
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-10-14



Possible Patch Problems

Published: 2005-10-15
Last Updated: 2005-10-15 12:26:47 UTC
by Lorna Hutcheson (Version: 2)
We have had a report of problems with MS05-051.  Here is what we have received.  If anyone else is experiencing problems, please let us know.

UPDATE:  See http://www.microsoft.com/technet/security/advisory/909444.mspx for Microsoft's discussion of this.  (ms, 1225UTC)

A number of people have reported weird problems with one of the MS patches released yesterday, specifically MS05-051 Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400).

Symptoms include, but are not limited to:

- Inability to visit Windows Update
- Inability to use the Search tool off the Start Menu
- blank screen (no icons) upon login
- Symantec LiveUpdate stops working
- SpySweeper stops working
- problems with Office apps
- VirtualPC becomes extremely sluggish

Lee said he had spoken to a Microsoft engineer about this.  From what he could tell:

"this issue is only affecting people with very specific NTFS permissions. If the C:\Winnt\Registration folder is locked down and cannot be written to by COM+ you will have errors similar to those listed in your alert. All of those tasks use COM+ in one way or another."

Another perspective from Microsoft:

Update: This URL is now live.
'The solution will be available at http://support.microsoft.com/?id=909444,
and will be linked to from the MS05-051 bulletin - hopefully within the
hour.  Feel free to communicate the cacls solution to anyone you come across
until then. This is not a "known issue" or "problem" with the patch, but a
"complexity with the increased security provided by the patch when running
on systems where settings have been incorrectly changed from the default
settings".'

Uninstalling patch 902400 seems to do the trick for most folks.  You may need to check the "Show Updates" box under Add/Remove Programs to see the hotfixes.  The better answer is calling Microsoft directly; this should be a free call if the issue is problems with a patch.  The US number is 866-727-2338.  Outside of the US, see http://support.microsoft.com/common/international.aspx?rdpath=4 .
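The failure mode described above is a permissions problem on one folder, so the first thing to check on an affected host is who can still write to it. The following PowerShell script is an added example, not code from the ISC diary or from Microsoft's advisory: it reads the ACL on %windir%\Registration and reports, for each identity you expect to keep write access, whether an Allow ACE grants Write and no Deny ACE removes it. The identity list is an assumption (SYSTEM and Administrators, since the COM+ System Application runs as LocalSystem); the exact default ACL for your Windows version should be taken from Microsoft KB 909444, which the diary links and which this script does not reproduce. The "cacls solution" the diary mentions is the repair step; this script only audits.

```powershell
# Added example, not part of the ISC diary or of Microsoft KB 909444.
# Audits the ACL on %windir%\Registration, the folder that, per the Microsoft
# engineer quoted in the diary, COM+ must be able to write to after MS05-051.
# Assumption: SYSTEM and Administrators are the identities that must keep Write;
# take the authoritative default ACL for your Windows version from KB 909444.

$RegistrationDir = Join-Path $env:windir 'Registration'
$RequiredWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')   # assumption

function Test-RegistrationAcl {
    param(
        [string]$Path = $RegistrationDir,
        [string[]]$Identities = $RequiredWriters
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Folder not found: $Path"
    }
    $acl   = Get-Acl -LiteralPath $Path
    $write = [int][System.Security.AccessControl.FileSystemRights]::Write

    foreach ($id in $Identities) {
        $aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $id })
        # Any Deny ACE touching a Write bit wins over an Allow ACE.
        $denied  = @($aces | Where-Object {
            $_.AccessControlType -eq 'Deny' -and (([int]$_.FileSystemRights -band $write) -ne 0)
        })
        # Allow must cover every Write bit (Modify and FullControl both do).
        $allowed = @($aces | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $write) -eq $write)
        })
        [pscustomobject]@{
            Identity = $id
            CanWrite = ($allowed.Count -gt 0) -and ($denied.Count -eq 0)
            Aces     = ($aces | ForEach-Object { "$($_.AccessControlType):$($_.FileSystemRights)" }) -join '; '
        }
    }
}

$report = Test-RegistrationAcl
$report | Format-Table -AutoSize
if (@($report | Where-Object { -not $_.CanWrite }).Count -gt 0) {
    Write-Warning "$RegistrationDir has been locked down; restore the default ACL per Microsoft KB 909444 before re-applying MS05-051."
}
```

Run it from an elevated prompt on a host showing the symptoms above. A CanWrite of False for either identity is the "incorrectly changed from the default settings" case Microsoft describes; uninstalling 902400 hides the symptom but leaves the non-default ACL in place, so fix the ACL and re-apply the patch rather than staying unpatched.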



FrSIRT exploits for MS05-044, MS05-045, and MS05-048

Published: 2005-10-14
Last Updated: 2005-10-14 17:09:13 UTC
by William Stearns (Version: 1)
Within two days, we already have proof-of-concept exploit code for MS05-044, MS05-045, and MS05-048.  The three can be found at:
http://www.frsirt.com/exploits/20051013.ms05-048.c.php
Microsoft Collaboration Data Objects Buffer Overflow PoC Exploit (MS05-048)
http://www.frsirt.com/exploits/20051013.ms05-045.c.php
Microsoft Windows Network Connection Manager Local DoS Exploit (MS05-045)
http://www.frsirt.com/exploits/20051013.ms05-044.c.php
Microsoft Windows FTP Client File Location Tampering Exploit (MS05-044)
Many thanks to John Otterson and Eric Griswold for noticing this.


Weekend Predictions.

Published: 2005-10-14
Last Updated: 2005-10-14 14:18:58 UTC
by Johannes Ullrich (Version: 1)
Remember Zotob? In Internet security time, it was a long, long time ago: almost two months now. The Friday before Zotob hit the news we went to Infocon yellow, in order to warn people about the upcoming storm.

Now this week started in a very similar way, with a large number of Microsoft patches. In particular, the MS DTC vulnerability (MS05-051) has a lot of promise. Like the PnP vulnerability used for Zotob, it could target Win2k quite efficiently. At this point, the only thing missing is a widely available exploit, but given that there are a number of private/commercial exploits, a public one is probably right around the corner.

So what should you do today before you head home for the weekend:

The obvious thing is to apply patch MS05-051 on at least your Win2k systems. We do know that port 3372 scanning has started in full force, likely in order to acquire target lists. If you can't patch, at least make sure port 3372 is closed. Windows 2000 does not come with its own host-based firewall, but you can use IPSec policies to achieve the same effect. See this paper by David Taylor for details.

What will happen this weekend? I invited other handlers to add their own opinions/predictions to this story. In my opinion, we will not see widespread exploits. This can change quickly, but it is also dangerous in its own way. Zotob showed very nicely how an exploit will not get too much attention until it hits a couple of high-profile targets. The scenario I am most afraid of is the use of an exploit by a small group to attack high-value targets. Remember the "Russian key logger" episode (Berbew)? A group exploited a number of well-known web sites using the IIS SSL vulnerability, and came back months later to plant an Internet Explorer exploit. We are "ripe" for a repeat of this scenario, in particular given the rich selection of new client exploits released.

What should you do this weekend? Stay close to your pager. In particular, don't consider yourself safe as long as CNN isn't reporting about it. Make sure your IDS is set up with MS05-051 signatures, and see if you can just log all port 3372 traffic. Use the rest of today to collect some data so you have a baseline if things turn bad. I don't like to recommend turning systems off, but, well, there is nothing more secure than a system disconnected from power.

Please use our forum to share your own opinions and predictions.
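The diary's fallback for hosts that cannot take MS05-051 is to close port 3372 with an IPSec policy. The PowerShell script below is an added example, not code from the ISC diary or from the David Taylor paper it references: it builds a static IPSec policy that drops inbound TCP 3372 (MSDTC) using the "netsh ipsec static" context. Assumptions: that syntax is the Windows XP SP2 / Server 2003 one; Windows 2000 has no netsh ipsec context and needs ipsecpol.exe from the Windows 2000 Resource Kit, which the Taylor paper covers. The policy, filter list, filter action and rule names are arbitrary placeholders.

```powershell
# Added example, not part of the ISC diary. Drops inbound TCP 3372 (MSDTC)
# with a static IPSec policy via "netsh ipsec static" (XP SP2 / 2003 syntax;
# assumption: on Windows 2000 use ipsecpol.exe from the Resource Kit instead).
# Names below are arbitrary. Run from an elevated prompt.

$Policy     = 'ISC-MSDTC-Block'
$FilterList = 'MSDTC-Inbound-TCP3372'
$Action     = 'ISC-Block'
$Rule       = 'Block-Inbound-3372'

function Invoke-Netsh {
    # Runs one netsh command line and throws on a non-zero exit code, so a
    # half-built policy is never assigned by the later steps.
    param([Parameter(Mandatory = $true)][string[]]$NetshArgs)
    $output = & netsh.exe @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($NetshArgs -join ' ') failed: $output"
    }
    $output
}

# 1. Policy container; nothing is enforced until step 5 assigns it.
Invoke-Netsh @('ipsec', 'static', 'add', 'policy', "name=$Policy",
               'description=Block inbound MSDTC (MS05-051 mitigation)')

# 2. Filter list with a single filter: any source -> this host, TCP dst port 3372.
#    Filters are mirrored by default, so replies to our own outbound 3372
#    connections are not matched as "inbound" here.
Invoke-Netsh @('ipsec', 'static', 'add', 'filterlist', "name=$FilterList")
Invoke-Netsh @('ipsec', 'static', 'add', 'filter', "filterlist=$FilterList",
               'srcaddr=any', 'dstaddr=me', 'protocol=tcp', 'srcport=0', 'dstport=3372',
               'description=Inbound MSDTC')

# 3. Filter action that silently drops matching packets (no IKE negotiation).
Invoke-Netsh @('ipsec', 'static', 'add', 'filteraction', "name=$Action", 'action=block')

# 4. Rule tying the filter list and action into the policy.
Invoke-Netsh @('ipsec', 'static', 'add', 'rule', "name=$Rule", "policy=$Policy",
               "filterlist=$FilterList", "filteraction=$Action")

# 5. Assign. Only one static policy can be assigned per host, so this replaces
#    whatever policy (if any) is currently assigned; check first on shared hosts.
Invoke-Netsh @('ipsec', 'static', 'set', 'policy', "name=$Policy", 'assign=y')

# Show the result for the change record.
Invoke-Netsh @('ipsec', 'static', 'show', 'policy', "name=$Policy")
```

Because assignment replaces any existing static policy, run "netsh ipsec static show all" before applying this on a host that already uses IPSec, and fold the filter into that policy instead. To roll back after patching: "netsh ipsec static set policy name=ISC-MSDTC-Block assign=n" followed by "netsh ipsec static delete policy name=ISC-MSDTC-Block". Blocking 3372 only covers MSDTC's listener; MS05-051 also covers COM+, so this is a stopgap, not a substitute for the patch.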



MS05-051 exploit info and rumors

Published: 2005-10-14
Last Updated: 2005-10-14 14:14:07 UTC
by Patrick Nolan (Version: 2)
Patch yesterday, folks. So far we're aware that an MS05-051 exploit is in the hands of ImmunitySec CANVAS customers - "October 11, 2005: MS05-051 (MS DTC) Trigger for the bug in MS DTC on Windows 2000"

Correction, "Immunity chief executive Justine Aitel said the proof-of-concept has been released to IDS (intrusion detection companies) and larger penetration testing firms......"

In addition we're seeing reports of non-specific exploit warnings from managed security service providers to their customers. And some rumors.

McAfee Vulnerability Information says that they have protection against exploits of MS Vulnerability MS05-051, "Entercept's Generic Buffer Overflow Protection protects against code execution that may result from exploiting this vulnerability."

ISS says they have protection out for an exploit; its announcement is here.

NFR says they have protection out for an exploit; their announcement is here.

Here's some pre-vuln announcement facts, see the DShield data on Port 3372 scanning, ymmv.

We'll post anything else that's specific and critical when we get it.
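Both this entry (the DShield port 3372 scanning data) and the Weekend Predictions entry above (log all port 3372 traffic and collect a baseline today) come down to the same task: count who is hitting 3372 per time bucket, so a jump stands out once an exploit goes public. The PowerShell script below is an added example, not code from the ISC diary or from DShield. It parses a constructed sample of firewall log lines in an assumed format ("yyyy-MM-dd HH:mm ACTION PROTO src sport dst dport"), counts distinct sources per hour for TCP 3372, and flags any hour above a multiple of the median hourly count. The log lines, the format and the 3x threshold are all assumptions for illustration.

```powershell
# Added example, not part of the ISC diary or of DShield. Builds an hourly
# baseline of distinct sources hitting TCP 3372 from firewall log lines and
# flags hours that exceed Factor x the median. Log format and sample lines
# are constructed for this example; adapt ConvertFrom-FirewallLog to your logs.

# Constructed sample: three quiet hours, then a burst of new sources at 12:00.
$SampleLog = @'
2005-10-14 09:12 DROP TCP 192.0.2.10 4123 203.0.113.5 3372
2005-10-14 09:40 DROP TCP 192.0.2.11 4124 203.0.113.5 3372
2005-10-14 10:05 DROP TCP 192.0.2.10 4125 203.0.113.5 3372
2005-10-14 10:15 DROP TCP 192.0.2.12 1040 203.0.113.5 3372
2005-10-14 10:50 DROP TCP 198.51.100.7 2049 203.0.113.5 445
2005-10-14 11:02 DROP TCP 192.0.2.13 4200 203.0.113.5 3372
2005-10-14 11:30 DROP TCP 192.0.2.10 4201 203.0.113.5 3372
2005-10-14 12:01 DROP TCP 198.51.100.20 3000 203.0.113.5 3372
2005-10-14 12:02 DROP TCP 198.51.100.21 3001 203.0.113.5 3372
2005-10-14 12:03 DROP TCP 198.51.100.22 3002 203.0.113.5 3372
2005-10-14 12:04 DROP TCP 198.51.100.23 3003 203.0.113.5 3372
2005-10-14 12:05 DROP TCP 198.51.100.24 3004 203.0.113.5 3372
2005-10-14 12:06 DROP TCP 198.51.100.25 3005 203.0.113.5 3372
2005-10-14 12:07 DROP TCP 198.51.100.26 3006 203.0.113.5 3372
2005-10-14 12:08 DROP TCP 198.51.100.27 3007 203.0.113.5 3372
'@

function ConvertFrom-FirewallLog {
    # One object per well-formed line; malformed lines are skipped, not fatal.
    param([string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if (-not $line) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        [pscustomobject]@{
            Hour    = $f[0] + ' ' + $f[1].Substring(0, 2) + ':00'
            Action  = $f[2]
            Proto   = $f[3]
            Src     = $f[4]
            DstPort = [int]$f[7]
        }
    }
}

function Get-PortHourly {
    # Packets and distinct sources per hour for one TCP destination port.
    param([string]$Text, [int]$Port = 3372)
    ConvertFrom-FirewallLog -Text $Text |
        Where-Object { $_.Proto -eq 'TCP' -and $_.DstPort -eq $Port } |
        Group-Object Hour | Sort-Object Name | ForEach-Object {
            [pscustomobject]@{
                Hour           = $_.Name
                Packets        = $_.Count
                DistinctSource = @($_.Group | Select-Object -ExpandProperty Src | Sort-Object -Unique).Count
            }
        }
}

function Find-ScanSpike {
    # Baseline = median distinct-source count across hours; spike = above Factor x baseline.
    param([object[]]$Hourly, [double]$Factor = 3.0)
    $sorted = @($Hourly | ForEach-Object { $_.DistinctSource } | Sort-Object)
    $median = $sorted[[int][math]::Floor(($sorted.Count - 1) / 2)]
    $Hourly | Where-Object { $_.DistinctSource -gt $Factor * [math]::Max($median, 1) } |
        Select-Object Hour, DistinctSource, @{ n = 'Baseline'; e = { $median } }
}

$hourly = @(Get-PortHourly -Text $SampleLog -Port 3372)
$hourly | Format-Table -AutoSize
Find-ScanSpike -Hourly $hourly | Format-Table -AutoSize
```

On the constructed sample the 09:00 to 11:00 hours each show two distinct sources (the 445 line is filtered out), so the median is 2 and the 12:00 hour with eight new sources is the only one flagged. The point of collecting this today, as the diary says, is that the median is meaningless without quiet hours to compute it from: if your first logs are from the weekend, every hour looks like the baseline.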