
Lsasrv.dll RPC buffer overflow remote exploit

Platypus

It's running wild on our networks today, this is going to be worse than MSblast was.

I also heard some pretty scary stuff from users today about still getting exploited even with a fully patched system.


Full exploit link
 
is it a phatbot variant that you are seeing?

Please give details on what you are seeing.

Is it dropping msiwin84.exe?
 
Originally posted by: hevnsnt
Please.. What kind of traffic are you seeing.. It is important.

We don't know yet but we've been seeing a lot of traffic on port 445. There is already proof of concept code which takes advantage of a buffer overflow.
 
ARG DAMN IT!!! AND I JUST GOT RID OF THAT STUPID PHATBOT LAST WEEK..NOW THIS?!...friggin hell

and any of you know how in the hell this stupid prog called "dameware" got into the computers @ work..wtf...

i had to reformat nearly all of them....
 
Originally posted by: Shockwave
Originally posted by: Jzero
Even patched systems?! Crap, and I'm on pager duty this week :|:|:|

LOL!
Teh Winnar!! 😀

Actually, as manager of info. security, I'm going to get called in the middle of the night whether I'm on pager duty or not...so I guess I'm just eliminating the middle man who will get a page, do some investigation, realize it's a worm flooding the network and call me anyway.
😉

So far so good, though.

In actuality, we have been safe from prior worms except for our own employees. Our experiences with Slammer and Blaster came from dookers bringing their laptops in and plugging them into the network.
 
Originally posted by: CorporateRecreation
Originally posted by: hevnsnt
Please.. What kind of traffic are you seeing.. It is important.

We don't know yet but we've been seeing a lot of traffic on port 445. There is already proof of concept code which takes advantage of a buffer overflow.

Out of curiosity, why do you not yet know? Open up Ethereal and find out.
 
Originally posted by: jfall
ah.. the joys of running linux

You say that like it's superior or something. I mean if Linux were top dog there would be viruses like this for it too.

-Xionide
 
Slammer and Blaster came from dookers bringing their laptops in and plugging them into the network

lol....

*hides his lap top

And I knew I had it too, yet I plugged my laptop in anyway. Oh the humanity! I thought I was safe because I wasn't logged onto a domain. Yet it didn't matter, especially considering the nature of the virus. It was W32.Gaobot using TCP 445. I knew it was a virus because I had an extra background task called directx32.exe using 50-100% of the resources.


Now I have Norton AV updating every hour, MS security auto update, with a firewall. I also disabled e-mail on my laptop.
 
Originally posted by: Xionide
Originally posted by: jfall
ah.. the joys of running linux

You say that like it's superior or something. I mean if Linux were top dog there would be viruses like this for it too.

-Xionide


I doubt it. Unless the person running Linux doesn't know what they are doing and runs unknown software as root

I have heard your theory many times.. same as the IE / Mozilla debate. Think about it, Linux/Unix generally runs most of the world's top servers. Any type of real `hacker` guns for exploiting Linux. Windows hackers are mostly script kiddies; a real hacker/coder that actually knows what they are doing exploits Unix. Say what you want, but there is no doubt in my mind that Linux is much more secure than Windows will ever be.
 
Originally posted by: Astaroth33
Originally posted by: CorporateRecreation
Originally posted by: hevnsnt
Please.. What kind of traffic are you seeing.. It is important.

We don't know yet but we've been seeing a lot of traffic on port 445. There is already proof of concept code which takes advantage of a buffer overflow.

Out of curiosity, why do you not yet know? Open up Ethereal and find out.


Well yes that was already taken care of yesterday, unfortunately for my job safety I cannot post the results. This attack does indeed rely on port 445 because it needs to establish a null session and port 445 is the only one that can do that.

I posted the full exploit in my full post with an edit, you should have everything you need now.
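The posts above (the "lot of traffic on port 445" report and the note that the attack needs a null session over port 445) describe what a responder would look for but not how to pull it out of the data. The following is an added example, not code from the thread or from any poster: it parses a small set of constructed firewall log lines (format and addresses are assumptions, chosen to resemble a typical "time src dst proto dport action" export) and flags sources that contact many distinct hosts on TCP/445 in a short window, which is the propagation pattern a worm of this kind produces and which a single workstation talking to its file server does not.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the thread). Format is an assumption:
# "HH:MM:SS src dst proto dport action"
NORMAL_LINES = """\
09:00:00 10.0.1.20 10.0.2.5 TCP 445 ALLOW
09:00:03 10.0.1.20 10.0.2.5 TCP 445 ALLOW
09:00:05 10.0.1.20 10.0.2.5 TCP 445 ALLOW
09:00:07 10.0.1.30 10.0.2.5 TCP 445 ALLOW
09:00:08 10.0.1.30 10.0.2.6 TCP 445 ALLOW
09:00:09 10.0.1.40 93.184.216.34 TCP 80 ALLOW
09:00:10 10.0.1.40 93.184.216.34 TCP 443 ALLOW
garbage line that should be ignored
"""

# One constructed host sweeping 12 consecutive addresses on 445 within two seconds.
SCANNER_LINES = "".join(
    "09:00:1%d 10.0.1.15 10.0.2.%d TCP 445 %s\n" % (i % 2, 100 + i, "ALLOW" if i % 3 else "DENY")
    for i in range(12)
)

SAMPLE_LOG = NORMAL_LINES + SCANNER_LINES

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<dport>\d+)\s+(?P<action>ALLOW|DENY)\s*$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def targets_by_source(lines, port=445, proto="TCP"):
    """Map each source IP to the set of distinct destinations it touched on port/proto."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != proto or rec["dport"] != port:
            continue
        # Both ALLOW and DENY count: a blocked probe is still evidence of sweeping.
        seen[rec["src"]].add(rec["dst"])
    return seen


def find_sweepers(lines, port=445, min_targets=10):
    """Sources that contacted at least min_targets distinct hosts on the given port.

    Returns {src: number_of_distinct_destinations}, sorted by count descending.
    A threshold around 10 separates a worm sweeping a /24 from a user hitting
    one or two file servers; tune it to the site's normal SMB fan-out.
    """
    fanout = targets_by_source(lines, port=port)
    hits = {src: len(dsts) for src, dsts in fanout.items() if len(dsts) >= min_targets}
    return dict(sorted(hits.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for src, n in find_sweepers(SAMPLE_LOG.splitlines()).items():
        print("possible worm host %s: %d distinct targets on tcp/445" % (src, n))
```

Run it against an export from the perimeter or core firewall instead of `SAMPLE_LOG`; the hosts it names are the ones to pull off the network and check against the MS04-011 status before anything else.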
 
Originally posted by: NogginBoink
Do any of the affected machines have MS04-011 installed?


It's hard to tell at this point; we have reports of users saying even with this installed they're still getting affected. I personally doubt it; most likely their PCs were hacked before they got this installed. I'll let you know as more info about this comes in.
 
Before this thread gets out of hand: I have contacts in the security group at Microsoft. I am finding out if MS04-011 protects against this from the horse's mouth. I suspect that MS04-011 does protect against this, since MS04-011 does include a patch for an LSASS vulnerability.
 
Originally posted by: NogginBoink
Before this thread gets out of hand: I have contacts in the security group at Microsoft. I am finding out if MS04-011 protects against this from the horse's mouth. I suspect that MS04-011 does protect against this, since MS04-011 does include a patch for an LSASS vulnerability.


It wouldn't be the first time. I highly doubt the patch is faulty, I just don't know enough about the entire situation to say that right now. As I work on more compromised PCs I'll post my findings here. Let's as you said try to keep people from freaking out thinking the patch doesn't work.
 
Originally posted by: NogginBoink
Before this thread gets out of hand: I have contacts in the security group at Microsoft. I am finding out if MS04-011 protects against this from the horse's mouth. I suspect that MS04-011 does protect against this, since MS04-011 does include a patch for an LSASS vulnerability.

I checked with my Microsoft sources, 04-011 is made to fight this exploit.

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Patch your machines.. you should be all set.
 