lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <8B32EDC90D8F4E4AB40918883281874D523331@pivxwin2k1.secnet.pivx.com>
Date: Thu, 29 Apr 2004 12:31:36 -0700
From: "Thor Larholm" <thor@...x.com>
To: "Tony Abell" <TonAbe@...tool.com>, <bugtraq@...urityfocus.com>
Cc: <ntbugtraq@...tserv.ntbugtraq.com>
Subject: RE:  New Worm??? - High level of activity on port 445


MS04-011 fixed 14 different vulnerabilities but the two that have
received most attention are the PCT and LSASS vulnerabilities. Both have
publicly available exploit code and are fairly trivial to automate.

You are most likely experiencing traffic caused by the LSASS
vulnerability. To successfully exploit this vulnerability either locally
or remotely, one has to acquire the handle of a running user session.
Remote exploits and worms can only exploit the LSASS vulnerability
anonymously by using a NULL session, which is retrieved over the
microsoft-ds port 445.

It has long been a good practice to disable NULL sessions, and Microsoft
has documented how to accomplish this in several Knowledge Base
articles:

How to Use the RestrictAnonymous Registry Value in Windows 2000
http://support.microsoft.com/?kbid=246261
Restricting information available to anonymous logon users
http://support.microsoft.com/?kbid=143474
RestrictAnonymous Access Enabled Lets Anonymous Connections Obtain the
Password Policy
http://support.microsoft.com/?kbid=129457

The RestrictAnonymous policy can have some impact on functionality in
mixed-domain environments, in which case one can set the
RestrictAnonymous value to 1 instead of 2, as detailed in the following
Knowledge Base articles:

The "RestrictAnonymous" Registry Value May Break the Trust to a Windows
2000 Domain
http://support.microsoft.com/?kbid=296405
The RestrictAnonymous Value Breaks the Trust in a Mixed-Domain
Environment
http://support.microsoft.com/?kbid=296403


The PCT vulnerability is exploited over port 443 which have led many to
believe that it was intrinsically linked with SSL - it is not, it is a
separate protocol and can be separately disabled. (The PCT/SSL confusion
gave a dilemma as some production servers naturally rely on SSL but
could not implement the patch as it has several functionality
regressions).

When IIS receives a request for a secure communication channel over port
443 it tries several independent protocols in the following order: PCT
1.0, SSL 2.0, SSL 3.0 and TLS 1.0. Disabling the PCT protocol itself
does not impact SSL functionality and can be accomplished by specifying
a binary value of 00000000 in the following value:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SC
HANNEL\Protocols\PCT 1.0\ServerEnabled

This has also been documented in Knowledge Base article 187498

Disable PCT 1.0, SSL 2.0, or SSL 3.0 on IIS
http://support.microsoft.com/?kbid=187498


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@...x.com
Stock symbol: (OTCBB:DRIL)
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation. 
<http://www.pivx.com/qwikfix>



-----Original Message-----
From: Tony Abell [mailto:TonAbe@...tool.com] 
Sent: Thursday, April 29, 2004 9:45 AM
To: 'bugtraq@...urityfocus.com'
Subject: New Worm??? - High level of activity on port 445


Since late yesterday 4/28/04 afternoon around 4pm our firewall started
throwing alarms on netprobes. We are seeing a large amount of probes
coming from one machine that is probing random IPs on port 445. The
source port is random as well. We traced it back to a Japanese Win2K
machine w/SP4 installed. No idea if it's fully patched or not, I have no
desire to put it back on my network to patch it until I get this figured
out. I scanned the machine in safe mode as well as booting normally
using SAV 8.1 with 4/28/04 Rev 38 defs and came up with nothing.

Is anyone else seeing anything like this? 

Tony Abell
Network Administrator
OSG Tap & Die



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ