Additional info about Opaserv worm

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 10/05/02


Date:         Sat, 5 Oct 2002 11:36:30 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

According to Matt Power of Bindview <mhpower@bos.bindview.com>, an assertion I made regarding the Opaserv worm was incorrect. His testing confirms to him that Opaserv is in fact exploiting a previously patched vulnerability in Win9x/ME systems. Based on the information I had at the time, I incorrectly assumed it was exploiting file shares which had no passwords.

MS00-072 provided a patch for Win9x/ME systems which had File and Print Sharing installed, and, which had setup shares using SHARE-LEVEL access, and, which had established a password on that access (long, short, anything other than blank).

When a Win9x/ME system is configured as described above, and the patch from MS00-072 has not been applied, it is possible to send a request to connect to a share using only a portion of the actual password in place. That is, if your password was

a5C#4%lKj(9F@n

it would be possible to connect to your share sending only the letter "a", together with an instruction to the share server that the password being sent is only a single character. So regardless of the strength of your password, an attack need only cycle through the possibilities for one character to establish a share. Once established, Opaserv is able to compromise that system and propagate.

The vulnerability was discovered by NSFocus and first published in October 2000, see the following NSFocus page for more details;

http://www.nsfocus.com/english/homepage/sa_05.htm

The patch for this vulnerability is documented in MS00-072;

http://www.microsoft.com/technet/security/bulletin/MS00-072.asp

However you may wish to consider requesting another patch which superceded this one. That later patch can only be obtained by calling MS Support. Its documented here;

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q273727

There have been at least 3 exploit programs published with utilize this vulnerability, they can be found here;

http://online.securityfocus.com/bid/1780/exploit/

Thanks to Matt for providing the additional insight.

Cheers,
Russ - NTBugtraq Editor