Re: New attack vectors and a vulnerability dissection of MS03-007
From: Russ (Russ.Cooper@RC.ON.CA)
Date: Mon, 7 Apr 2003 12:11:30 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Firstly, the code that Chadd referred to doesn't make any mention of it working on Windows XP, and nothing so far has indicated that Windows XP has a vulnerable NTDLL.DLL.
The exploit code does state that it has been tested on Windows 2000 SP0, SP1, SP2, and SP3.
Microsoft Security Bulletin MS03-007 only refers to Windows 2000 SP2 and SP3. This is because these are the only versions of Windows 2000 that Microsoft currently supports. When SP4 is released some time in the relatively near future, SP2 installations will no longer be supported (per MS' new support policy effective September last year.) As a result, I, and others, mistakenly assumed that only SP2 and SP3 systems were vulnerable. If the author of the exploit code is to be believed, this affects all versions of Windows 2000. I have seen nothing to make me believe this is not true.
So, no XP vulnerability, but all W2K are vulnerable.
Finally, to the issue of IIS and WebDAV being highlighted in the MS Bulletin. At the time the bulletin was written, there was attack code in use which used the IIS/WebDAV vector. There was every reason to believe that would be the most likely attack vector used for an en-masse attack. Code was already written, the vulnerability prevalence was incredibly high, and the mitigation of disabling WebDAV was relatively easy and did not require a reboot to be effective. Ergo it made sense to put that information in the bulletin. Unfortunately, rather than suggesting other vectors were possible, the emphasis was put entirely on IIS/WebDAV, leading far too many to believe it was the *only* vector.
With the introduction of this new exploit, targeting desktop systems and allowing anyone who has the ability to run code of their choice locally to increase their privilege to LocalSystem, Microsoft would be well advised to revise the MS03-007 Security Bulletin to de-emphasize the IIS/WebDAV vector and target the more generic message that everyone needs this patch.
Whether they will or not remains to be seen; it seems my messages to them over the past few weeks have been going into a black hole.
Russ - NTBugtraq Editor
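The post draws a line between the IIS/WebDAV workaround and the actual ntdll.dll patch. The script below is an added example of how an administrator could inventory both on a host; it is my code, not something from Russ's post or from the Microsoft bulletin. It assumes (the post does not state this) that the WebDAV workaround is the DisableWebDAV DWORD under the W3SVC Parameters key, and it takes the known-good ntdll.dll file version as a caller-supplied parameter because the post quotes no version number.

```powershell
# Added example, not from the original post. Checks the two separate questions the
# post raises for MS03-007: is the IIS/WebDAV vector closed, and is ntdll.dll itself
# patched? The first does nothing for the local LocalSystem escalation vector.

function Get-WebDavWorkaroundState {
    # Assumption: the bulletin's workaround is DisableWebDAV=1 under the W3SVC
    # Parameters key; it takes effect after an IIS restart, no reboot required.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ IisPresent = $false; WebDavDisabled = $null }
    }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        IisPresent     = $true
        WebDavDisabled = ($props.DisableWebDAV -eq 1)
    }
}

function Get-NtdllState {
    param(
        # Known-good version of ntdll.dll after the MS03-007 fix, supplied by the
        # caller from the hotfix's own file manifest (hypothetical parameter).
        [Parameter(Mandatory)][version]$PatchedNtdllVersion
    )
    $path = Join-Path $env:SystemRoot 'system32\ntdll.dll'
    $vi   = (Get-Item -Path $path).VersionInfo
    # Build the version from the numeric parts; the FileVersion string may carry
    # trailing build text that [version] cannot parse.
    $installed = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                               $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{
        Path      = $path
        Installed = $installed
        Patched   = ($installed -ge $PatchedNtdllVersion)
    }
}

function Set-WebDavWorkaround {
    # Applies the IIS/WebDAV workaround only. Left as an explicit action so the
    # operator does not mistake it for the patch.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'
    Set-ItemProperty -Path $key -Name DisableWebDAV -Value 1 -Type DWord
    & iisreset /restart | Out-Null
}

function Get-Ms03007Summary {
    param([Parameter(Mandatory)][version]$PatchedNtdllVersion)
    $dav   = Get-WebDavWorkaroundState
    $ntdll = Get-NtdllState -PatchedNtdllVersion $PatchedNtdllVersion

    $lines = @()
    if ($dav.IisPresent) {
        $lines += 'IIS present; WebDAV disabled: {0}' -f $dav.WebDavDisabled
    } else {
        $lines += 'IIS not installed; WebDAV vector not applicable'
    }
    $lines += 'ntdll.dll {0}; patched: {1}' -f $ntdll.Installed, $ntdll.Patched

    # The point of the post: the workaround is not the fix. A host with WebDAV
    # disabled but an old ntdll.dll is still exposed to the local escalation.
    if (-not $ntdll.Patched) {
        $lines += 'ACTION: apply MS03-007; disabling WebDAV does not close the local vector'
    }
    $lines
}

# Usage: supply the post-patch ntdll.dll version from the hotfix manifest.
# Get-Ms03007Summary -PatchedNtdllVersion '5.0.2195.0'
```

On a bare Windows 2000 host without PowerShell, the same registry value can be set with `reg add HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters /v DisableWebDAV /t REG_DWORD /d 1` followed by `iisreset`; the version comparison is the part that actually tells you whether the patch the post argues everyone needs is in place.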