Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-04-15 InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Exploits Available For MS04-11 Vulns ? **PATCH NOW**

Published: 2004-04-15
Last Updated: 2004-04-16 02:58:47 UTC
by Tom Liston (Version: 1)
0 comment(s)
MS04-11 Exploits Released

Dave Aitel of Immunity Security has stated publicly that they have released working exploits of two vulnerabilities patched by MS04-011 to their CANVAS customers:

The LSASS.EXE vulnerability can be exploited to run arbitrary code with ?system? privileges on vulnerable servers. eEye Digital Security has more details and also confirms the ability to run arbitrary code with ?system? privileges using this vulnerability:

Immunity?s claim that they have a working ASN.1 exploit has not been directly confirmed, but we have several anonymous confirmations that working exploits exist.

IT IS IMPERATIVE THAT THE PATCHES PROVIDED BY MICROSOFT IN ITS APRIL SECURITY RELEASE BE APPLIED TO SYSTEMS AS SOON AS POSSIBLE. It is our belief that the likelihood of a worm being released SOON that exploits one of the vulnerabilities addressed by these patches is VERY HIGH.



We have finally been able to reproduce the DoS against an IIS SSL/TLS server mentioned in yesterday's diary. The following is a VERY preliminary "version 1" snort signature that will log an attempted DoS by the exploit that we know is in the wild. It will survive only the most cursory alteration of the exploit, and better versions are in the works (watch your favorite snort signature site). Caveat Emptor, YMMV, Standard Disclaimers Apply, etc..., etc...

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"IIS Malformed \

SSL DoS (MS04-011)"; content:"|14e9 667b 5823 a235 0fd4 317c aec6 8764 \

384e abaa|"; offset: 590; rawbytes;reference:cve,CAN-2004-0120; \

reference:url,; \

sid:1040414; rev:1;)

IIS SSL/TLS DoS : UPDATE #3 (4/16/04 02:45 UTC)

A much better signature:

alert tcp any any -> $HOME_NET 443 (msg: "ssl_bomb DOS attempt"; \

content: "|1603|"; offset: 0; depth: 2; content: "|01|"; distance: 3; \

within: 1; byte_test: 4,>,2147483647,5,relative;flow: \

to_server,established; classtype:attempted-dos;)


Various AV vendors are reporting on the latest NetSky variant, NetSky.V, which exploits vulnerabilities in the Outlook/Internet Explorer HTML rendering engine (MS03-032 and MS03-040) to launch itself without requiring the user to click on an attachment. The virus itself arrives as an email message with no attachment, and exploits the vulnerabilities to download and run malicious code.

Thanks to: Erik Fichtner, Ed Skoudis, Mike Poor, and Joshua Wright


Handler on duty : Tom Liston - ( )
0 comment(s)
Diary Archives