SANS ISC: LSASS exploit, SSL PCT exploits, port 559 (tcp) proxy hunter, Bagle.Z
LSASS Exploit (MS04-011 / CAN-2003-0533)

An exploit targeting the recently released vulnerability in Windows' Active Directory service functions in LSASRV.DLL (LSASS: Local Security Authority Subsystem Service) was made public today.

The exploit is effective against some versions of Windows 2000 with SP3 or SP4 installed. The patch released earlier this month as part of MS04-011 will fix this vulnerability.

If you have not done so already, please apply the MS04-011 patch as soon as possible. Even if no worm is released, we expect that all Internet facing systems will be probed with this exploit over the next couple of days.

The exploit will allow full remote control via a remote shell. The port used by the remote shell can be changed via a command line option.

(update: we just received a report of the exploit being used in the wild.)

More SSL PCT exploits

We did receive more reports of systems exploited via the IIS SSL PCT vulnerability (CAN-2003-0719, MS04-011). So far, it appears that the exploit is only used against IIS servers. But the observations indicate that networks are scanned systematically and vulnerable systems are exploited immediately, indicating an automated tool.

The exploit will leave the following message in your Windows event log:

"The security package Microsoft Unified Security Protocol Provider generated an exception. The package is now disabled. The exception information is the data."

While a reboot of the system will restart IIS and permit access to the https site, it will not necessarily remove code uploaded by the attacker.
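Because the event log message above is the one durable indicator the PCT exploit leaves behind, it is worth sweeping exported logs for it rather than waiting for the https site to go down. The following is an added example (not ISC's code): it scans a constructed, tab-separated event export for that exact message and lists the hosts that need a forensic look; the export format, host names and event sources are assumptions for the example.

```python
import re
from typing import Iterable

# Message text quoted in the diary above; compared after whitespace normalisation.
PCT_EXPLOIT_MESSAGE = (
    "The security package Microsoft Unified Security Protocol Provider "
    "generated an exception. The package is now disabled."
)

# Assumed export format (constructed for this example, not a real Event Viewer
# export): "timestamp<TAB>host<TAB>source<TAB>message", one event per line.
LINE_RE = re.compile(r"^(?P<ts>[^\t]+)\t(?P<host>[^\t]+)\t(?P<source>[^\t]+)\t(?P<msg>.*)$")

def _normalise(text: str) -> str:
    """Collapse runs of whitespace so line-wrapped exports still match."""
    return " ".join(text.split())

def find_pct_indicators(lines: Iterable[str]) -> list:
    """Return one record per event whose message carries the PCT exception."""
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\r\n"))
        if not m:
            continue  # malformed or header line: skip it rather than guess
        if PCT_EXPLOIT_MESSAGE in _normalise(m.group("msg")):
            hits.append({"timestamp": m.group("ts"), "host": m.group("host")})
    return hits

def hosts_to_investigate(lines: Iterable[str]) -> list:
    """Distinct hosts in first-seen order. A reboot restarts IIS but does not
    remove anything the attacker uploaded, so each host needs a forensic look."""
    seen = []
    for hit in find_pct_indicators(lines):
        if hit["host"] not in seen:
            seen.append(hit["host"])
    return seen

# Constructed sample export: one hit on web01, one on web03, benign noise elsewhere.
SAMPLE_LOG = [
    "2004-04-27 03:12:05\tweb01\tSchannel\tThe security package Microsoft Unified "
    "Security Protocol Provider generated an exception. The package is now disabled. "
    "The exception information is the data.",
    "2004-04-27 03:12:06\tweb01\tService Control Manager\tThe World Wide Web "
    "Publishing Service service entered the stopped state.",
    "2004-04-27 03:14:41\tweb03\tSchannel\tThe  security package Microsoft Unified "
    "Security Protocol Provider generated an exception.  The package is now disabled.",
    "2004-04-27 03:15:00\tweb02\tSchannel\tA fatal alert was received from the remote endpoint.",
]

if __name__ == "__main__":
    for host in hosts_to_investigate(SAMPLE_LOG):
        print("possible SSL PCT exploitation:", host)
```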

DShield data shows an increase in port 443 scanning, further supporting the widespread use of the SSL PCT exploit against IIS servers.
However, the number of observed sources for these scans is still small.

Port 559

Our sensors noted a significant increase in scans against port 559.

Simple netcat honeypots on selected sensors revealed that these scans are searching for open proxy servers. At this point, we do not know if any of the recent viruses or trojans will open proxy servers on this port.


A new version of Bagle was released today, bringing Bagle up to version Z.


Johannes Ullrich, ISC Handler
Apr 27th 2004