
[Full-disclosure] Fun with ISS Fusion Module



Fun with ISS Fusion Module
This module can correlate data from different ISS products and, based on it, can 
give additional info about detected attacks (whether an attack was successful or 
not, etc.). For example, if the IDS (network sensor) detects an exploit in traffic, 
but a scan (Internet Scanner) reports that the vulnerability on the victim host is 
patched, the attack is marked as "Failed".

But Fusion doesn't check whether the vulnerability was actually checked in the 
scan. For example, if the IDS catches an attack, but the scanner reports that the 
host isn't vulnerable (because the admin forgot to include this check in the 
scanner's policy), Fusion will report that the attack possibly failed, regardless 
of the real situation.

How to reproduce:

1. Launch Internet Scanner and scan the victim with some low-level policy, such as 
Inventory Level 1 or Level 2. This policy only finds hosts and applications and 
doesn't check for any vulnerabilities (like nmap).
2. Apply an appropriate policy to the IDS sensor (for example, Attack Detector).
3. Attack the victim with a selected exploit (I used LSASS MS04-011).
4. Check the report about the attack. You will see "Failure possible. scanned, vuln not 
confirmed"

I didn't find any description of the "Failure" status, but the color is green :-)

(c)oded by offtopic@xxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
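
Added example, not part of the original post and not ISS code: a minimal sketch of the correlation gap the post describes, next to a version that treats a missing scan check as "unknown" rather than as a negative. The `ScanResult` model, the verdict strings, the host addresses and the scan contents are all constructed for illustration; only the MS04-011 identifier comes from the post.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ScanResult:
    """Constructed stand-in for a scanner report on one host (hypothetical model)."""
    host: str
    checks_run: set = field(default_factory=set)   # checks the scan policy executed
    vulns_found: set = field(default_factory=set)  # checks that flagged the host

def naive_verdict(vuln_id: str, scan: Optional[ScanResult]) -> str:
    """Correlation as the post describes it: no finding is read as 'not vulnerable'."""
    if scan is None:
        return "unknown: host never scanned"
    if vuln_id in scan.vulns_found:
        return "success likely: vulnerability confirmed"
    return "failure possible: scanned, not confirmed"

def coverage_aware_verdict(vuln_id: str, scan: Optional[ScanResult]) -> str:
    """Same correlation, but a negative only counts if the check actually ran."""
    if scan is None:
        return "unknown: host never scanned"
    if vuln_id in scan.vulns_found:
        return "success likely: vulnerability confirmed"
    if vuln_id not in scan.checks_run:
        # Inventory-style policy: the host was scanned, the vulnerability was not tested.
        return "unknown: check not in scan policy"
    return "failure likely: check ran, not vulnerable"

# Constructed sample data: an inventory-only scan, a scan that ran the check
# and found nothing, and a scan that ran the check and flagged the host.
INVENTORY_SCAN = ScanResult(host="10.0.0.5")
PATCHED_SCAN = ScanResult(host="10.0.0.6", checks_run={"MS04-011"})
VULNERABLE_SCAN = ScanResult(host="10.0.0.7", checks_run={"MS04-011"},
                             vulns_found={"MS04-011"})

if __name__ == "__main__":
    for scan in (INVENTORY_SCAN, PATCHED_SCAN, VULNERABLE_SCAN, None):
        name = scan.host if scan else "unscanned host"
        print(f"{name}: naive={naive_verdict('MS04-011', scan)!r} "
              f"aware={coverage_aware_verdict('MS04-011', scan)!r}")
```

Only the inventory-only scan separates the two functions: the naive version downgrades the alert, while the coverage-aware version leaves it open for an analyst.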