. While RDP does have some security features, it does not create a secure tunnel like a VPN connection establishes and this is a security risk. RDP directly from the Internet is a poor security practice.

o There are well-published “man in the middle” attacks on RDP, where the credentials and entire traffic of RDP sessions can be captured and decrypted. This would provide a hacker unfettered access to your network.

o There is an astonishing amount of data displayed from several of the server RDP pages, which are visible to everyone on the Internet.

 Unsupported Operating System (OS). o Microsoft officially retired Windows Server 2000 on July 13, 2010. This server should have been replaced by

Windows Server 2003 and once again by Windows Server 2008, so it is past due for retirement. o As an unsupported OS, no new software updates or security patches will be released. This means a ny new

vulnerability that comes out affecting the OS will be a permanent risk. o From a liability perspective, running an unsupported OS is a negligent act on behalf of a company since it is a

failure to show due care and due diligence by maintaining only supported systems. The only prudent measure is to decommission this system and use a supported OS.

 Unpatched Firewall. o The Cisco ASA firewall appears to be unpatched and has vulnerabilities associated with the current version. o The associated vulnerabilities affect the security of the VPN and also uptime, since it can lead to a denial of

service.

Assessment of Findings

There are several ways to start, if a hacker was going to attack the network with information available today. A hacker may start with attacks against RDP or Server 2000. If that was unsuccessful, the hacker may go after u sers since they would know the naming convention of the user accounts and it would not be hard to launch a “spear phishing” campaign to send malware – embedded email to an employee and have them open it, such as a PDF attachment or a hyperlink to follow. While there are worse networks out there, as compared to this one, the bottom line is that this network fails to make itself look less appeal ing than other business networks for hackers. By being in the category of “low hanging fruit” for the perceived ease of exploiting, this network rates an elevated risk for hackers to attack.

HackerView Vulnerability Assessment Page 4 of 17

Network Visibility

IP Information – 1.2.3.4

ISP Comcast

HackerView Vulnerability Assessment

Country United States IP: 1.2.3.4 Scan Type: External Country Code US Region Oregon

Page 1 of 1

City Portland Postal Code 97204 Latitude 142.3333 Longitude -65.5506 Area Code 503

Internet

Internal Use Only

Router

Firewall

ISP : Comcast Firewall: Cisco ASA 5500 Series

**UNSUPPORTED OPERATING SYSTEM

DETECTED **

Internal Network

Open Ports on Firewall : 21 – FTP (File Transfer Protocol) 25 – SMTP (Email) 443 – HTTPS (Dead Link – error page) 3389 – RDP (Remote Desktop Protocol)

Findings:

Ports 21, 25, 443 & 3389 Windows 2000 Server

– FTP server allows anonymous connections (see screenshot) – Email server running on port 25 – HTTPS websites are inoperable (see screenshot) – RDP is directly accessible from the Internet (Windows 2000) (see screenshot)

HackerView Vulnerability Assessment Page 5 of 17

TECHNICAL ANALYSIS

The Technical Analysis Report provides documentation and details of the technical -focused analysis conducted for this document. This report includes the technical details of an examination of the discovered security threats and quantifies relational data about the target network. The Technical Analysis Report also provides the in -depth details of each potential security threat discovered during the scan analysis.

This report is purposely technical and the intended audience is technical individuals, technical consultants, technical service providers, or in-house technology/engineering staff. The Technical Analysis Report presents all of the technical details and findings of the Scan analysis. For the intended audience, this report will contain the majority of the relevant information and data.

IP Address Analysis

This section queried the IP address to determine if the address is “live” and can be externally queried from the Internet.

ICMP Ping Results The IP address does respond to ping requests.

Ping 1.2.3.4 Round trip time to 1.2.3.4: 46 ms Round trip time to 1.2.3.4: 46 ms Round trip time to 1.2.3.4: 46 ms Round trip time to 1.2.3.4: 46 ms Round trip time to 1.2.3.4: 46 ms Round trip time to 1.2.3.4: 46 ms Round trip time to 1.2.3.4: 45 ms Round trip time to 1.2.3.4: 45 ms Round trip time to 1.2.3.4: 46 ms Round trip time to 1.2.3.4: 46 ms Average time over 10 pings: 45.8 ms

Traceroute Results The IP address does not return a Fully Qualified Domain Name (FDQN) , but it is associated with a pool IP addresses associated with ACME Internet.

Hop 1

(ms) 0

(ms) 0

(ms) 0

IP Address 206.123.64.46

Host name –

2 0 0 1 8.9.232.73 xe-5-3-0.edge3.dallas1.level3.net 3 0 0 0 4.69.145.126 vlan70.csw2.dallas1.level3.net 4 0 0 0 4.69.151.146 ae-73-73.ebr3.dallas1.level3.net 5 20 20 20 4.69.134.22 ae-7-7.ebr3.atlanta2.level3.net 6 33 34 33 4.69.132.86 ae-2-2.ebr1.washington1.level3.net 7 33 33 33 4.69.134.134 ae-71-71.csw2.washington1.level3.net 8 33 33 33 4.69.134.149 ae-72-72.ebr2.washington1.level3.net 9 47 38 38 4.69.132.102 ae-4-4.ebr2.newark1.level3.net 10 38 38 38 4.69.156.37 ae-21-52.car1.newark1.level3.net 11 38 38 38 4.79.188.53 monmouth-in.car1.newark1.level3.net 12 41 40 40 209.191.13.249 ACME.level3.net 13 45 45 45 209.191.23.39 – 14 46 46 45 1.2.3.4 –

HackerView Vulnerability Assessment Page 6 of 17

DNS Records Query Results There are three Domain Naming Service (DNS) records associated with the IP address. This means there are associated pointers on the Internet to route specific domain traffic to these IP addresses, which would indicate to a hacker that the network belongs to a smaller company that has consolidated IT resources in its main office.

These record ties the IP addresses to the domain name siliconforest.com.

1.2.3.4 mail1.thesiliconforest.com 1.2.3.4 smtp1.thesiliconforest.com 1.2.3.4 vpn.thesiliconforest.com

Website Information From IP Address

THESILICONFOREST.COM

Website appears to be hosted off-site at ACME Hosting Solutions, Inc in California.

Public IP & Domain Name Registries

This section attempted to resolve the domain name. Then, that domain name, if any, was searched in the InterNIC and domain name registry databases. The results of this query should report the owner (and associated contacts) for the domain name, if any. This should probably be your company directly, your ISP, or maybe even your hosting provider (if applicable). The entity listed below is considered the authoritative owner of the domain name:

IP Address Registration This section queried the ARIN IP Address registry for information. The results of this query should show the owner (and associated contacts). This should probably be your company directly, your ISP, or maybe even your hosting provider (if applicable). The entity listed below is considered the authoritative owner of the IP addresses:

The record ties the IP addresses to Silicon Forest Technical Group.

NetRange: 1.2.3.4 CIDR: 1.2.3.4/26 OriginAS: NetName: COMCAST-S33446-0 NetHandle: NET-1-2-3-4 Parent: NET-1-2-3-4 NetType: Reallocated RegDate: 2006-03-30 Updated: 2006-03-30 Ref: http://whois.arin.net/rest/net/NET-1-2-3-4

OrgName: Silicon Forest Technical Group OrgId: WRT-12 Address: 123 Any Street Address: STE 51 City: Your City StateProv: OR PostalCode: 12345 Country: US

HackerView Vulnerability Assessment Page 7 of 17

Domain Name Registration This section queried the domain registry information. The results of this query should show the owner . The entity listed below is considered the authoritative owner of the domain name:

Registrant: Silicon Forest Technology Group 123 Any Street, Suite 51 Your City, OR 12345 US

Domain Name: THESILICONFOREST.COM

Administrative Contact, Technical Contact: jdoe@thesiliconforest.com Silicon Forest Technology Group

123 Any Street, Suite 51 Your City, OR 12345 (123) 123-1234

Record expires on 11-Nov-2010. Record created on 10-Nov-1995. Database last updated on 11-Oct-2010 01:40:07 EDT.

Online Public Database Search

There are various public databases, accessible via the Internet, which may contain information about your network, systems, and company. Under normal circumstances, this information is not confidential and does not contain any errors. How ever, it is also possible for these public databases to contain sensitive and/or incorrect data. If this is the case, the potential impact could vary widely. It may be a simple typo, it may allow your network to be hijacked by hackers, or it may expose proprietary information to the Internet.

Because this information is specific to your network, a hacker cannot automatically determine if this information is correct or not. Please review the results listed below for each of these queries to ensure that the information is both correct and non – confidential.

In this section, the IP address 1.2.3.4 was queried using the Google search engine. Specifically, BlackHat Consultants searched for suspicious public information that may contain confidential details about 1.2.3.4, like password or login information.

Nothing was found from the Google search

HackerView Vulnerability Assessment Page 8 of 17

Location Mapping Results Once a company name can be found, a quick search locates an address and a hacker can also use that information to conduct a physical reconnaissance for a possible physical attack. Office location is shown below:

Screenshot: Image of storefront from Google Street View.

Screenshots of Findings

Screenshot: 1.2.3.4 from PuTTY (no logon banner)

HackerView Vulnerability Assessment Page 9 of 17

Screenshot: 1.2.3.4 from HTTPS (dead website – possible misconfiguration)

Screenshot: 1.2.3.4 from Remote Desktop Protocol (RDP) (outdated OS with no domain)

Appendix A – Network Device Summary

none:[64.39.106.242-64.39.106.249](11)

IP DNS NetBIOS Router OS Approved Scannable Live Netblock

64.39.106.242 demo1.sea.qual XP-SP2 68.177.224 . Windows XP Service Pack 2-3 S L ys.com 180

Discovery Method Port DNS

ICMP

TCP 135 TCP 139 TCP 445

UDP 137

64.39.106.243 demo2.sea.qual 2K-SP4-OE50 68.177.224 . Windows 2000 Service Pack 3-4 S L

ys.com 1 180

Discovery Method Port

DNS ICMP

TCP 25 TCP 80

TCP 135 TCP 139 TCP 443

TCP 445 UDP 135

UDP 137

64.39.106.244 demo3.sea.qual 68.177.224 . Linux 2.4-2.6 / Embedded S L

ys.com 164 Device / F5 Networks Big-IP

Discovery Method Port DNS

ICMP

TCP 22 TCP 111

UDP 111

64.39.106.245 demo4.sea.qual 68.177.224 . Linux 2.4-2.6 / Embedded S L

ys.com 180 Device / F5 Networks Big-IP

Discovery Method Port

DNS ICMP

TCP 22 TCP 111 UDP 111

64.39.106.246 demo5.sea.qual 68.177.224 . Solaris 9-10 S L

ys.com 180

Discovery Method Port

DNS ICMP TCP 21

TCP 22 TCP 23 TCP 25

TCP 111 UDP 111

UDP 161

Appendix B – Raw Scanner Output

Report Summary

Sort by: Host

IP Restriction: 64.39.106.242-64.39.106.244 Hosts Matching Filters: 3 scan/1323728798.4048: 12/12/2011 at 14:26:38 (GMT-0800)

Summary of Vulnerabilities

Vulnerabilities Total 51 Security Risk (Avg) 4.7

by Severity Severity Confirmed Potential Information Gathered Total 5 14 – – 14 4 4 – – 4 3 8 – – 8 2 21 – – 21 1 4 – – 4 Total 51 – – 51

5 Biggest Categories Category Confirmed Potential Information Gathered Total Windows 19 – – 19 Web server 7 – – 7 TCP/IP 7 – – 7 SMB / NETBIOS 6 – – 6 RPC 4 – – 4 Total 43 – – 43

HackerView – Example Raw Scanner Output page 1

HackerView – Example Raw Scanner Output page 2

Vulnerabilities by Severity

Operating Systems Detected

HackerView – Example Raw Scanner Output page 3

Services Detected

Detailed Results

64.39.106.242 (xp-sp2, XP-SP2) Windows XP

Vulnerabilities (8)

5 Microsoft Windows Server Service Could Allow Remote Code Execution (MS08-067)

QID: 90464 CVSS Base: 10 Category: Windows CVSS Temporal: 8.3 CVE ID: CVE-2008-4250 Vendor Reference: MS08-067 Bugtraq ID: 31874 Service Modified: User Modified:

02/12/2009 –

Edited: No PCI Vuln: Yes

THREAT: The Microsoft Windows Server service provides RPC support, file print support and named pipe sharing over the network. The Server service allows the sharing of local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for RPC.

The Server service is vulnerable to remote code execution issue, due to the service not properly handling specially-crafted RPC requests. Any anonymous user who can deliver a specially-crafted message to the affected system could try to exploit this vulnerability. Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s): December 2008 Updates are Available (including for XPe SP3 and Standard) (http://blogs.msdn.com/embedded/archive/2008/12/26/december-2008-updates-are-available-including-for-xpe-sp3-and- standard.aspx)

HackerView – Example Raw Scanner Output page 4

(KB958644)October 2008 Security Updates Include a Bonus (http://blogs.msdn.com/embedded/archive/2008/10/30/october-2008-security-updates-include-a-bonus.aspx) (KB958644)

IMPACT: An attacker who successfully exploits this vulnerability could take complete control of the affected system.

SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities:

Microsoft Windows 2000 Service Pack 4: http://www.microsoft.com/downloads/details.aspx?familyid=E22EB3AE-1295-4FE2-9775- 6F43C5C2AED3 (http://www.microsoft.com/downloads/details.aspx?familyid=E22EB3AE-1295-4FE2- 9775-6F43C5C2AED3) Windows XP Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=0D5F9B6E-9265-44B9-A376-2067B73D6A03 (http://www.microsoft.com/downloads/details.aspx?familyid=0D5F9B6E -9265-44B9-A376-2067B73D6A03) Windows XP Service Pack 3: http://www.microsoft.com/downloads/details.aspx?familyid=0D5F9B6E-9265-44B9-A376-2067B73D6A03 (http://www.microsoft.com/downloads/details.aspx?familyid=0D5F9B6E -9265-44B9-A376-2067B73D6A03) Windows XP Professional x64 Edition: http://www.microsoft.com/downloads/details.aspx?familyid=4C16A372-7BF8-4571-B982-DAC6B2992B25 (http://www.microsoft.com/downloads/details.aspx?familyid=4C16A372-7BF8-4571-B982-DAC6B2992B25) Windows XP Professional x64 Edition Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=4C16A372-7BF8-4571-B982-DAC6B2992B25 (http://www.microsoft.com/downloads/details.aspx?familyid=4C16A372-7BF8-4571-B982-DAC6B2992B25) Windows Server 2003 Service Pack 1: http://www.microsoft.com/downloads/details.aspx?familyid=F26D395D-2459-4E40-8C92-3DE1C52C390D (http://www.microsoft.com/downloads/details.aspx?familyid=F26D395D-2459-4E40-8C92-3DE1C52C390D) Windows Server 2003 Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=F26D395D-2459-4E40-8C92-3DE1C52C390D (http://www.microsoft.com/downloads/details.aspx?familyid=F26D395D-2459-4E40-8C92-3DE1C52C390D) Windows Server 2003 x64 Edition: http://www.microsoft.com/downloads/details.aspx?familyid=C04D2AFB-F9D0-4E42-9E1F-4B944A2DE400 (http://www.microsoft.com/downloads/details.aspx?familyid=C04D2AFB-F9D0-4E42-9E1F-4B944A2DE400) Windows Server 2003 x64 Edition Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=C04D2AFB-F9D0-4E42-9E1F- 4B944A2DE400 (http://www.microsoft.com/downloads/details.aspx?familyid=C04D2AFB-F9D0-4E42- 9E1F-4B944A2DE400) Windows Server 2003 with SP1 for Itanium-based Systems: http://www.microsoft.com/downloads/details.aspx?familyid=AB590756-F11F-43C9-9DCC-A85A43077ACF (http://www.microsoft.com/downloads/details.aspx?familyid=AB590756-F11F-43C9-9DCC- A85A43077ACF) Windows Server 2003 with SP2 for Itanium-based Systems: http://www.microsoft.com/downloads/details.aspx?familyid=AB590756-F11F-43C9-9DCC-A85A43077ACF (http://www.microsoft.com/downloads/details.aspx?familyid=AB590756-F11F-43C9-9DCC- A85A43077ACF) Windows Vista and Windows Vista Service Pack 1: http://www.microsoft.com/downloads/details.aspx?familyid=18FDFF67-C723-42BD-AC5C- CAC7D8713B21 (http://www.microsoft.com/downloads/details.aspx?familyid=18FDFF67-C723-42BD- AC5C-CAC7D8713B21) For a complete list of patch download links, please refer to Microsoft Security Bulletin MS08-067 (http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx).

EXPLOITABILITY:

Core Security Reference: CVE-2008-4250 Description: MSRPC Server Service Remote Buffer Overflow Exploit (MS08-067) – Core Security Category : Exploits/Remote

Immunity

Reference: CVE-2008-4250 Description: Windows Server Service Underflow (MS08-067) – Immunity Ref : ms08_067 Link: http://qualys.immunityinc.com/home/exploitpack/CANVAS/ms08_067/qualys_user

Metasploit

Reference: CVE-2008-4250 Description: Microsoft Server Service Relative Path Stack Corruption – Metasploit Ref : /modules/exploit/windows/smb/ms08_067_netapi Link: http://www.metasploit.com/modules/exploit/windows/smb/ms08_067_netapi

The Exploit-DB

Reference: CVE-2008-4250 Description: MS Windows Server Service Code Execution PoC (MS08-067) – The Exploit-DB Ref : 6824 Link: http://www.exploit-db.com/exploits/6824

Reference: CVE-2008-4250 Description: MS Windows Server Service Code Execution Exploit (MS08-067) – The Exploit-DB Ref : 7104 Link: http://www.exploit-db.com/exploits/7104

HackerView – Example Raw Scanner Output page 5

Reference: CVE-2008-4250 Description: MS Windows Server Service Code Execution Exploit (MS08-067) (2k/2k3) – The Exploit-DB Ref : 7132 Link: http://www.exploit-db.com/exploits/7132

Reference: CVE-2008-4250 Description: Microsoft Server Service Relative Path Stack Corruption – The Exploit-DB Ref : 16362 Link: http://www.exploit-db.com/exploits/16362

ASSOCIATED MALWARE:

Trend Micro Malware ID: WORM_SPYBOT Risk: Low Type: Worm Platform: Windows 98, ME, NT, 2000, XP, Server 2003 Link: http://about-threats.trendmicro.com/Malware.aspx?language=us&name=WORM_SPYBOT.AZI

Malware ID: WORM_NEERIS Risk: Low Type: Worm Platform: Windows ME, NT, 2000, XP, Server 2003, Vista 32 Bit Link: http://about-threats.trendmicro.com/Malware.aspx?language=us&name=WORM_NEERIS.A

Malware ID: WORM_KOLAB Risk: Low Type: Worm Platform: Windows 98, ME, NT, 2000, XP, Server 2003 Link: http://about-threats.trendmicro.com/Malware.aspx?language=us&name=WORM_KOLAB.DL

Malware ID: WORM_STUXNET Risk: Low Type: Worm Platform: Windows 98, ME, NT, 2000, XP, Server 2003, Vista 32-bit Link: http://about-threats.trendmicro.com/Malware.aspx?language=us&name=WORM_STUXNET.A

Malware ID: WORM_DOWNAD Risk: Low Type: Worm Platform: Windows 2000, XP, Server 2003, Vista Aliases: Net-Worm.Win32.Kido.dam.y (Kaspersky), W32/Conficker.worm (McAfee), W32.Downadup (Symantec),

Worm/Conficker.AC (Avira), W32/Downldr2.EXAE (exact) (F-Prot) Link: http://about-threats.trendmicro.com/Malware.aspx?language=us&name=WORM_DOWNAD.A

Malware ID: WORM_CONFICKER Risk: Low Type: Worm Platform: Windows 98, ME, NT, 2000, XP, Server 2003 Link: http://about-threats.trendmicro.com/Malware.aspx?language=us&name=WORM_CONFICKER.D

Malware ID: WORM_NETWORM Risk: Low Type: Worm Platform: Windows 98, ME, NT, 2000, XP, Server 2003 Link: http://about-threats.trendmicro.com/Malware.aspx?language=us&amp ;name=WORM_NETWORM.C

Malware ID: WORM_WECORL Risk: Low Type: Worm Platform: Windows 98, ME, NT, 2000, XP, Server 2003 Link: http://about-threats.trendmicro.com/Malware.aspx?language=us&name=WORM_WECORL.A

HackerView – Example Raw Scanner Output page 6

Malware ID: WORM_KERBOT Risk: Low Type: Worm Platform: Windows 98, ME, NT, 2000, XP, Server 2003 Link: http://about-threats.trendmicro.com/Malware.aspx?language=us&name=WORM_KERBOT.A

Malware ID: TROJ_DUCKY Risk: Low Type: Trojan Platform: Windows 2000, XP, Server 2003 Link: http://about-threats.trendmicro.com/Malware.aspx?language=us&name=TROJ_DUCKY.N

RESULTS: Detected through MSRPC Interface

5 Microsoft SMB Remote Code Execution Vulnerability (MS09-001)

QID: 90477 CVSS Base: 10 Category: Windows CVSS Temporal: 7.8 CVE ID: CVE-2008-4834, CVE-2008-4835, CVE-2008-4114 Vendor Reference: Bugtraq ID:

MS09-001 –

Service Modified: 03/26/2009 User Modified: – Edited: No PCI Vuln: Yes

THREAT: The Server Message Block (SMB) Protocol is a network file sharing protocol used to provide shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network. It is a client-server implementation and consists of a set of data packets, each containing a request sent by the client or a response sent by the server.

The following remote code execution and denial of service vulnerabilities have been identified in Microsoft SMB protocol which occur when processing specially crafted SMB packets.

1) A vulnerability exists in the way SMB allocates space for a transaction structure and later tries to clear more memory than it should when a TRANS request is processed, allowing an attacker to take control of the system. (CVE-2008-4834)

2) A flaw exists in the way SMB allocates and clears a data structure relating to the OPEN2 command. SMB protocol software insufficiently validates the buffer size before writing to it, allowing attackers to take complete control of the system and allowing remote execution of code. (CVE-2008-4835)

3) A denial of service vulnerability exists due to the way “srv.sys” handles malformed SMB WRITE_ANDX packets sent to an interface that uses a Named Pipe as endpoint. This flaw allows remote attackers to send a specially-crafted network message to a computer running the Server service causing it to stop responding. (CVE-2008-4114)

Attempts to exploit any of the above listed vulnerabilities does not require authentication.

Microsoft has rated the issues as critical for Windows 2000, Windows XP, and Windows Server 2003, and moderate for Windows Vista, and Windows Server 2008. Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s): February Security Updates are Now Available (http://blogs.msdn.com/embedded/archive/2009/03/02/february-security-updates-are-now-avaiable.aspx) (KB958687)January 2009 Security Updates for Runtimes Are Available (http://blogs.msdn.com/embedded/archive/2009/01/22/january-2009-security-updates-for-runtimes-are-available.aspx) (KB958687)

IMPACT: An attacker who successfully exploits this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. Successful exploitation also results in denial of service which causes the affected system to crash and stop responding.

HackerView – Example Raw Scanner Output page 7

SOLUTION: Workaround: TCP ports 139 and 445 should be blocked at the firewall to protect systems behind the firewall from attempts to exploit this vulnerability. Impact of workaround: Blocking the ports can cause several windows services or applications using those ports to stop functioning.

Patch: Following are links for downloading patches to fix the vulnerabilities:

Windows 2000 SP4: http://www.microsoft.com/downloads/details.aspx?familyid=E0678D14 -C1B5-457A-8222-8E7682760ED4&displaylang=en (http://www.microsoft.com/downloads/details.aspx?familyid=E0678D14-C1B5-457A-8222-8E7682760ED4&displaylang=en)

Windows XP SP2 and SP3: http://www.microsoft.com/downloads/details.aspx?familyid=EEAFCDC5-DF39-4B29-B6F1-7D32B64761E1&displaylang=en (http://www.microsoft.com/downloads/details.aspx?familyid=EEAFCDC5-DF39-4B29-B6F1-7D32B64761E1&displaylang=en)

Windows XP Professional x64 Edition and XP Professional x64 Edition SP2: http://www.microsoft.com/downloads/details.aspx?familyid=26898401-F669-4542-AD93- 199ED1FE9A2A&displaylang=en (http://www.microsoft.com/downloads/details.aspx?familyid=26898401 -F669-4542- AD93-199ED1FE9A2A&displaylang=en)

Windows 2003 Server SP1 and SP2: http://www.microsoft.com/downloads/details.aspx?familyid=588CA8E8-38A9-47ED-9C41-09AAF1022E49&displaylang=en (http://www.microsoft.com/downloads/details.aspx?familyid=588CA8E8-38A9-47ED-9C41-09AAF1022E49&displaylang=en)

Windows 2003 Server x64 Edition and 2003 Server x64 Edition SP2: http://www.microsoft.com/downloads/details.aspx?familyid=EE59441C-1E8F-4425-AE8D-DEC14E7F13FB&displaylang=en (http://www.microsoft.com/downloads/details.aspx?familyid=EE59441C-1E8F-4425-AE8D-DEC14E7F13FB&displaylang=en)

Windows 2003 Server with SP1 and SP2 for Itanium based systems: http://www.microsoft.com/downloads/details.aspx?familyid=CAEC9321-FA5B-42F0-9F26- 61F673FE6EEF&displaylang=en (http://www.microsoft.com/downloads/details.aspx?familyid=CAEC9321-FA5B-42F0- 9F26-61F673FE6EEF&displaylang=en)

Windows Vista and Vista SP1: http://www.microsoft.com/downloads/details.aspx?familyid=9179C463 -C10A-452A-990F-B7E37CDD889B&displaylang=en (http://www.microsoft.com/downloads/details.aspx?familyid=9179C463-C10A-452A-990F-B7E37CDD889B&displaylang=en)

Windows Vista x64 Edition and Vista x64 Edition SP1: http://www.microsoft.com/downloads/details.aspx?familyid=6B26952E-B59D-4B0F-A52D-025E45ECD233&displaylang=en (http://www.microsoft.com/downloads/details.aspx?familyid=6B26952E-B59D-4B0F-A52D-025E45ECD233&displaylang=en)

Windows 2008 Server for 32-bit systems: http://www.microsoft.com/downloads/details.aspx?familyid=7245B411-7C9E-41E5-9841-4C586336086C&displaylang=en (http://www.microsoft.com/downloads/details.aspx?familyid=7245B411-7C9E-41E5-9841-4C586336086C&displaylang=en)

Windows 2008 Server for x64-based systems: http://www.microsoft.com/downloads/details.aspx?familyid=A241EAAD-95A0-442B-978F-F21A6F0C7DB4&displaylang=en (http://www.microsoft.com/downloads/details.aspx?familyid=A241EAAD-95A0-442B-978F-F21A6F0C7DB4&displaylang=en)

Windows 2008 Server for Itanium-based systems: http://www.microsoft.com/downloads/details.aspx?familyid=AB7C7015-20BB-4A0C-977A-969F4E2A5189&displaylang=en (http://www.microsoft.com/downloads/details.aspx?familyid=AB7C7015-20BB-4A0C-977A-969F4E2A5189&displaylang=en)

Refer to Microsoft Security Bulletin MS09-001 (http://www.microsoft.com/technet/security/bulletin/MS09-001.mspx) for further details.

EXPLOITABILITY:

Core Security Reference: CVE-2008-4834 Description: Microsoft Windows SMB Trans Buffer Overflow DoS (MS09-001) – Core Security Category : Denial of Service/Remote

Metasploit

Reference: CVE-2008-4114 Description: Microsoft SRV.SYS WriteAndX Invalid DataOffset – Metasploit Ref : /modules/auxiliary/dos/windows/smb/ms09_001_write Link: http://www.metasploit.com/modules/auxiliary/dos/windows/smb/ms09_001_write