
MS04-011 EXPLOITS Published - Please quickly patch



#1 harrywaldron (Security Reporter)

Posted 15 April 2004 - 04:53 PM

This bulletin from the Internet Storm Center advises everyone to get patched quickly. Some of the patches have been reverse engineered into exploits and there is the potential for "Blaster-like" worms to emerge.

MS04-011 EXPLOITS Published - Please quickly patch up

http://www.incidents.org/diary.php?isc=216...4c736c2bd23ecec

Exploits Available For MS04-11 Vulns – **PATCH NOW**

MS04-11 Exploits Released

Dave Aitel of Immunity Security has stated publicly that they have released working exploits of two vulnerabilities patched by MS04-011 to their CANVAS customers:

http://lists.immunitysec.com/pipermail/dai...ril/000500.html

The LSASS.EXE vulnerability can be exploited to run arbitrary code with “system” privileges on vulnerable servers. eEye Digital Security has more details and also confirms the ability to run arbitrary code with “system” privileges using this vulnerability:

    http://www.eeye.com/html/Research/Advisori...D20040413C.html

Immunity’s claim that they have a working ASN.1 exploit has not been directly confirmed, but we have several anonymous confirmations that working exploits exist.

IT IS IMPERATIVE THAT THE PATCHES PROVIDED BY MICROSOFT IN ITS APRIL SECURITY RELEASE BE APPLIED TO SYSTEMS AS SOON AS POSSIBLE. It is our belief that the likelihood of a worm being released SOON that exploits one of the vulnerabilities addressed by these patches is VERY HIGH.





#2 harrywaldron (Security Reporter)

Posted 21 April 2004 - 08:55 AM

Exploit for Windows SSL Flaw Circulating
http://www.internetnews.com/dev-news/article.php/3343011

And here's yet another indication that something big might be coming (although I hope not) :thumbsup:

VeriSign said it's alerting customers that a big Internet worm may be coming, based on traffic anomalies and other data gleaned at its SOCs (Secure Operations Centers).

Engineers said they have noticed increased traffic on port 443 and port 1025, indicating possible attacks in the works. Also, there is evidence of two vulnerabilities being exploited, one involving SSL and the other RPC, and reports of a working exploit for the ASN.1 Windows vulnerability announced by Microsoft earlier this year, according to VeriSign.

"While we can never predict with true certainty the next big Slammer or Blaster, our statistical traffic modeling surrounding the past weeks traffic has all the telltale markers of a big worm coming," a spokesperson for VeriSign's managed security services said Friday.



#3 Grinler (Lawrence Abrams, Admin)

Posted 21 April 2004 - 09:14 AM

This could get ugly. I remember when the dcom/rpc exploit came out and how easy it was to use right before msblaster came out. Then discovered it on a friend's machine before any antivirus companies were even talking about it yet. Created an interesting topic on antinonline.com to say the least :thumbsup:

#4 harrywaldron (Security Reporter)

Posted 23 April 2004 - 08:38 AM

This link below offers some of the best information I've seen on the detailed vulnerabilities and their potential impacts on unpatched systems.

Trend Micro - In-depth Information on the vulnerabilities patched under MS04-011
http://www.trendmicro.com/vinfo/virusencyc...WINDOWS&VSect=T

This cumulative release from Microsoft covers the following newly discovered vulnerabilities:

  • LSASS Vulnerability
  • LDAP Vulnerability
  • PCT Vulnerability
  • Winlogon Vulnerability
  • Metafile Vulnerability
  • Help and Support Center Vulnerability
  • Utility Manager Vulnerability
  • Windows Management Vulnerability
  • Local Descriptor Table Vulnerability
  • H.323 Vulnerability
  • Virtual DOS Machine Vulnerability
  • Negotiate SSP Vulnerability
  • SSL Vulnerability
  • ASN.1 “Double-Free” Vulnerability

Refer to the Technical Details section for details on these vulnerabilities.


The vulnerabilities covered under this release affect the following software:

  • Microsoft Windows NT® Workstation 4.0 Service Pack 6a
  • Microsoft Windows NT Server 4.0 Service Pack 6a
  • Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
  • Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP, Microsoft Windows XP Service Pack 1
  • Microsoft Windows XP 64-Bit Edition Service Pack 1
  • Microsoft Windows XP 64-Bit Edition Version 2003
  • Microsoft Windows Server™ 2003
  • Microsoft Windows Server 2003 64-Bit Edition
  • Microsoft NetMeeting
  • Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), Microsoft Windows Millennium Edition


The patch released for these vulnerabilities covers highly critical security holes. It should be applied immediately. Access the patch and additional information in the following Microsoft page:

http://www.microsoft.com/technet/security/...n/ms04-011.mspx

#5 harrywaldron (Security Reporter)

Posted 23 April 2004 - 08:46 AM

Special warning on MS04-011 From Microsoft:

- Microsoft is aware of code available on the Internet that seeks to exploit vulnerabilities addressed as part of our April 13th security updates. We are investigating the situation to help protect our customers. Specifically, the reports detail exploit code that attempts to use the IIS PCT/SSL vulnerability on servers running Internet Information Services with the Secure Socket Layer authentication enabled. This vulnerability is addressed by bulletin MS04-011.
Customers who have deployed MS04-011 are not at risk from this exploit code.

- Microsoft considers these reports credible and serious and continues to urge all customers to immediately install the MS04-011 update as well as the other critical updates provided on April 13th.

- Customers who are still evaluating and testing MS04-011 should immediately implement the workaround steps detailed for the PCT/SSL vulnerability detailed in the MS04-011. In addition, Microsoft has published a knowledge base article KB187498 at

http://support.microsoft.com/default.aspx?...kb;en-us;187498

which provides additional details on SSL and how to disable PCT without applying MS04-011.

- We expect to see additional exploits and proof-of-concept code targeting the April 2004 security bulletin release in coming days and weeks, potentially including worm or virus examples.

If you have any questions regarding the security updates or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.





