Information on MS08-067
Patch your systems!

Creative Commons License: Attribution-Noncommercial-Share Alike 2.0
Revision 3: 11-2-08
Contributors
Tim Krabec http://www.kracomp.com
Chris Mills http://www.securabit.com
Chris Gerling
Tim Holmes http://www.mcaschool.net
Carl Hester http://www.dontpanictech.com
Stephen Moore http://stephenrmoore.blogspot.com
Thank you to everyone in the IRC channels who helped with
screenshots, web links, etc.
#crcerror http://www.crcerror.net
#dshield http://www.dshield.org/indexd.html
#pauldotcom http://www.pauldotcom.com
#securabit http://www.securabit.com
Worm Exploiting this Flaw!!
Finish patching very soon.
http://www.f-secure.com/weblog/archives/00001526.html

http://www.symantec.com/business/security_response/writeup.jsp?d
Scope
MS08-067 is a stack buffer overflow in the Windows Server service: a
specially crafted RPC request, delivered over SMB (TCP 139 or 445),
reaches path canonicalization code in netapi32.dll that overruns a
stack buffer. The bug is present in every supported Windows version
from Windows 2000 through Windows Server 2008, and in the Windows 7
pre-beta.
(http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx)

Successful exploitation gives the attacker arbitrary code execution
inside the Server service, which runs as LocalSystem. On Windows 2000,
XP and Server 2003 no authentication is needed, so a single malformed
request from the network is enough to take over the machine.
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Exploit code is public and already in use in the wild, and it is widely
expected to be turned into a self-propagating worm at least comparable
in scope to Blaster (which hit the RPC/DCOM service in 2003).
Scope continued
Assume any unpatched Windows host that can be reached on TCP 139/445 is
exploitable: the vulnerable code ships in every version from Windows
2000 onward, including the latest pre-beta of Windows 7, the Server
service is enabled by default, and Windows is everywhere.
This code path is clearly integral to the OS and has changed little
across multiple generations of the software, which is why one bug
covers so many releases.
IT Response
The key to an effective response is defense in depth
1. Patch all affected systems -- which basically means if it runs
Windows, patch it. If you have systems with a history of problems with
Windows Updates, test and then patch, or call your vendor today.
2. Make sure your perimeter firewalls (and internal firewalls, if you use
them) block 137/udp, 138/udp, 139/tcp and 445/tcp from untrusted
networks. Test the new rules from the outside by scanning known
systems for open ports:
nmap scan: nmap -vv -Pn -sS -sU -p U:137,138,T:139,445 host(s)
(-Pn was spelled -P0 in older nmap releases; -sU is required, otherwise
nmap warns and ignores the UDP ports in the list; SYN and UDP scans need
root or Administrator.) Blocking these ports at the perimeter does not
protect hosts from an infected machine on the same LAN, so patching is
still the real fix.
3. Educate your users on how to protect their home and mobile
systems.
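To make step 2 checkable across a whole address range, here is an added example (written for this page, not code from the deck or its contributors) that reads nmap's grepable output (-oG) from the scan above and reports which hosts still answer on the NetBIOS/SMB ports. The scan output embedded in it is constructed, not a real capture; the addresses and host names are invented. It also handles the UDP caveat: nmap reports a UDP port that never answers as open|filtered, which is exactly what a firewall DROP looks like, so those ports are listed as unconfirmed rather than blocked.

```python
import re
from typing import Dict, List, Tuple

# The ports the deck says to block at the perimeter: NetBIOS name and
# datagram services (UDP), NetBIOS session (TCP) and direct-hosted SMB (TCP).
SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

# Constructed sample of `nmap -oG -` output (not a real capture; addresses
# and host names are invented). Fields are tab-separated; each port entry is
# port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_GREPABLE = """\
# Nmap 4.76 scan initiated Sun Nov  2 10:00:00 2008 as: nmap -vv -Pn -sS -sU -p U:137,138,T:139,445 -oG - 10.0.0.0/28
Host: 10.0.0.5 (ws05.example.test)\tStatus: Up
Host: 10.0.0.5 (ws05.example.test)\tPorts: 137/open/udp//netbios-ns///, 138/open|filtered/udp//netbios-dgm///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 137/filtered/udp//netbios-ns///, 138/filtered/udp//netbios-dgm///, 139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
Host: 10.0.0.12 (srv12.example.test)\tStatus: Up
Host: 10.0.0.12 (srv12.example.test)\tPorts: 137/closed/udp//netbios-ns///, 138/closed/udp//netbios-dgm///, 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (0)
# Nmap done at Sun Nov  2 10:00:09 2008 -- 16 IP addresses (3 hosts up) scanned in 9.12 seconds
"""

PORT_ENTRY = re.compile(r"^(\d+)/([^/]+)/(tcp|udp)/")


def parse_grepable(text: str) -> Dict[str, Dict[Tuple[str, int], str]]:
    """Return {ip: {(proto, port): state}} from every 'Host:' line that
    carries a 'Ports:' field. States are nmap's own words: open, closed,
    filtered, open|filtered."""
    hosts: Dict[str, Dict[Tuple[str, int], str]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        states = hosts.setdefault(ip, {})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                m = PORT_ENTRY.match(entry.strip())
                if m:
                    port, state, proto = int(m.group(1)), m.group(2), m.group(3)
                    states[(proto, port)] = state
    return hosts


def _select(text: str, wanted_state: str) -> Dict[str, List[str]]:
    """Hosts with at least one SMB/NetBIOS port in the given nmap state."""
    result: Dict[str, List[str]] = {}
    for ip, states in parse_grepable(text).items():
        hits = [p for p, s in states.items() if p in SMB_PORTS and s == wanted_state]
        if hits:
            result[ip] = [f"{port}/{proto}" for proto, port in sorted(hits, key=lambda p: p[1])]
    return result


def still_exposed(text: str) -> Dict[str, List[str]]:
    """Hosts whose SMB/NetBIOS ports nmap positively saw as open: the
    firewall rule is not covering them."""
    return _select(text, "open")


def unconfirmed(text: str) -> Dict[str, List[str]]:
    """UDP ports that never answered (open|filtered). A firewall DROP and a
    silent open service look identical here, so verify these by other
    means (e.g. a NetBIOS name query) before calling them blocked."""
    return _select(text, "open|filtered")


if __name__ == "__main__":
    for ip, ports in still_exposed(SAMPLE_GREPABLE).items():
        print(f"{ip}: still reachable on {', '.join(ports)}")
    for ip, ports in unconfirmed(SAMPLE_GREPABLE).items():
        print(f"{ip}: unconfirmed (no UDP answer) on {', '.join(ports)}")
```

Run the real scan with `-oG -` appended and feed its output to still_exposed(); any host it lists is one the new firewall rule is not covering and needs a rule fix or a patch before the worm finds it.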
'Home' Response
1. Update your computers -- see the Updating Windows XP / Vista / Server
2008 / Windows 2000 slides below.
2. If you are not using a firewall, you need to be. If you have a
high-speed connection (cable or DSL) you need a firewall router in
addition to the Windows firewall. Most home routers do NAT, which drops
unsolicited inbound connections such as the SMB traffic this worm uses.
3. Update your anti-virus software.
Methods of Compromise
Malicious download from compromised web site
1. Highly likely
2. This method has already been seen in the wild and is actively
in use
3. Blocking of the currently known malicious sites has been requested
Malicious file opened from E-Mail
1. Possible, but less likely
2. Requires users to manually open the file
Unpatched systems exposed to the network
1. If unpatched and otherwise unprotected, very likely
(obviously): the flaw itself needs no user interaction, only a
reachable port 139 or 445
Known Exploits for the Vulnerability

• http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.htm
• http://www.milw0rm.com/exploits/6824
• https://www.immunityinc.com/downloads/immpartners/ms08_067.tgz
Immunity Inc. (login required)
• SecurityFocus PoC
Technical Information
Snort rules (Sourcefire VRT):
http://www.snort.org/pub-bin/snortnews.cgi#819

Emerging Threats:
http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-0
Code:
http://www.phreedom.org/
A good matrix of what is affected:
http://blogs.technet.com/swi/

From Microsoft:
http://www.microsoft.com/security/portal/Entry.aspx?name=Exploit%3aWin32%2fMS
Intrusion Prevention Releases
TippingPoint filter #6515
Provided via Digital Vaccine 7582.
Released 10/23/2008 @ 1:51pm EST.
*Default action for this filter is DISABLED -- enable it!*
TippingPoint TMC release (registration required)
Sourcefire Snort SEU
Released 10/23/2008 @ 1:59pm
Advisory
Press Release
Early Trojan Information
Early Trojan named Gimmiv.A
Propagates automatically and installs its files on the endpoint
Attempts to exploit other machines by sending them a malformed
RPC request to the Server service; the request is recognisable by its
padding string

•“c....AAAAAAAAAAAAAAAAAAAAAAAAAAAAA”
•the malware drops a DLL component (Gimmiv.A)
Searches the endpoint for:

•computer name, MSN/Outlook credentials, various user names and
passwords, patch information, and more

Connects to a remote server at:

•http://59.106.145.58/[…].php?abc=1?def=2

Encrypts the stolen information before sending it, so detect the
connection itself rather than its content.
... and more to come.
ref: http://security.blogs.techtarget.com/2008/10/24/worm-exploiting-ms08-067-rpc-vulnerability/
Updating Windows XP
Navigate to http://www.windowsupdate.com
Choose Custom
What if you only see SP3?
If you receive the message below, choose Review Other
Updates.
Installing Service Pack 3 is important, but it is imperative that
this update (KB958644) gets installed first: SP3 is less urgent and
generally requires more testing, and KB958644 is available for both
SP2 and SP3.
The update is available for Windows XP
Windows XP: Update is not visible
What Should I do?

On the left, click Review your update history
Patched Windows XP Machine
This computer has already had it applied: Security Update for
Windows XP (KB958644) has a green check next to it
The update is also available through Automatic Updates
Updating Vista
Microsoft rated the Vista patch Important rather than Critical as on
the other operating systems: on Vista and Server 2008 the vulnerable
code path is only reachable by authenticated users, and ASLR and DEP
make reliable exploitation harder. It is still the same bug; install
it.
Windows Server 2008
Again it is KB958644
Windows 2000 SP4
Look, another KB958644
Verifying Patch Installation
Manual methods:
Log onto the machine, open Add/Remove Programs and check the
"Show updates" box (on Vista/2008: Programs and Features, "View
installed updates"). Verify KB958644 is in the list; it should be near
the bottom.
Or
Log onto the machine, open the system32 folder and check the version
of netapi32.dll. The fixed version number differs per OS and service
pack; on x64 the KB table lists the 32-bit copy as wnetapi32.dll,
which on disk is SysWOW64\netapi32.dll. The full table is here:
http://support.microsoft.com/kb/958644
Here is an AutoIt3 script to scan a subnet, or part thereof. An exe of
the code will be at www.kracomp.com/gimmivscan.exe. The code could use a
bit more editing. Please feel free to contribute.

;I added 3 input boxes so one doesn't have to hardcode the IP
;subnet and start/stop IPs in the code.
;Revision3
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_outfile=c:\test.exe
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include <GUIConstantsEx.au3>
$subnet = 0
$startIP = 0
$endIP = 0
$subnet = InputBox("subnet", "type in your subnet")
$startIP = InputBox("start IP", "type in the first host number to scan")
$endIP = InputBox("end IP", "type in the last host number to scan")
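As an added example for the Verifying Patch Installation slide (written for this page; it is not the deck's code and not a replacement for the AutoIt scanner above), here is the comparison step of a patch audit in Python: given an inventory of (host, OS branch, netapi32.dll version) collected however you like (reading the version resource of \\host\C$\WINDOWS\system32\netapi32.dll over the admin share, or from the AutoIt script), it decides per host whether the file is at or above the fixed build. The inventory embedded is constructed. The two XP threshold values are quoted from memory of the KB958644 file table and are an assumption to be checked against the KB before use; the other branches must be added from the same table. Versions are compared as integer tuples, because comparing them as text ranks 5.1.2600.10000 below 5.1.2600.5694.

```python
from typing import Dict, List, Tuple

# Minimum netapi32.dll version once KB958644 is installed, per OS branch.
# ASSUMPTION: the two XP entries are quoted from memory of the KB958644
# "File information" table; verify them against the KB and add the other
# branches (2000 SP4, 2003 SP1/SP2, Vista, Server 2008) from the same table.
FIXED_NETAPI32: Dict[str, str] = {
    "Windows XP SP2": "5.1.2600.3462",
    "Windows XP SP3": "5.1.2600.5694",
}

# Constructed inventory: (host, OS branch, netapi32.dll version found).
# Hosts and versions are invented for the example; a real run would fill
# this from the version resource of \\host\C$\WINDOWS\system32\netapi32.dll.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws05", "Windows XP SP3", "5.1.2600.5694"),
    ("ws07", "Windows XP SP3", "5.1.2600.5512"),
    ("ws09", "Windows XP SP2", "5.1.2600.2180"),
    ("srv12", "Windows Server 2003 SP2", "5.2.3790.4392"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.1.2600.5694' -> (5, 1, 2600, 5694). Integer tuples compare
    component-wise, which is what file versions need; plain string
    comparison would rank 5.1.2600.10000 below 5.1.2600.5694."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a file version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(branch: str, found: str) -> bool:
    """True if the netapi32.dll on this branch is at or above the fixed
    build. Raises KeyError for a branch missing from FIXED_NETAPI32 so an
    unknown OS is never silently reported as patched."""
    return parse_version(found) >= parse_version(FIXED_NETAPI32[branch])


def audit(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Sort hosts into patched / unpatched / unknown (branch not in table).
    'unknown' hosts need a table entry, not a shrug."""
    report: Dict[str, List[str]] = {"patched": [], "unpatched": [], "unknown": []}
    for host, branch, version in inventory:
        if branch not in FIXED_NETAPI32:
            report["unknown"].append(host)
        elif is_patched(branch, version):
            report["patched"].append(host)
        else:
            report["unpatched"].append(host)
    return report


if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:>9}: {', '.join(hosts) or '-'}")
```

On a live network, cross-check the file version against the installed-update list (for example `wmic /node:HOST qfe where "HotFixID='KB958644'" get HotFixID,InstalledOn`); a host that fails either check goes on the patch-now list.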
