This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sarm_Chanatip
Collaborator
‎2020-04-09 12:56 AM

IPS Prevent with wrong signature

Hi Guys,

 

I had a chance to test IPS functional with detecting or preventing in R80.30 version, so my experiment is to use the Metasploit tool in kali with Exploit Eternalblue.

 

After exploited successfully, found that the security gateway was able to block some malicious code with IPS module but the signature is being shown on the screenshot below is MS10-012 ( Microsoft SMB server race condition denial of service)

cp-1.png

 

 

Actually it should be prevented with MS17-010 (SMB Remote Code Execution) 

cp-2.png

 

Does anyone here explain to me regarding this behavior?

 

Thank you in advance.

 

Regards,

Sarm

0 Kudos
3 Replies
Sarm_Chanatip
Collaborator
‎2020-04-10 12:49 AM

Does anyone know?
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2020-04-10 05:02 AM

First off, the firewall blocked it correctly so it doesn't really matter which IPS signature got matched. 

But to answer your question if I am reading the CVEs correctly, MS10-012 (Microsoft SMB server race condition denial of service- CVE-2010-0021) was the ability to corrupt and crash the system (DoS) through a vulnerability in the SMB v1 server and was revealed in 2010.  MS17-010 (SMB Remote Code Execution - CVE-2017-0143) appears to be very similar in that it is the weaponization of that earlier vulnerability in 2017 that can execute arbitrary code via SMB v1, instead of just cause a DoS.  So to me it looks like the same vulnerability with just different outcomes (DoS in 2010 vs. running arbitrary code in 2017).  In that case it would make sense that the 2010 IPS signature would get triggered, even though your kit was attempting the 2017 code exploit as they are basically the same thing, just different outcomes.  I don't think your exploit got far enough to inject the arbitrary code before the 2010 IPS signature was triggered and stopped it.

Check out this other CheckMates thread which is very similar to your situation:

IPS signature does not match with attack type

 

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
0 Kudos
Sarm_Chanatip
Collaborator
‎2020-04-17 07:48 AM
In response to Timothy_Hall

Hi Timthy_Hall

Thank you for sharing.

I appreciate your comment.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top