Vulnerability scanning is the art of using one computer to look for weaknesses in the security of another computer, so that you can find and fix the weaknesses in your systems before someone else finds that there is a security weakness and decides to break in. It's a bit like a shopkeeper making sure all the doors and windows are closed and locked, the money is in the safe and the alarm is set, before closing up for the evening (Houghton, 2003).
There are three major types of vulnerability scanning to find network soft spots:
Part TWO: Carry Out Vulnerability Scanning & Analyse Scanning Results
Our network environment is a Local Area Network (LAN). We believe it contains vulnerabilities of various severity, risk, or priority levels.
We use the Nessus web application scanner to scan for available vulnerabilities on the chosen network and system. As a result, we have discovered three CVE IDs (Common Vulnerabilities and Exposures identifiers). They are CVE-2003-0533 (stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME), CVE-2008-4835 (SMB in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008), and CVE-2005-2120 (stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2).
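The scan results above are analysed by hand in this report. As an added example (not code from the report's authors, Nessus, or Tenable), the script below shows how the same analysis can be done programmatically: it parses a Nessus v2 report (the `.nessus` XML export) and ranks every CVE by host and severity so the remediation order is obvious. The XML embedded in the script is constructed to imitate the `.nessus` v2 layout (`ReportHost` / `ReportItem` / `cve` elements); the host addresses and plugin IDs are placeholders, not values from the scan described in the report. The three CVE IDs are the ones the report found.

```python
"""Parse Nessus (.nessus v2 XML) output and rank findings by severity.

Added example for this report; it is not code from Nessus or from the
report's authors. The XML below is a constructed, minimal imitation of the
.nessus v2 layout (ReportHost / ReportItem / cve elements); the plugin IDs
and host addresses are placeholders, not values from an actual scan.
"""
import xml.etree.ElementTree as ET

# Nessus severity codes: 0 = info, 1 = low, 2 = medium, 3 = high, 4 = critical
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample scan output (not a real scan); two hosts on a LAN.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="LAN scan (constructed)">
    <ReportHost name="192.0.2.10">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="PLACEHOLDER-1" pluginName="MS04-011: LSASS overflow">
        <cve>CVE-2003-0533</cve>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="PLACEHOLDER-2" pluginName="MS09-001: SMB validation">
        <cve>CVE-2008-4835</cve>
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.0.2.11">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="PLACEHOLDER-3" pluginName="MS05-039: PnP overflow">
        <cve>CVE-2005-2120</cve>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="0"
                  pluginID="PLACEHOLDER-4" pluginName="HTTP server type">
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return one dict per (host, CVE) pair found in the report."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            severity = int(item.get("severity", "0"))
            # Informational plugins carry no <cve>; they are skipped so the
            # remediation list only contains things that need patching.
            cves = [c.text.strip() for c in item.findall("cve") if c.text]
            for cve in cves:
                findings.append({
                    "host": host.get("name"),
                    "port": int(item.get("port", "0")),
                    "protocol": item.get("protocol", ""),
                    "plugin": item.get("pluginName", ""),
                    "severity": severity,
                    "severity_name": SEVERITY_NAMES.get(severity, "Unknown"),
                    "cve": cve,
                })
    # Highest severity first, then host, then CVE, so the fix order is obvious.
    findings.sort(key=lambda f: (-f["severity"], f["host"], f["cve"]))
    return findings


def cves_by_priority(findings):
    """Map each CVE to the highest severity seen for it anywhere in the scan."""
    priority = {}
    for f in findings:
        priority[f["cve"]] = max(priority.get(f["cve"], 0), f["severity"])
    return priority


def hosts_for_cve(findings, cve):
    """Sorted list of hosts that still need the patch for a given CVE."""
    return sorted({f["host"] for f in findings if f["cve"] == cve})


if __name__ == "__main__":
    for f in parse_nessus(SAMPLE_NESSUS):
        print(f"{f['severity_name']:<8} {f['host']:<12} "
              f"{f['protocol']}/{f['port']:<5} {f['cve']}  {f['plugin']}")
```

Run against a real export, the `hosts_for_cve` list is the patch list for each bulletin, and `cves_by_priority` gives the order in which the countermeasure section should be worked through. Informational plugins (severity 0) never carry a CVE and are dropped deliberately.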
2.1 CVE-2003-0533
2.1.1 Definition
Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm (Mitre, 2015).
2.1.4 Possible Attack Risks
A remote unauthenticated attacker could exploit this vulnerability to execute arbitrary code on the vulnerable system (Cert, 2004). An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges (Microsoft, 2004).
Many security attacks are a numbers game; that's why the large number of attacks against TCP port 445 is no surprise. Along with ports 135, 137 and 139, port 445 is a traditional Microsoft networking port. Specifically, TCP port 445 runs Server Message Block (SMB) over TCP/IP. This is a core means of communication on a Microsoft-based LAN. If you look at practically any modern Windows host on your network (e.g., via netstat -an|more from a command prompt), you'll see that port 445 is open and available. Many attacks against port 445 take place via the LAN. Malware seeking to exploit under-secured Windows systems is a likely source. However, these attacks can also originate outside the network and reach any system for which port 445 has been opened on the firewall (O'Reilly, 2002).
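The paragraph above suggests checking each Windows host with netstat -an to see whether port 445 and the other Microsoft networking ports are listening. As an added example (not code from the report's authors), the script below turns that manual check into a repeatable one: it parses saved netstat -an output and lists every listening socket on ports 135, 137, 139 or 445 that is bound to a non-loopback address, which is exactly the exposure the report is concerned with. The netstat text inside the script is constructed to look like Windows output; the addresses are documentation-range placeholders, and the LISTENING/ESTABLISHED distinction is used so that an outbound connection to a remote port 445 is not mistaken for local exposure.

```python
"""Flag Microsoft networking ports (135, 137, 139, 445) that a Windows host
exposes on non-loopback addresses, from saved 'netstat -an' output.

Added example for this report, not code from the report's authors or from
any scanner. The netstat text below is constructed to resemble Windows
'netstat -an' output; the addresses are documentation-range placeholders.
"""

# The ports the report names as the traditional Microsoft networking ports.
MS_NETWORKING_PORTS = {
    135: "RPC endpoint mapper",
    137: "NetBIOS name service",
    139: "NetBIOS session service (SMB over NetBIOS)",
    445: "SMB over TCP/IP",
}

# Constructed sample output (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:445          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49152       203.0.113.5:445        ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:5353           *:*
"""


def split_endpoint(endpoint):
    """'0.0.0.0:445' -> ('0.0.0.0', 445); also handles IPv6 '[::]:445'."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def is_loopback(host):
    """Loopback bindings are reachable only from the host itself."""
    return host.startswith("127.") or host == "[::1]"


def exposed_ms_ports(netstat_text):
    """Return sorted (proto, address, port, description) tuples for Microsoft
    networking ports that are listening on a non-loopback address."""
    exposed = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header, or blank line
        proto, local = fields[0], fields[1]
        # UDP rows have no State column. A TCP row only counts as exposure
        # when the socket is LISTENING; an ESTABLISHED row whose *foreign*
        # port is 445 is an outbound connection, not a service we offer.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        host, port = split_endpoint(local)
        if port in MS_NETWORKING_PORTS and not is_loopback(host):
            exposed.add((proto, host, port, MS_NETWORKING_PORTS[port]))
    return sorted(exposed)


if __name__ == "__main__":
    for proto, host, port, what in exposed_ms_ports(SAMPLE_NETSTAT):
        print(f"{proto} {host}:{port}  exposed: {what}")
```

Fed the output of `netstat -an` redirected to a file on each host, this gives the list of machines on which the firewall rules or the service configuration still need attention; a binding to 0.0.0.0 or [::] means every interface, including any that face the firewall's outside.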
2.2 CVE-2008-4835
2.2.1 Description
SMB in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to execute arbitrary code via malformed values of unspecified "fields inside the SMB packets" in an NT Trans2 request, related to "insufficiently validating the buffer size," aka "SMB Validation Remote Code Execution Vulnerability" (Mitre, CVE-2008-4835, 2015). This vulnerability belongs to the Boundary Condition Error class and is commonly found in Avaya Messaging Application Server, Microsoft Windows, and Nortel Networks products (SecurityFocus, 2009).
The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to execute arbitrary code or perform a denial of service against the remote host (Nessus, 2015).
The vulnerability is caused by the Microsoft Server Message Block (SMB) Protocol software insufficiently validating the buffer size before writing to it. Microsoft Server Message Block (SMB) Protocol is a Microsoft network file sharing protocol used in Microsoft Windows (Microsoft, 2009).
2.2.3 Severity Level
Affected software: Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Maximum security impact: Remote Code Execution
Severity rating: Critical (aggregate severity rating: Critical)
2.2.4 Possible Attack Risks
2.3.1 Description
Part THREE: Countermeasure / Mitigation Plan / Remedial Measures
3.1 Countermeasure
3.2 Mitigation Plan
3.3 Remedial Measures
Step 1: Open Metasploit on Kali Linux, then type the command msfconsole
Step 2: Type the command use auxiliary/dos/windows/smb/ms09_001_write
Step 3: Type show actions, then type set ACTION <action-name>
Step 4: Type the command show options, then type the command run
4. Conclusion
Statistics show that system compromises are on the rise, so we must guard against them using the methods available to us. Vulnerability scanners are one tool available for ensuring secure systems. However, scanners should not be the only weapon in the security arsenal. They should be used in addition to firewalls, intrusion detection tools, good security policies, and all the other defenses noted in this paper. Ideally, scanners should be used as a last defense to complement the security practices already in place. Just keep in mind that a good follow-up plan to correct any vulnerabilities found is just as important as detecting them (Cima, 2001).
References
Cert. (2004, April 13). Vulnerability Note VU#753212. Retrieved from Cert | Software Engineering Institute: http://www.kb.cert.org/vuls/id/753212
Drew, S. (2015, August 4). Vulnerability Assessments versus Penetration Tests. Retrieved from SecureWorks: http://www.secureworks.com/resources/blog/vulnerability-assessments-versus-penetration-tests/
Edwards, J. (2008, June 5). The Essential Guide to Vulnerability Scanning. Retrieved from IT Security: http://www.itsecurity.com/features/essential-guide-vulnerability-scanning-
Mitre. (2015). CVE-2008-4835. Retrieved from Mitre Common Vulnerabilities and Exposures: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4835
O'Reilly. (2002). Common Internet File System (CIFS) and Server Message Block (SMB). Retrieved from O'Reilly | Building Internet Firewalls: http://docstore.mik.ua/orelly/networking_2ndEd/fire/ch14_04.htm
Schmittling, R., & Munns, A. (2010). Performing a Security Risk Assessment. Retrieved from ISACA | Trust In, and value from, Information Systems: http://www.isaca.org/Journal/archives/2010/Volume-1/Pages/Performing-a-Security-Risk-Assessment1.aspx
SecurityFocus. (2009, January 27). Microsoft Windows SMB NT Trans2 Remote Code Execution Vulnerability. Retrieved from SecurityFocus: http://www.securityfocus.com/bid/33122
Sejati. (2015). Security Posture Assessment (SPA). Retrieved from Sejati | Your IT Partner of Choice: http://sejati2u.com.my/services/security/security-posture-assessment-spa/
The Government of the Hong Kong Special Administrative Region. (2008). An Overview of Vulnerability Scanners. The Government of the Hong Kong Special Administrative Region.