Some research on the Sasser worm and the Lsasrv.dll RPC buffer overflow vulnerability (MS04-011) (By May 5)
All the code and tools can be found with Google. Just have a try.
Content Summary:
----------------
1, How does the Sasser worm work, what is different between versions A, B, C and D, and how to detect it?
2, What is the Lsasrv.dll RPC buffer overflow vulnerability (MS04-011) and how to check whether it is fixed or not?
3, What is the difference in the captured traffic from a vulnerable and a non-vulnerable machine when we attack them?
Content details:
----------------
1, How does the Sasser worm work, what is different between versions A, B, C and D, and how to detect it?
The Sasser worm uses the MS04-011 RPC buffer overflow vulnerability. Affected systems include Windows 2000 and Windows XP. Known variants are Worm.Sasser.A, Worm.Sasser.B, Worm.Sasser.C and Worm.Sasser.D.
1.1 How does it work? (Sasser.A)
1) Copies itself to %windir% as avserve.exe.
2) Creates a #####_up.exe file (##### is a 4- or 5-digit number) in the %System% directory, used to transfer the file via FTP.
3) Adds the value "avserve.exe"="%Windir%\avserve.exe" to the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".
4) Connects to random IP addresses on TCP port 445 (SMB, which Microsoft calls CIFS) to see whether the computer is online or not.
5) Sends shellcode to the remote computer using port 9996.
6) Sets up an FTP server on the local machine on TCP port 5554, from which the remote computer can fetch the file.
7) Creates c:\win.log to keep the IP address of the computer that the worm most recently attempted to infect, as well as the number of infected computers.
8) It takes LSASS.EXE out of service, which forces Windows to reboot.
1.2 What is different between versions A, B, C and D?
General
Version   File size (bytes)   File name
A         15,872              avserve.exe
B         15,872              avserve2.exe
C         15,872              avserve2.exe
D         16,384              skynetave.exe
Sasser.B, differences from A
1) Name changed to AVSERVE2.EXE
2) c:\win.log changed to WIN2.LOG
3) Calls the "AbortSystemShutdown" API to avoid the system rebooting.
4) Starts 128 processes instead of 128 threads
Sasser.C, differences from B
1) Starts 1024 processes to scan for computers
Sasser.D, differences from C
1) Starts 128 processes to scan for computers (same as B)
2) File name changed to skynetave.exe
3) Uses the IcmpSendEcho API to scan for computers
1.3 How to detect Sasser?
1) Check for the avserve process: use the EnumProcessModules API on the local computer; for a remote computer, use a WMI query on Win32_Process.
2) Check for avserve.exe in the %windir% directory.
3) Check for *****_up.exe in the %system% directory.
4) Open the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" and check for the string "avserve.exe"="%Windir%\avserve.exe".
5) Check TCP ports 9996 and 5554.
6) Check for c:\win.log.
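An added Python example (not part of the original notes or the attached tools) that applies the six checks above, extended with the file names, log names and ports of variants B, C and D from 1.2, to a host snapshot. The snapshot format and the sample hosts are constructed; on a live Windows host the same fields would be filled from the process list, the %windir% and %system% listings, the Run key and netstat.

```python
import re

# Host indicators for Sasser.A-D, collected from sections 1.1-1.3 above.
WORM_BINARIES = {"avserve.exe", "avserve2.exe", "skynetave.exe"}
LOG_FILES = {r"c:\win.log", r"c:\win2.log"}
WORM_PORTS = {5554, 9996}   # local FTP server / remote shell port
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FTP_STAGER = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)  # #####_up.exe

def sasser_indicators(snapshot):
    """Return matched indicators for a host snapshot (constructed format:
    processes, windir, system, run_values, listening, files)."""
    hits = []
    for p in sorted({p.lower() for p in snapshot.get("processes", [])}):
        if p in WORM_BINARIES:
            hits.append(f"process {p}")
    for f in snapshot.get("windir", []):
        if f.lower() in WORM_BINARIES:
            hits.append(f"%windir%\\{f}")
    for f in snapshot.get("system", []):
        if FTP_STAGER.match(f):
            hits.append(f"%system%\\{f}")
    for name, data in snapshot.get("run_values", {}).items():
        if name.lower() in WORM_BINARIES:
            hits.append(f"{RUN_KEY}\\{name}={data}")
    for port in snapshot.get("listening", []):
        if port in WORM_PORTS:
            hits.append(f"tcp/{port} listening")
    for path in snapshot.get("files", []):
        if path.lower() in LOG_FILES:
            hits.append(path)
    return hits

def is_infected(snapshot):
    # Any one artifact is worth a look; a process or Run-key hit is strong.
    return bool(sasser_indicators(snapshot))

# Constructed sample: a Sasser.B-style host (avserve2.exe, WIN2.LOG, ports open).
INFECTED_HOST = {
    "processes": ["explorer.exe", "lsass.exe", "avserve2.exe", "avserve2.exe"],
    "windir": ["explorer.exe", "avserve2.exe"],
    "system": ["cmd.exe", "12345_up.exe"],
    "run_values": {"avserve2.exe": r"%Windir%\avserve2.exe"},
    "listening": [135, 445, 5554, 9996],
    "files": [r"C:\WIN2.LOG"],
}
CLEAN_HOST = {"processes": ["explorer.exe", "lsass.exe"], "listening": [135, 445]}
```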
2, What is the Lsasrv.dll RPC buffer overflow vulnerability (MS04-011) and how to check whether it is fixed or not?
2.1 What are the details of the MS04-011 vulnerability?
A remote buffer overflow in the Windows LSA (Local Security Authority) Service (LSASRV.DLL). The buffer overflow bug is in a logging function which generates a string for the log file using vsprintf(). The log file is named "DCPROMO.LOG" and is located in the Windows "debug" directory.
A very good article with more details is at http://www.eeye.com/html/Research/Advisories/AD20040413C.html
2.2 Is there any exploit code?
Yes.
Windows Lsasrv.dll RPC buffer overflow Remote Exploit (MS04-011)
I also attached a lsasrv-expl.c file; it was written using Winsock. I have read the code. If there are any comments on this code, I'd like to talk about it in more detail.
2.3 How to detect whether the Lsasrv.dll RPC buffer overflow vulnerability is fixed or not?
1) Use the DSScan.exe tool developed by Foundstone. It can be downloaded at http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/dsscan.htm
2) Check the registry key. On my computer, after I installed the fix from Microsoft, there is a key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB835732
3) Use the exploit code to attack the computer and check whether it succeeds or not.
4) Compile the exploit code to an exe file, use this tool to attack a vulnerable and a non-vulnerable machine, capture the traffic and find the difference. I did some examples today. I'll explain it in more detail in the next chapter.
I believe checking the registry key is a good method.
3, What is the difference in the captured traffic from a vulnerable and a non-vulnerable machine when we attack them?
3.1 How to attack a vulnerable machine using the tools?
I attached some tools in tools.zip, including DSScan.exe, getos.exe and ms04011.exe. DSScan is used to scan whether a computer is vulnerable or not. getos.exe is used to detect the Windows version. ms04011.exe is used to attack the vulnerable machine.
Example:
Open a cmd.exe window: ms04011 1 IPAddress 8888 // 1 stands for Windows XP, 8888 is the port
Open another cmd.exe window: telnet IPAddress 8888, and you will get a remote cmd window.
3.2 What is the difference in the captured traffic from a vulnerable and a non-vulnerable machine when we attack them?
1) Attack a vulnerable machine and use the Ethereal tool to capture the traffic; name the capture vulnerable.
2) Attack a non-vulnerable machine and use the Ethereal tool to capture the traffic; name the capture not_vulnerable.
3) The difference:
For not_vulnerable, when the client sends an "LSA_DS unknown?! request" to the server, the server responds with a "DCERPC Fault"; the DCERPC status is nca_op_rng_error (0x1c010002).
For vulnerable, when the client sends an "LSA_DS unknown?! request" to the server, the server responds with an "LSA_DS unknown?! response".
4) Ethereal can be downloaded at http://www.ethereal.com/download.html
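As an added illustration (not from the original notes or the attached tools), a small Python parser that applies the difference observed in 3) to a captured DCE/RPC reply: a fault PDU carrying nca_op_rng_error is the patched-host signature, while a normal response PDU to the LSA_DS request is the vulnerable-host signature. The field offsets follow the DCE/RPC connection-oriented PDU layout; the sample PDU bytes are constructed with the builder below rather than taken from a real capture.

```python
import struct

# DCE/RPC connection-oriented PDU types and the fault status seen in the capture.
PTYPE_RESPONSE = 0x02
PTYPE_FAULT = 0x03
NCA_OP_RNG_ERROR = 0x1C010002   # opnum not exported by the bound interface

def classify_lsa_reply(pdu):
    """Classify the server's reply to the LSA_DS request (added parser)."""
    if len(pdu) < 16 or pdu[0] != 5:          # rpc_vers must be 5
        return "not-dcerpc"
    ptype, drep0 = pdu[2], pdu[4]
    endian = "<" if drep0 & 0x10 else ">"     # data representation byte 0
    frag_len = struct.unpack(endian + "H", pdu[8:10])[0]
    if frag_len != len(pdu):
        return "truncated"
    if ptype == PTYPE_FAULT:
        # fault body: alloc_hint(4) p_cont_id(2) cancel_count(1) reserved(1) status(4)
        if len(pdu) < 28:
            return "truncated"
        status = struct.unpack(endian + "I", pdu[24:28])[0]
        if status == NCA_OP_RNG_ERROR:
            return "patched: fault nca_op_rng_error"
        return f"fault 0x{status:08x}"
    if ptype == PTYPE_RESPONSE:
        return "vulnerable: LSA_DS response"
    return f"other ptype 0x{ptype:02x}"

def build_pdu(ptype, body, call_id=1):
    """Assemble a little-endian CO PDU with the 16-byte common header (sample builder)."""
    hdr = struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00",
                      16 + len(body), 0, call_id)
    return hdr + body

# Constructed samples mirroring the two captures described above.
FAULT_PDU = build_pdu(PTYPE_FAULT, struct.pack("<IHBBII", 0, 0, 0, 0, NCA_OP_RNG_ERROR, 0))
RESPONSE_PDU = build_pdu(PTYPE_RESPONSE, struct.pack("<IHBB", 4, 0, 0, 0) + b"\x00" * 4)
```

Feeding the reply PDU from each Ethereal capture into classify_lsa_reply gives the same patched/vulnerable verdict as reading the two traces by hand.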