>Date: Fri, 4 Oct 2002 14:13:55 +0700
>From: Alain Fauconnet <alainat_private>
...
>I know that Win95 had its share of bugs regarding SMB passwords.
...
>http://security-archive.merton.ox.ac.uk/bugtraq-200010/0228.html

I was able to confirm this for Windows 98. In other words, the Opaserv worm is apparently exploiting the vulnerability from
http://www.microsoft.com/technet/security/bulletin/MS00-072.asp
(see also CVE-2000-0979 and http://online.securityfocus.com/bid/1780).

Basically, a long and complex password for the C share doesn't prevent the worm from writing scrsvr.exe and modifying win.ini, or even slow it down.

This differs from some previous reports, e.g.,
http://www.f-secure.com/v-descs/opasoft.shtml says:

  2. In case the resource is protected by a password the worm tries to open it with all one-symbol passwords (brute-force attack).
  ...
  The worm caused a global epidemic in the beginning of October 2002 and hit many Win9x systems because of the following reasons:
  ...
  - many users don't pay enough attention to password length and security.

Also, http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0210&L=ntbugtraq&F=P&S=&P=72 says:

  Two new worms are of particular concern due to the fact they spread via network shares. Both rely upon open network shares, that is, shares which have no passwords.

Some of the conclusions seem straightforward. Loading the MS00-072 patch needs to be part of the procedure used in recovery of a machine compromised by Opaserv. People who have Windows 9x systems, with read/write file sharing, that are exposed to untrusted networks should, in advance of compromise, try to get MS00-072 onto those systems. (In practice, it's not only the open Internet that's an untrusted network.)

My testing approach was as follows.

Do a new installation of two Windows 98 Second Edition systems on an isolated network. Set up one with the IP address 192.168.155.2, and the other 192.168.155.3. On 192.168.155.2, share the C drive with the share name C. Configure a long and complex full-access password, and no read-only password.

On 192.168.155.3, copy the Opaserv worm program (28672 bytes, MD5 checksum d6018381ee9c28caf40bb34d65cc6c2c) to C:\windows\scrsvr.exe. Run scrsvr.exe. (Upon running it, a new value was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.)

Then, within a minute, C:\windows\scrsvr.exe was found on 192.168.155.2. Also, on 192.168.155.2, the third line of win.ini was modified to be "run=c:\windows\scrsvr.exe". On 192.168.155.2, HKLM\Software\Microsoft\Windows\CurrentVersion\Run was not modified.

Disconnect 192.168.155.3 from the network. Format the disk on 192.168.155.2, and then reinstall it with the same setup as before. This time, however, load the MS00-072 patch. Format the disk on 192.168.155.3, reinstall it with its previous setup, connect it to the network, and again run scrsvr.exe. Wait an hour.

This time, C:\windows\scrsvr.exe was not found on 192.168.155.2. This was repeated a few times to try to establish validity.

Perhaps of interest is that when 192.168.155.2 had the MS00-072 patch and had a one-character full-access password for the C share, it was not compromised within an hour after starting scrsvr.exe on 192.168.155.3.

(I've sent a Bcc copy of this to the previous reports' authors.)

Matt Power
BindView Corporation, RAZOR Team
mhpowerat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Oct 05 2002 - 15:25:39 PDT
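The post describes three artifacts a recovery procedure can look for on a Win9x machine: the rewritten "run=" line in win.ini, a scrsvr.exe entry under the Run key, and the sample's size and MD5. The following checker is an added example, not code from the post or from any of the cited reports; the win.ini text, the Run value name "ScrSvr" and the dummy file bytes are constructed sample inputs.

```python
import hashlib
import re

# Indicators taken from the post: the sample's size and MD5, and the win.ini
# "run=" line it writes on the victim. Everything else here is a constructed
# example, not code from the original message.
OPASERV_SIZE = 28672
OPASERV_MD5 = "d6018381ee9c28caf40bb34d65cc6c2c"
SCRSVR_PATTERN = re.compile(r"scrsvr\.exe", re.IGNORECASE)


def check_win_ini(text):
    """Return the [windows] 'run=' lines of a win.ini that launch scrsvr.exe."""
    findings, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).lower()
        elif section == "windows" and line.lower().startswith("run="):
            if SCRSVR_PATTERN.search(line):
                findings.append("win.ini line %d: %s" % (lineno, line))
    return findings


def check_run_values(values):
    """Flag HKLM\\...\\Run values (name -> command) that start scrsvr.exe."""
    return [name for name, cmd in values.items() if SCRSVR_PATTERN.search(cmd)]


def check_file(data):
    """Compare a candidate scrsvr.exe against the size and MD5 from the post.

    Returns (size_matches, md5_matches); a size match alone is not enough."""
    return len(data) == OPASERV_SIZE, hashlib.md5(data).hexdigest() == OPASERV_MD5


# Constructed sample inputs: an infected win.ini (default layout, third line
# rewritten as the post describes), a Run key with a made-up value name, and a
# dummy 28672-byte file that has the right size but cannot have the right hash.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=c:\\windows\\scrsvr.exe\n\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_RUN = {"ScanRegistry": "c:\\windows\\scanregw.exe /autorun",
              "ScrSvr": "c:\\windows\\scrsvr.exe"}   # "ScrSvr" name is hypothetical
SAMPLE_FILE = b"\x00" * OPASERV_SIZE

if __name__ == "__main__":
    print(check_win_ini(SAMPLE_WIN_INI))
    print(check_run_values(SAMPLE_RUN))
    print(check_file(SAMPLE_FILE))
```

On a real machine the three inputs would be the contents of C:\windows\win.ini, the exported Run key, and the bytes of C:\windows\scrsvr.exe; a clean Win98 box reports no findings.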