Jul 29, 2003 (02:07 PM EDT)
Exploit Code For Windows Vulnerability Posted

Read the Original Article at InformationWeek

Several hacking groups have posted code to the Internet that could be used to exploit a vulnerability in Microsoft's Windows operating system, the same vulnerability that drove the Department of Homeland Security last Friday to issue an alert urging all IT administrators to patch the flaw as soon as possible.

Rated by Microsoft as "critical," the highest in its four-level alert system, when it first was disclosed on July 16, the vulnerability could allow attackers entry into a system through a hole in Windows' Remote Procedure Call protocol. A hacker-crafted request could cause a buffer overflow on a Windows machine, allowing the attacker entry, where he could run code of his choosing or even delete files.

At least three different exploits have been posted to various security mailing lists, such as BugTraq and Full-Disclosure, said Dan Ingevaldson, the engineering manager of Internet Security Systems' X-Force research and development team.

"The first exploit, called DCOM.c, was followed by two more versions," Ingevaldson said. It's typical that after an original exploit is posted, other hackers then improve on it to make it more functional.

Although the posting of exploit code doesn't necessarily mean a worm is sure to follow, several security experts said it was virtually guaranteed. "No, we haven't seen a worm yet," Ingevaldson said. "But once someone writes code, the game is up. Hackers then know how to compromise systems, and only need to work on scanning and propagation."

The third variation of the exploit includes such scanning and propagation code, but Ingevaldson said it was buggy and platform-specific. He expects further enhancements by hackers before a worm actually hits the streets--something that could happen in as little as a couple of weeks.

Mark Maiffret, the co-founder of security firm eEye Digital Security, agreed. "I'd be very surprised if we don't see a worm," he said.

One reason, he said, was the speed with which the exploit was posted. "Most people, myself included, thought it would take a few months, or at least a month or two" for exploit code to appear, he said. "But it's just been a week."

This vulnerability is significant, and has gotten a lot of attention from security professionals, both Maiffret and Ingevaldson said, because of the huge pool of potential targets. Virtually all versions of Microsoft's Windows, from NT 4 to Windows Server 2003, are at risk unless a patch has been applied.

"We rarely see a vulnerability of this size," said Maiffret.

"This is a very serious vulnerability," Ingevaldson agreed, "because it affects a much larger pool than we normally see. It's not just servers, but desktops and servers. "There's always three factors we take in accessing a threat. One is the number of potential targets, the second is whether the vulnerability is due to something turned on by default, and the third is whether an exploit has been released. All are satisfied here."

If and when a worm does appear, the potential for damage and disruption is on the level with other major attacks, such as Slammer, both experts said.

"If this gets out," said Ingevaldson, "and crosses over to the mainstream, there could be bandwidth starvation, outages, and slow-downs. It could have the same net effect as Slammer."

Each expert, however, had a different piece of advice to enterprises as they try to protect themselves. "It takes days and days and days to patch this in a large organization," said Maiffret, "so companies should consider disabling DCOM everywhere in the meantime." This component of Windows can be disabled by changing one key in the Windows Registry, then rebooting, he said.

Ingevaldson's advice was to filter port 135, the one Microsoft originally identified (revisions to its security bulletin, however, upped the ante to include several other ports). "Make sure your filtering policies are in place at the gateway so that vulnerable systems aren't exposing port 135," he said. He noted, for instance, that since Outlook communicates to Exchange over that port, enterprises should first patch their Exchange servers.

Maiffret disagreed, saying that filtering wouldn't solve the problem. "It helps, but the problem is that if only one machine remains vulnerable, all hell's gonna break loose. There are a million ways that a worm can get inside an internal network."

"Filtering's not going to save you at the end of the day," Maiffret said. "And installing the patch is easier said than done. You really need to disable DCOM."