Re: NT2K systems dying, LsaSrv EventID 5000

• Previous message: Cooper, Russ: "FW: MinorRev: Microsoft Security Bulletin MS05-031 - Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (898458)"
• Maybe in reply to: David Soussan: "NT2K systems dying, LsaSrv EventID 5000"
• Next in thread: David Soussan: "Re: NT2K systems dying, LsaSrv EventID 5000"
• Reply: David Soussan: "Re: NT2K systems dying, LsaSrv EventID 5000"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Wed, 15 Jun 2005 14:32:49 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

While your waiting for microsoft...

Without a network packet capture, I will take a guess that your system is beiing hit either by the recently surfaced worm/exploit for the ASN vulns published a while back. There was an exploit written by Solar Eclipse for ASN that has finally been publicly released and recently someone took this exploit and piggy backed it to turn it into a rather lame ASN Worm. The reason I think this is what your experiencing is by the symptons you described. http was being used by the exploit/worm, and the ASN would be triggered through the negotiation request, which is then handed off to lsa, hence the crash there instead of in iis itself. You can read about these symptoms on the incidents mailing list.

Again just taking a guess, well have to all wait and see what the experts at microsoft have to say.

-Marc Maiffret

P.s. You can go read more about the ASN flaws on our website www.eeye.com although you should note that the specific ASN flaw being exploited was silently fixed by microsoft in the patch they created for us which is why most ids/ips do not detect the attack genrically, because they didn't know about it. Core Impact and Canvas have had ASN exploits in there tools for a while now. Another case of people thinking something isn't a problem just because THEY don't see it.

-----Original Message-----
From: Windows NTBugtraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Sent: Mon Jun 06 05:23:28 2005
Subject: NT2K systems dying, LsaSrv EventID 5000

Greetings;

Summary: Someone is testing a new exploit, most likely one fixed by MS04-11
though Microsoft should confrm this sometime today. If you have an NT2K
machine with IIS running open on port 80 facing the internet and have not
patched your system, you will most likely see this exploit knock on your
front door.

Prior to 6/1/05, the MS04-11 holes were not exploited via port 80 & IIS.

Details:

Windows Server 2000 / SP4 / not fully security patched is affected.
Windows Server 2000 / SP4 / fully security patched - not yet known (I've
been waiting patiently for the offending packet to re-arrive, but whoever
was testing this exploit stopped for awhile)
Windows Server 2003 / IIS 6.0 is not affected.

The attack vector is via an IIS packet which calls for authentication, hands
it a whole lot of data, and crashes LsaSrv that instant. Requires a server
reboot to bring the 2K Server back online.

I've captured the offending packets and turned them over to Microsoft
awaiting analysis.

How to know if you've been hit:

The crash event in the event log follows:

Event Type: Error
Event Source: LsaSrv
Event Category: Devices
Event ID: 5000
Date: 6/3/2005
Time: 7:38:06 AM
User: N/A
Computer: <your server name here>
Description:
The security package Negotiate generated an exception. The package is now
disabled. The exception information is the data.
Data:
0000: 05 00 00 c0 00 00 00 00 .......
0008: 00 00 00 00 18 f2 55 78 .....Ux
0010: 02 00 00 00 00 00 00 00 ........
0018: 0c 00 00 00 3f 00 01 00 ....?...
0020: 00 00 00 00 00 00 00 00 ........
0028: 00 00 00 00 00 00 00 00 ........
0030: 00 00 00 00 00 00 00 00 ........
0038: 7f 02 ff ff 00 00 ff ff ...
0040: ff ff ff ff 00 00 00 00 ....
0048: 00 00 00 00 00 00 00 00 ........

At the exact same date / time LsaSrv died, a log entry in the IIS logs that
looks something like this:

(assuming MS IIS log format, yours might differ)

66.54.153.162, -, 6/3/2005, 7:38:06, W3SVC1, SERVER-E, 192.168.1.2, 110,
5699, 1 82, 500, 2148074244, GET, /, -,

The error code back from IIS of 2148074244 is not right. The inbound packet
size of 5699 is a key indicator this exploit has knocked on your front door.

Note: This is for the variant of the exploit that was being tested late last
week and crashes LsaSrv. I believe (but have no hard data to verify) this
was someone testing an exploit that didn't quite work, causing the crash.
He/She is probably fixing this so the exploit is more useful. So if you are
curious if you've seen this exploit knock on your door, search your logs for
the 5699 incomming packet size.

I believe we're seeing the field testing of a new exploit. The input vector
is via a public facing IIS port 80. The packet gets IIS to try and do an
SNMPv2-SMI::security.5.2 authentication (AKA: "SPNEGO - Simple Protected
Negotiation") When the oversized packet (it is filled with "AAAAAAA...AAAA"
to pad the buffer out) is handed around to various windows processes,
apparently that overflows a buffer and does some other damage. I'm not sure
what that other damage is -- there are some responses in various newsgroups
where some people are saying they've got other processes running on their
system now.

More to come as I find out.

-----
David Soussan

--
NTBugtraq Editor's Note:

Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--

• Previous message: Cooper, Russ: "FW: MinorRev: Microsoft Security Bulletin MS05-031 - Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (898458)"
• Maybe in reply to: David Soussan: "NT2K systems dying, LsaSrv EventID 5000"
• Next in thread: David Soussan: "Re: NT2K systems dying, LsaSrv EventID 5000"
• Reply: David Soussan: "Re: NT2K systems dying, LsaSrv EventID 5000"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Problem with connect computer wizard ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ... Please double-check the default application pool in IIS. ... (microsoft.public.windows.server.sbs) Re: SBS 2003, lost companyweb ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ... Click Start, click Server Management. ... Collect IIS Log: ... (microsoft.public.windows.server.sbs) RE: Problem with OWA ... Please help me collect IIS log and Metabase for further ... Microsoft CSS Online Newsgroup Support ... <Thread-Topic: Problem with OWA ... Click Start, click Server Management. ... (microsoft.public.windows.server.sbs) RE: SharePoint and Company Web not working ... Cause: Incorrect IIS settings. ... Right click Companyweb and select Properties. ... Using Microsoft Exchange Server 2003 Recovery Storage Groups ... Microsoft CSS Online Newsgroup Support ... (microsoft.public.windows.server.sbs) RE: no OWA ... Please can you tell me what ASP.NET version the virtual directories or the ... Correct the settings in IIS: ... click to check the "Hide All Microsoft Services" ... Please note that the Exchange services could be marked as ... (microsoft.public.windows.server.sbs)