-----------------.---------------------------------------------.
  /|                 |                             .               |
 / | :               : :             : :             :             |
|  | ::        ------  ::            : ::          | ::     -      |-----
|  | ::              : ::     .      :      |      | ::            :     |
|  |                 :        .      |------|      |               :     |
|  |           ------^        :      |     /       |                     .
|  ;----------"---------------^------     /  ------'---------------------
| /          /               /      /----'        /                     /
|'----------'---------------'------'     --------'---------------------'
                                www.f8labs.com





INTRODUCTION

Advisory .........: RealSecure or Real"un"Secure <RealSecure Can Not Detect RDS and recent Unicode Exploit>
Release Date .....: 10-31-00
Application ......: RealSecure by ISS
Version ..........: All versions prior to and including 5.0 of all sensors
Vendor Status ....: Contacted - no responses
By ...............: Fate Research Labs
WWW ..............: www.f8labs.com




[ OVERVIEW ]

RealSecure by Internet Security Systems recently released version 5.0 of their 
Intrusion Detection System software. ISS markets RealSecure as a collection of 
detection modules with unique attack recognition and response capabilities, 
otherwise known as sensors. The network class of sensors monitors the raw, 
unfiltered traffic on enterprise networks, looking for patterns, protocol 
violations, and repeated access attempts that indicate malicious intent. The OS 
sensor performs real-time intrusion monitoring, detection, and prevention of 
malicious activity by analyzing kernel-level events and host logs.

When RealSecure detects unauthorized activity, it can respond in a number of ways, 
automatically recording the date, time, source, and target of the event, 
recording the content of the attack, notifying the system administrator, 
reconfiguring a firewall or router, suspending a user account, or terminating 
the attack.




[ ADVISORY ]

Despite all of the wonderful, feature rich, value add functionality of RealSecure, 
their remains one catch. In no place within the management console are you allowed 
to add your own custom signatures. This is the very thing that makes this product 
so weak. With all of the open source Intrusion Detection Systems, including some 
commercial ones offered by other companies, the user is allowed to add his own 
custom signatures to the database. Our question is why would ISS not want their 
customers to have that same luxury. The administrator finds himself in a GUI hell 
filled with icons of signatures provided by ISS when administering the signatures. 

A year old advisory called RDS by Rain Forrest Puppy, which is a popular toy by skript 
kiddies is one of the most common tools used to compromise NT-based machines. I quote 
from the original RDS advisory released 10-12-99.


    "it...is direct, immediate, and almost 100% guaranteed
     to work....THE NUMBER OF HUGE SITES THAT ARE VULNERABLE
     IS RIDICULOUS!"
                                        -Russ Cooper, NTBugtraq


     "This exploit also does *not* require the presence of
      any sample web applications or example code...the 
      issue affects at least 50% of the IIS servers I have
      seen"
                                        -Greg Gonzalez, NTBugtraq



/* -- snip from bugtraq id: 529 -- */

MDAC (Microsoft Data Access Components) is a package used to integrate web and 
database services. It includes a component named RDS (Remote Data Services). 
RDS allows remote access via the internet to database objects through IIS. Both 
are included in a default installation of the Windows NT 4.0 Option Pack, but 
can be excluded via a custom installation.

RDS includes a component called the DataFactory object, which has a vulnerability 
that could allow any web user to:

--Obtain unauthorized access to unpublished files on the IIS server
--Use MDAC to tunnel ODBC requests through to a remote internal or external location, 
thereby obtaining access to non-public servers or effectively masking the source of an 
attack on another network.


The main risk in this vulnerability is the following: 
--If the Microsoft JET OLE DB Provider or Microsoft DataShape Provider are installed, 
a user could use the shell() VBA command on the server with System privileges. 
(See the Microsoft JET Database Engine VBA Vulnerability for more information). 
These two vulnerabilities combined can allow an attacker on the Internet to run 
arbitrary commands with System level privileges on the target host.

/* -- snap end bugtraq desc. of rds exploit -- */



With such a dangerous tool on the loose, and the amount of sites compromised using 
it not declining, the need to detect and prevent such an attack is detrimental. To 
our surprise, the newest version and new set of signatures provided by ISS would not 
detect our RDS attacks on remote networks being protected by RealSecure. With so many 
large corporations and even Security Operation Centers deploying this product, it is 
the belief of F8 Labs that the customers of this product are made aware of its 
handicap. If a popular exploit that was released last year has not yet been added to 
their signature database, what else has not that we haven't tested?

It has also been discovered that the recent Unicode exploit goes undetected by
RealSecure as well. 

------ snip // unicode --------

An anonymous person posts that they can run arbitrary commands on IIS 5
(Win 2000) using the following URL:

http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\ 


It seems the values of %c0%af and %c1%9c work for IIS 5. Curiousity
getting the better of me, I tried it on IIS 4. Uh oh, works there too.

------ snap // unicode --------



[ FOR THE KIDDIES ]

For those of you out there who would like to know if RealSecure is protecting a 
remote site, try looking for a service running on port 2998. This is the administration 
port that a remote console would use to connect to the remote sensor.


[ CONCULSION ]

Fate Research suggests that ISS allow customers the ability to modify built-in signatures
as well as add signatures. The inability to add new signatures for exploits as they
are released puts full control in the hands of ISS in hopes that they are protecting your
network against commonly used new threats. A task that they are failing miserably at, at the
time of this writing.