Possible MS05-027 Exploit?

  1. #1
    Member
    Join Date
    Dec 2003
    Posts
    97

    Possible MS05-027 Exploit?

    Saw this article on e-week. I suspect it's mostly FUD, but just so everyone's aware and keeping an eye out for suspicious activity.

    E-Week Article

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    Considering this was a privately found exploit by a company that I really couldn't see releasing the technical details, this seems pretty fast to have a live exploit already... then again... there's a lot of people out there with nothing better to do..

    The scary part is the fact that this is a pre-auth problem, so anyone can exploit it.

    I'd be more inclined to think that this was the result of the recent release of an exploit for MS05-011 which also targets SMB... It's quite possible that they're seeing the increase of traffic from this new toy and because of the recent announcement of MS05-027 it's being interpreted as an exploit for it..

    I guess only time will tell... but if it is live already, I'd appreciate any information anyone has on it.. There has been a thread regarding this exploit on GSO and the most popular opinion is that it'll be Worm time again... and I could see it happening, so when the exploit is released it'd be nice to have a bit of a heads up to start watching for the worm...

    Anyways... thanks for the article

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Considering this was a privately found exploit by a company that I really couldn't see releasing the technical details, this seems pretty fast to have a live exploit already... then again... there's a lot of people out there with nothing better to do..
    Actually the bigger problem is that while the company found the exploit they were probably not the first person to find it. The problem comes right there because the first, (few), people to find it probably used it - for a while - and didn't tell anyone.

    The "quiet" crackers have their "private" 0 days that they use at will and often for profit. Their biggest fear for their private 0 days is someone with ethics finding them and publicising them so that they are patched against. Once that happens some will publish for "props" in the community... Might as well get one last "gasp" out of their work I suppose....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    All you need is the patch itself. It provides a perfect roadmap to the vulnerable code, once the patch is out, exploits are right behind it.

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  5. #5
    Member
    Join Date
    Dec 2003
    Posts
    97
    According to the SANS Internet Storm Center, it looks like it's most likely an exploit for MS05-011, since that was released yesterday. Everyone should be patched against that (right?), so it's less of a concern than if it's -027.

  6. #6
    Except NT machines are potentially vulnerable (again).

    That particular exploit indicated that it was for Windows 2000 - it didn't mention XP. Since I guess most Windows 2000 clients are sitting behind corporate firewalls, then that would limit its use somewhat.

    Still.. keep auditing and patching, eh?

  7. #7
    Member
    Join Date
    Dec 2003
    Posts
    97
    Patching, as always.

    And how many times have we all been bitten by a small hole (such as VPN) in our corporate perimeter being used as an infection vector to compromise all of our unpatched PCs?

  8. #8
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Found this, thought it underscored my point perfectly.

    http://www.sabre-security.com/produc...ndiff_png.html


    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  9. #9
    Member
    Join Date
    Jun 2005
    Posts
    55

    Re: Possible MS05-027 Exploit?

    Originally posted here by Timmy77
    I suspect it's mostly FUD, but just so everyone's aware and keeping an eye out for suspicious activity.

    Hi,

    Pretty much is FUD! SMB is designed for sharing resources on a LAN and I can't think of any reason why you would want to open it up at the firewall. If you have left it open, you are already owned and should be spending time drawing up your CV rather than trying to block the gaping mousehole you have left in your system.

    Port scanning is just foo you have to deal with and if you have detected it increasing then whoever's smurfing you out doesn't know diddly from squat so you are probably ok. It's the ones you don't detect you have to worry about.
    No one can foresee the consequences of being clever.

  10. #10
    But even if you block SMB ports on the firewall (which I have to admit you would be STUPID not to do), all it takes is one user who gets his laptop 0wned while on the internet at home to bring it into the office and you are comprehensively stuffed.

    We are also seeing viruses now that drop an LSASS or DCOM worm behind the firewall after being delivered by email, so it's possible that any publicly available exploit could be delivered in that way.

    It's not just MS05-027 that is a risk (although it's the biggest risk) as there are a whole batch of holes announced so far this year that are worrying.
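The last two posts make two defensive points: SMB (TCP 139/445) should never be reachable from outside the perimeter, and even when it is blocked, a compromised laptop carried inside can start scanning SMB on the LAN. The script below is an added example, not code from this thread or from any of the posters. It runs two checks over a few constructed firewall connection-log lines in an assumed `<epoch> <src_ip> <dst_ip> <dst_port> <action>` format: it reports SMB connections that were allowed in from a non-RFC1918 source, and it reports any internal host that reaches a configurable number of distinct internal SMB peers inside a short time window, which is the worm-like fan-out the thread is worried about. The log format, addresses, window and threshold are all assumptions for the example.

```python
"""Added example (not from the thread): flag SMB perimeter exposure and
worm-like SMB fan-out in constructed firewall connection logs."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMB_PORTS = {139, 445}

# RFC1918 ranges only. ipaddress.is_private is deliberately NOT used: it also
# treats documentation ranges such as 203.0.113.0/24 as "private".
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed sample log (assumed format): "<epoch> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
1118700000 203.0.113.7 10.0.0.5 445 ALLOW
1118700001 198.51.100.9 10.0.0.5 139 DROP
1118700002 10.0.0.40 10.0.0.41 445 ALLOW
1118700003 10.0.0.21 10.0.0.22 445 ALLOW
1118700004 10.0.0.21 10.0.0.23 445 ALLOW
1118700005 10.0.0.21 10.0.0.24 445 ALLOW
1118700006 10.0.0.21 10.0.0.25 445 DROP
1118700007 10.0.0.21 10.0.0.26 445 DROP
1118700008 10.0.0.21 10.0.0.22 445 ALLOW
1118700009 10.0.0.21 10.0.0.27 139 ALLOW
1118700010 10.0.0.21 10.0.0.30 80 ALLOW
1118700100 10.0.0.21 10.0.0.28 445 ALLOW
"""


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(lines):
    """Yield (ts, src, dst, port, action) tuples, skipping blank lines."""
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        yield int(ts), src, dst, int(port), action


def external_smb_hits(lines):
    """Check 1: SMB connections from outside RFC1918 that the firewall ALLOWED.
    Any hit here means SMB is open at the perimeter."""
    hits = []
    for ts, src, dst, port, action in parse_log(lines):
        if port in SMB_PORTS and action == "ALLOW" \
                and not is_internal(src) and is_internal(dst):
            hits.append((ts, src, dst, port))
    return hits


def smb_fanout(lines, window=60, threshold=5):
    """Check 2: internal hosts that contact >= threshold distinct internal SMB
    peers within `window` seconds. DROPs are counted too: a scanning host does
    not care whether each probe succeeds. Returns {src: max_distinct_peers}."""
    by_src = defaultdict(list)
    for ts, src, dst, port, _action in parse_log(lines):
        if port in SMB_PORTS and is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        # Sliding window anchored on each event; count distinct peers in range.
        for i, (start_ts, start_dst) in enumerate(events):
            peers = {start_dst}
            for ts, dst in events[i + 1:]:
                if ts - start_ts > window:
                    break
                peers.add(dst)
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for hit in external_smb_hits(lines):
        print("SMB reachable from outside:", hit)
    for src, peers in smb_fanout(lines).items():
        print(f"SMB fan-out from {src}: {peers} distinct internal peers")
```

On the sample data the first check reports only the allowed 203.0.113.7 connection (the dropped one from 198.51.100.9 is scan noise, not exposure), and the second reports 10.0.0.21 reaching six distinct peers within the window; the repeat connection to 10.0.0.22, the port-80 line and the late connection outside the window do not inflate the count. Tune `window` and `threshold` to the normal amount of file-share traffic on your LAN before alerting on the result.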
