RE: smbdie - GUI remote smb DoS tool

From: Ayers, Diane (DAyers@pacbell.net)
Date: 08/30/02


Date: Fri, 30 Aug 2002 10:08:35 -0700
From: "Ayers, Diane" <DAyers@pacbell.net>
To: security-basics@securityfocus.com


Please don't take this the wrong way, but this seems like an odd comment for
someone who works for Cisco. I manage a large NT infrastructure for a
utility company and am responsible for maintaining availability for critical
NT infrastructure boxes. When a new vulnerability comes out, especially a
higher-risk one, it takes a period of time to patch a significant number of
servers in the enterprise. That leaves a number of critical boxes
vulnerable for a period of time.

SMBdie was a good demo of the vulnerability, but I hardly categorize it as a
"tool". When a GUI comes out that any low-level user can run and impact
your daily business, I categorize that as something other than a tool.
Statistics show that 50%-80% of attacks come internally rather than
externally. Adding these programs to DAT file signatures is nothing new.
WinNuke from the old NT 4.0 ping of death has been in DAT files for years.

Diane

-----Original Message-----
From: Dozal, Tim [mailto:tdozal@cisco.com]
Sent: Thursday, August 29, 2002 2:30 PM
To: Wesley Shields; shawn merdinger
Cc: security-basics@securityfocus.com
Subject: RE: smbdie - GUI remote smb DoS tool

This "proof of concept tool" was very useful a few days ago in
demonstrating how easily this exploit can be taken advantage of. However,
today I noticed the virus protection companies added this tool's pattern
to their definitions, so it can no longer live on a machine running VP
software or pass through the e-mail scanners that were updated today. I
don't know about the rest of you, but I was really pissed about this.
The tool is NOT a virus, and I had been sending it to various IT friends
for the last few days to use as a demo tool for their various companies.

I'm curious if anybody knows of a REAL virus that has taken advantage of
this exploit, and also why the VP companies feel they have the right to
add a pattern for a "tool" to their DAT files.

Can somebody explain the logic here?

Tim

Btw, the MS description of this exploit requiring a valid
username/password seems to be total BS, based on what this little tool is
able to do.

-----Original Message-----
From: Wesley Shields [mailto:wxs@csh.rit.edu]
Sent: Thursday, August 29, 2002 10:55 AM
To: shawn merdinger
Cc: security-basics@securityfocus.com
Subject: Re: smbdie - GUI remote smb DoS tool

On Wed, Aug 28, 2002 at 10:51:00AM -0500, shawn merdinger wrote:

> fyi,
>
> Yet another reason to disable netbios. This tool runs on Windows and
> has a GUI interface. Windows machines w/ SMB (port 139) access will
> reboot instantly.
>
> Tool is here: http://packetstormsecurity.org/0208-exploits/SMBdie.zip
>
> -scm
>
>

If you're going to post the proof of concept you may want to post the
patch.

MS02-045

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q326830&

-- WXS
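The thread's two pieces of advice are to apply MS02-045 and to disable NetBIOS so that the port 139 listener goes away. The following is an added example, not code posted by anyone in the thread: it disables NetBIOS over TCP/IP on every IP-enabled adapter and then checks what is still listening on the SMB ports. It assumes a modern Windows host with the CIM and NetTCPIP cmdlets (not the NT 4.0/2000 boxes discussed above) and an elevated PowerShell session.

```powershell
# Added example (not from the mailing-list thread).
# Assumes: modern Windows with the CimCmdlets and NetTCPIP modules; run elevated.

# TcpipNetbiosOptions values: 0 = take the setting from DHCP, 1 = enabled, 2 = disabled
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"

foreach ($adapter in $adapters) {
    $before = $adapter.TcpipNetbiosOptions
    $result = Invoke-CimMethod -InputObject $adapter -MethodName SetTcpipNetbios `
                               -Arguments @{ TcpipNetbiosOptions = 2 }
    # ReturnValue 0 = applied, 1 = applied but a reboot is required; anything else is a failure
    "{0}: NetBIOS option {1} -> 2 (ReturnValue {2})" -f $adapter.Description, $before, $result.ReturnValue
}

# Verify: TCP 139 (NetBIOS session service) should no longer be listening.
# TCP 445 (direct-hosted SMB on Windows 2000 and later) is unaffected by this change
# and will still show up here unless the Server service is stopped or the port is filtered.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 139, 445 } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

The second command is the check worth keeping: turning off NetBIOS removes the 139 listener that the original post singles out, but it does not remove SMB itself, so the patch, not the NetBIOS change, is what actually closes the hole on a box that must keep serving files.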