Haven't seen this mentioned anywhere yet, so I figured I would mention it. It seems an exploit has been created for the vulnerability documented in Microsoft Security Bulletin MS04-00-007. Here is the code: http://www.k-otik.com/exploits/02.14.MS04-007-dos.c.php. Below is some info on it:

>A computer program that exploits the vulnerability in ASN.1 Library, a
>common Microsoft component, was posted to the Internet Saturday. However,
>the exploit code does not pose an extreme risk to confidential data stored
>on vulnerable systems. The code for the program appeared on
>http://www.k-otik.com, a known outlet for software exploits.
>
>The program will cause machines using a vulnerable version of the ASN.1
>Library to reboot, producing a DoS (denial of service) attack. The exploit does not
>allow a remote attacker to run malicious code or access files on vulnerable
>machines. That makes it less dangerous than previous software exploits, such
>as Blaster.
>
>ASN, or Abstract Syntax Notation, is an international standard for
>representing different types of binary data such as numbers or strings of
>text. The ASN.1 Library is used by a wide range of Windows features and
>software.
>
>The ASN.1 exploit targets a Windows authentication protocol known as NT LAN
>Manager V2, or NTLMV2, that is used to authenticate users and allow them to
>connect to remote machines on a network. NTLMV2 is enabled by default on
>most Windows desktops and servers and can be reached through a number of
>communications ports on Windows machines using ASN.1 to encode the data that
>is sent back and forth.
>
>The nature of the ASN.1 vulnerability makes it harder to exploit than the
>DCOM vulnerability because the attacker does not have control over the area
>of the heap that is wiped out in the attack. That makes it difficult to produce
>reliable results on every vulnerable Windows machine.
>
>However, there is some evidence that malicious hackers are working to refine
>the attack and produce a version of the exploit that will give attackers
>total control over vulnerable systems. There are unofficial reports that an
>exploit for ASN.1 that gives attackers remote control of systems exists, but
>has not been released by the hackers.

________________________________________________
Stephen Bogdanski           Network Support, MSU-CVM
Michigan State University
A227 VetMed Center         Phone:          (517) 353-5551
East Lansing, MI 48824     Fax:              (517) 432-2937