Tuesday, November 25, 2008 8:42 AM cmosby

Increase in Exploit Attempts Against MS08-067 - Symantec Security Response Blog

Microsoft Security Bulletin MS08-067 was an out-of-band security update, released on October 23, 2008, that addressed a critical, remotely exploitable vulnerability already being exploited in the wild. The Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability fixed by the patch affects Windows 2000, XP, Server 2003, Vista, and Server 2008 to varying degrees. Ultimately the issue allows a remote attacker to install malicious applications on a target computer without the victim's knowledge.

Microsoft released a detailed matrix describing the risk that this vulnerability presents to different versions of Microsoft Windows. Reading that matrix, it becomes clear that the issue is exploitable by an unauthenticated attacker on Windows 2000, Windows XP, and Windows Server 2003. It is not exploitable on a default configuration of Windows XP (SP2 or later), because the Windows Firewall blocks connection attempts to the required RPC interface. However, if the firewall is disabled, or the firewall is enabled but the File and Printer Sharing exception is also enabled, then the issue is remotely exploitable on Windows XP. On Windows Vista and Windows Server 2008 an attacker must first authenticate in order to exploit the issue.

Several public exploits are currently available that leverage this issue. Typically an exploit needs to be reliable before a worm author will incorporate it into the worm's propagation routines. The nature of this vulnerability made it difficult for exploit authors to construct a single exploit that would work against all versions of Microsoft Windows at once, so the first exploits targeted specific versions: the first public exploit that went beyond a simple crash proof-of-concept worked only against Windows installations localized for Traditional Chinese markets. Over the past month, exploit authors have found far more reliable methods of exploiting this vulnerability and have released more stable exploits. The most reliable public exploit is the one incorporated into the Metasploit Framework, which contains many target configurations covering a large array of Windows versions.

When we first noticed worm-like malicious applications exploiting this vulnerability, they were using the primitive exploits available at the time, in other words the exploits that targeted Chinese Windows systems. Over the last 24 hours, however, we have been observing a new worm. It also exploits MS08-067, but it uses the routine from the Metasploit Framework to exploit computers running Microsoft Windows 2000 regardless of localization. The worm targets TCP port 445; when exploitation succeeds, it creates an HTTP server on the compromised computer, listening on a random port, for example:

http://[EXTERNAL IP ADDRESS OF INFECTED MACHINE]:[RANDOM PORT]/[RANDOM STRING]

The worm then sends this URL as part of its exploit payload to other computers. Upon successful exploitation, the newly compromised computer connects back to this URL and downloads a copy of the worm.

We are currently observing an increase in the number of IP addresses generating activity over TCP port 445, and we believe that this activity is at least in part related to the propagation of this malicious code.
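The two observations above, a victim receiving a TCP/445 connection and then fetching the second stage from an HTTP server on a random port on the attacking host, and a rise in the number of distinct IP addresses hitting TCP/445, can both be hunted for in ordinary connection logs. The following is an added example written for this post, not Symantec tooling or code from the worm analysis. The log format, the flow records, the 120-second callback window and the "high port that is not 80/8080" heuristic are all constructed or assumed for illustration.

```python
"""Hunt for the MS08-067 worm propagation pattern in TCP connection logs.

Added example, not Symantec's tooling. Two checks taken from the post:
  1. a host receives a TCP/445 connection from a peer and shortly afterwards
     connects back to that same peer on a non-standard high port (the worm's
     HTTP server on a random port), which is how the worm body is fetched;
  2. the number of distinct source IPs hitting TCP/445 per hour, the
     "increase in IPs" the post describes.
The log format, the sample flows and the thresholds are constructed/assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "ISO-timestamp src:sport > dst:dport", one TCP connection per line.
# 203.0.113.x are external hosts, 192.0.2.x are internal hosts (documentation ranges).
SAMPLE_LOG = """\
2008-11-24T09:00:05 203.0.113.7:1044 > 192.0.2.10:445
2008-11-24T09:00:09 192.0.2.10:1201 > 203.0.113.7:6543
2008-11-24T09:03:10 192.0.2.10:1202 > 198.51.100.5:80
2008-11-24T09:15:00 203.0.113.8:1050 > 192.0.2.11:445
2008-11-24T10:02:00 203.0.113.9:1060 > 192.0.2.10:445
2008-11-24T10:02:01 203.0.113.10:1070 > 192.0.2.12:445
2008-11-24T10:02:02 203.0.113.11:1080 > 192.0.2.13:445
2008-11-24T10:02:30 192.0.2.12:1300 > 203.0.113.10:31337
2008-11-24T11:00:00 192.0.2.12:1301 > 203.0.113.10:52000
"""

CALLBACK_WINDOW = timedelta(seconds=120)  # assumption: the download follows the exploit quickly
STANDARD_HTTP_PORTS = {80, 8080}          # the worm serves from a random port, not these


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one 'timestamp src:sport > dst:dport' line of the constructed format."""
    ts, src, arrow, dst = line.split()
    if arrow != ">":
        raise ValueError(f"unexpected log line: {line!r}")
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Flow(datetime.fromisoformat(ts), sip, int(sport), dip, int(dport))


def find_callbacks(flows, window=CALLBACK_WINDOW):
    """Return (victim, attacker, port) for each victim that connected back to the
    host that had just hit it on TCP/445, on a high non-standard port, within `window`.

    Connection logs alone do not prove the callback is HTTP; the timing plus the
    odd port is the heuristic, and each hit is a lead to confirm with a packet
    capture or by inspecting the host."""
    inbound_445 = defaultdict(list)  # (victim, attacker) -> timestamps of TCP/445 hits
    hits = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dport == 445:
            inbound_445[(f.dst, f.src)].append(f.ts)
            continue
        if f.dport <= 1024 or f.dport in STANDARD_HTTP_PORTS:
            continue
        recent = inbound_445.get((f.src, f.dst), [])
        if any(timedelta(0) <= f.ts - t <= window for t in recent):
            hits.append((f.src, f.dst, f.dport))
    return hits


def port445_sources_per_hour(flows):
    """Distinct source IPs that connected to TCP/445 in each hour, as {'YYYY-MM-DD HH:00': n}.
    Compare against a quiet-period baseline to spot the kind of rise described in the post."""
    buckets = defaultdict(set)
    for f in flows:
        if f.dport == 445:
            buckets[f.ts.strftime("%Y-%m-%d %H:00")].add(f.src)
    return {hour: len(srcs) for hour, srcs in sorted(buckets.items())}


def analyze(log_text=SAMPLE_LOG):
    """Run both checks over a log; returns (callbacks, per_hour_counts)."""
    flows = [parse_flow(line) for line in log_text.splitlines() if line.strip()]
    return find_callbacks(flows), port445_sources_per_hour(flows)


if __name__ == "__main__":
    callbacks, per_hour = analyze()
    for victim, attacker, port in callbacks:
        print(f"possible worm download: {victim} -> {attacker}:{port} shortly after TCP/445 from {attacker}")
    for hour, n in per_hour.items():
        print(f"{hour}: {n} distinct sources on TCP/445")
```

On the sample data this flags two victims (192.0.2.10 and 192.0.2.12) that connected back to their attackers on ports 6543 and 31337 within seconds of the TCP/445 hit, ignores the later 52000 connection because it falls outside the window, and shows the per-hour distinct-source count rising from 2 to 3. The callback check is a heuristic: an internal host that legitimately talks to a peer on a high port after an SMB session will also match, so treat hits as leads rather than verdicts.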
SANS is also reporting a spike in activity on TCP port 445. However, this was not the main reason behind our ThreatCon update; the aggressive propagation of this threat in our honeypot network was. We decided that the activity was significant enough to remind our customers of the importance of installing the MS08-067 update. Symantec antivirus currently detects this threat as W32.Downadup, so please make sure that your antivirus definitions are up to date.

We also recommend that the following mitigating strategies are applied:

•    Block access to TCP ports 139 and 445 at network perimeters.
•    Ensure that computers connected to the network have host-based firewall software installed and enabled.
•    Ensure that antivirus software is installed on all clients connected to the network and that it is kept up to date.

And, please install the MS08-067 update as soon as possible. Microsoft has suggested a number of additional workarounds in the security bulletin, such as disabling the Computer Browser and Server services (note that disabling the Server service also disables file and printer sharing on that host). We advise customers to review those suggestions as well.


* Update

Symantec IPS will detect and block this attack with the following signatures:

•    MSRPC Server Service Buffer Overflow
•    RPC Server Service BO2

Message Edited by SR Blog Moderator on 11-25-2008 04:37 AM