Windows LSASS Exploit

• URL: http://www.secureworks.com/research/threats/lsassadvisory
• Date: April 29, 2004
• Author: Joe Stewart

***Broad Exploit Code For LSASS Vulnerability Released ***

Three days ago we published a threat in the SecureWorks Portal detailing an exploit for the recent Microsoft LSASS vulnerability described in Microsoft Security Bulletin MS04-011. That code has already been incorporated into mass-exploiters and trojans, including the very prevalent Agobot trojan. That code, while effective, was limited in scope and by the fact it required an additional non-standard DLL to function. Today new exploit code has been released that includes additional targets while eliminating dependence on modified Windows DLLs.

Based on previous events of this nature, there is a high probability that a worm may be released in the next 24 to 48 hours. This underscores the urgency for patching all internal and external Windows 2000 and XP systems with the MS04-011 patch. If a worm is released, past experience shows it will frequently penetrate perimeter network defenses by piggybacking on laptop and VPN users' systems.

The current exploit utilizes TCP port 445, the Windows Networking service, but it could also be modified to use TCP port 135 or 1025. Because these services are critical to Windows Networking, it may not be possible to block these ports at the VPN gateway or internal firewalls, but blocking these ports should be considered where possible.

Microsoft has reported some problems with the patch for users of the Nortel VPN client. For details and the patch, see: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx