
RE: [Full-Disclosure] Windows Lsasrv.dll RPC buffer overflow Remote Exploit (MS04-011)



Did anybody else notice that the SecurityFocus site had the LSASS code you
mentioned below posted for a few days and now it is gone? Did they change
the name of the post under the vulnerability section or just remove it? If
they removed it then it makes me wonder why. 


James Cupps
Information Security Officer



-----Original Message-----
From: - ElviS - [mailto:elvi52001@xxxxxxxxx] 
Sent: Tuesday, April 27, 2004 2:06 AM
To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: Re: [Full-Disclosure] Windows Lsasrv.dll RPC buffer overflow Remote Exploit (MS04-011)


http://isc.sans.org/diary.php?date=2004-04-26

http://www.k-otik.com/exploits/04252004.ms04011lsass.c.php



Handler's Diary, April 26th 2004: "An exploit targeting the recently released
vulnerability in Windows' Active Directory service functions in LSASRV.DLL
(LSASS: Local Security Authority Subsystem Service) was made public today.

The exploit is effective against some versions of Windows 2000 with SP3 or
SP4 installed. The patch released earlier this month as part of MS04-011
will fix this vulnerability. 

If you have not done so already, please apply the MS04-011 patch as soon as
possible. Even if no worm is released, we expect that all Internet facing
systems will be probed with this exploit over the next couple of days. 

The exploit will allow full remote control via a remote shell. The port used
by the remote shell can be changed via a command line option. We just
received a report of the exploit being used in the wild."

Really dangerous!



Paul Tinsley <jackhammer@xxxxxxxxx> wrote:

I haven't seen much discussion about this one other than here:
http://www.incidents.org/diary.php?date=2004-04-25&isc=24f2410ad7a5b786b009d9226c908b92
and I just figured I would pass along that this one is real and does
work. We set up some VMware sessions a while ago and tested it against
a W2K SP4 box with no success, but a W2K SP4 box with all patches
except MS04-011 and MS04-012 was a successful target. So patching is
probably a good idea if you haven't already done so.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
