MS04-22 Exploits

Printable View

August 2nd, 2004, 09:53 AM
dynamoo

MS04-22 Exploits

The ISC is reporting that there's some exploit code available for MS04-22. But I have to admit that I'm still scratching my head on understanding the nature of this security vulnerability.

I've re-read the MS bulletin several times and despite warnings of "remote code execution" it seems to me that the only way of infecting a machine is to send a specially crafted .JOB file to the target PC, presumably via email or some other mechanism. In which case, surely the exploit for this is basically a standard email-based virus rather than a Sasser/Blaster-like worm?

And if the only way to infect a machine is to send a .JOB file through email, then surely a quick and easy defense is to block .JOB files on your mail system? Yes, I know you should patch systems with the relevant KB841873 update but like a lot of real-world organisations it's hard to get 100% of systems patched and secured.

So am I misunderstanding the potential attack vector for MS04-22, or is it really not as bad as some of the reports suggest?

Incidentally, Foundstone have a scanner for this vulnerability here .
August 2nd, 2004, 10:22 AM
SirDice

Don't forget you can also "remotely" exploit machines by placing a .job file on a fileshare and enticing an admin to open that directory.

Note: Yeah, 1000 posts :D
August 2nd, 2004, 10:45 AM
dynamoo

Just by viewing the directory?
August 2nd, 2004, 10:51 AM
SirDice

Quote:

In some circumstances the overflow is triggered automatically when viewing the directory that contains the job file in an explorer window due to the fact that 'shell32.dll' will detect the '.job' file extension, and load 'mstask.dll' allowing the module to examine the file, which is when the overflow occurs.

From http://www.nextgenss.com/advisories/mstaskjob.txt
August 2nd, 2004, 12:12 PM
dynamoo

OK.. yes, I can see that would be a problem.

So, a possible attack mechanism would be to use a standard mass-mailing virus with a .JOB exploit dropper that could then replicate through shares (e.g. on a corporate network).

I guess it's not quite script kiddie stuff though, but using a virus to drop another application/trojan on the victim's PC is fairly common.

Added: congrats on 1000 posts btw :)
August 2nd, 2004, 12:29 PM
SirDice

This one's a bit more dangerous though as you don't need to start anything, just viewing the directory can be enough to get you infected.