Windows RPC hole being exploited already
A public exploit has been circulated for the recent RPC hole in Windows (MS08-067). When the vulnerability was publicised last Wednesday, Microsoft's security bulletin still said that, although there had been targeted attacks, the attack code itself was not publicly available; the company did, however, warn that the hole was a potential target for worms. That prediction now appears to have come true: a program called "Gimmiv.A" has reportedly been sighted in the wild. Gimmiv.A infiltrates vulnerable computers and sends information back to its operators. Some virus scanners and intrusion detection systems already offer signatures that recognise these attacks.
Security specialists Threatexperts have published a more in-depth analysis of Gimmiv in their blog. They report that the malware collects data from infected computers and sends it to a remote server in encrypted form; the exact content of that data has not yet been established. Microsoft points out that although Gimmiv.A installs malware on the systems it reaches, it does not spread by itself, which explains the relatively low number of incidents. Technically speaking, then, Gimmiv.A is not a worm, since there is no automated propagation across the network.
Users are advised to install the security update that closes the hole immediately. Although the XP firewall, included and enabled by default since SP2, blocks access to the vulnerable RPC service from outside, XP opens the necessary ports (TCP 139 and 445, through which the Server service is reached) for the local network as soon as file and printer sharing is activated. If that network connection is also the internet connection and there is no proper firewall on the router, or if a user mistakenly binds file and printer sharing to a dedicated internet link, the service is potentially reachable from the internet as well.
According to Microsoft, Data Execution Prevention (DEP) on Windows XP and Server 2003 offers no protection against these attacks, and the vulnerable code is in a part of Windows that is not protected by "/GS" security cookies either. Functions compiled with the /GS option place a cookie on the stack, between the local buffers and the saved return address, when they are entered. A typical stack buffer overflow overwrites the cookie on its way to the return address; the check in the function epilogue notices the changed value and terminates the process before the corrupted return address can be used. Without the cookie, nothing stands between an overflowed buffer and the return address.
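To make the /GS mechanism concrete, here is an added example (my own code, not from the article, Microsoft or the malware analysis) that simulates the frame layout in plain C: a local buffer, a cookie between it and the saved frame pointer and return address, and an unchecked copy into the buffer. The overflow is confined to a simulated struct so it runs deterministically anywhere; the cookie derivation, the caller address 0x401000 and the inputs are constructed stand-ins for the real per-module cookie, the real return address and real RPC data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* A simulated stack frame laid out the way /GS arranges a real one: the
 * local buffer sits below the cookie, the cookie below the saved frame
 * pointer and return address. An overflow of buf runs upward through the
 * cookie before it can reach return_addr. buf is at offset 0, so the
 * struct is 40 bytes with no padding. */
struct frame {
    char     buf[16];
    uint64_t cookie;       /* only meaningful in the /GS-protected variant */
    uint64_t saved_fp;
    uint64_t return_addr;
};

#define BENIGN_RETURN 0x401000ULL  /* assumed caller address for the demo */

/* Like __security_cookie in the MSVC CRT. /GS derives it at module load
 * time from time, tick count, process id and similar; this mix of the
 * time and a stack address is an assumption that suffices here. */
static uint64_t g_security_cookie;

static uint64_t security_cookie(void)
{
    if (g_security_cookie == 0) {
        int anchor;
        g_security_cookie = ((uint64_t)time(NULL) << 32)
                          ^ (uint64_t)(uintptr_t)&anchor
                          ^ 0x9E3779B97F4A7C15ULL;
    }
    return g_security_cookie;
}

/* The bug: copy src into the local buffer with no length check. The copy
 * is capped at the frame size so the simulation stays inside the struct
 * instead of corrupting the real stack of this program. */
static void unchecked_copy(struct frame *f, const char *src, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((char *)f, src, len);   /* buf is at offset 0; overflows once len > 16 */
}

/* No /GS (the XP / Server 2003 situation the article describes): whatever
 * landed in return_addr is where the function would return to. */
uint64_t unprotected_return(const char *src, size_t len)
{
    struct frame f = { {0}, 0, 0xDEADBEEFULL, BENIGN_RETURN };
    unchecked_copy(&f, src, len);
    return f.return_addr;
}

/* With /GS: the prologue stores the cookie and the epilogue compares it.
 * Returns the return address that would be used, or 0 when the cookie
 * check fails (the real __security_check_cookie never returns there; it
 * reports the failure and terminates the process). Real /GS on x64 also
 * XORs the cookie with the frame pointer; that detail is omitted here. */
uint64_t gs_protected_return(const char *src, size_t len)
{
    struct frame f = { {0}, 0, 0xDEADBEEFULL, BENIGN_RETURN };
    f.cookie = security_cookie();          /* prologue */
    unchecked_copy(&f, src, len);
    if (f.cookie != security_cookie())     /* epilogue check */
        return 0;
    return f.return_addr;
}

int main(void)
{
    /* Constructed inputs: a legitimate short string, and a payload that
     * fills buf, overwrites the cookie and frame pointer, then plants
     * 0x4444444444444444 as the return address. */
    const char benign[]  = "\\\\srv\\share";
    const char payload[] = "AAAAAAAAAAAAAAAA" "BBBBBBBB" "CCCCCCCC" "DDDDDDDD";

    printf("no /GS, short input -> return to %#llx\n",
           (unsigned long long)unprotected_return(benign, strlen(benign)));
    printf("no /GS, overflow    -> return to %#llx (attacker-controlled)\n",
           (unsigned long long)unprotected_return(payload, sizeof payload - 1));
    printf("/GS,    overflow    -> %s\n",
           gs_protected_return(payload, sizeof payload - 1) == 0
               ? "cookie mismatch, process would be terminated"
               : "not detected");
    return 0;
}
```

Note the intermediate case: a 20-byte input damages only the cookie, so the unprotected variant still returns to the benign address while the /GS variant already aborts. That is the point of placing the cookie below the saved data: the check fires on any overflow long enough to matter, not only on one that has reached the return address.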
For Vista and Server 2008 the story appears to be different: there, Address Space Layout Randomization (ASLR) is said to make the hole harder to exploit. Where possible, Windows loads the executable and its DLLs at random addresses and also randomises data objects such as stacks and heaps when a process is created, so an exploit can no longer rely on a fixed address to jump to.
According to Microsoft's own report, the vendor only found out about the hole about two weeks ago while investigating attacks on Windows XP systems. The hole is said to lie in the same area of code as an RPC parsing and routing flaw (MS06-040) that was fixed in 2006. Although the Vanebot and Mocbot worms exploited that earlier hole, there was no widespread distribution at the time. Gimmiv.A is speculated to be a variant of Mocbot.
- MS08-067 Released, posting by The Microsoft Security Response Center (MSRC)
- More detail about MS08-067, the out-of-band netapi32.dll security update, report by Microsoft
- Gimmiv.A exploits critical vulnerability (MS08-067)..., description by Threatexperts