LSASS Vulnerability Analysis

by Javantea aka. Joel R. Voss
Analysis: May 1, 2004
Write-up: Sept 8, 2006
Botnets

Introduction

Sasser is a good example of a recent botnet victim using push technology (service). Microsoft Windows has a service called LSASS running on port 445. This unnecessary service has many vulnerabilities, including one on Aug 10, 2006 of which the Department of Homeland Security (DHS) said "if exploited could enable an attacker to remotely take control of an affected system," [1]. Thank you Captain Obvious. On May 1, 2004, Sasser attacked a vulnerability in LSASS which resulted in massive infection (including myself). While Sasser is not generally accepted as a botnet because it did not do anything by itself, it did open shell and file transfer services, which qualify as botnet properties. Unpatched and unfirewalled Windows machines are easily exploited by worms. On May 1, 2004, during Sasser, I captured connection attempts by Sasser. I tested the LSASS exploit on my laptop and sure enough it worked. Sadly my desktop's motherboard died during Sasser, so I switched to using my laptop that was running Windows XP and got infected myself. My modem (MSN Arescom) DMZ'd the computer it was connected to, so instead of giving protection like a NAT router does, it opens the user up to worms. Remember that Sasser and LSASS exploit rebooted the target machine 60 seconds after disconnect. It took me 5 minutes to get infected and 5 hours to patch my laptop. These days, most modems are NAT and not DMZ, but many people still open up unnecessary ports to the outside world. Sadly, I didn't know how to use tcpdump at the time, so I was unable to capture Sasser traffic. I should have written a data capturing honeypot, but I was not able to.

Methods of LSASS

Unfinished

Data

lsasrv-expl3.c Source: Attack example:

jvoss@ASLinWs01:~/dev/programming/ASHack2/pfm2$ lsasrv1 0 192.168.0.2 445 192.168.0.5

MS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1
--- Coded by .::[ houseofdabus ]::. ---

[*] Target: IP: 192.168.0.2: OS: WinXP Professional    [universal] lsass.exe
[*] Connecting to 192.168.0.2:445 ... OK
[*] Attacking ... OK

Analysis

Ping of infected hosts: Ping of infected hosts Unfinished.

Conclusion

The LSASS service is a liability. No ports should be open on a computer until the user specifies that they should. Software developers cannot assume that users will ever patch their machines. Vulnerability analysis should be done on all code being used.

1) Department of Homeland Security. "DHS Recommends Security Patch to Protect Against a Vulnerability Found In Windows Operating Systems." URL: http://www.dhs.gov/dhspublic/display?content=5789 August 9, 2006