There’s No Day Like 0-day

Hello Childrens!

So it’s been a long while and as I still have people viewing this blog despite the spell of inactivity, I thought it might be best to give any of the regulars an update.

I’ve been pretty busy since I took a new job as a system administrator/in-house security guy but I am really enjoying my job.  I get a fair amount of freedom to “play” with my security hobbies in the name of work and at the same time, learn a lot from an administrator’s point of view rather than just an attacker’s.  Recently we began testing a new IDS/IPS and I was more or less put in charge of auditing it and seeing how well it would perform.  My initial impression was that it was simplified enough to provide information directly to the user with no bullshit in between, but this impression was given before I had enough time to actually probe the application.  As it turns out, during this testing (in less than 24 hours) two zero-day vulnerabilities were discovered.  The first vulnerability is one which allows a remote attacker to inject arbitrary data into the hosts list of the application.  This was initially discovered during some automated exploit testing to see how it reported, what it picked up, etc.  After the test(s) concluded, I went to check the logs and noticed that I had some massive Unicode strings under the hosts list.  After examining this further, this string looked like the payload of a buffer overflow.  Based upon this, it became apparent that an attacker could add any information to the hosts list for this particular IDS.  I have also been working to find out if this attack can be leveraged to remove hosts from the list but as of yet, I have not had enough time.

The second 0-day, which kind of piggybacks off of the first, results in a DoS condition on the database the IDPS uses, or at least its search function.  If you inject 5 of these Unicode strings into the target monitoring list, the search function never completes.  That’s right, if you add 5 of these strings and click search, the database hangs and the search never completes, rendering the program’s only reporting interface for Linux (the web interface) completely useless.

Both of these exploits can be accomplished remotely, with no authentication required and no knowledge of anything on the target system.  All you need to do is launch this shit at the IP and it automagically works.

This is particularly disappointing as I was finally starting to like this product more for mass-deployment, but this has proved to be a major setback regarding the amount of faith I was willing to put in this application.  For the time being, as I am not an advocate of any disclosure methods, the product and vendor will remain unnamed.  I am working in conjunction with the vendor to patch these issues so that maybe there is still hope for deploying the product, but at this point, it is entirely too difficult to tell.

On a final note, I am working on my term paper which deals with buffer overflows, polymorphic shellcode and IDS evasion, and it will probably be awesome, just like everything else I write.  Maybe I can make it less formal and turn it into a posting series, or maybe I can make it too complicated to follow and call it a whitepaper.  I am thinking of going with the first option.

That’s about all I have for now.  Have a great weekend and don’t do anything too stupid.

~ by ohsoninja on October 25, 2008.

One Response to “There’s No Day Like 0-day”

  1. Yes, this is slightly scary but I have seen it happen more and more lately.
    ~drubin