Exploits Available For MS04-11 Vulns ? **PATCH NOW**

Published: 2004-04-15
Last Updated: 2004-04-16 02:58:47 UTC
by Tom Liston (Version: 1)
0 comment(s)
MS04-11 Exploits Released



Dave Aitel of Immunity Security has stated publicly that they have released working exploits of two vulnerabilities patched by MS04-011 to their CANVAS customers:



http://lists.immunitysec.com/pipermail/dailydave/2004-April/000500.html



The LSASS.EXE vulnerability can be exploited to run arbitrary code with ?system? privileges on vulnerable servers. eEye Digital Security has more details and also confirms the ability to run arbitrary code with ?system? privileges using this vulnerability:



http://www.eeye.com/html/Research/Advisories/AD20040413C.html



Immunity?s claim that they have a working ASN.1 exploit has not been directly confirmed, but we have several anonymous confirmations that working exploits exist.



IT IS IMPERATIVE THAT THE PATCHES PROVIDED BY MICROSOFT IN ITS APRIL SECURITY RELEASE BE APPLIED TO SYSTEMS AS SOON AS POSSIBLE. It is our belief that the likelihood of a worm being released SOON that exploits one of the vulnerabilities addressed by these patches is VERY HIGH.





OTHER INFORMATION



IIS SSL/TLS DoS : UPDATE #2

We have finally been able to reproduce the DoS against an IIS SSL/TLS server mentioned in yesterday's diary. The following is a VERY preliminary "version 1" snort signature that will log an attempted DoS by the exploit that we know is in the wild. It will survive only the most cursory alteration of the exploit, and better versions are in the works (watch your favorite snort signature site). Caveat Emptor, YMMV, Standard Disclaimers Apply, etc..., etc...



alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"IIS Malformed \

SSL DoS (MS04-011)"; content:"|14e9 667b 5823 a235 0fd4 317c aec6 8764 \

384e abaa|"; offset: 590; rawbytes;reference:cve,CAN-2004-0120; \

reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; \

sid:1040414; rev:1;)



IIS SSL/TLS DoS : UPDATE #3 (4/16/04 02:45 UTC)

A much better signature:



alert tcp any any -> $HOME_NET 443 (msg: "ssl_bomb DOS attempt"; \

content: "|1603|"; offset: 0; depth: 2; content: "|01|"; distance: 3; \

within: 1; byte_test: 4,>,2147483647,5,relative;flow: \

to_server,established; classtype:attempted-dos;)





NetSky.V

Various AV vendors are reporting on the latest NetSky variant, NetSky.V, which exploits vulnerabilities in the Outlook/Internet Explorer HTML rendering engine (MS03-032 and MS03-040) to launch itself without requiring the user to click on an attachment. The virus itself arrives as an email message with no attachment, and exploits the vulnerabilities to download and run malicious code.



http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.V

http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=46328

http://www.sophos.com/virusinfo/analyses/w32netskyv.html

http://vil.mcafee.com/dispVirus.asp?virus_k=101175

http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.v@mm.html

http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=38867

http://www.f-secure.com/v-descs/netsky_v.shtml





Thanks to: Erik Fichtner, Ed Skoudis, Mike Poor, and Joshua Wright

-----------------------------------------------------------------------

Handler on duty : Tom Liston - ( http://www.labreatechnologies.com )
Keywords:
0 comment(s)

Comments


Diary Archives