Re: Windows 2000 .printer remote overflow proof of concept exploi t

[Russ <Russ.Cooper () RC ON CA>]

-----BEGIN PGP SIGNED MESSAGE-----

A number of people have put effort into supposedly providing "proof
of concept" code or "remote test" code that allows Administrators to
determine whether or not their IIS 5.0 box is, or isn't, patched
against this .printer buffer overflow.

No doubt Eric Schultze has been rolling his eyes repeatedly as these
messages appear.

In a conversation I had with Marc Maiffret about exploit code, he
indicated that they (Eeye) had produced something to demonstrate the
severity of the issue to Microsoft. Perfectly understandable,
reproducing an issue and allowing the developers to see the potential
of a vulnerability are the most important thing a discoverer can do.

However, doing the same for the public-at-large is another thing.

The HFCHECK.wsf script/tool from Microsoft is perfectly capable of
determining whether or not a local or remote box is vulnerable to the
.printer exploit. Using WMI, within an organization, an Administrator
could easily determine whether some or all of his/her W2K boxen have
applied the patch. Using the customization to NOTIFY.JS described in
the documentation supplied with HFCHECK, an Administrator could
receive an email notification of any box which failed the test.

Moreover, not only will HFCHECK verify whether MS01-023 has been
patched, it will also ensure that any patches a given W2K box needs
have been applied, including security patches to other program sets
like the OS, Exchange, whatever.

So while IDS Vendors and the curious few might "need" to have sample
exploit code, to suggest that same code is "needed" to allow
Administrators to make a determination is, IMO, flawed thinking. With
advisories from so many sources within 24 hours of the announcement
of the vulnerability, you would think that everyone who should know
about the problem does. Folks should also have appreciated, again by
the sheer volume and speed of advisories, that this one is a big
problem that needs to be acted on right away.

All the exploit code does now is become the basis for actual
malicious exploits, regardless of disclaimers to the contrary.

Seeing may be believing, but if your security is based on
vulnerabilities being proven to you (or to yourself) before you patch
then your machine is likely vulnerable to several exploits right now.

With Windows 2000 and WMI, its possible to avoid such questions by
simply dealing with the output of the HFCHECK script quickly and
regularly.

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168

The threat level of this particular vulnerability (MS01-023) was,
IMNSHO, entirely dictated by the availability and quality of exploit
code. In the 24 hours since the advisory was published it went from
Low to Extremely High.

I'm not suggesting that exploit code shouldn't have been published, I
am suggesting that anyone who does publish code shouldn't pretend its
there for people to test their boxes or get a better appreciation of
how severe the issue is. A test pre-existed the vulnerability, and
its severity should be obvious to all...even folks who don't
understand security.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2

iQCVAwUBOvFkzhBh2Kw/l7p5AQFVXgQAqLrB0WMtub/uJUeNEJdEVpPdPm8GyU+o
78rylCPdFIRCzK79lFOsI1xmJ/212RjjMt/guqE1v80+aReX7qethXgeoyuFXkN0
5Ig4XanXyGWv3A0smTpjcOI+FbRDFXBIfpw3J7OxJ0FsEHelLOsEqD/38l6NMfhr
aknnt3QBvgw=
=VURy
-----END PGP SIGNATURE-----