MS08 067

Information on MS08-067

Patch your systems!

Revision 3: 11-2-08

Creative Commons License: Attribution-Noncommercial-Share Alike 2.0

ContributorsTim Krabec http://www.kracomp.comChris Mills http://www.securabit.comChris Gerling Tim Holmes http://www.mcaschool.netCarl Hester http://www.dontpanictech.com Stephen Moore http://stephenrmoore.blogspot.com

Thank you to everyone in the IRC channels who helped with Screen shots and web links, etc.#crcerror http://www.crcerror.net #dshield http://www.dshield.org/indexd.html#pauldotcom http://www.pauldotcom.com#securabit http://www.securabit.com

Worm Exploiting this Flaw!!

Finish patching Very SOON. http://www.f-secure.com/weblog/archives/00001526.html  http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-110306-2212-99&tabid=2

Scope

MS08-67 vulnerability is a flaw in the default implementation of the remote procedure call (RPC) as it relates to the use of the Server message block (SMB) protocol.  This vulnerability is in all Windows systems from Windows 2000 to Windows 7 Pre-Beta.   (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx)

Exploitation of this vulnerability will result in the attacker gaining free and unrestricted access to the exploited computer with the ability to run arbitrary code.  http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

There are confirmed rumors that this exploit (which is at this time in the wild) may be "weaponized" to form some type of worm at least comparable in scope to the Blaster Worm.

Scope continued

The chances of this affecting any given computer are very good given the depth of the vulnerability, and the widespread nature of the Microsoft Windows operating system.   It is also important to note that this vulnerability exists in all versions of Windows from Windows 2000 onward, including the latest pre-beta versions of Windows 7.   Obviously this bit of code is integral to the Windows OS and has not been changed much over the multiple generations of the software.

IT Response

The key to an effective response is defense in depth

1. Patch all affected systems -- which basically means if it runs Windows -- patch it (If you have systems with history of problems with Windows Updates, test then patch, or call you vendor today).

2. Make sure your perimeter firewalls (and internal firewalls if you use them) block the following ports 137,138(udp) 139(tcp) and 445(tcp) Test the new rules by scanning known systems for open ports. nmap scan: nmap -vv -P0 -p U:137,138,T:139,445 host(s) 3. Educate your users on how to protect their home and mobile systems.

'Home' Response

1. Update your computers -- explained on slides 11-19 2. If you are not using a firewall - you need to be - if you have a high speed connection (cable or DSL) you need a firewall router in addition to your windows firewall.  Many routers Support NAT  which helps mitigate incoming traffic problems

3. Update your anti-virus systems 

Methods of Compromise

Malicious download from compromised web site1.Highly likely2.This method has already been seen in the wild and is actively in use3.Current known malicious sites have been requested to block Malicious file opened from E-Mail1.Possible, but less likely2.Requires users to manually open file Unpatched systems 1. If unpatched and otherwise unprotected, very likely (obviously) 

Known Exploits to the Vulnerablility

•http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.html

•http://www.milw0rm.com/exploits/6824 •https://www.immunityinc.com/downloads/immpartners/ms08_067.tgz

Immunity INC. (Login required)•Securityfocus POC

Technical Infomation

Snort Rules Emerging threats:http://www.snort.org/pub-bin/snortnews.cgi#819

Emerging Threats:http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067

Code:  http://www.phreedom.org/

A good matrix of what is affected:http://blogs.technet.com/swi/

From Microsoft:http://www.microsoft.com/security/portal/Entry.aspx?name=Exploit%3aWin32%2fMS08067.gen!A

Intrusion Prevention Releases

Tippingpoint Filter # 6515Provided via Digital Vaccine 7582.Released 10/23/2008 @ 1:51pm EST.*Default action for this filter is DISABLED*Tippingpoint TMC Release (required registration)

Sourcefire Snort SEUReleased 10/23/2008 @ 1:59pmAdvisory Press Release

Early Trojan InformationEarly Trojan named Gimmiv.APropagates automatically, self installs files at the endpointAttempts to exploit other machines by sending them a malformed RPC request to Server service •“\c\..\..\AAAAAAAAAAAAAAAAAAAAAAAAAAAAA”  

•the malware drops a DLL component (Gimmiv.A)

Searches the endpoint  for: •computer name, MSN/Outlook credentials, various user names\passwords, patch

information, and more  Connects to remote server at: 

•http://59.106.145.58/[…].php?abc=1?def=2 Encrypts information prior to sending!... and more to come.   ref: http://security.blogs.techtarget.com/2008/10/24/worm-exploiting-ms08-067-rpc-vulnerability/

Updating Windows XP    

Navigate to http://www.windowsupdate.com

Choose Custom

What if you only see SP3?If you recieve the message below, choose Review Other Updates.   While installing Service Pack 3 is important, it is imparative that this other update gets installed, Service Pack 3 is less critical and generally requires more testing.

The update is available for Windows XP

Windows XP: Update is not visable

What Should I do?

 On the left Click on Review your upate history

Patched Windows XP Machine

This computer has alrady had it applied see Security Update for Windows XP (KB958644) has a Green check next to it

The Update is available through Autoupdate

Updating Vista

Microsoft released the Vista patch as Important (because of ASLR), not Critical as with the other Operating Systems.

Windows Server 2008

Again its KB958644

Windows 2000 SP4

Look another KB958644

Verifying Patch Installation

 Manual methods:

Log onto machine, pull up Add/Remove programs and check the "Show Updates" box.  Verify KB958644 is in the list, which should be near the bottom.

Or

Log onto machine, pull up system32 folder and depending on your OS, you're looking for Net32api.dll or wnet32api.dll to have a certain version.  Full table is here:  http://support.microsoft.com/kb/958644

Here is an Autoit3 script to scan a subnet or part there of.  Exe of said code will be at www.kracomp.com/gimmivscan.exe The code could use  bit more editing. Please feel free to contribute. 

;I added 3 input boxes so one doesnt have to hardcode the ip subnet and start/stop ip's in the code.

;Revision3#Region ;**** Directives created by AutoIt3Wrapper_GUI ****#AutoIt3Wrapper_outfile=c:\test.exe#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****#include <GUIConstantsEx.au3>

$subnet = 0$startIP = 0$endIP = 0

$subnet = InputBox("subnet","type in your subnet (xxx.xxx.xxx)","10.10.104")$startIP = InputBox("startIP","Please enter the starting IP","25")$endIP = InputBox("endIP)","Please enter the ending IP", "250")

$ip = $startIP + 1

;Using an ArrayDim $winfolders[2]$winfolders[0]="\c$\windows\system32"$winfolders[1]="\c$\winnt\system32"; increment the Dim number above by the number of elements you are adding;$aArray[2]="insert path here"

Dim $BadFiles[12]$BadFiles[0] = "\wbem\sysmgr.dll"$BadFiles[1] = "\wbem\winbaseInst.exe"$BadFiles[2] = "\wbem\winbase.dll"$BadFiles[3] = "\wbem\svicon.dll"$BadFiles[4] = "\wbem\basesvc.dll"$BadFiles[5] = "basesvc.dll"$BadFiles[6] = "inetproc02x.cab"$BadFiles[7] = "install.bat"$BadFiles[8] = "scm.bat"$BadFiles[9] = "syicon.dll"$BadFiles[10] = "winbase.dll"$BadFiles[11] = "winbaseInst.exe"

;Dim $GoodFiles[3];$GoodFiles[0] = ;$GoodFiles[1] = ;$GoodFiles[2] = ;$GoodFiles[3] =

MsgBox (0,"Done","starting")

;For $ip = $startIP to $endip step 1    FOR $folder IN $winfolders        if FileExists("\\"&$subnet&"."&$ip&$folder) then;            MsgBox(0, "test!", "$folder exists")            for $file IN $BadFiles                If FileExists($subnet&$ip&$folder&$file) Then                    MsgBox(0, "Infected!", "$ip has $file")                Else                    MsgBox(0,"Clean",$file)                EndIf            next  ;        Else;            MsgBox(0, "test!", "\\"&$subnet&"."&$ip&$folder)        EndIf;            Next    NEXT  ;next  

MsgBox(1,"Done","Done")    ;End