Additional info about Opaserv worm

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 10/05/02


Date:         Sat, 5 Oct 2002 11:36:30 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

According to Matt Power of Bindview <mhpower@bos.bindview.com>, an assertion I made regarding the Opaserv worm was incorrect. His testing confirms to him that Opaserv is in fact exploiting a previously patched vulnerability in Win9x/ME systems. Based on the information I had at the time, I incorrectly assumed it was exploiting file shares which had no passwords.

MS00-072 provided a patch for Win9x/ME systems which had File and Print Sharing installed, which had set up shares using SHARE-LEVEL access, and which had established a password on that access (long, short, anything other than blank).

When a Win9x/ME system is configured as described above, and the patch from MS00-072 has not been applied, it is possible to send a request to connect to a share using only a portion of the actual password. That is, if your password was

a5C#4%lKj(9F@n

it would be possible to connect to your share sending only the letter "a", together with an instruction to the share server that the password being sent is only a single character. So regardless of the strength of your password, an attack need only cycle through the possibilities for one character to establish a connection to the share. Once established, Opaserv is able to compromise that system and propagate.
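The flaw described above, modelled as an added Python example (this is not code from the post, from NSFocus or from Microsoft; the function names, the simplified comparison logic and the printable-ASCII alphabet are assumptions). The vulnerable checker trusts the client-supplied password length and compares only that many bytes, so the work factor collapses to the size of the alphabet; the hardened checker requires the full length and compares in constant time.

```python
import hmac
from typing import Callable, Optional

# Constructed sample: the share password quoted in the post.
SHARE_PASSWORD = b"a5C#4%lKj(9F@n"

# Assumed alphabet for the single-character guess budget: printable ASCII.
PRINTABLE = bytes(range(32, 127))


def vulnerable_check(stored: bytes, supplied: bytes, claimed_len: int) -> bool:
    """Model of the pre-MS00-072 share-level check (simplified, hypothetical):
    the server honours the client's claimed password length and compares only
    that many bytes of the stored password."""
    if claimed_len < 1 or claimed_len > len(supplied):
        return False
    return stored[:claimed_len] == supplied[:claimed_len]


def fixed_check(stored: bytes, supplied: bytes, claimed_len: int) -> bool:
    """Hardened form: the claimed length must equal the stored password length,
    the supplied buffer must be that long, and the whole value is compared in
    constant time so the prefix no longer leaks."""
    if claimed_len != len(stored) or len(supplied) != len(stored):
        return False
    return hmac.compare_digest(stored, supplied)


Checker = Callable[[bytes, bytes, int], bool]


def single_char_work_factor(check: Checker, alphabet: bytes) -> Optional[int]:
    """Number of single-character connection attempts (length field = 1) the
    checker accepts before granting access, or None if it never does.
    For the vulnerable checker this is bounded by len(alphabet); for the
    fixed checker no single-character request is ever accepted."""
    for attempt, c in enumerate(alphabet, start=1):
        if check(SHARE_PASSWORD, bytes([c]), 1):
            return attempt
    return None


if __name__ == "__main__":
    print("vulnerable:", single_char_work_factor(vulnerable_check, PRINTABLE))  # 66
    print("fixed:     ", single_char_work_factor(fixed_check, PRINTABLE))       # None
```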

The vulnerability was discovered by NSFocus and first published in October 2000; see the following NSFocus page for more details:

http://www.nsfocus.com/english/homepage/sa_05.htm

The patch for this vulnerability is documented in MS00-072:

http://www.microsoft.com/technet/security/bulletin/MS00-072.asp

However, you may wish to consider requesting another patch which superseded this one. That later patch can only be obtained by calling MS Support. It's documented here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q273727

There have been at least 3 exploit programs published which utilize this vulnerability; they can be found here:

http://online.securityfocus.com/bid/1780/exploit/

Thanks to Matt for providing the additional insight.

Cheers,
Russ - NTBugtraq Editor
