
[HIGH] Advisory Guidance on MS06-040


Captain Newbie

Senior Django-loving Member
This thread is *specific* to Microsoft Windows Security Advisory MS06-040, and has been deemed a HIGH risk by Microsoft.

---Vulnerability title--- Microsoft Windows Advisory MS06-040 - Buffer Overflow in Server Service Could Permit Remote Code Execution

---Summary--- Publicly-available exploit code for a vulnerability in the RPC Server Service in Microsoft Windows 2000, Server 2003, and Windows XP SP1 and SP2 was disclosed almost immediately following Microsoft's official recognition of the problem. An attacker who sends a specially-crafted SMB packet to an affected system can overflow a buffer and execute arbitrary code on the exploited system with kernel-level privileges.

---Affected Systems---
* 32-bit Microsoft Windows XP SP0, SP1, SP2 (see note)
* 32-bit Microsoft Windows Server 2003 SP0, SP1
* 32-bit Microsoft Windows 2000 SP4

Note: Due to changes in the code path used in Service Pack 2, it is believed that system compromise cannot occur on Windows XP SP2 systems, although Microsoft still lists this OS as vulnerable. It is believed that the most that can occur on a SP2 system is a denial-of-service attack. XP SP2 users should apply this update regardless.

---Technical Description and Risks--- An attacker who successfully exploits this vulnerability can perform remote code execution with the privileges of the operating system itself. This vulnerability could result in system compromise, the loss of sensitive data, a denial-of-service attack, or destruction of data.

This vulnerability is being exploited in the wild. While the possibility of a Great Internet Worm such as Slammer or Code Red is low due to other proactive preventions taken by NSPs and the increasing use of firewalls, the possibility for rootkit installation remains high.

---Exploit Detail--- The programs known to be exploiting this vulnerability are described in greater detail at the Internet Storm Center, and in full detail at Lurhq. The programs appear to be extensions to the Windows Genuine Advantage service to deter unsuspecting users from removing them. The executables open a back door on the system and attempt to connect to an IRC server for commands in botnet fashion.

This vulnerability exists due to an unchecked buffer condition in Microsoft Windows. The specially-crafted packet overruns a buffer and permits a malicious user to transfer control to a program transferred as part of the exploit packet, allowing the malicious remote user to execute arbitrary code with operating system privileges on the remote system.

---Remediation--- Ports 135 through 139 and 445 should be filtered at your firewall. For the current publicly-known exploits, signatures are available for the major anti-virus companies and should be part of your weekly signature updates effective August 16, 2006, or earlier if you are a daily update subscriber. Best practices, including stringent firewall rules and patch compliance as soon as possible, will render you immune to known exploits.

---Recommendations--- Best practices enumerated above should be implemented without delay, and all Windows systems should have the MS06-040 patch applied as soon as is practical.

For systems that are compromised, the recommended recovery method is a nuke-from-orbit, or complete wipe and reinstallation of the OS followed by patch application.

---References, Further Information---
Microsoft's Advisory
US-CERT
Lurhq's Analysis
Internet Storm Center
Symantec SecurityResponse
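The remediation above says ports 135 through 139 and 445 should be filtered at the perimeter. The following is an added example (not from the original post or from any vendor) that checks a firewall's accept/drop log for flows where that filtering is missing: inbound connections from outside the LAN that were accepted to a Server-service port. The log line format, the RFC1918 ranges treated as "internal", and the sample lines themselves are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Ports the advisory says to filter at the firewall: NetBIOS/RPC 135-139 and SMB 445.
SERVER_SERVICE_PORTS = set(range(135, 140)) | {445}

# Assumed "internal" address space (RFC1918); LAN-to-LAN SMB is expected traffic.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall log (not real traffic). Assumed line format:
# "<time> <ACCEPT|DROP> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port>"
SAMPLE_LOG = """\
2006-08-14T10:01:02 ACCEPT proto=tcp src=203.0.113.7:3411 dst=192.168.1.20:445
2006-08-14T10:01:05 ACCEPT proto=tcp src=203.0.113.7:3412 dst=192.168.1.21:139
2006-08-14T10:02:10 DROP proto=tcp src=198.51.100.9:51000 dst=192.168.1.20:445
2006-08-14T10:03:00 ACCEPT proto=tcp src=192.168.1.5:1025 dst=192.168.1.20:445
2006-08-14T10:04:00 ACCEPT proto=udp src=203.0.113.7:137 dst=192.168.1.20:137
2006-08-14T10:05:00 ACCEPT proto=tcp src=203.0.113.8:4000 dst=192.168.1.20:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>tcp|udp) "
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+)$"
)

def is_internal(ip_text):
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETS)

def find_unfiltered_smb(log_text):
    """Return (src, dst, dport) for ACCEPTed packets from an external source to a
    Server-service port, i.e. flows the recommended perimeter filter should have
    dropped. DROPped packets and internal sources are not reported."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        if m["action"] != "ACCEPT" or int(m["dport"]) not in SERVER_SERVICE_PORTS:
            continue
        if is_internal(m["sip"]):
            continue
        hits.append((m["sip"], m["dip"], int(m["dport"])))
    return hits

def offenders(log_text):
    """Count unfiltered hits per external source, most active first."""
    return Counter(h[0] for h in find_unfiltered_smb(log_text)).most_common()

if __name__ == "__main__":
    for sip, dip, dport in find_unfiltered_smb(SAMPLE_LOG):
        print(f"unfiltered: {sip} -> {dip}:{dport}")
    print(offenders(SAMPLE_LOG))
```

Any hit means the perimeter rule is not in place for that path; a busy external source in the output is also a sign the host behind it should be checked against the anti-virus signatures mentioned above.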
