I really need to get back into the habit of writing on here, so maybe a few words on the new non-Patch-Tuesday vulnerability is in order. I just got my MacBook back from warranty service yesterday, and was reading about this on Twitter as I was getting everything set back up. I’ll give you a few links that I’ve seen in my feed reader, Twitter, and IRC (shouts to #pauldotcom and #securabit on freenode), and a little commentary:
It’s been a while since we’ve had a vulnerability that is this clean and perfect for large-scale attacks: remote, pre-authentication, and something you can count on running on most Windows systems.
There is active exploitation of this “in the wild”. Whoever developed that exploit probably noticed the problem while looking at the code affected by MS08-040.
ThreatExpert calls the above exploit/malware-payload a worm, and while it really doesn’t seem like this particular chunk of code will spread extremely far, it does fit the definition. I expect to see a much leaner exploit+scanning worm developed around this vulnerability. Such a worm could cause some serious problems, although I don’t think that it would be on quite the same level as Slammer. For starters, this one will at least have to go through the trouble of setting up full TCP connections, instead of just flooding links with UDP.
This is a reverse-engineered-to-C analysis of the vulnerable function, from Alexander Sotirov. The function in question is in netapi32.dll and, if I’m reading the milw0rm exploit right, is called from _NetprPathCanonicalize. The vulnerability results in a stack-based overflow, but the core problem is a little more subtle.
…and finally, a proof-of-concept exploit on Milw0rm. This one just shows you that taking control of EIP is pretty straightforward. I’d expect that there’ll be a pretty reliable code-execution exploit soon.