Haven't seen this mentioned anywhere yet so I figured I would mention it. It seems an exploit has been created for the vulnerability documented in Microsoft Security Bulletin MS04-00-007. Here is the code: http://www.k-otik.com/exploits/02.14.MS04-007-dos.c.php. Below is some info on it:

>A computer program that exploits the vulnerability in ASN.1 Library, a
>common Microsoft component, was posted to the Internet Saturday. However,
>the exploit code does not pose an extreme risk to confidential data stored
>on vulnerable systems. The code for the program appeared on
>http://www.k-otik.com, a known outlet for software exploits.
>
>The program will cause machines using a vulnerable version of the ASN.1
>Library to reboot, producing a DoS (denial of service) attack. The exploit
>does not allow a remote attacker to run malicious code or access files on
>vulnerable machines. That makes it less dangerous than previous software
>exploits, such as Blaster.
>
>ASN, or Abstract Syntax Notation, is an international standard for
>representing different types of binary data such as numbers or strings of
>text. The ASN.1 Library is used by a wide range of Windows features and
>software.
>
>The ASN.1 exploit targets a Windows authentication protocol known as NT LAN
>Manager V2, or NTLMV2, that is used to authenticate users and allow them to
>connect to remote machines on a network. NTLMV2 is enabled by default on
>most Windows desktops and servers and can be reached through a number of
>communications ports on Windows machines using ASN.1 to encode the data that
>is sent back and forth.
>
>The nature of the ASN.1 vulnerability makes it harder to exploit than the
>DCOM vulnerability because the attacker does not have control over the area
>of the heap that is wiped out in the attack. That makes it difficult to
>produce reliable results on every vulnerable Windows machine.
>
>However, there is some evidence that malicious hackers are working to refine
>the attack and produce a version of the exploit that will give attackers
>total control over vulnerable systems. There are unofficial reports that an
>exploit for ASN.1 that gives attackers remote control of systems exists, but
>has not been released by the hackers.

________________________________________________
Stephen Bogdanski
Network Support, MSU-CVM
Michigan State University
A227 VetMed Center
East Lansing, MI 48824
Phone: (517) 353-5551
Fax: (517) 432-2937