Story of an Attack

Our Windows 2000 Server honeypot in the NoAH testbed was attacked on 2 June 2008. This is the story of that attack. The rough picture is:

  • The attacker connected from 80.60.158.116 to our Win2k server honeypot.
  • The aim was to exploit a vulnerability in the WINS service on TCP port 42.
  • The date was 2 June 2008, 18:45 GMT+0200.
  • The attack was not detected by the Snort IDS.
  • Argos raised an alert of type "RET" (tainted data used as a return address).
  • EBP contained the value 0x90909090. Since 0x90 is the x86 NOP opcode, the saved frame pointer was overwritten by a NOP sled, which is clearly the result of a stack buffer overflow. Thus, a false positive can be excluded.

Analysis of the attack

The first step in my analysis was to find all known vulnerabilities and advisories affecting this service. The search turned up the Microsoft advisory MS04-045; a more detailed explanation has been published by immunitysec.com. This seems to be the only severe vulnerability in this service, and multiple exploits exist that target it.

A first look at the packet dump of the attack in Wireshark shows that, consistent with the MS advisory, the WINS replication service was attacked. The first three 4-byte words in the TCP stream of the attack correspond to the "packet" as described by immunitysec: "size of packet", "XX XX FF XX", and "real address pointer". The vulnerability exists because the "real address pointer" can be manipulated by the attacker and user data is subsequently written to that location. In our Argos CSI data it points at a memory location that is marked as tainted. Thus the behaviour of the exploit is consistent with the description of the vulnerability.

Attack verification

To verify that the vulnerability attacked is the one found by immunitysec.com, I ran the corresponding exploit from the Metasploit suite against our honeypot and compared both results. The comparison with the traces of the real attack was surprising. First, the payload of the attack was much smaller than that of the Metasploit attack. Moreover, the three words that are characteristic for the exploitation of the vulnerability are different. They start at offset 0000002d in the TCP stream: packet length 0x208, "00 00 78 00", "05 37 1e 90". Thus the critical byte "FF" in the second word, which is present in the Metasploit attack, is missing here. Moreover, the bytes at the address 0x05371e90 do not appear to be tainted, in contrast to the Metasploit attack. Thus, I am confident that this vulnerability is definitely not the one published by immunitysec. Further analysis of this attack will follow.
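As an added example (not code from this post, nor from Argos, NoAH or Metasploit), the following Python dissects the three leading words of a captured WINS replication stream the way the analysis above does and compares the captured header against a reference header. It assumes network byte order for all three words, which matches the post's reading of the bytes 05 37 1e 90 as the pointer 0x05371e90. The stream offset 0x2d and the values 0x208, 00 00 78 00 and 05 37 1e 90 are taken from the post; the bytes surrounding them and the entire reference header are constructed placeholders, not the real Metasploit payload.

```python
import struct
from dataclasses import dataclass

HEADER_LEN = 12          # three 4-byte words
STREAM_OFFSET = 0x2d     # offset of the first word in the captured TCP stream (from the post)


@dataclass
class ReplHeader:
    """The three leading words of a WINS replication message as the post describes them."""
    length: int      # word 1: "size of packet"
    word2: bytes     # word 2: "XX XX FF XX" in the immunitysec exploit
    pointer: int     # word 3: "real address pointer"

    @property
    def has_ff_marker(self) -> bool:
        # The immunitysec exploit carries 0xFF as the third byte of word 2.
        return self.word2[2] == 0xFF


def parse_header(stream: bytes, offset: int = 0) -> ReplHeader:
    """Dissect the three leading 4-byte words starting at `offset`.

    Assumption: network byte order, which is how the post reads the bytes
    05 37 1e 90 as the pointer 0x05371e90.
    """
    if len(stream) < offset + HEADER_LEN:
        raise ValueError("stream too short for a replication header")
    length, word2, pointer = struct.unpack_from(">I4sI", stream, offset)
    return ReplHeader(length, word2, pointer)


def longest_nop_run(data: bytes) -> int:
    """Length of the longest run of 0x90 (x86 NOP) bytes. A long run is a NOP
    sled and explains a frame pointer of 0x90909090 after a stack overflow."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == 0x90 else 0
        best = max(best, cur)
    return best


def compare(observed: bytes, reference: bytes,
            observed_offset: int = 0, reference_offset: int = 0) -> dict:
    """Side-by-side summary of the checks the post applies: declared length,
    presence of the 0xFF marker, pointer value, and NOP-sled length."""
    o = parse_header(observed, observed_offset)
    r = parse_header(reference, reference_offset)
    return {
        "observed_length": o.length,
        "reference_length": r.length,
        "observed_has_ff": o.has_ff_marker,
        "reference_has_ff": r.has_ff_marker,
        "pointer_differs": o.pointer != r.pointer,
        "observed_nop_run": longest_nop_run(observed[observed_offset + HEADER_LEN:]),
        "reference_nop_run": longest_nop_run(reference[reference_offset + HEADER_LEN:]),
    }


# Constructed sample: the three words quoted in the post at stream offset 0x2d.
# The 0x2d bytes before the header and the 16-byte NOP filler after it are
# placeholders; the real capture is not reproduced here.
OBSERVED_STREAM = (
    b"\x00" * STREAM_OFFSET
    + bytes.fromhex("00000208" "00007800" "05371e90")
    + b"\x90" * 16
)

# Hypothetical reference header following the "size", "XX XX FF XX", "pointer"
# pattern the post attributes to the immunitysec/Metasploit exploit. The values
# are made up for illustration; they are not Metasploit's actual bytes.
REFERENCE_STREAM = bytes.fromhex("00000400" "0000ff00" "41414141") + b"\x90" * 64

if __name__ == "__main__":
    for key, value in compare(OBSERVED_STREAM, REFERENCE_STREAM, STREAM_OFFSET).items():
        print(f"{key:>20}: {value}")
```

Run against a real capture, replace the constructed streams with the raw bytes exported from Wireshark's "Follow TCP Stream" view; the offset argument lets the header be read from wherever it sits in the exported stream.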

Screenshots

Packet dump of the attack


TCP stream data of the attack payload


TCP stream data of the metasploit attack data

