Re: SMBdie exploit testing (fwd)

From: Robert J. Young (rjyoung@frankie.ca)
Date: 09/12/02


Date: Wed, 11 Sep 2002 18:08:07 -0400
From: "Robert J. Young" <rjyoung@frankie.ca>
To: security-basics@securityfocus.com

This particular exploit also seems to be taken care of on WinXP boxes
with Service Pack 1. Don't know about 2K, tho. A Linux machine running
Samba 2.2.1 was unaffected.

shawn merdinger wrote:

>fyi,
>
>posted on focus-ms@securityfocus.com
>
>-scm
>
>---------- Forwarded message ----------
>Date: Thu, 5 Sep 2002 12:46:49 -0700
>From: dwreck@hushmail.com
>To: focus-ms@securityfocus.com
>Subject: SMBdie exploit testing
>
>
>We tested the GUI version of the exploit on the following systems:
>
>
>server1 | Windows 2000 Server | Hardened | Did not work
>server2 | Windows 2000 Server | Hardened | Did not work
>app server 1 | Windows 2000 Server | Hardened | Did not work
>Workstation 1 | Windows 2000 Professional | Partially Hardened (only restrict anonymous) | Did not work
>Workstation 2 | Windows 2000 Professional | No Hardening | WORKED...blue screen, shutdown, checkdisk
>Workstation 3 | Windows XP | Hardened | WORKED...blue screen and a shutdown
>.net server | Windows .NET | No Hardening | WORKED...blue screen and a shutdown
>server 3 | Windows 2000 Server | No Hardening | WORKED...blue screen and a shutdown
>Server 4 | NT 4.0 TSE | Hardened | WORKED...blue screen and a shutdown
>Workstation 5 | Windows XP | Hardened | WORKED...blue screen and a shutdown
>Workstation 6 | NT 4.0 SP6a | No Hardening | WORKED...blue screen and a shutdown and a memory dump
>Workstation 7 | NT 4.0 SP6a | No Hardening but restrictanonymous was enabled | WORKED...blue screen and a shutdown
>
>
>It appears that the Restrict Anonymous setting on Windows 2000 servers and workstations stops this exploit. It appears to function on NT 4.0, XP, and .NET whether Restrict Anonymous is set or not.
>
>
>
>Windows NT 4.0 Servers are susceptible to the Smbdie exploit. The patch must be applied to stop the Smbdie exploit.
>
>Windows NT 4.0 TSE Edition Servers are susceptible to the Smbdie exploit. The patch must be applied to stop the Smbdie exploit.
>
>Windows NT 4.0 workstations are susceptible to the Smbdie exploit. The patch must be applied to stop the Smbdie exploit.
>
>Windows 2000 Servers and Workstations are NOT vulnerable as long as the "Additional restrictions for anonymous connections" option in their local security settings is set to "No access without explicit anonymous permissions".
>Windows 2000 server administrators can either verify/set this option or apply the patch. We have tested both solutions. Either one will protect a Windows 2000 system from the Smbdie exploit.
>
>Windows XP workstations are susceptible to the Smbdie exploit. The patch must be applied to stop the Smbdie exploit.
>
>
>Due to the release of the "canned" exploit, this (MS02-045) is a very easy internal attack vector. Any machine on your network, including systems that are connected via VPN, can launch this attack. All you need is the IP address and NetBIOS name of the target system. There is an entry left in the system log when this attack is successfully run, but it DOES NOT give any indication as to the source of the attack. The message differs between NT versions and appears to be intermittent on Windows 2000 systems.
>
>Anyone have different results with their testing?
>
>Thanks,
>
>DWreck

-- 

rjyoung@frankie.ca http://www.frankie.ca
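
Added example, not part of the thread or any poster's code: a small audit that applies the test results reported above (Windows 2000 is covered by either the anonymous-access setting or the patch; NT 4.0, XP and .NET need the patch) to a host inventory. The inventory format and host names are constructed, and the mapping of "No access without explicit anonymous permissions" to the registry value RestrictAnonymous=2 is an assumption supplied here rather than stated in the messages.

```python
import csv
import io

# Constructed sample inventory (not from the thread). restrict_anonymous is the
# RestrictAnonymous DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa
# (assumed: 2 = "No access without explicit anonymous permissions");
# ms02_045 records whether the MS02-045 patch is installed.
SAMPLE_INVENTORY = """host,os,restrict_anonymous,ms02_045
srv-a,Windows 2000 Server,2,no
ws-b,Windows 2000 Professional,0,no
ws-c,Windows XP,2,no
srv-d,NT 4.0 TSE,1,no
ws-e,NT 4.0 SP6a,,yes
"""


def classify(os_name, restrict_anonymous, patched):
    """Return (status, reason) following the test results reported in the thread."""
    if patched:
        return "protected", "MS02-045 patch installed"
    is_w2k = "windows 2000" in os_name.lower()
    if is_w2k and restrict_anonymous == 2:
        return "mitigated", "Windows 2000 with RestrictAnonymous=2"
    if is_w2k:
        return "exposed", "set RestrictAnonymous=2 or apply the patch"
    # The thread reports the setting made no difference on NT 4.0, XP and .NET.
    return "exposed", "setting does not help on this OS; apply the patch"


def audit(inventory_csv):
    """Classify every host in a CSV inventory; returns {host: (status, reason)}."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        raw = row["restrict_anonymous"].strip()
        value = int(raw) if raw.isdigit() else None  # empty field = value not set
        patched = row["ms02_045"].strip().lower() == "yes"
        results[row["host"]] = classify(row["os"], value, patched)
    return results


if __name__ == "__main__":
    for host, (status, reason) in audit(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status:10} {reason}")
```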


