| Field | Value |
|---|---|
| VID | 24077 |
| Severity | 40 |
| Port | 139,445 |
| Protocol | TCP |
| Class | BackDoor |

Detailed Description

The user 'X' with a blank password, or with the password 'X', exists on the target host. This probably indicates that a remote attacker exploited the GDI+ integer overflow vulnerability described in Microsoft Security Bulletin MS04-028, for which an exploit is widely available. By exploiting this flaw, an attacker could create a specially crafted JPEG image containing exploit code and shellcode, and deliver the image file through:

1. a web site
2. email
3. an MS Office document
4. P2P file sharing

When a victim opens the JPEG file, a buffer overflow occurs, allowing the attacker to run arbitrary code on the affected system. An exploit program that creates user 'X' in the Administrators group has been widely circulated.

* Platforms Affected: Microsoft Windows, any version
* References:
  * http://seclists.org/lists/fulldisclosure/2004/Sep/0840.html
  * http://www.kb.cert.org/vuls/id/297462
  * http://www.ciac.org/ciac/bulletins/o-213.shtml
  * http://packetstormsecurity.nl/0409-advisories/ms04-028.html
  * http://packetstormsecurity.nl/0409-exploits/ms04-028-cmd.c
  * http://packetstormsecurity.nl/0409-exploits/JpegOfDeath.c
  * http://packetstormsecurity.nl/0409-exploits/JpgDownloader.c
  * http://packetstormsecurity.nl/0409-exploits/JpegOfDeathAll.c

Recommendation

Remove the user 'X' from the affected Windows host.

-- AND --

If the MS04-028 patch has not been applied, apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS04-028 at http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

Also check the system for further vulnerable copies of the affected .dll files using gdiscan.exe, available from http://isc.sans.org/gdiscan.php . If vulnerable .dll files are detected, upgrade those files manually.

| Field | Value |
|---|---|
| Related URL | CVE-2004-0200 (CVE) |
| Related URL | 1503,11173 (SecurityFocus) |
| Related URL | 16304 (ISS) |