SMBdie exploit testing
From: dwreck@hushmail.com
Date: 09/05/02
Date: Thu, 5 Sep 2002 12:46:49 -0700 To: focus-ms@securityfocus.com From: dwreck@hushmail.com
We tested the GUI version of the exploit on the following systems:
System          OS                          Hardening                                         Result
server1         Windows 2000 Server         Hardened                                          Did not work
server2         Windows 2000 Server         Hardened                                          Did not work
app server 1    Windows 2000 Server         Hardened                                          Did not work
Workstation 1   Windows 2000 Professional   Partially Hardened (only restrict anonymous)      Did not work
Workstation 2   Windows 2000 Professional   No Hardening                                      WORKED...blue screen, shutdown, checkdisk
Workstation 3   Windows XP                  Hardened                                          WORKED...blue screen and a shutdown
.net server     Windows .NET                No Hardening                                      WORKED...blue screen and a shutdown
server 3        Windows 2000 Server         No Hardening                                      WORKED...blue screen and a shutdown
Server 4        NT 4.0 TSE                  Hardened                                          WORKED...blue screen and a shutdown
Workstation 5   Windows XP                  Hardened                                          WORKED...blue screen and a shutdown
Workstation 6   NT 4.0 SP6a                 No Hardening                                      WORKED...blue screen and a shutdown and a memory dump
Workstation 7   NT 4.0 SP6a                 No Hardening but restrictanonymous was enabled    WORKED...blue screen and a shutdown
It appears that the Restrict Anonymous setting on Windows 2000 servers and workstations stops this exploit. It appears to function on NT 4.0, XP, and .NET whether Restrict Anonymous is set or not.
Windows NT 4.0 Servers are susceptible to the Smbdie exploit. The patch must be applied to stop the Smbdie exploit.
Windows NT 4.0 TSE Edition Servers are susceptible to the Smbdie exploit. The patch must be applied to stop the Smbdie exploit.
Windows NT 4.0 workstations are susceptible to the Smbdie exploit. The patch must be applied to stop the Smbdie exploit.
Windows 2000 Servers and Workstations are NOT vulnerable as long as the "Additional restrictions for anonymous connections" option in their local security settings is set to "No access without explicit anonymous permissions".
Windows 2000 server administrators can either verify/set this option or apply the patch. We have tested both solutions. Either one will protect a Windows 2000 system from the Smbdie exploit.
Windows XP workstations are susceptible to the Smbdie exploit. The patch must be applied to stop the Smbdie exploit.
Due to the release of the "canned" exploit, this (MS02-045) is a very easy internal attack vector. Any machine on your network, including systems that are connected via VPN, can launch this attack. All you need is the IP address and NetBIOS name of the target system. There is an entry left in the system log when this attack is successfully run, but it DOES NOT give any indication as to the source of the attack. The message differs between NT versions and appears to be intermittent on Windows 2000 systems.
Anyone have different results with their testing?
Thanks,
DWreck
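The conclusions reported in this message, turned into a host triage check (an added example, not part of the original post): it parses `reg query` output for RestrictAnonymous and applies the per-OS findings above. The inventory, host names and reg output are constructed; mapping "No access without explicit anonymous permissions" to RestrictAnonymous=2 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa is an assumption from general Windows 2000 documentation, not something the post states.

```python
import re

# Constructed sample inventory (not from the post): host, OS name, whether the
# MS02-045 patch is installed, and the text printed by
#   reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RestrictAnonymous
INVENTORY = [
    ("srv-a", "Windows 2000 Server", False, "    RestrictAnonymous    REG_DWORD    0x2"),
    ("ws-b", "Windows 2000 Professional", False, "    RestrictAnonymous    REG_DWORD    0x0"),
    ("ws-c", "Windows XP Professional", False, "    RestrictAnonymous    REG_DWORD    0x2"),
    ("srv-d", "Windows NT 4.0 Server", True, "    RestrictAnonymous    REG_DWORD    0x1"),
    ("ws-e", "Windows 2000 Professional", False, "ERROR: value not found"),
]

REG_VALUE = re.compile(r"RestrictAnonymous\s+REG_DWORD\s+0x([0-9a-fA-F]+)")


def restrict_anonymous(reg_output):
    """Return the RestrictAnonymous DWORD from reg query text, or None if absent."""
    match = REG_VALUE.search(reg_output)
    return int(match.group(1), 16) if match else None


def triage(os_name, patched, reg_output):
    """Classify one host as (status, reason) using the results reported in the post."""
    if patched:
        return "protected", "MS02-045 patch applied"
    if "windows 2000" in os_name.lower():
        value = restrict_anonymous(reg_output)
        # Assumption: 2 is the registry form of the setting named in the post.
        if value == 2:
            return "protected", "RestrictAnonymous=2 on Windows 2000"
        return "exposed", f"RestrictAnonymous={value}; set it to 2 or apply the patch"
    # NT 4.0, XP and .NET crashed in the post's tests regardless of the setting.
    return "exposed", "setting did not help on this OS in the post; apply the patch"


def report(inventory=INVENTORY):
    """Map each host name to its status string."""
    return {host: triage(os_name, patched, reg)[0]
            for host, os_name, patched, reg in inventory}


if __name__ == "__main__":
    for host, os_name, patched, reg in INVENTORY:
        status, reason = triage(os_name, patched, reg)
        print(f"{host:6} {os_name:26} {status:10} {reason}")
```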