Trojan (Gimmiv.A) and a Trojan that scans the LAN for unpatched machines (Arpoc.A)
W32.Downadup aka Conficker
W32.Downadup.B
W32.Fujacks.CE
W32.Neeris.C
W32.Wapomi.B
Vulnerability details
Advisory: SB2008102301 - Remote code execution in Microsoft Windows
Vulnerable component: Windows
CVE-ID: CVE-2008-4250
CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
CWE-ID: CWE-120 - Buffer overflow
Description:
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a buffer overflow during path canonicalization in the Windows Server service. By sending a specially crafted RPC request, a remote attacker can cause memory corruption and execute arbitrary code with the privileges of the SYSTEM account.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: this vulnerability was being actively exploited.
Public Exploits:
- Microsoft Windows - 'NetAPI32.dll' Code Execution (Python) (MS08-067) [Exploit-DB]
- Microsoft Windows Server - Service Relative Path Stack Corruption (MS08-067) (Metasploit) [Exploit-DB]
- Microsoft Windows Server 2000/2003 - Code Execution (MS08-067) [Exploit-DB]
- Microsoft Windows Server - Code Execution (MS08-067) [Exploit-DB]
- Microsoft Windows Server - Code Execution (MS08-067) (Universal) [Exploit-DB]
- Microsoft Windows Server - Code Execution (PoC) (MS08-067) [Exploit-DB]
External links:
http://marc.info/?l=bugtraq&m=122703006921213&w=2
https://fe-ddis.dk/cfcs/CFCSDocuments/Zeroday.pdf
https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23179
http://blog.disects.com/2014/05/metasploit-gaining-access-using-ms08.html
http://www.beyondsecurity.com/scan_pentest_network_vulnerabilities_server_service_allows_code_execut...
http://www.bleepingcomputer.com/forums/t/401254/norton-blocked-an-attack-by-os-attack-ms-windows-ser...
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf