lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1049709988.546.35.camel@bobby>
From: ngregoire at exaprobe.com (Nicolas Gregoire)
Subject: False-negatives in several Vulnerability Assessment tools

------------------------------------------------------------------------
Title : False-negatives in several Vulnerability Assessment tools
Released : April 7th 2003
Location : http://www.exaprobe.com/labs/advisories/esa-2003-0407.html
------------------------------------------------------------------------

General overview
================

Numerous Vulnerability Assessment (VA) tools are available for security
engineers, pen-testers and network administrators.  Their results are
mostly trusted by users since they don't have time nor competences to
validate that output.  

More and more softwares are currently implementing some banners and
error messages that depend on the language. Especially for commercial
softwares, like Microsoft SQL Server or the Windows operating system.

Some VA tools don't integrate this localization feature and so generate
false-negatives. It can thus lead to a false sense of security. Some
exploit work on the English as well as on some non-English versions, it
then constitutes a security breach.

We chose to demonstrate those security exposures on Microsoft SQL Server
with the "SQL Server blank password" vulnerability.

Please note that this is not the only issue :

- Some problems were found when VA tools began to detect the IIS/Unicode
vulnerability, like the unicoder.pl script of HD Moore, which is looking
for the localizable string "Directory of" [1].  

- The admin account on Windows operating systems depends on the
localization. On English-speaking versions, the name is "Administrator",
whereas on French version (for example), it is "Administrateur". This
leads to issues on brute-force attacks.

A pratical example
==================

	Introduction
	============

	Microsoft SQL Server is a perfect choice to test VA tools about
	localization issues because it is widely deployed, it depends on
	the localization and it is vulnerable to some well-known
	security flaws.

	Testing conditions
	==================

	First, we set up default installations of Microsoft SQL Server
	2000 on Win2K SP3, in the following languages :
	- English
	- French
	- German
	- Japan
	The "sa" admin account was set with a blank password.

	We tested every VA tools from our panel on the English version
	looking for the vulnerability CAN-2000-1209 ("MS-SQL blank
	password").  Products which found this breach were then tested
	on the other languages.

	Tested VA tools
	===============

	- ISS Database Scanner 
	- Vigilante SecureScan NX
	- eEye Retina Network Scanner
	- eEye Spida Scanner (dedicated to find blank "sa" accounts)
	- Nessus
	- Sensepost senseql

	Untested (or untestable) VA tools
	=================================

	- ISS Security Scanner (doesn't do this check)
	- Symantec NetRecon (doesn't do this check)
	- NetIQ (doesn't do this check)
	- GFI LANGuard (unreliable results)

	Results
	=======

        +----------------------+-----------------+------------------+
        |       VA Tool        | English version | Others languages |
        +----------------------+-----------------+------------------+
        | ISS Database Scanner |       OK        |        OK        |
        +----------------------+-----------------+------------------+
        | Vigilante Secure NX  |       OK        |  False-negative  |
        +----------------------+-----------------+------------------+
        | eEye Retina Scanner  |       OK        |  False-negative  |
        +----------------------+-----------------+------------------+
        | eEye Spida Scanner   |       OK        |  False-negative  |
        +----------------------+-----------------+------------------+
        | Nessus               |       OK        |  False-negative  |
        +----------------------+-----------------+------------------+
        | Sensepost senseql    |       OK        |  False-negative  |
        +----------------------+-----------------+------------------+

	Notes about the above results
	=============================

	- The eEye Retina Scanner was tested on this point some time
	ago. Amazingly, it used to detect this vulnerability on
	non-English versions of Microsoft SQL Server.
	
	- Informal discussions with nCircle developpers conclude that
	their VA tool shouldn't be affected by this problem.
	
	- The exploit code nammed SQLpoke [2] (used in the
	Worm.SQLSpida.A malware [3]) succeeds to compromize every
	localized Microsoft SQL server. This implementation operates at 
	the application level.

	Editors status
	==============

	- Vigilante Secure NX :
		Work in progress on the editor side ...
	- eEye Retina Scanner :
		Work in progress on the editor side ...
	- Nessus : 
		We provided the Nessus team with some patches which were
		integrated to the related plugins
	- Sensepost senseql : 
		A new release is available at [4]	

Conclusion
==========

In our opinion, it's now up to VA tools editors to take into account the
localization issues when developping pattern matching signatures. Of
course, security engineers and consultants should review every scan
reports for false-positives. They should also run several tools in order
to better detect false-negatives. A good way to avoid these problems
would be to check vulnerabilies at an application level, like the
SQLpoke exploit code.  

Credits
=======

Nicolas Gregoire, security engineer
        - initial discovery of the MS-SQL localization bug
        - testing and redaction

Philippe Conchonnet, security consultant
        - testing of Windows-based VA tools

Christophe Briguet, technical manager
        - review of the document

References
==========

[1] : http://packetstormsecurity.org/NT/scanners/Sqlpoke.zip
[2] : http://lists.insecure.org/lists/pen-test/2001/Jun/0128.html
[3] : http://www.avp.ch/avpve/worms/sqlspida.stm
[4] : http://www.exaprobe.com/labs/downloads/tools/senseql-1.1.tgz

-- 
Nicolas Gregoire ----- Consultant en S?curit? des Syst?mes d'Information
ngregoire@...probe.com ------[ ExaProbe ]------ http://www.exaprobe.com/
PGP KeyID:CA61B44F  FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ