August 27th, 2002, 05:32 PM
#1
Exploit available for ms02-045
For those on the ntbugtraq mailing list, you should have gotten this earlier. If you are not on that list, here is a copy of the message. I am not taking credit for this, just posting it here.
Make sure you install the appropriate hotfix if you have not already done so. I broke the link to the script so that the totally clueless cannot download it. If you are intelligent, you can easily notice how it was broken.
Kevin Gennuso <[email protected]>
Sent by: Windows NTBugtraq Mailing List <[email protected]>
08/27/2002 10:01 AM
Please respond to Windows NTBugtraq Mailing List
To: [email protected]
cc:
Subject: MS02-045 exploit is out
Hi all,
I haven't seen much noise on this list about MS02-045 (Unchecked Buffer in
Network Share Provider Can Lead to Denial of Service (Q326830)), but the
implications are very nasty. Any unpatched WinNT/2K/XP or .NET machine on
your network that's listening on port 139 and/or 445 can be crashed in
about two seconds with a malformed SMB packet. I highly disagreed with
Microsoft's assessment that this was only a "moderate" threat level to
intranet and desktop systems because the exploit is so easy to perform.
It was bad enough in theory, but now a script-tot friendly GUI version of
the exploit has been posted on PacketStorm, and it works against all of
the above. You can try for yourself at
http://packetstorm.decepticons/0208-exploits/SMBdie.zip
We worked through the weekend to get a large percentage of our boxen
patched - you may have to do the same.
The old "WinNuke" from the evil days of Win95 is back.
Thanks for listening,
Kevin
-
August 27th, 2002, 06:21 PM
#2
-
August 27th, 2002, 07:51 PM
#3
If you run net bios you might as well set up a big sign that says "hack me".
It's not software piracy. I'm just making multiple off-site backups.
-
August 27th, 2002, 10:04 PM
#4
Very nice post. All you need to do is stop sharing the IPC$ folder and the exploit will not work.
-
August 28th, 2002, 03:24 PM
#5
Very good to know! I had not heard about it before your post! Very interesting, kind of a big security issue.
XP boxes with the latest patches and SP are not vulnerable! But the rest of them... watch out!
Originally posted here by CXGJarrod
Very nice post. All you need to do is stop sharing the IPC$ folder and the exploit will not work.
You're right about this CXGJarrod, but the IPC$ can be very useful for the network administrator.
I've tried the exploit on my computer and noticed that you can keep your IPC$ share active and still not be vulnerable if you disable the Anonymous logon. You can restrict this by giving a value of 2 to the registry key that follows:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
"restrictanonymous" = "2"
My advice to you all: make sure all your servers and PCs have the anonymous login disabled!
Thanks for the great post mohaughn
-
August 28th, 2002, 03:49 PM
#6
DBEAUCHAMP: The registry edit did not work for me on Win2k Advanced Server.
-
August 28th, 2002, 04:12 PM
#7
Originally posted here by CXGJarrod
DBEAUCHAMP: The registry edit did not work for me on Win2k Advanced Server.
Have you rebooted your server or refreshed the security policies on your computer before doing it? I found that, before being secured on this, I had to reboot the server after the registry change.
-
August 28th, 2002, 04:14 PM
#8
DBEAUCHAMP: You were right, after reboot the registry edit worked.
Thanks.
-
August 28th, 2002, 04:33 PM
#9
Originally posted here by CXGJarrod
DBEAUCHAMP: You were right, after reboot the registry edit worked.
Thanks.
I'm glad it did !
One thing though, IPC$ is used by Domain Controllers to synchronize with other controllers and all kinds of stuff. Also, if I'm correctly informed, the Anonymous login is also used by computers to see the shares of a computer, the printers shared, etc.
So disabling either one of them could affect the normal processes of our servers. We could easily disable anonymous on workstations, but on servers? I'm not sure yet!
Also, I don't exactly know how the SMBdie.exe file was created. I imagine that it does an anonymous logon to the IPC$ share and then sends the malicious SMB packet. So if we disable the anonymous login we can block it.
But what if a malicious hacker created the same kind of .EXE that first tried to use the current user's token and used anonymous only if that didn't work, what then? Anyway, users that are authorized to connect to the server could still crash it using their credentials instead of the anonymous ones!
So the only real way to stop it is disabling the IPC$!
Does anyone know a better way to kill this?
Again, this is a very great post! Thanks for the info mohaughn!
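Added here as a worked example, not code from the thread, from Microsoft or from the SMBdie author: a PowerShell audit for the two mitigations debated in posts #5 and #9 (RestrictAnonymous = 2 versus removing IPC$), together with the registry change from post #5. It assumes a modern PowerShell (5.1 or later) run elevated, with the SmbShare and NetTCPIP modules that ship with Windows 8 / Server 2012 and later; the NT/2K/XP hosts the thread discusses predate these cmdlets. The function names Get-SmbAnonymousExposure and Set-RestrictAnonymous are my own. The verdict logic (value 2 blocks the anonymous IPC$ session) reflects only what the thread reports for Win2K; on XP and later Microsoft split that behaviour into separate settings, so treat the output as a first check, not proof.

```powershell
# Added example, not part of the original thread. Run in an elevated PowerShell.
# Assumes the SmbShare and NetTCPIP modules (Windows 8 / Server 2012 and later).

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-SmbAnonymousExposure {
    # Read RestrictAnonymous; a missing value behaves like 0 (no restriction).
    $lsa = Get-ItemProperty -Path $LsaKey -ErrorAction Stop
    $restrict = if ($null -ne $lsa.RestrictAnonymous) { [int]$lsa.RestrictAnonymous } else { 0 }

    # Is the IPC$ administrative share present? (Post #4's alternative fix is to remove it.)
    # Single quotes keep PowerShell from expanding "$" in the share name.
    $ipc = Get-SmbShare -Name 'IPC$' -ErrorAction SilentlyContinue

    # Is anything listening on the SMB ports named in the advisory (139 and/or 445)?
    $listen = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 139, 445 } |
        Select-Object -ExpandProperty LocalPort -Unique)

    [pscustomobject]@{
        RestrictAnonymous     = $restrict
        IpcSharePresent       = [bool]$ipc
        SmbPortsListening     = $listen
        # Reachable by an anonymous IPC$ session only when SMB is listening, IPC$ exists
        # and anonymous access is not fully restricted (the thread reports that value 2
        # stopped SMBdie on Win2K; that is the only basis for the "-lt 2" test here).
        AnonymousIpcReachable = ([bool]$ipc -and $listen.Count -gt 0 -and $restrict -lt 2)
    }
}

function Set-RestrictAnonymous {
    param([ValidateSet(0, 1, 2)][int]$Value = 2)
    # The registry change from post #5. Posts #7 and #8 found it only took effect after a reboot.
    Set-ItemProperty -Path $LsaKey -Name 'RestrictAnonymous' -Value $Value -Type DWord
    Write-Warning "RestrictAnonymous set to $Value; reboot for the change to take effect."
}

# Usage: audit first, then apply the restriction and re-audit after the reboot.
Get-SmbAnonymousExposure | Format-List
# Set-RestrictAnonymous -Value 2
```

Post #9's caveat still stands after this change: RestrictAnonymous only shuts the anonymous door, so an authenticated user who can reach IPC$ is not covered by it, and on domain controllers the value-2 setting can interfere with the browsing and replication traffic the post mentions. The hotfix from the advisory is the fix; this script only shows how exposed a host is until it is applied.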