48Bits has released code for remotely exploiting vulnerable Windows 2000 machines via the RPC interface.
A little bit of background. Ten days ago ZDI published an advisory about a stack overflow in the Microsoft Windows Message Queuing Service (CVE-2007-3039). At the same time Microsoft released a patch (MS07-065) which replaces MS05-017 and fixes this issue under Windows 2000 SP4 and Windows XP SP2.
The vulnerability affects Windows XP and has been rated Moderate there, as it requires local exploitation. However, under Windows 2000 it can be exploited remotely and has been labeled Important.
If you manage Windows 2000 machines make sure that you either:
a) apply the patch,
b) disable Microsoft Windows Message Queuing Service, or
c) block inbound traffic on ports higher than 1024 or specially configured RPC ports.
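As an added example (not code from the original post), the following Python script turns the three mitigations above into a per-host check: it parses `netstat -an` output to list the listening ports above 1024 that an inbound block rule would have to cover, and reports a Windows 2000 host only when none of (a), (b) or (c) is in place. The MSMQ port numbers are an assumption taken from MSMQ's documented defaults, and the host record and netstat excerpt are constructed sample input.

```python
import re

# Assumption (not from the post): MSMQ's default listeners, TCP 1801 for
# messaging and RPC endpoints 2101/2103/2105.
MSMQ_PORTS = {1801: "msmq", 2101: "msmq-rpc-mqis", 2103: "msmq-rpc", 2105: "msmq-rpc"}

# A Windows "netstat -an" TCP line in LISTENING state; group 1 is the local port.
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$")


def listening_ports(netstat_text):
    """Set of TCP ports reported as LISTENING in netstat -an output."""
    return {int(m.group(1)) for m in map(NETSTAT_RE.match, netstat_text.splitlines()) if m}


def high_ports(netstat_text):
    """Listening ports above 1024: what mitigation (c)'s inbound block must cover."""
    return sorted(p for p in listening_ports(netstat_text) if p > 1024)


def assess(host):
    """Findings for one host record; an empty list means a mitigation applies.

    host keys: os, patched (MS07-065 installed), msmq_running,
    inbound_high_ports_blocked, netstat (str from netstat -an).
    """
    if not host["os"].startswith("Windows 2000"):
        return []  # per the post, only Windows 2000 is remotely exploitable
    if host["patched"] or not host["msmq_running"] or host["inbound_high_ports_blocked"]:
        return []  # mitigation (a), (b) or (c) is in place
    findings = ["Windows 2000 without MS07-065, MSMQ running, no inbound block"]
    msmq = [p for p in high_ports(host["netstat"]) if p in MSMQ_PORTS]
    if msmq:
        findings.append("MSMQ listeners reachable on TCP " + ",".join(map(str, msmq)))
    return findings


# Constructed sample: netstat -an excerpt from an unmitigated Windows 2000 host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1801           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2103           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2105           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
"""
SAMPLE_HOST = {"os": "Windows 2000 SP4", "patched": False, "msmq_running": True,
               "inbound_high_ports_blocked": False, "netstat": SAMPLE_NETSTAT}
```

Running `assess(SAMPLE_HOST)` reports the host; flipping any one of `patched`, `msmq_running` or `inbound_high_ports_blocked` clears the findings, which mirrors the "either a, b or c" advice.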
2 comments
Does Panda proactively block this exploit from downloading malware?
Sorry for the late reply; I took a few days off for Xmas. Actually, we have not seen any malware using this exploit yet in the wild. We’ll keep an eye out for this, but in case a malicious attack were to appear, the vulnerability is the delivery mechanism and this should be fixed with the patch from Microsoft. The malware that would be delivered in case of in-the-wild spread would most probably be detected by our signatures, heuristics or behavioral blocking/analysis engines.