MS08-001 details and exploit video

Here is an interesting, albeit highly technical video analyzing a buffer overflow vulnerability described in MS08-001. I knew assembly language back in college, but it was still tough for me to understand how the code analysis was performed. For those who are not familiar with this security bulletin:

According to ISS, who discovered this issue, “Microsoft Windows TCP/IP is the network communication protocol that is used by all Microsoft operating systems. The two components affected by remote code execution vulnerabilities, IGMPv3 (XFID 39452) and MLDv2 (XFID 39453), are enabled by default. Although MLDv2 is available only on Windows Vista for IPv6 support, IGMPv3 is available on all affected platforms. An attacker does not need to invoke any kind of user interaction to exploit this vulnerability. The lack of user interaction, widespread availability of the protocols, and the possibility of complete compromise of targeted systems means that administrators should treat this vulnerability as highly critical.”

According to Steve Gibson in his Security Now podcast episode #126, it’s just a matter of time until someone writes a nasty worm to exploit the vulnerability in the Windows TCP/IP stack described in Microsoft Security Bulletin MS08-001. Microsoft states that an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Interestingly enough, the severity of this vulnerability is different depending on which version of Windows you are running. It’s considered a moderate risk for Windows 2000 SP4, important for Windows Server 2003 SP1 and SP2, and critical for Windows XP SP2, Windows Small Business Server 2003 SP2, and Windows Vista.

Keep an eye on KB 941644 for any new information on this vulnerability. You can also read a three part post on the Microsoft Security Vulnerability Research & Defense Technet blog with lots of technical details. Now, in part three, Microsoft makes it sound difficult, if not highly improbable, to exploit this flaw.

But Dave says on the DailyDave

“You’ll be able to trigger it every time, especially on a local LAN”

and in an article he states

“It reliably crashes Windows machines. In fact, it blue-screened our print server by accident — this is a broadcast attack, after all.”

and Holly on the blog notes

“This leads to one of the things that make this set of vulnerabilities so unique. These issues are kernel-level vulnerabilities in TCP/IP and are so low in the stack that most host-based protection products would miss them. Even if you have IPS in your host product, the standard APIs that protection vendors hook into on XP and Windows 2000 do not provide protection at this low level in TCP/IP” … “So, the problem with most host-based protection against this TCP/IP kernel vulnerability is that many products will never see an attack. Standard AV won’t work and neither would behavior blocking, including generic buffer overflow protection, because they don’t monitor at that low of a level and the exploit would never make it past the TCP/IP stack. For most, the only true way to protect against this attack is to apply the patch or disable multicast functionality in its entirety, which disables a lot of good things like some streaming media applications, some file distribution systems, etc.”

You’ll want to scan your network with a tool like the Microsoft Baseline Security Analyzer (MBSA), which allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations. Once you identify unpatched machines, get the updates applied as soon as possible, since neither a perimeter nor desktop firewall will protect your Windows machines from potential exploits.

[updated 01-30-2008]

Immunity Inc has a flash video detailing their working exploit of this security problem. It looks like this is no longer at the proof of concept stage.

One Response to “MS08-001 details and exploit video”

  1. ms08 Says:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: