Exploit available for ms02-045

  1. #1 Senior Member | Join Date: Oct 2001 | Posts: 748

    Exploit available for ms02-045

    For those on the ntbugtraq mailing list, you should have gotten this earlier. If you are not on that list, here is a copy of the message. I am not taking credit for this, just posting it here.

    Make sure you install the appropriate hotfix if you have not already done so. I broke the link to the script so that the totally clueless cannot download it. If you are intelligent, you can easily notice how it was broken.



    Kevin Gennuso <goosey@ICUBED.COM>
    Sent by: Windows NTBugtraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>

    08/27/2002 10:01 AM
    Please respond to Windows NTBugtraq Mailing List

    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    cc:
    Subject: MS02-045 exploit is out




    Hi all,

    I haven't seen much noise on this list about MS02-045 (Unchecked Buffer in
    Network Share Provider Can Lead to Denial of Service (Q326830)), but the
    implications are very nasty. Any unpatched WinNT/2K/XP or .NET machine on
    your network that's listening on port 139 and/or 445 can be crashed in
    about two seconds with a malformed SMB packet. I highly disagreed with
    Microsoft's assessment that this was only a "moderate" threat level to
    intranet and desktop systems because the exploit is so easy to perform.

    It was bad enough in theory, but now a script-tot friendly GUI version of
    the exploit has been posted on PacketStorm, and it works against all of
    the above. You can try for yourself at
    http://packetstorm.decepticons/0208-exploits/SMBdie.zip

    We worked through the weekend to get a large percentage of our boxen
    patched - you may have to do the same.

    The old "WinNuke" from the evil days of Win95 is back.

    Thanks for listening,

    Kevin

  2. #2 Member | Join Date: Jul 2002 | Posts: 49
    Wow, another WinNuke.

  3. #3 cwk9 (Senior Member) | Join Date: Feb 2002 | Posts: 1,211
    If you run NetBIOS you might as well set up a big sign that says "hack me".
    It's not software piracy. I'm just making multiple off-site backups.

  4. #4 CXGJarrod (AO Decepticon) | Join Date: Jul 2002 | Posts: 2,038
    Very nice post. All you need to do is stop sharing the IPC$ folder and the exploit will not work.

  5. #5 Member | Join Date: Apr 2002 | Posts: 45
    Very good to know! I had not heard about it before your post! Very interesting, kind of a big security issue.

    XP boxes with the latest patches and SP are not vulnerable! But the rest of them... watch out!

    Originally posted here by CXGJarrod
    Very nice post. All you need to do is stop sharing the IPC$ folder and the exploit will not work.
    You're right about this CXGJarrod, but the IPC$ share can be very useful for the network administrator.

    I've tried the exploit on my computer and noticed that you can keep your IPC$ share active and still not be vulnerable if you disable the Anonymous logon. You can restrict this by setting the following registry value to 2:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RestrictAnonymous (REG_DWORD) = 2


    My advice to you all: make sure all your servers and PCs have the anonymous login disabled!

    Tks for the great post mohaughn

  6. #6 CXGJarrod (AO Decepticon) | Join Date: Jul 2002 | Posts: 2,038
    DBEAUCHAMP: The registry edit did not work for me on Win2k Advanced Server.

  7. #7 Member | Join Date: Apr 2002 | Posts: 45
    Originally posted here by CXGJarrod
    DBEAUCHAMP: The registry edit did not work for me on Win2k Advanced Server.
    Have you rebooted your server or refreshed the security policies on your computer before doing it? I've experienced that, before being secured on this, I had to reboot the server after the registry change.

  8. #8 CXGJarrod (AO Decepticon) | Join Date: Jul 2002 | Posts: 2,038
    DBEAUCHAMP: You were right, after reboot the registry edit worked.

    Thanks.

  9. #9 Member | Join Date: Apr 2002 | Posts: 45
    Originally posted here by CXGJarrod
    DBEAUCHAMP: You were right, after reboot the registry edit worked.

    Thanks.
    I'm glad it did!

    One thing though, IPC$ is used by Domain Controllers to synchronize with other controllers and all kinds of stuff. Also, if I'm correctly informed, the Anonymous login is also used by computers to see the shares of a computer, the printers shared, etc...

    So disabling either one of them could affect the normal operation of our servers. We could easily disable the anonymous login on computers, but on servers? I'm not sure yet!

    Also, I don't exactly know how the SMBdie.exe file was created. I imagine that it does an anonymous logon to the IPC$ share and then sends the malicious SMB packet. So if we disable the anonymous login we can block it.

    But what if a malicious hacker created the same kind of .EXE that would first try to use the current user's token and use the anonymous logon only if that didn't work, what then? Anyway, users that are authorized to connect to the server could still crash it using their own credentials instead of the anonymous ones!

    So the only real way to stop it is disabling the IPC$ share!

    Does anyone know a better way to kill this ?

    Again, this is a very great post! Tks for the info mohaughn!
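    The two exposure factors the thread keeps coming back to are SMB reachable on 139/445 and RestrictAnonymous still below 2 (posts #5, #7 and #9). The following audit script is an added example and not something any poster in the thread wrote; it assumes the Remote Registry service and admin rights on each target, and the hostnames in it are constructed placeholders.

```powershell
# Added example (not from the thread): report, per host, whether SMB answers on
# 139/445 and what HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous
# holds. Assumes Remote Registry is running and we have admin rights on targets.
function Get-SmbAnonymousExposure {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($h in $ComputerName) {
        # Which of the NetBIOS / direct-hosted SMB ports answer from here
        $open = foreach ($p in 139, 445) {
            if (Test-NetConnection -ComputerName $h -Port $p -InformationLevel Quiet `
                                   -WarningAction SilentlyContinue) { $p }
        }

        # Read the stored RestrictAnonymous value remotely. Note (post #7/#8):
        # on Win2k the stored value only takes effect after a reboot, so this
        # shows what is configured, not necessarily what is enforced right now.
        $ra = $null
        try {
            $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $h)
            $lsa  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
            $ra   = $lsa.GetValue('RestrictAnonymous', 0)   # missing value == 0 == unrestricted
        } catch { $ra = 'unreadable' }

        # Verdict: RestrictAnonymous=2 only closes the anonymous-IPC$ path; an
        # authenticated user can still send the packet (post #9), so a reachable
        # host is at best "mitigated" until the MS02-045 hotfix is installed.
        $verdict = if (-not $open)                 { 'not reachable on 139/445' }
                   elseif ($ra -eq 'unreadable')   { 'SMB reachable; could not read Lsa key' }
                   elseif ($ra -ge 2)              { 'SMB reachable; anonymous restricted (still needs hotfix)' }
                   else                            { 'EXPOSED: SMB reachable and anonymous access allowed' }

        [pscustomobject]@{
            Computer          = $h
            OpenSmbPorts      = ($open -join ',')
            RestrictAnonymous = $ra
            Verdict           = $verdict
        }
    }
}

# Constructed host list; replace with your own inventory.
Get-SmbAnonymousExposure -ComputerName 'dc01.example.test', 'fileserver.example.test' |
    Format-Table -AutoSize
```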
