Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-04-26 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

LSASS exploit, SSL PCT exploits, port 559 (tcp) proxy hunter, Bagle.Z

Published: 2004-04-26
Last Updated: 2004-04-27 00:57:52 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
LSASS Exploit (MS04-011 / CAN-2003-0533)

An exploit targeting the recently released vulnerability in Windows' Active Directory service functions in LSASRV.DLL (LSASS: Local Security Authority Subsystem Service) was made public today.

The exploit is effective against some versions of Windows 2000 with SP3 or SP4
installed. The patch released earlier this month as part of MS04-011 will fix this vulnerability.

If you have not done so already, please apply the MS04-011 patch as soon as possible. Even if no worm is released, we expect that all Internet facing systems will be probed with this exploit over the next couple of days.

The exploit will allow full remote control via a remote shell. The port used by the remote shell can be changed via a command line option.

(update: we just received a report of the exploit being used in the wild.)

More SSL PCT exploits

We did receive more reports about exploits of systems using the IIS SSL PCT exploit (CAN-2003-0719, MS04-011). So far, it appears that the exploit is
only used against IIS servers. But the observations indicate that networks
are systematically scanned and vulnerable systems are exploited immediately,
indicating an automated tool.

The exploit will leave the following message in your windows event log:

" The security package Microsoft Unified Security Protocol Provider generated an exception. The package is now disabled. The exception information is the data. "

While a reboot of the system will restart IIS and permit access to the https site, it will not necessarily remove code uploaded by the attacker.

DShield data shows an increase in port 443 scanning, further supporting the widespread use of the SSL PCT exploit against IIS servers.
http://isc.sans.org/port_details.php?port=443
.
However, the number of observed sources for these scans is still small.

Port 559

Our sensors noted a significant increase in scans against port 559
http://isc.sans.org/port_details.php?port=559
.

Simple netcat honeypots on selected sensors revealed that these scans are searching for open proxy servers. At this point, we do not know if any of the recent viruses or trojans will open proxy servers on this port.

Bagle.Z

A new version of Bagle was released today, bringing Bagle up to version Z.

-----

Johannes Ullrich, jullrich_AT_sans.org

Keywords:
0 comment(s)
Diary Archives