I think we have enough info now to check into this on our end. I have filed bug 741 to track this.
I consider this to be serious enough to release a patch... stay tuned.
The workaround is to disable the option to copy modified files.
Thanks to asm and Matthias for raising this and helping to track it down.
Christian
2008/9/24 asm <[EMAIL PROTECTED]>
Hi, Christian,
If I enable both capture-network-packets and collect-modified-files and only set google in the url.txt, then both server and client are OK; the client won't crash.
But if I add a malicious URL in url.txt which will download muma.exe, then both server and client will crash when it uploads muma.exe to the server.
The details are attached.
url.txt
#several urls. as shown below, one can specify a client application identifier (iexplore) as well as overwrite the default visitation time for the url
http://10.0.35.14/ms06-014.htm
http://www.google.cn
------------------------------------------------------------------------
asm
2008-09-24
------------------------------------------------------------------------
From: Christian Seifert
Sent: 2008-09-24 16:13:29
To: General discussion list for Capture-HPC users
Cc:
Subject: Re: Re: Re: [Capture-HPC] No Malicious Sites
What if you have all set to true?
2008/9/24 asm <[EMAIL PROTECTED]>
Hi, Christian,
I've enabled network capture and disabled file copy; the client runs stably and the *.pcap files are uploaded to the capture server. The capture.log printed in the cmd window is very clear and successful.
So it seems that the communication between client and server is OK, but collect-modified-files is vulnerable?
config:
collect-modified-files="false"
capture-network-packets-malicious="true"
capture-network-packets-benign="true"
Thanks & Regards,
Asm
------------------------------------------------------------------------
asm
2008-09-24
------------------------------------------------------------------------
From: Christian Seifert
Sent: 2008-09-24 14:32:04
To: General discussion list for Capture-HPC users
Cc:
Subject: Re: Re: [Capture-HPC] No Malicious Sites
Could you enable network capture and disable file copy? Does it crash then?
On Wed, Sep 24, 2008 at 4:27 AM, asm <[EMAIL PROTECTED]> wrote:
Hi, Christian,
Running "7za a -tzip test.zip .\logs" in the cmd line is successful.
All of my past experiments didn't enable network capture.
Besides, you're always warmhearted and helpful.
Thanks again.
Thanks & Regards,
Asm
------------------------------------------------------------------------
asm
2008-09-24
------------------------------------------------------------------------
From: Christian Seifert
Sent: 2008-09-23 23:19:04
To: General discussion list for Capture-HPC users
Cc:
Subject: Re: [Capture-HPC] No Malicious Sites
asm, can you try the same and see whether this will "solve" your problem?
Matthias, the difference between running Capture with the server and just running the client exe with option -c is the zipping of the logs dir. I am wondering whether the 7z.exe is causing your trouble. Can you try running it on the client manually to zip up the log dir?
Also, what happens if you enable network capture and copying of client files on the server. Crash?
Thanks for helping me to track this issue down remotely.
Once I have a repro case on my end I will investigate on
my end and release a patch....
Christian
On Tue, Sep 23, 2008 at 5:12 PM, Matthias Luft <[EMAIL PROTECTED]> wrote:
no crash :))
Christian Seifert wrote:
can you disable the copy modified file option in
your config.xml and let me know if it crashes?
On Tue, Sep 23, 2008 at 3:40 PM, Matthias Luft <[EMAIL PROTECTED]> wrote:
Hi,
Christian Seifert wrote:
Getting closer. ...
sounds so ;-)
Can you
1. execute on the client 'CaptureClient.exe -c',
2. copy a file manually from a to b using your windows explorer,
3. on the capture client window, press q and then enter
crash or no crash?
no crash, logfile attached.
Also, have you tried out installing winpcap and 2005 c++ sp1 redist libs?
Aye, I installed both, but it still crashes.
Also, one more question: What exact version of CaptureClient are you using?
It's 251-384 for both capture-server and capture-client.
Thanks & Regards,
Matthias
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator>cd \
C:\>cd "Program Files"
C:\Program Files>cd Capture
C:\Program Files\Capture>CaptureClient.exe -c
PROJECT: Capture-HPC
VERSION: 2.5
DATE: August 6, 2008
COPYRIGHT HOLDER: Victoria University of
Wellington, NZ
AUTHORS:
Christian Seifert ([EMAIL PROTECTED])
Ramon Steenson ([EMAIL PROTECTED])
Capture-HPC is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License, V2 as published by
the Free Software Foundation.
Capture-HPC is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with Capture-HPC; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
Option: Collecting modified files
Starting Capture Client 2.5
hereLoaded plugin:
Application_ClientConfigManager.dll
inserted: added application: acrobatreader
inserted: added application: firefox
inserted: added application: opera
inserted: added application: word
inserted: added application: oowriter
Loaded plugin: Application_InternetExplorer.dll
inserted: added application: iexplore
Loaded plugin: Application_InternetExplorerBulk.dll
inserted: added application: iexplorebulk
Loaded plugin: Application_Safari.dll
inserted: added application: safari
Driver already loaded: CaptureProcessMonitor
Driver already loaded: CaptureRegistryMonitor
Loaded filter driver: CaptureFileMonitor
---------------------------------------------------------
Start capturing modified files ...
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Internet Explorer\Toolbar\Locked
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383}
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Internet Explorer\Toolbar\Explorer\ITBarLayout
process: created 4294967295 UNKNOWN -> C:\WINDOWS\explorer.exe 1708
file: Write 1284 C:\WINDOWS\explorer.exe -> -1 C:\Program Files\Capture\Copy of COPYING
q
Copying monitored files
Copying file: C:\Program Files\Capture\Copy of COPYING
... done
Resetting hStopEventResetting hStopEventResetting hStopEvent
C:\Program Files\Capture>
_______________________________________________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc
--
----
Web: http://www.mcs.vuw.ac.nz/~cseifert
PGP key: http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
------------------------------------------------------------------------
------------------------------------------------------------------------
(client.JPG)
------------------------------------------------------------------------
(server.JPG)