Bugtraq mailing list archives

Re: Windows 2000 .printer remote overflow proof of concept exploit....


From: Shawn Kleinart <security () KLEINART NET>
Date: Mon, 7 May 2001 20:37:29 -0500

This is mostly an FYI for everyone on this list, as I assume everyone
reading emails on this list has already patched themselves if they were
vulnerable - running IIS 5. While this issue had been made very well known
to those who actually admin servers / networks, there are still those who
call themselves "admins" but who:

1) Don't follow security issues and have no idea about this.
2) Are too dumb to, er, too lazy, to apply the patch / secure the machine.
3) Are more worried about their uptime than they are with security.
4) Don't care.
5) ?

While we all know this exploit is being used 'in the wild,' I can confirm
that it's been used many times to gain access to the vulnerable machines. I
work for an ISP in the Internet Security Department and I've seen many cases
of people getting hacked via this vulnerability. Mostly this seems to be
part of the "Chinese web defacement coalition" against the US. The sites say
something like 'F* the US Government'

See below for my thoughts...


-----Original Message-----
From: .sozni [mailto:sozni () XATO NET]
Sent: Thursday, May 03, 2001 10:30 PM

The sad fact is that people will probably end up being protected against
this exploit much faster because of the publicity behind it. There are
plenty of other very serious vulnerabilities that have been overlooked and
left unpatched simply because they didn't get enough press.

Overall, I hope so. But, it's still sad that it takes massive press for
people to properly admin their machines. I'm sure it doesn't need to be said
on this list, but as the somewhat recent FBI press release stated, there are
still many servers that have 2-year-old vulnerabilities. That is just plain
unacceptable.

It's really not that hard to apply patches, any idiot can do it. Sure, it
takes a more competent person to setup a server properly and make sure the
config is sound, from a security standpoint and to make sure they have the
correct user permissions in place and appropriate security precautions, etc.
But, to simply apply a patch, I bet a monkey can even do that!

In security consulting it is hard to make a sell to prevent intrusions but
once someone is hacked they will pay just about any price to get secured. I
say give out the exploit and force admins to be held accountable for their
networks. Even if they have to get hacked a few times to learn their lesson.

I can attest to that. This is so true, unfortunately. I think those that
have a (well-known) vulnerability that has had a publicly known fix/patch
available for over 3 months (personally I think over 72 hours) and have not
resolved the issue... they DESERVE to be hacked. And, I am actually happy
when they lose LOTS of money because of it. 'These people' are the ones
that are the problem.

My favorite saying, which likely isn't new to anyone here... and it has a
few variations, is:
"While you need a license to drive your car on the highway, you don't need a
license to have a machine on the information super-highway."
... it's so true that any 'Johnny B Hacked' can put up a server on the
Internet. The only 'accountability' for that is their ISP... what they
choose to do once they become aware of it.


-----Original Message-----
From: Steve [mailto:steve () SECURESOLUTIONS ORG]
Sent: Thursday, May 03, 2001 3:29 PM
To: win2ksecadvice () LISTSERV NTSECURITY NET
Subject: Re: Windows 2000 .printer remote overflow proof of concept
exploit t


A number of people have put effort into supposedly providing "proof
of concept" code or "remote test" code that allows Administrators to
determine whether or not their IIS 5.0 box is, or isn't, patched
against this .printer buffer overflow.

I prefer to call it "proof of vulnerability".

It's out there. I've seen logs indicating the attacker put a "root.exe" file
on the IIS5 host and then was able to issue a command to run this file via
the overflow. I don't have any more specific information on the contents of
the root.exe file or the exact script used, etc. at this time.

