|
-
August 12th, 2005, 02:46 PM
#1
MS05-039 Exploit Code in The Wild
That didn't take long...
2 to 1 that we have a worm by next week.
Read on.
Alert: Exploits for Plug and Play Vulnerability Released
eEye Digital Security is alerting administrators to the existence of exploit code for the recently added Plug and Play Service vulnerability, which Microsoft patched this week as part of the August Security Update (security bulletin MS05-039). Specific information on this particular vulnerability can be found towards the end of this announcement. As a service to the network security community eEye has released a scanning utility, free of charge, which will identify vulnerable systems and provide remediation instructions. This tool can be downloaded immediately at:
http://www.eeye.com/html/resources/d...its/index.html
About the Exploit
Today, several instances of exploit code targeting the vulnerability discussed in MS05-039 were released to the world. The eEye Research Team, upon discovering two instances of exploit code online, conducted thorough testing to confirm that both present a legitimate threat to Windows 2000 systems (completely patched SP 4 with all hotfixes). One exploit, released by an anonymous author, will bind a command prompt to TCP port 8721.
eEye reiterates our original position that users should consider this patch highly critical, and that it should be installed as soon as possible. For networks with multiple versions of Windows operating systems, eEye recommends allocating resources to remediate systems in this order:
Windows 2000 (All Service Packs)
Windows NT
Windows XP
Windows 2003
As a refresher, the vulnerability is an unchecked buffer in the Plug and Play service that can be exploited as a privilege escalation or to run remote code as SYSTEM. Users running Windows 2000 are vulnerable to a potential worm attack that would take advantage of this flaw. The Microsoft patch updates the Plug and Play service code to validate the length of a message before it passes it to the allocated buffer.
MS05-039
Vulnerability in Plug and Play Could Allow Remote code Execution and Elevation of Privilege (899588)
Microsoft Severity Rating: Critical
http://www.microsoft.com/technet/sec.../MS05-039.mspx
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
August 12th, 2005, 10:34 PM
#2
A new similar dcom exploit ? 
Exploit worked/tested on my own server : Windows 2000(patched),XP(SP2),Windows 2003 Enterprise Server(SP1).
I think for some people/kiddies.. they already scanning vurlnerable server
Not an image or image does not exist!
Not an image or image does not exist!
-
August 13th, 2005, 12:13 AM
#3
Hi thehorse_13,
I'm patched...but...if I wanted to check to see if I'm vunerable ( curiousity sake ) which of these ' tools ' would I use for my home computer ?
Eg 
-
August 13th, 2005, 12:17 AM
#4
Ahhhhhhhhhhhhh dcom
Direct, compromisation, owning, method
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
August 13th, 2005, 05:20 AM
#5
Originally posted here by Egaladeist
Hi thehorse_13,
I'm patched...but...if I wanted to check to see if I'm vunerable ( curiousity sake ) which of these ' tools ' would I use for my home computer ?
Eg
TH looks like he's off-line so ill jump on and say....its the first one, on the top of the page (for ms05-039). i just compiled the exploit in mdk if you have any use for the binary
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
August 13th, 2005, 06:38 AM
#6
Hi Tedob1,
Thanks ! I wasn't sure as they all seemed to be for multiple set-ups.
i just compiled the exploit in mdk if you have any use for the binary
My old-tech mind deciphers that as : you got the little bu@@er trapped, and would I like to see it for testing or curiousity ( close? ).
Well...I'm not that curious ...and I wouldn't have the foggiest what to do with it anyways...so...I'll leave that up to you and other much more proficient computer professionals...this old man has a long way to go before he starts tackling that sort of thing...but I do appreciate the offer.
Eg
-
August 13th, 2005, 07:30 AM
#7
I think some of ISP's already block port 445 (from the last worm), maybe is hard to find vurnerable IP's (maybe some kiddies got lucky) or dumb admin open that port and I just tried that exploit on my own vmware server...cause..I am to "chicken" to try it on someone else server 
Not an image or image does not exist!
Not an image or image does not exist!
-
August 13th, 2005, 10:45 AM
#8
Disabling port 445 permanently
goto to registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
set the TransportBindName string value to nothing
-
August 15th, 2005, 01:15 AM
#9
What did I tell ya. What did that take? 4 days?
Zotob
http://isc.sans.org/diary.php?date=2005-08-14
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote