[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS Brief 75/04 - NISCC - Exploit for Windows ASN.1 Vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 75/04 dated 14.02.04  Time: 19:50
 UNIRAS is part of NISCC(National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====
Exploit code for Microsoft Windows ASN.1 Vulnerabilities


Detail
======
Further to Uniras Brief 63/04 and Alert 04/04, departmental and organisational
security officers should be aware that exploit code has been published on the
Internet.

This exploit has been published as commented source code and claims to create
a Denial of Service (DoS) condition in the LSASS process on the target computer.
Examination of the source code indicates that it causes this DoS by sending a
malformed NetBIOS message to TCP port 139 or 445.  It is apparently written to
operate against Windows 2000 and later  platforms.

Whilst NISCC has not compiled and tested this exploit code, a code review
indicates that it is likely to operate successfully.  A good knowledge of Windows
programming would be required to take this code a step further in order to return
a shell on the target computer, and therefore take full control of it.  It should
be noted, however, that the original researchers of these vulnerabilities, eEye
Digital Security, claim that they have achieved remote system compromise after
developing and executing proof of concept exploits.

Mitigation against this specific exploit is consistent with established good
practice of blocking access to TCP ports 139 and 445 from untrusted networks.
Further information on mitigation and patches is available from the Microsoft
advisory located at:
http://www.microsoft.com/technet/security/bulletin/MS04-007.asp.


- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via EMail to:
uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQC6DF4pao72zK539AQG4IQQAii8o4acLJY7UpF16VtQ3gDN3yvbHYmIK
z1UU5LkO3M7zC2jCh7RPAXfsoxpnFYfbrmTWYqAadTx6ws54MCjqlEhM79wbw73D
qYHJrOOfjK75ALTY0rt10F7XcdBYKmMXW0NXl2lBEZ+YNMMEfgwhni53Cbkws//V
mttYMyXNzws=
=pWwL
-----END PGP SIGNATURE-----