Microsoft is disappointed
Update: It looks like the press wars are starting. Network World and
Information Week have published mostly one-sided articles about our exploit release, while The Channel Insider/PC Mag/eWeek/TechWorld articles cover both sides and even link back to this blog. A few of the articles are so wrong as to be funny, such asTechSpot (they fixed it), which claims that Microsoft released the exploit code. If you have worked with the MSRC in the past and would like to share your experiences, please post a comment!
On June 22nd, we released three new modules for the Metasploit Framework, one of which covered the recent Remote Routing and Access service vulnerability (MS06-025). Today, I received two email messages. One from a Microsoft Security Response Center (MSRC) team member and another from the primary author of the module we released.
The email from MSRC reads: "I recently saw your addition to the framework concerning MS06-025. In talking to REDACTED he mentioned that you may have also identified some addition issues with RRAS that were not addressed by this months release. I just thought I would check in with you and see if it would be possible to get additional details so we investigate and address them accordingly. I hope all is well and appreciate any insight you may be willing to share."
No problem there, a friend of mine relayed that there were some unfixed issues in RRAS, and the MSRC team member is doing their job and following up. I was starting to enjoy getting email from MSRC that didn't end in a vague threat. I replied back with some information about a still-present vulnerability in this service.
Then I read the next email. Nicolas points me to a new Microsoft security advisory and specifically mentions the third paragraph:
Microsoft Security Advisory (921923)
"Microsoft is disappointed that certain security researchers have breached the commonly accepted industry practice of withholding vulnerability data so close to update release and have published exploit code, potentially harming computer users. We continue to urge security researchers to disclose vulnerability information responsibly and allow customers time to deploy updates so they do not aid criminals in their attempt to take advantage of software vulnerabilities."
This sounds familiar...
Lets take a closer look at this paragraph:
"Microsoft is disappointed that certain security researchers..."
This is easy enough, there is only one publicly available exploit, it was written by Nicolas and myself. Lets assume they are referring to us.
"...have breached the commonly accepted industry practice of withholding vulnerability data..."
Microsoft claims that there is a "commonly accepted industry practice", but my own experience contradicts this. To support this statement, lets review the business services of a few companies in the security industry:
Verisign pays for exclusive rights to new vulnerabilties and sells a limited version of this data to their subscribers. Digital Armaments pays for exclusive rights to new vulnerabilities and then shares the data with its members. Immunity sells access to exploits and vulnerability information, often before the vendor is notified.
This covers the direct sale of information, but what about product vendors that include detailed vulnerability information with their subscription services? A vulnerability scanner can disclose vulnerability details through the act of checking for the flaw. IDS vendors that provide user-visible signatures disclose the exploit vector through the structure and content of their signatures. The vendors behind the two most popular products in each of these categories (Snort and Nessus) both charge for timely access to the most recent plugins and signatures.
A large portion of all vulnerabilities are discovered by "security researchers". How many of these researchers publish detailed vulnerability information on the same day that the vendor releases a patch? A quick review of the last 50 OSVDB entries shows that in almost every case, complete vulnerability details were available on or before the day that a vendor solution was released. The exceptions? Large proprietary software vendors.
We have identified three primary sources of vulnerability information; information brokers, security software vendors, and security researchers. The defacto standard seems to be quite different from what the MSRC is calling the "industry standard". Could it be that they are referring to the commercial software industry and not the security industry? Microsoft has coerced a handful of software vendors to join their Organization for Internet Safety (OIS). The OIS initially consisted of 12 companies, but this has dwindled down since the software vendors began aquiring the security service companies. The result is a group of vendors that actively suppress vulnerability disclosure within their organizations. Jericho (of Attrition/OSVDB) published an excellent description of how the OIS was formed, before the official name of the organization was even known.
"...so close to update release and have published exploit code, potentially harming computer users."
The vulnerability was disclosed on June 13th and the Metasploit exploit was released on June 22nd. This nine day period is a significant delay in the security world and nine days longer than nearly all of the recent vulnerabilties added to the OSVDB. Even dial-up users can complete an automated update in nine days.
To make things interesting, the exploit we released was actually for a different bug than the one mentioned in the advisory. Nicolas discovered this flaw while trying to figure out the vector for the "official" vulnerability. This is a common occurrence with proprietary software vendors, since the process of looking for one bug often turns up a dozen more that were never mentioned in any public documents.
Microsoft never mentioned this specific vulnerability in the advisory or to the Microsoft 0-Day Club (Microsoft Security Support Alliance), which meant that no intrusion detection systems were able to detect the Metasploit module at the time of this writing.
The mitigating factors for the RRAS vulnerabilties prevent an anonymous user from exploiting any version of Windows 2000 and all versions of Windows XP that have been upgraded to Service Pack 2. The anonymous cracker risk is limited to Windows XP users that have not upgraded to Service Pack 2 and were unable to install the latest updates during a nine day period.
"We continue to urge security researchers to disclose vulnerability information responsibly and allow customers time to deploy updates so they do not aid criminals in their attempt to take advantage of software vulnerabilities."
Totally irrelevant. We didn't report this bug and nine days is a longer grace period than most vendors receive.
The point of this rant is that Microsoft is doing themselves a disservice by asking for vulnerability information on one hand and then condemning the folks who provide it with the other. The MSRC obviously has some communication issues to resolve and we should take any commentary in their advisories with a large grain of salt.
Information Week have published mostly one-sided articles about our exploit release, while The Channel Insider/PC Mag/eWeek/TechWorld articles cover both sides and even link back to this blog. A few of the articles are so wrong as to be funny, such as
On June 22nd, we released three new modules for the Metasploit Framework, one of which covered the recent Remote Routing and Access service vulnerability (MS06-025). Today, I received two email messages. One from a Microsoft Security Response Center (MSRC) team member and another from the primary author of the module we released.
The email from MSRC reads: "I recently saw your addition to the framework concerning MS06-025. In talking to REDACTED he mentioned that you may have also identified some addition issues with RRAS that were not addressed by this months release. I just thought I would check in with you and see if it would be possible to get additional details so we investigate and address them accordingly. I hope all is well and appreciate any insight you may be willing to share."
No problem there, a friend of mine relayed that there were some unfixed issues in RRAS, and the MSRC team member is doing their job and following up. I was starting to enjoy getting email from MSRC that didn't end in a vague threat. I replied back with some information about a still-present vulnerability in this service.
Then I read the next email. Nicolas points me to a new Microsoft security advisory and specifically mentions the third paragraph:
Microsoft Security Advisory (921923)
"Microsoft is disappointed that certain security researchers have breached the commonly accepted industry practice of withholding vulnerability data so close to update release and have published exploit code, potentially harming computer users. We continue to urge security researchers to disclose vulnerability information responsibly and allow customers time to deploy updates so they do not aid criminals in their attempt to take advantage of software vulnerabilities."
This sounds familiar...
Lets take a closer look at this paragraph:
"Microsoft is disappointed that certain security researchers..."
This is easy enough, there is only one publicly available exploit, it was written by Nicolas and myself. Lets assume they are referring to us.
"...have breached the commonly accepted industry practice of withholding vulnerability data..."
Microsoft claims that there is a "commonly accepted industry practice", but my own experience contradicts this. To support this statement, lets review the business services of a few companies in the security industry:
Verisign pays for exclusive rights to new vulnerabilties and sells a limited version of this data to their subscribers. Digital Armaments pays for exclusive rights to new vulnerabilities and then shares the data with its members. Immunity sells access to exploits and vulnerability information, often before the vendor is notified.
This covers the direct sale of information, but what about product vendors that include detailed vulnerability information with their subscription services? A vulnerability scanner can disclose vulnerability details through the act of checking for the flaw. IDS vendors that provide user-visible signatures disclose the exploit vector through the structure and content of their signatures. The vendors behind the two most popular products in each of these categories (Snort and Nessus) both charge for timely access to the most recent plugins and signatures.
A large portion of all vulnerabilities are discovered by "security researchers". How many of these researchers publish detailed vulnerability information on the same day that the vendor releases a patch? A quick review of the last 50 OSVDB entries shows that in almost every case, complete vulnerability details were available on or before the day that a vendor solution was released. The exceptions? Large proprietary software vendors.
We have identified three primary sources of vulnerability information; information brokers, security software vendors, and security researchers. The defacto standard seems to be quite different from what the MSRC is calling the "industry standard". Could it be that they are referring to the commercial software industry and not the security industry? Microsoft has coerced a handful of software vendors to join their Organization for Internet Safety (OIS). The OIS initially consisted of 12 companies, but this has dwindled down since the software vendors began aquiring the security service companies. The result is a group of vendors that actively suppress vulnerability disclosure within their organizations. Jericho (of Attrition/OSVDB) published an excellent description of how the OIS was formed, before the official name of the organization was even known.
"...so close to update release and have published exploit code, potentially harming computer users."
The vulnerability was disclosed on June 13th and the Metasploit exploit was released on June 22nd. This nine day period is a significant delay in the security world and nine days longer than nearly all of the recent vulnerabilties added to the OSVDB. Even dial-up users can complete an automated update in nine days.
To make things interesting, the exploit we released was actually for a different bug than the one mentioned in the advisory. Nicolas discovered this flaw while trying to figure out the vector for the "official" vulnerability. This is a common occurrence with proprietary software vendors, since the process of looking for one bug often turns up a dozen more that were never mentioned in any public documents.
Microsoft never mentioned this specific vulnerability in the advisory or to the Microsoft 0-Day Club (Microsoft Security Support Alliance), which meant that no intrusion detection systems were able to detect the Metasploit module at the time of this writing.
The mitigating factors for the RRAS vulnerabilties prevent an anonymous user from exploiting any version of Windows 2000 and all versions of Windows XP that have been upgraded to Service Pack 2. The anonymous cracker risk is limited to Windows XP users that have not upgraded to Service Pack 2 and were unable to install the latest updates during a nine day period.
"We continue to urge security researchers to disclose vulnerability information responsibly and allow customers time to deploy updates so they do not aid criminals in their attempt to take advantage of software vulnerabilities."
Totally irrelevant. We didn't report this bug and nine days is a longer grace period than most vendors receive.
The point of this rant is that Microsoft is doing themselves a disservice by asking for vulnerability information on one hand and then condemning the folks who provide it with the other. The MSRC obviously has some communication issues to resolve and we should take any commentary in their advisories with a large grain of salt.
posted by hdm at 8:49 PM
20 Comments:
YEAH STICK IT TO THE MAN! GO HD!
Gee, that sounds familiar. I commented on this same hostile, confrontational tone in advisory 911302 on DOM in December:
http://blogs.securiteam.com/?p=133
I thought Microsoft had done away with that language after I gave a few of their people a repeated hammering for using it.
Unfortunately, it seems this was not the case. Could it be that they elected to criticize because so many customers have had problems with the MS06-025 update? Maybe what they really meant to say was...
"Some of our customers can't apply the patch because it breaks their systems. These same customers are left without IDS signatures, because we yet again silently patched bugs. And now, Metasploit is releasing EXPLOIT CODE?!?!?! This is too much!"
Were it not for that, it's completely ridiculous for them to issue such a grand-standing advisory on MS06-025 and not do it the dozens of other times researchers have released PoC code for much more easily-exploited vulnerabilities. MS06-006, anyone?
Another case of people getting burned by a silent (broken) patch from Microsoft. When will they ever learn?
Com'on, we all know ; If they would not program such a crap and/or if the programing bitches at MS would get more bucks or other motivations to write clean code, such a security hole would never happen. I think this is one of the badest they ever made. lets wait for the next viri's and we will see . . .
Folks at metasploit, thx for your great job and forget this sh* they wrote about the exploit, , , go on and write more exploitz, this is the only way they will learn to write better code.
Anybody that has reported a bug to MSRC more than just a few times has a story like yours. The distinctive features are:
1. You find a bug and work with MSRC for months to get to the point where they are ready to release a fix (after missing their own deadlines more than a few times)
2. Originally they asked for, and you provided them, exploit code to MSRC so they could repro the bug
3. They seem to be thankful on private email and promise to be more so if you play by their rules
4. Yet their PR machine goes after your throat if you dare publish any technical detail or publish the same exploit that they asked for and obtained to repro the bug. However, everything is fine if you just sell or give out the details or exploit code to any given closed group with some alleged legitimacy.
The situation does not get any better when you did not report the bug orginally but merely tried to write a PoC to verify that your deployed fixes (or ids/ips signatures)do work based on the information in their bulletins or advisories. There are no technical details in them so unless you're part of their 0-day club you are on your own trying to infer what really was the bug they fixed.
After some research and patch reverse engineering you find one bug and write PoC for it, later it turns out that you found a different bug from the one officially disclosed. The one you found had been silently patched without any public notification.
What is really damaging here is not that MSFT's products are buggy (all software has bugs) but the arrogant and authoritarian attitude adopted by MSFT in fixing them. One would think that 4 years after starting off their "security push" on the wrong foot with Scott Culp's information anarchy diatribe and the "responsible disclosure" circus, they would become more humble, transparent and reasonable but no such luck. Old habits die hard.
This blogentry is also mentioned at heise.de (very large German IT news-site).
And I may add that I don't think that MS should speak about "standards"...
After reading the MSBS (Microsoft Bulls---) And IU have not had a chance to review the Framework release. Is this exploitable over the Internet or just through dial-up?
This vulnerability is exploitable over any TCP/IP link - our exploit code uses named pipes over the SMB service (TCP ports 139 and 445), but there may be other avenues as well.
You suck - you are ruining the world. You are a no-good terroist. I'm sure you really work for Bin Laden.
Your blog says that Windows 2000 systems are NOT vulnerable to an anonymous attack, like a worm. However, this is different than what Microsoft says in their bulletin. They say that both Windows 2000 and XP SP0/SP1 are vulnerable without authentication. Can you clarify your comment, or am I missing something?
A few other people mentioned this, so I took a closer look. On Windows 2000, the RRAS service shares the same process space with a handful of other services. A quick check with ProcessExplorer shows that the following named pipes are owned by this process:
EVENTLOG
NTSVCS
ROUTER
SAMR
SVCCTL
WMIEP_240
Winsock2\CatalogChangeListener-240-0
net\NtControlPipe4
Any of these pipes should allow access to the vulnerable service, but anonymous users are only alllowed access to one of them (SAMR). So, taking the stock Metasploit module and setting the SMBPIPE option to SAMR, we get... Nothing. The RPC bind request fails for the vulnerable UUID, even though we are allowed access to the pipe.
The "official" bug has the same issue and the unpatched bug (in UUID 8f09f000-b7ed-11ce-bbd2-00001a181cad) is restricted over the SAMR pipe.
In summary, I stand by my statement that these flaws are not exploitation without a valid user account on Windows 2000. I would love Microsoft to prove me wrong on this, but they seem a little tight-lipped lately...
I would love to see them prove you wrong as well...but I think they are a little busy with Office vulnerabilities right now. =)
Open a spreadsheet and I get owned? What type of "commonly accepted industry practice" is that??
hah, are you joking? they should feel lucky you didn't release it sooner. their commentary in this advisory just shows their complete lack of maturity in dealing with these types of issues. that kind of comment should never have been allowed to make it into a public advisory, in the end it will only serve to perpetuate MS's image as a misguided company in the face of security threats.
I'm curious if after all it would be possible to supply each exploit with a map of files involved and UML diagram to show the relation between these files as well as objects, procedures, systemcalls,apicalls etc used in the attack vector.
This way one might get a true picture of the way exploits are 'grouped' or 'chained' into the application itself.
mailto: joris744 At hotmail d.t com
I think the "industry standard for vulnerability
disclosure" that MS was mentioning is http://www.dhs.gov/interweb/assetlibrary/vdwgreport.pdf
I'm not saying that your points are invalid, or that
MS is right, just that there is a standard that
can be held up. Perhaps there is something in
it you can use?
The DHS report is not an industry standard. It was written by the vendors who produce flawed software and the CERT organizations that handle the reports. It was NOT written by the folks who actually find the vulnerabilities or write the exploits. It doesn't matter how much the software industry wants to shut down disclosure - taking government money and writing recommendations doesn't bring them any closer to controlling what researchers post.
keep up the good work hdm.
the fact is that if you follow their rules... it will take forever and a day for these things to be fixed. by not following their rules, you are forcing them to fix things quickly.
(but could you target osx & safari alittle more?, i want their security team to hurry up as well... 3 months to fix a vulnerably in their browser)
always is the same history: "microsoft hide..", "microsoft denny.." bla bla bla.
The framework actually include more since this tag is posted on the blog, w2003 and vista have some serious mistakes on "the memory buffer and protocol" is reffer.. take a look for the TCP, his "sinc" technique is the most bad who i see since M$ release Nt4
you'll see :<
from wininet develop, listed here:
!IFNDEF WININET_PCH
PRECOMPILED_OPTION=/Fp..\inc\$(_OBJ_DIR)\*\wininetp.pch /Yuwininetp.h
PRECOMPILED_CXX=1
!ENDIF
CONDITIONAL_INCLUDES = \
winwlm.h \
macwin32.h \
ia64inst.h \
pshpck16.h \
rpcerr.h \
rpcmac.h \
macname1.h \
macpub.h \
macapi.h \
macname2.h\
protocol.c
we see specially protocol.c
" Contains functions to negotiate data connections with, send commands to and
receive data from, the FTP server"
Author:
Heath Hunnicutt
this code:
DEBUG_ENTER((DBG_FTP,
Dword,
"ReceiveFtpResponse",
"%#x, %#x, %#x, %B, %#x",
Socket,
lpBuffer,
lpdwBufferLength,
fEndOfLineCheck,
prcResponse
));
INET_ASSERT(lpBuffer != NULL);
INET_ASSERT(lpdwBufferLength != NULL);
if (fEndOfLineCheck) {
INET_ASSERT(prcResponse != NULL);
}
causes a "overflow" error when the client is linux system or mac.
this error has been reported for Metasploit project, i think in the first or second security advisors...
The case is that: these style of develop persist on the actually systemns released, the question is: what is new? in crackenfind think for that and the result is simple, M$ have a staff with the same mistakes, there don't renew for developpers or designers...
his errors are on the future calling for more sofisticated o simple exploits work...
greetz
AzRaEL
[NuKE] high council
www.crackenfind.net
always is the same history: "microsoft hide..", "microsoft denny.." bla bla bla.
The framework actually include more since this tag is posted on the blog, w2003 and vista have some serious mistakes on "the memory buffer and protocol" is reffer.. take a look for the TCP, his "sinc" technique is the most bad who i see since M$ release Nt4
you'll see :<
from wininet develop, listed here:
!IFNDEF WININET_PCH
PRECOMPILED_OPTION=/Fp..\inc\$(_OBJ_DIR)\*\wininetp.pch /Yuwininetp.h
PRECOMPILED_CXX=1
!ENDIF
CONDITIONAL_INCLUDES = \
winwlm.h \
macwin32.h \
ia64inst.h \
pshpck16.h \
rpcerr.h \
rpcmac.h \
macname1.h \
macpub.h \
macapi.h \
macname2.h\
protocol.c
we see specially protocol.c
" Contains functions to negotiate data connections with, send commands to and
receive data from, the FTP server"
Author:
Heath Hunnicutt
this code:
DEBUG_ENTER((DBG_FTP,
Dword,
"ReceiveFtpResponse",
"%#x, %#x, %#x, %B, %#x",
Socket,
lpBuffer,
lpdwBufferLength,
fEndOfLineCheck,
prcResponse
));
INET_ASSERT(lpBuffer != NULL);
INET_ASSERT(lpdwBufferLength != NULL);
if (fEndOfLineCheck) {
INET_ASSERT(prcResponse != NULL);
}
causes a "overflow" error when the client is linux system or mac.
this error has been reported for Metasploit project, i think in the first or second security advisors...
The case is that: these style of develop persist on the actually systemns released, the question is: what is new? in crackenfind think for that and the result is simple, M$ have a staff with the same mistakes, there don't renew for developpers or designers...
his errors are on the future calling for more sofisticated o simple exploits work...
greetz
AzRaEL
[NuKE] high council
www.crackenfind.net
I suppose SANS is jumping on the carrot biting bandwagon... Here is some nice disinformation tactics from them on this recent topic of MS vulnerabilities.
"The huge number of critical new vulnerabilities disclosed by Microsoft
on Tuesday *do not* appear to reflect increased failures by their
development process. Instead, the numerous discoveries of Microsoft
programming flaws are a result of the recent upsurge in organized
criminal hacker activity that has already shown up in 450% increases
in bank losses due to cyber fraud (since the first half of 2005),
broad penetration of US government (and other governments') computers
as well as those of military contractor systems. The number of people
engaged in cyber crime as a full-time "profession" in Eastern Europe
and, especially, in Asia is skyrocketing.
The increasing threat level makes this a particularly important time to
ensure your security people have current, hands-on technical skills so
they can find the penetrations, clean them up, and build sensible
defenses. By far the best way to do that is to encourage them to attend
one of the "national" SANS training programs."
Standard MS talk; we're supposed to think that .NET is better than a JVM. Maybe only in Redmond's banks. Thank you for the tangible evidence of the holes in the bottom of the MS boat while there's still time to plug some of them.
Post a Comment
Links to this post:
Create a Link
<< Home