Information on MS08-067
Patch your systems!
Revision 3: 11-2-08
Creative Commons License: Attribution-Noncommercial-Share Alike 2.0
ContributorsTim Krabec http://www.kracomp.comChris Mills http://www.securabit.comChris Gerling Tim Holmes http://www.mcaschool.netCarl Hester http://www.dontpanictech.com Stephen Moore http://stephenrmoore.blogspot.com
Thank you to everyone in the IRC channels who helped with Screen shots and web links, etc.#crcerror http://www.crcerror.net #dshield http://www.dshield.org/indexd.html#pauldotcom http://www.pauldotcom.com#securabit http://www.securabit.com
Worm Exploiting this Flaw!!
Finish patching Very SOON. http://www.f-secure.com/weblog/archives/00001526.html http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-110306-2212-99&tabid=2
Scope
MS08-67 vulnerability is a flaw in the default implementation of the remote procedure call (RPC) as it relates to the use of the Server message block (SMB) protocol. This vulnerability is in all Windows systems from Windows 2000 to Windows 7 Pre-Beta. (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx)
Exploitation of this vulnerability will result in the attacker gaining free and unrestricted access to the exploited computer with the ability to run arbitrary code. http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
There are confirmed rumors that this exploit (which is at this time in the wild) may be "weaponized" to form some type of worm at least comparable in scope to the Blaster Worm.
Scope continued
The chances of this affecting any given computer are very good given the depth of the vulnerability, and the widespread nature of the Microsoft Windows operating system. It is also important to note that this vulnerability exists in all versions of Windows from Windows 2000 onward, including the latest pre-beta versions of Windows 7. Obviously this bit of code is integral to the Windows OS and has not been changed much over the multiple generations of the software.
IT Response
The key to an effective response is defense in depth
1. Patch all affected systems -- which basically means if it runs Windows -- patch it (If you have systems with history of problems with Windows Updates, test then patch, or call you vendor today).
2. Make sure your perimeter firewalls (and internal firewalls if you use them) block the following ports 137,138(udp) 139(tcp) and 445(tcp) Test the new rules by scanning known systems for open ports. nmap scan: nmap -vv -P0 -p U:137,138,T:139,445 host(s) 3. Educate your users on how to protect their home and mobile systems.
'Home' Response
1. Update your computers -- explained on slides 11-19 2. If you are not using a firewall - you need to be - if you have a high speed connection (cable or DSL) you need a firewall router in addition to your windows firewall. Many routers Support NAT which helps mitigate incoming traffic problems
3. Update your anti-virus systems
Methods of Compromise
Malicious download from compromised web site1.Highly likely2.This method has already been seen in the wild and is actively in use3.Current known malicious sites have been requested to block Malicious file opened from E-Mail1.Possible, but less likely2.Requires users to manually open file Unpatched systems 1. If unpatched and otherwise unprotected, very likely (obviously)
Known Exploits to the Vulnerablility
•http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.html
•http://www.milw0rm.com/exploits/6824 •https://www.immunityinc.com/downloads/immpartners/ms08_067.tgz
Immunity INC. (Login required)•Securityfocus POC
Technical Infomation
Snort Rules Emerging threats:http://www.snort.org/pub-bin/snortnews.cgi#819
Emerging Threats:http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067
Code: http://www.phreedom.org/
A good matrix of what is affected:http://blogs.technet.com/swi/
From Microsoft:http://www.microsoft.com/security/portal/Entry.aspx?name=Exploit%3aWin32%2fMS08067.gen!A
Intrusion Prevention Releases
Tippingpoint Filter # 6515Provided via Digital Vaccine 7582.Released 10/23/2008 @ 1:51pm EST.*Default action for this filter is DISABLED*Tippingpoint TMC Release (required registration)
Sourcefire Snort SEUReleased 10/23/2008 @ 1:59pmAdvisory Press Release
Early Trojan InformationEarly Trojan named Gimmiv.APropagates automatically, self installs files at the endpointAttempts to exploit other machines by sending them a malformed RPC request to Server service •“\c\..\..\AAAAAAAAAAAAAAAAAAAAAAAAAAAAA”
•the malware drops a DLL component (Gimmiv.A)
Searches the endpoint for: •computer name, MSN/Outlook credentials, various user names\passwords, patch
information, and more Connects to remote server at:
•http://59.106.145.58/[…].php?abc=1?def=2 Encrypts information prior to sending!... and more to come. ref: http://security.blogs.techtarget.com/2008/10/24/worm-exploiting-ms08-067-rpc-vulnerability/
Updating Windows XP
Navigate to http://www.windowsupdate.com
Choose Custom
What if you only see SP3?If you recieve the message below, choose Review Other Updates. While installing Service Pack 3 is important, it is imparative that this other update gets installed, Service Pack 3 is less critical and generally requires more testing.
The update is available for Windows XP
Windows XP: Update is not visable
What Should I do?
On the left Click on Review your upate history
Patched Windows XP Machine
This computer has alrady had it applied see Security Update for Windows XP (KB958644) has a Green check next to it
The Update is available through Autoupdate
Updating Vista
Microsoft released the Vista patch as Important (because of ASLR), not Critical as with the other Operating Systems.
Windows Server 2008
Again its KB958644
Windows 2000 SP4
Look another KB958644
Verifying Patch Installation
Manual methods:
Log onto machine, pull up Add/Remove programs and check the "Show Updates" box. Verify KB958644 is in the list, which should be near the bottom.
Or
Log onto machine, pull up system32 folder and depending on your OS, you're looking for Net32api.dll or wnet32api.dll to have a certain version. Full table is here: http://support.microsoft.com/kb/958644
Here is an Autoit3 script to scan a subnet or part there of. Exe of said code will be at www.kracomp.com/gimmivscan.exe The code could use bit more editing. Please feel free to contribute.
;I added 3 input boxes so one doesnt have to hardcode the ip subnet and start/stop ip's in the code.
;Revision3#Region ;**** Directives created by AutoIt3Wrapper_GUI ****#AutoIt3Wrapper_outfile=c:\test.exe#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****#include <GUIConstantsEx.au3>
$subnet = 0$startIP = 0$endIP = 0
$subnet = InputBox("subnet","type in your subnet (xxx.xxx.xxx)","10.10.104")$startIP = InputBox("startIP","Please enter the starting IP","25")$endIP = InputBox("endIP)","Please enter the ending IP", "250")
$ip = $startIP + 1
;Using an ArrayDim $winfolders[2]$winfolders[0]="\c$\windows\system32"$winfolders[1]="\c$\winnt\system32"; increment the Dim number above by the number of elements you are adding;$aArray[2]="insert path here"
Dim $BadFiles[12]$BadFiles[0] = "\wbem\sysmgr.dll"$BadFiles[1] = "\wbem\winbaseInst.exe"$BadFiles[2] = "\wbem\winbase.dll"$BadFiles[3] = "\wbem\svicon.dll"$BadFiles[4] = "\wbem\basesvc.dll"$BadFiles[5] = "basesvc.dll"$BadFiles[6] = "inetproc02x.cab"$BadFiles[7] = "install.bat"$BadFiles[8] = "scm.bat"$BadFiles[9] = "syicon.dll"$BadFiles[10] = "winbase.dll"$BadFiles[11] = "winbaseInst.exe"
;Dim $GoodFiles[3];$GoodFiles[0] = ;$GoodFiles[1] = ;$GoodFiles[2] = ;$GoodFiles[3] =
MsgBox (0,"Done","starting")
;For $ip = $startIP to $endip step 1 FOR $folder IN $winfolders if FileExists("\\"&$subnet&"."&$ip&$folder) then; MsgBox(0, "test!", "$folder exists") for $file IN $BadFiles If FileExists($subnet&$ip&$folder&$file) Then MsgBox(0, "Infected!", "$ip has $file") Else MsgBox(0,"Clean",$file) EndIf next ; Else; MsgBox(0, "test!", "\\"&$subnet&"."&$ip&$folder) EndIf; Next NEXT ;next
MsgBox(1,"Done","Done") ;End