MS-ISAC ADVISORY NUMBER:
2008-034 Updated

DATE(S) ISSUED:
10/23/2008
10/24/2008 - Updated

SUBJECT:
Vulnerability in Server Service Could Allow Remote Code Execution

OVERVIEW:

A new vulnerability has been discovered in the Microsoft Server Service that could allow a remote attacker to take complete control of a vulnerable system. The Server Service shares local resources (such as disks and printers) so that other users on the network can access them. A vulnerable computer can be exploited if a malicious user sends a specially crafted Remote Procedure Call (RPC) request to the Server Service over the Internet or an internal network; this traffic normally arrives on TCP ports 139 and 445. RPC is a protocol that a program uses to request a service from a program located on another computer in the network. Successful exploitation gives the attacker complete control of the affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full privileges.

SYSTEMS AFFECTED:

  • Windows 2000
  • Windows XP
  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
A new vulnerability has been discovered in the Microsoft Server Service. The Server Service shares local resources (such as disks and printers) so that other users on the network can access them. It also provides named pipe communication between applications on other computers and your computer, which is used for Remote Procedure Calls (RPC).

On Windows 2000, Windows XP and Windows Server 2003, any anonymous (unauthenticated) user can deliver a specially crafted RPC message to exploit this vulnerability. On Windows Vista and Windows Server 2008, exploitation requires the attacker to be authenticated. Successful exploitation gives the attacker complete control of the affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full privileges.

Because the vulnerable service is reachable without authentication on the older platforms, this vulnerability can be used in new worms or worm variants, so it should be addressed as soon as possible. Note that this vulnerability is already being exploited on the Internet.

UPDATED DESCRIPTION:
Microsoft has reported a Trojan exploiting this vulnerability, named TrojanSpy:Win32/Gimmiv.A. It is distributed from remote sites as an executable file named 'n2.exe'. The Trojan drops a Dynamic Link Library (DLL) file as '<system folder>\wbem\sysmgr.dll' and runs it as a service. Once the service has started, it collects information about the infected system, which an attacker can then retrieve remotely. The Trojan then runs a batch script that deletes the original executable file and finally deletes the batch script itself.

Our Managed Security Service is seeing signatures for this vulnerability being triggered. Although these signatures are designed to detect MS08-067, we are still confirming the attack method. At this time, the IP address 66.45.237.219 (Interserver, Inc., NJ) is the site being visited that triggers these signatures.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply the appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Block untrusted incoming traffic on ports 139/TCP and 445/TCP from the Internet at your network perimeter.
  • Do not visit untrusted websites or follow links provided by unknown or untrusted sources.

UPDATED RECOMMENDATIONS:
  • Once signatures are available, update your anti-virus signatures as soon as possible, including on all laptops. Note that a few vendors have new signatures available as of October 23, 2008.
  • IDS and IPS vendors have also begun providing signatures to detect this exploit. Update your devices to the latest signatures to protect against this vulnerability.
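The following script is an added example written for this advisory; it is not code from MS-ISAC, Microsoft, or any signature vendor. It turns the indicators stated above (the 66.45.237.219 site, inbound 139/TCP and 445/TCP from the Internet, and the '<system folder>\wbem\sysmgr.dll' drop) into a small triage check you can run over perimeter firewall logs and against a host. It also flags one internal source reaching several peers on 139/445, the worm pattern the description warns about. The log format, the internal address ranges, and the fan-out threshold are assumptions made for the example; the sample log lines are constructed, not real traffic.

```python
"""Triage helpers for the MS08-067 / Gimmiv.A indicators listed in this advisory (added example)."""
import ipaddress
import os
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Indicators quoted from the advisory text.
GIMMIV_SITE = ipaddress.ip_address("66.45.237.219")       # site reported as triggering MS08-067 signatures
SMB_PORTS = {139, 445}                                     # NetBIOS session / SMB over TCP reach the Server Service
GIMMIV_DLL_RELPATH = os.path.join("wbem", "sysmgr.dll")   # dropped as <system folder>\wbem\sysmgr.dll

# Assumption: these are "our" internal ranges (RFC 1918); adjust to the monitored site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: one internal source reaching this many distinct hosts on 139/445 is treated as worm-like.
FANOUT_THRESHOLD = 3

# Assumed (constructed) firewall log format, one connection per line:
#   <timestamp> <ALLOW|DENY> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    """True if the address falls in one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "action": m["action"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def triage_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, finding) pairs; line_number 0 marks an aggregate (fan-out) finding."""
    findings: List[Tuple[int, str]] = []
    fanout: Dict[ipaddress.IPv4Address, Set[ipaddress.IPv4Address]] = defaultdict(set)

    for lineno, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue  # DENY lines show the perimeter block working; only allowed traffic is a finding

        # 1. Any host reaching the site named in the advisory (n2.exe download / data collection).
        if rec["dst"] == GIMMIV_SITE:
            findings.append((lineno, f"{rec['src']} contacted reported Gimmiv.A site {GIMMIV_SITE}"))

        # 2. Allowed SMB/RPC from a non-internal source: the perimeter block on 139/445 is missing.
        if rec["dport"] in SMB_PORTS and not is_internal(rec["src"]):
            findings.append((lineno, f"Internet source {rec['src']} reached {rec['dst']}:{rec['dport']}"))

        # 3. Internal fan-out on 139/445: one source touching many peers, the worm pattern described above.
        if rec["dport"] in SMB_PORTS and is_internal(rec["src"]):
            fanout[rec["src"]].add(rec["dst"])

    for src, targets in fanout.items():
        if len(targets) >= FANOUT_THRESHOLD:
            findings.append((0, f"{src} reached {len(targets)} internal hosts on 139/445 (possible worm scan)"))
    return findings


def gimmiv_dll_present(system_folder: str) -> bool:
    """Host IOC check: does <system folder>\\wbem\\sysmgr.dll exist? Presence is a lead, not proof;
    confirm with the installed services list and current anti-virus signatures."""
    return os.path.isfile(os.path.join(system_folder, GIMMIV_DLL_RELPATH))


# Constructed sample log (not real traffic); 203.0.113.7 and 198.51.100.5 stand in for Internet hosts.
SAMPLE_LOG = [
    "2008-10-24T09:12:01 ALLOW 10.1.2.3:49152 -> 66.45.237.219:80",
    "2008-10-24T09:12:05 ALLOW 203.0.113.7:3344 -> 10.1.2.3:445",
    "2008-10-24T09:12:09 DENY 203.0.113.7:3345 -> 10.1.2.3:139",
    "2008-10-24T09:13:00 ALLOW 10.1.2.9:1025 -> 10.1.2.3:445",
    "2008-10-24T09:14:00 ALLOW 10.1.2.3:1030 -> 10.1.2.4:445",
    "2008-10-24T09:14:01 ALLOW 10.1.2.3:1031 -> 10.1.2.5:445",
    "2008-10-24T09:14:02 ALLOW 10.1.2.3:1032 -> 10.1.2.6:139",
    "2008-10-24T09:15:00 ALLOW 10.1.2.3:49153 -> 198.51.100.5:443",
]

if __name__ == "__main__":
    for lineno, finding in triage_log(SAMPLE_LOG):
        print(f"line {lineno or '-'}: {finding}")
    print("sysmgr.dll present:", gimmiv_dll_present(os.path.join(os.environ.get("SystemRoot", ""), "system32")))
```

On the sample log the script reports the contact with 66.45.237.219, the allowed inbound connection from 203.0.113.7 to port 445 (the DENY on port 139 is correctly silent), and 10.1.2.3 reaching three internal peers on 139/445. Internal-only SMB traffic from 10.1.2.9 produces no finding. The host check is deliberately separate so that it can be run on the machines the log implicates rather than on the sensor.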

REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Security Focus:
http://www.securityfocus.com/bid/31874

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250

Secunia:
http://secunia.com/advisories/32326/

UPDATED REFERENCES:
Microsoft:
http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx
http://www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin32%2fGimmiv.A
http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx

Panda Labs:
http://pandalabs.pandasecurity.com/archive/New-critical-Security-Bulletin-MS08_2D00_067.aspx

Sophos:
http://www.sophos.com/support/knowledgebase/article/47804.html


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.