Published: 2008-11-23T17:13+00:00    Last Updated: 2009-01-22T02:28+00:00

TRTA08-297A
Microsoft Windows Server Service RPC Vulnerability

Overview

A vulnerability in the way the Microsoft Windows server service handles RPC requests could allow an unauthenticated, remote attacker to execute arbitrary code with SYSTEM privileges.

Event Information

Date (UTC)    Description
2009-01-17 05:00 SANS Internet Storm Center
Investigating and Verifying domains to block (Conficker.B/Downadup.B)
As most of us know, investigation and verification of data plays a critical role in protecting our assets. Blind faith in what others say or do may of course lead to a call from a C-level asking why his VP of sales can't get to his favorite vacation blog. Today's diary (and the updates that will follow) will share some of the process and findings of my investigation into the wonderful list of domains that was produced by F-Secure that we have previously mentioned.
2009-01-16 22:27 US-CERT
Widespread Infection of Win32/Conflicker/Downadup Worm
US-CERT Current Activity
US-CERT is aware of public reports indicating a widespread infection of the Win32/Conflicker/Downadup worm. This worm exploits a previously patched vulnerability addressed in Microsoft Security Bulletin MS08-067. This worm attempts to propagate via multiple methods including removable media.
2009-01-06 12:39 Symantec Security Response Blog : Malicious Code
W32.Downadup Infection Statistics
On July 7, Microsoft released a Security Bulletin outlining a vulnerability in the Access Snapshot Viewer ActiveX control. On or about this date, our honeypots began detecting this vulnerability exploited in what I can only describe as a Neosploit wrapper.
2008-12-22 Symantec
Trojan.Gimfan.A
Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-12-05 17:59 Symantec
ThreatCON (2) => (1)
2008-11-26 16:32 SANS Internet Storm Center
MS - new malware using an ms08-067 exploit gained momentum
In Tuesday's blog "More MS08-067 Exploits" Microsoft said that new malware using an ms08-067 exploit "gained momentum and as a result we see an increased support call volume".
2008-11-25 04:48 Microsoft Security Response Center Blog
MS08-067 Update: November 25
Recently we've received a string of reports from customers that have yet to apply the update and are infected by malware. These most recent reports have a common malware family, and the folks in the Microsoft Malware Protection Center (MMPC) have provided detailed information regarding this latest threat. The detailed write-ups regarding this threat can be found here and here. It's important to note that customers who have installed MS08-067 are not affected.
2008-11-22 18:14 Symantec
ThreatCON (2) => (2)
Symantec has released detections for a new worm named W32.Downadup that is exploiting Windows 2000 computers over TCP port 445.
Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-11-21 16:33 Symantec
ThreatCON (2) => (2)
Symantec TMS sensors are observing a rise in activity over TCP port 445 that appears to be related to exploitation of MS08-067.
Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-11-21 Symantec
W32.Downadup
Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-11-21 Trend Micro
WORM_DOWNAD.A
Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-11-16 22:54 Bugtraq
Microsoft Windows Server Service (MS08-067) Exploit
Server Service Vulnerability (CVE-2008-4250, MS08-067)
#Cid: srvsvcexpl.rar
#Cid: 31874.py
#Tested: Windows 2000
#Tested: Windows 2003 Server SP2
2008-11-05 15:31 SANS Internet Storm Center
ms08-067 exploitation by 61.218.147.66
They have sample packets of the exploit and the call-back shell. They show an example of libemu's sctest. They find the exploiting IP 61.218.147.66. That IP is definitely sequentially scanning IP addresses for TCP 445 looking for vulnerable systems, so blocking it at your enterprise gateway is recommended.
2008-11-04 10:00 JPCERT/CC
JPCERT-AT-2008-0019: Increased activity targeting TCP port 445
2008-11-03 20:13 Symantec
ThreatCON (2) => (2)
Microsoft has released the MS08-067 bulletin to patch a critical flaw being exploited in the wild. We strongly urge users to update immediately and to filter TCP ports 139 and 445.
Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-11-03 18:54 SANS Internet Storm Center
MS08-067 Worm in the wild? (Version: 3)
The "Worm" appears to be spreading over local network. Port 445. Speaking from a Snort perspective, as pointed out in the VRT blog, not only does this worm trigger off of the new rules that Sourcefire has written for Snort for the newest 08-067 vulnerability, but this particular variant of the worm triggers an older rule that VRT wrote for 06-040.
2008-11-03 18:54 US-CERT
Worm Exploiting Microsoft MS08-067 Circulating
US-CERT Current Activity
US-CERT is aware of public reports of a worm circulating that has the capability of exploiting the recently patched vulnerability described in Microsoft Security Bulletin MS08-067.
2008-11-03 13:34 F-Secure
Worm Exploiting MS08-067 in the Wild
F-Secure Weblog : News from the Lab
Code building on the proof of concept binaries that were mentioned last week has moved into the wild. We've received the first reports of a worm capable of exploiting the MS08-067 vulnerability. The exploit payload downloads a dropper that we detect as Trojan-Dropper.Win32.Agent.yhi.
2008-11-03 Trend Micro
WORM_WECORL.A
Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-11-03 Trend Micro
WORM_KERBOT.A
Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-11-02 Symantec
W32.Wecorl
Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-11-02 Trend Micro
TROJ_DUCKY.O
Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-11-02 Trend Micro
TROJ_DUCKY.M
Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-10-31 18:00 IBM Internet Security Systems
AlertCon (2) => (1)
The threat level has been reduced to AlertCon 1 due to the absence of any widespread exploitation of MS08-067.
Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-10-31 12:53 F-Secure
Proof of Concept Binaries for MS08-067 Targeting English Windows OS's
F-Secure Weblog : News from the Lab
We are seeing the first Proof of Concept binaries that target the MS08-067 vulnerability on the following English localized systems: Windows XP Service Pack 2, Windows XP Service Pack 3, Windows 2003 Service Pack 2
2008-10-28 Bugtraq
MS Windows Server Service Code Execution Exploit (MS08-067)
Server Service Vulnerability (CVE-2008-4250, MS08-067)
#Cid: 31874.c
2008-10-27 23:43 Microsoft
Microsoft Security Advisory (958963): Exploit Code Published Affecting the Server Service
Microsoft is aware that detailed exploit code demonstrating code execution has been published on the Internet for the vulnerability that is addressed by security update MS08-067. This exploit code demonstrates code execution on Windows 2000, Windows XP, and Windows Server 2003. Microsoft is aware of limited, targeted active attacks that use this exploit code. At this time, there are no self-replicating attacks associated with this vulnerability.
2008-10-26 Bugtraq
MS Windows Server Service Code Execution Exploit (MS08-067) (cn univ.)
Server Service Vulnerability (CVE-2008-4250, MS08-067)
MS08-067 Exploit for CN by EMM
#Cid: 2008-MS08-067.rar
2008-10-25 16:29 ThreatExpert
Gimmiv.A exploits critical vulnerability (MS08-067)
Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-10-25 SecuriTeam Blogs
Microsoft Windows RPC Vulnerability MS08-067 (CVE-2008-4250) FAQ - October 2008
Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-10-24 20:27 Symantec
Trojan.Gimmiv.A
Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-10-24 18:34 Symantec
ThreatCON (2) => (2)
Microsoft has released the MS08-067 bulletin to patch a critical flaw being exploited in the wild by at least one piece of malicious code. We strongly urge users to update immediately and filter TCP ports 139 and 445.
Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-10-24 01:33 JPCERT/CC
JPCERT-AT-2008-0018: Vulnerability in Microsoft Server Service
2008-10-24 Trend Micro
TSPY_GIMMIV.A
Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-10-23 23:43 Emerging Threats
Gimmiv.A exploits critical vulnerability (MS08-067)
Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-10-23 21:12 US-CERT
TA08-297A: Microsoft Windows Server Service RPC Vulnerability
Via US-CERT Mailing List
2008-10-23 21:00 IBM Internet Security Systems
AlertCon (1) => (2)
The threat level has been elevated to AlertCon 2 due to an out-of-cycle security advisory issued by Microsoft, MS08-067.
Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-10-23 20:58 SANS Internet Storm Center
Microsoft out-of-band patch - Severity Critical (Version: 3)
Microsoft has just released an advance notification of an out-of-band update to be released on 23rd of October. They will hold a special webcast on the 23rd at 1:00 pm PT to discuss the release. The patch will be released at 10.00 am.
2008-10-23 19:06 Sophos
Troj/Gimmiv-A
Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-10-23 17:58 Microsoft
MS08-067: Out-of-Band Microsoft Security Bulletin Summary for October 23, 2008
Via Microsoft newsletters
This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code.
2008-10-23 17:45 Symantec
ThreatCON (2) => (2)
Microsoft has just released MS08-067 to patch a critical flaw affecting Windows 2000, XP, 2003, Vista, and Server 2008. This issue is being actively exploited in the wild. Users should patch immediately.
Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-10-23 11:47 US-CERT
Microsoft Releases Advance Notification for Out-of-Band October Security Bulletin
US-CERT Current Activity
Microsoft has issued a Security Bulletin Advance Notification indicating the upcoming release of an out-of-band bulletin. The notification states that this is a Critical bulletin and is for Microsoft Windows. Release of this bulletin is scheduled for Thursday, October 23.
2008-10-23 10:33 Microsoft Security Response Center Blog
MS08-067 Released
This security update resolves a vulnerability in the Server service that affects all currently supported versions of Windows. Windows XP and older versions are rated as "Critical" while Windows Vista and newer versions are rated as "Important". Because the vulnerability is potentially wormable on those older versions of Windows, we're encouraging customers to test and deploy the update as soon as possible.
2008-10-23 04:50 Microsoft
MS08-067: Out-of-Band Microsoft Security Bulletin Advance Notification for October 23, 2008
Via Microsoft newsletters
2008-10-23 Microsoft
TrojanSpy:Win32/Gimmiv.A
Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-10-23 McAfee
Exploit-MSExcel.p
Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-10-23 Bugtraq
Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
Server Service Vulnerability (CVE-2008-4250, MS08-067)
MS Windows Server Service Code Execution PoC (MS08-067)
#Cid: 2008-ms08-067.zip
#Cid: 31874.zip
2008-10-23 IBM Internet Security Systems
Microsoft Windows Server Service RPC Code Execution
Server Service Vulnerability (CVE-2008-4250, MS08-067)
Microsoft Windows Server Service could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability in the Remote Procedure Call (RPC) service.
2008-10-22 Trend Micro
WORM_GIMMIV.A
Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067)
Other Information