Results 1 to 11 of 11

Thread: Win2K Exploit

  1. #1
    Join Date
    Jun 2001
    Location
    Denver, CO
    Posts
    3,301

    * Win2K Exploit

    This came through my email box today:

    -----Original Message-----
    From: Kevin Gennuso [mailto:[email protected]]
    Sent: Tuesday, August 27, 2002 10:02 AM
    To: [email protected]
    Subject: MS02-045 exploit is out


    Hi all,

    I haven't seen much noise on this list about MS02-045 (Unchecked Buffer in Network Share Provider Can Lead to Denial of Service (Q326830)), but the implications are very nasty. Any unpatched WinNT/2K/XP or .NET machine on your network that's listening on port 139 and/or 445 can be crashed in about two seconds with a malformed SMB packet. I highly disagreed with Microsoft's assessment that this was only a "moderate" threat level to intranet and desktop systems because the exploit is so easy to perform.

    It was bad enough in theory, but now a script-tot friendly GUI version of the exploit has been posted on PacketStorm, and it works against all of the above. You can try for yourself at http://packetstorm.decepticons.org/0...its/SMBdie.zip

    We worked through the weekend to get a large percentage of our boxen patched - you may have to do the same.

    The old "WinNuke" from the evil days of Win95 is back.

    Thanks for listening,

    Kevin
    If you're running Win2K / .NET internet servers, make sure you are blocking ports 139 / 445 at your router / firewall level. If not, make sure you install the patch at http://www.microsoft.com/technet/tre...n/MS02-045.asp ....
    Jay Sudowski // Handy Networks LLC // Co-Founder & CTO
    AS30475 - Level(3), HE, Telia, XO and Cogent. Noction optimized network.
    Offering Dedicated Server and Colocation Hosting from our SSAE 16 SOC 2, Type 2 Certified Data Center.
    Current specials here. Check them out.

  2. #2
    Join Date
    Aug 2002
    Location
    Plymouth
    Posts
    212
    Thank you for the info. We will remember that.

  3. #3
    Join Date
    Aug 2002
    Location
    Baltimore, Maryland
    Posts
    580
    lol...this cant be true, h/o crashing ex's box....

  4. #4
    Join Date
    Jan 2002
    Posts
    453
    i think it comes with the windowsupdate..

    if you have windowsupdate's automatic update and restart, you should be good

  5. #5
    Join Date
    Jul 2002
    Location
    San Luis Obispo, CA
    Posts
    818
    i have that program
    Nick Twaddell
    WebSpace Solutions - Custom E-Solutions
    Fast, Reliable, Affordable Web Hosting

  6. #6
    Join Date
    Jan 2002
    Location
    Atlanta, GA
    Posts
    1,249
    In a general webhosting security sense...

    You show me a Win2k host that has NetBIOS enabled and I promise they have a great deal more problems that this little thing.

    Heck.. Show me any Windows computer running NetBIOS and I'll show you a problem.
    char x [5] = { 0xf0, 0x0f, 0xc7, 0xc8 }main (){void (*f)() = x;f();}
    I wear a gray hat

  7. #7
    Join Date
    Jan 2002
    Posts
    453
    hahah

  8. #8
    Join Date
    Apr 2001
    Location
    St. Louis, MO
    Posts
    2,508
    You show me a Win2k host that has NetBIOS enabled and I promise they have a great deal more problems that this little thing.
    You read my mind!!!

    It's amazing though how many colo customers we do work for that always enable NetBIOS and File/Print sharing on a Public NIC.
    Mike @ Xiolink.com
    http://www.xiolink.com 1-877-4-XIOLINK
    Advanced Managed Microsoft Hosting
    "Your data... always within reach"

  9. #9
    Join Date
    Aug 2002
    Location
    Long beach
    Posts
    113
    LOL. This must be from some spammer.

  10. #10
    Join Date
    Jun 2001
    Location
    Denver, CO
    Posts
    3,301
    Originally posted by Haley
    LOL. This must be from some spammer.
    Nope, not a spammer. The message came through NTBUGTRAQ, which is a highly moderated NT / Win2K bug mailing list.

    And RackMy is right ... anyone with NetBIOS enabled will have a lot more problems than just this ... it's just general good sense that you either need to disable NetBIOS or completely block port 139 / 445 with any Windows box.
    Jay Sudowski // Handy Networks LLC // Co-Founder & CTO
    AS30475 - Level(3), HE, Telia, XO and Cogent. Noction optimized network.
    Offering Dedicated Server and Colocation Hosting from our SSAE 16 SOC 2, Type 2 Certified Data Center.
    Current specials here. Check them out.

  11. #11
    Join Date
    Apr 2001
    Location
    St. Louis, MO
    Posts
    2,508
    This must be from some spammer.
    I am confused, why would you say that?
    Mike @ Xiolink.com
    http://www.xiolink.com 1-877-4-XIOLINK
    Advanced Managed Microsoft Hosting
    "Your data... always within reach"

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •