This document provides information about the MS08-067 vulnerability, which affects all versions of Windows from Windows 2000 to Windows 7 Pre-Beta. It allows remote code execution and compromise of vulnerable systems. The document discusses the scope of impact, recommended response and mitigation steps, known exploits, and technical details. It also provides guidance on verifying that systems are patched to address this vulnerability.
1. Information on MS08-067
Patch your systems!
Creative Commons License: Attribution-Noncommercial-Share Alike 2.0
Revision 3: 11-2-08
2. Contributors
Tim Krabec http://www.kracomp.com
Chris Mills http://www.securabit.com
Chris Gerling
Tim Holmes http://www.mcaschool.net
Carl Hester http://www.dontpanictech.com
Stephen Moore http://stephenrmoore.blogspot.com
Thank you to everyone in the IRC channels who helped with
Screen shots and web links, etc.
#crcerror http://www.crcerror.net
#dshield http://www.dshield.org/indexd.html
#pauldotcom http://www.pauldotcom.com
#securabit http://www.securabit.com
3. Worm Exploiting this Flaw!!
Finish patching Very SOON.
http://www.f-secure.com/weblog/archives/00001526.html
http://www.symantec.com/business/security_response/writeup.jsp?d
4. Scope
The MS08-067 vulnerability is a flaw in the default implementation of
remote procedure call (RPC) as it relates to the use of the
Server Message Block (SMB) protocol. This vulnerability is present in all
Windows systems from Windows 2000 to Windows 7 Pre-Beta.
(http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx)
Exploitation of this vulnerability will result in the attacker gaining
free and unrestricted access to the exploited computer with the
ability to run arbitrary code.
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
There are confirmed reports that this exploit (which is already in
the wild at this time) may be "weaponized" into some type of worm at
least comparable in scope to the Blaster worm.
5. Scope continued
The chances of this affecting any given computer are very good
given the depth of the vulnerability, and the widespread nature of
the Microsoft Windows operating system.
It is also important to note that this vulnerability exists in all
versions of Windows from Windows 2000 onward, including the
latest pre-beta versions of Windows 7.
Obviously this bit of code is integral to the Windows OS and has
not been changed much over the multiple generations of the
software.
6. IT Response
The key to an effective response is defense in depth
1. Patch all affected systems -- which basically means if it runs
Windows -- patch it (if you have systems with a history of problems with
Windows Updates, test then patch, or call your vendor today).
2. Make sure your perimeter firewalls (and internal firewalls if you use
them) block the following ports: 137, 138 (UDP), 139 (TCP) and 445 (TCP).
Test the new rules by scanning known systems for open ports
(nmap ignores the U: port list unless a UDP scan is requested with -sU):
nmap scan: nmap -vv -P0 -sS -sU -p U:137,138,T:139,445 host(s)
3. Educate your users on how to protect their home and mobile
systems.
7. 'Home' Response
1. Update your computers -- explained on slides 11-19
2. If you are not using a firewall, you need to be. If you have a high
speed connection (cable or DSL) you need a firewall router in addition
to your Windows Firewall. Many routers support NAT, which helps
mitigate incoming traffic problems.
3. Update your anti-virus systems
8. Methods of Compromise
Malicious download from compromised web site
1. Highly likely
2. This method has already been seen in the wild and is actively
in use
3. Currently known malicious sites have been submitted for blocking
Malicious file opened from e-mail
1. Possible, but less likely
2. Requires users to manually open the file
Unpatched systems
1. If unpatched and otherwise unprotected, very likely
(obviously)
9. Known Exploits to the Vulnerability
• http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.htm
• http://www.milw0rm.com/exploits/6824
• https://www.immunityinc.com/downloads/immpartners/ms08_067.tgz
Immunity Inc. (login required)
• SecurityFocus PoC
10. Technical Information
Snort rules:
http://www.snort.org/pub-bin/snortnews.cgi#819
Emerging Threats:
http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-0
Code:
http://www.phreedom.org/
A good matrix of what is affected:
http://blogs.technet.com/swi/
From Microsoft:
http://www.microsoft.com/security/portal/Entry.aspx?name=Exploit%3aWin32%2fMS
11. Intrusion Prevention Releases
Tippingpoint Filter # 6515
Provided via Digital Vaccine 7582.
Released 10/23/2008 @ 1:51pm EST.
*Default action for this filter is DISABLED*
Tippingpoint TMC Release (registration required)
Sourcefire Snort SEU
Released 10/23/2008 @ 1:59pm
Advisory
Press Release
12. Early Trojan Information
Early Trojan named Gimmiv.A
Propagates automatically, self-installs files at the endpoint
Attempts to exploit other machines by sending them a malformed
RPC request to the Server service
• “c....AAAAAAAAAAAAAAAAAAAAAAAAAAAAA”
• the malware drops a DLL component (Gimmiv.A)
Searches the endpoint for:
• computer name, MSN/Outlook credentials, various user names/passwords, patch
information, and more
Connects to remote server at:
• http://59.106.145.58/[…].php?abc=1?def=2
Encrypts information prior to sending!
... and more to come.
ref: http://security.blogs.techtarget.com/2008/10/24/worm-exploiting-ms08-067-rpc-vulnerability/
14. What if you only see SP3?
If you receive the message below, choose Review Other
Updates.
While installing Service Pack 3 is important, it is imperative that
this other update gets installed; Service Pack 3 is less critical and
generally requires more testing.
22. Verifying Patch Installation
Manual methods:
Log onto the machine, pull up Add/Remove Programs and check the
"Show Updates" box. Verify KB958644 is in the list, which
should be near the bottom.
Or
Log onto the machine, pull up the system32 folder and, depending on
your OS, check that netapi32.dll or wnetapi32.dll has
a certain version. The full table is here:
http://support.microsoft.com/kb/958644
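A PowerShell version of the two manual checks above, run against a list of hosts, as an added example that is not part of the slides or of the gimmivscan tool. It assumes admin rights on the targets, reachable WMI (DCOM) and ADMIN$ shares, constructed host names, and a placeholder minimum netapi32.dll version that you fill in from the KB958644 file table for each target OS.

```powershell
# Added example, not from the slides: remote check for KB958644 on several hosts.
# Assumptions: admin rights on the targets, WMI (DCOM) and ADMIN$ reachable.
# Host names are constructed placeholders; $MinNetapi32Version is a PLACEHOLDER
# to be copied from the file table at http://support.microsoft.com/kb/958644.
param(
    [string[]]$Hosts = @('ws-example-01', 'ws-example-02'),
    [version]$MinNetapi32Version = '0.0.0.0'
)

function Get-Ms08067Status {
    param([string]$ComputerName, [version]$MinVersion)

    # Check 1: hotfix list, the same data Add/Remove Programs shows with "Show Updates" checked.
    $hotfix = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $ComputerName -ErrorAction SilentlyContinue |
              Where-Object { $_.HotFixID -eq 'KB958644' }

    # Check 2: version of netapi32.dll, the binary KB958644 replaces (ADMIN$ maps to %SystemRoot%,
    # so this also works where the system folder is \WINNT).
    $dll = "\\$ComputerName\ADMIN$\system32\netapi32.dll"
    $fileVersion = $null
    if (Test-Path $dll) {
        $vi = (Get-Item $dll).VersionInfo
        # Build a comparable [version] from the numeric parts; the FileVersion string
        # carries a build tag in parentheses that would not parse.
        $fileVersion = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    }

    # Only judge the version when a real minimum was supplied; with the 0.0.0.0 placeholder
    # every file would pass, which would hide unpatched hosts.
    $versionOk = $null
    if ($fileVersion -and $MinVersion -gt [version]'0.0.0.0') {
        $versionOk = $fileVersion -ge $MinVersion
    }

    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        HotfixListed = [bool]$hotfix
        Netapi32     = $fileVersion
        VersionOk    = $versionOk
        # Either manual method on the slide counts as evidence of the patch.
        Patched      = ([bool]$hotfix) -or ($versionOk -eq $true)
    }
}

$Hosts | ForEach-Object { Get-Ms08067Status -ComputerName $_ -MinVersion $MinNetapi32Version } |
    Format-Table ComputerName, HotfixListed, Netapi32, VersionOk, Patched -AutoSize
```

Hosts that show HotfixListed false and VersionOk null (file unreadable or no minimum version given) need a manual look rather than being treated as patched.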
23. Here is an AutoIt3 script to scan a subnet or part thereof. An exe of said code will
be at www.kracomp.com/gimmivscan.exe. The code could use a bit more editing.
Please feel free to contribute.
;I added 3 input boxes so one doesn't have to hardcode the IP
;subnet and start/stop IPs in the code.
;Revision3
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_outfile=c:test.exe
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include <GUIConstantsEx.au3>
$subnet = 0
$startIP = 0
$endIP = 0
$subnet = InputBox("subnet","type in your subnet