Jay Suds
08-27-2002, 12:44 PM
This came through my email box today:
-----Original Message-----
From: Kevin Gennuso [mailto:goosey@ICUBED.COM]
Sent: Tuesday, August 27, 2002 10:02 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: MS02-045 exploit is out
Hi all,
I haven't seen much noise on this list about MS02-045 (Unchecked Buffer in Network Share Provider Can Lead to Denial of Service (Q326830)), but the implications are very nasty. Any unpatched WinNT/2K/XP or .NET machine on your network that's listening on port 139 and/or 445 can be crashed in about two seconds with a malformed SMB packet. I highly disagreed with Microsoft's assessment that this was only a "moderate" threat level to intranet and desktop systems because the exploit is so easy to perform.
It was bad enough in theory, but now a script-tot friendly GUI version of the exploit has been posted on PacketStorm, and it works against all of the above. You can try for yourself at http://packetstorm.decepticons.org/0208-exploits/SMBdie.zip
We worked through the weekend to get a large percentage of our boxen patched - you may have to do the same.
The old "WinNuke" from the evil days of Win95 is back.
Thanks for listening,
Kevin
If you're running Win2K / .NET internet servers, make sure you are blocking ports 139 / 445 at your router / firewall level. If not, make sure you install the patch at http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-045.asp ....
-----Original Message-----
From: Kevin Gennuso [mailto:goosey@ICUBED.COM]
Sent: Tuesday, August 27, 2002 10:02 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: MS02-045 exploit is out
Hi all,
I haven't seen much noise on this list about MS02-045 (Unchecked Buffer in Network Share Provider Can Lead to Denial of Service (Q326830)), but the implications are very nasty. Any unpatched WinNT/2K/XP or .NET machine on your network that's listening on port 139 and/or 445 can be crashed in about two seconds with a malformed SMB packet. I highly disagreed with Microsoft's assessment that this was only a "moderate" threat level to intranet and desktop systems because the exploit is so easy to perform.
It was bad enough in theory, but now a script-tot friendly GUI version of the exploit has been posted on PacketStorm, and it works against all of the above. You can try for yourself at http://packetstorm.decepticons.org/0208-exploits/SMBdie.zip
We worked through the weekend to get a large percentage of our boxen patched - you may have to do the same.
The old "WinNuke" from the evil days of Win95 is back.
Thanks for listening,
Kevin
If you're running Win2K / .NET internet servers, make sure you are blocking ports 139 / 445 at your router / firewall level. If not, make sure you install the patch at http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-045.asp ....