
MS04-007 Exploit released

Feb 14, 2004 1:07PM PST

A DoS exploit has been made available using the ASN.1 bug (MS04-007). This exploit uses port 445, 139 or 135. While this is just a DoS exploit, more serious exploits may follow soon.

Note: This exploit appears to work only against Windows 2000 Professional. Don't forget history: it wasn't long after DCOM came out that we saw universal shellcode for almost all Windows platforms.

This may be your last chance to apply the patch!
(See yesterday's diary for more details regarding ASN.1)

The exploit kills lsass.exe (see definition below), fires an error message to the screen, and reboots the machine after approximately 1 minute.

According to Liutilities.com (http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/), Lsass is:

Process File: lsass or lsass.exe
Process Name: Local Security Authority Service
Description: Windows Local Security Authority Server Process handles Windows security mechanisms. It verifies the validity of user logons to your computer or server. Technically, the software generates the process that is responsible for authenticating users for the Winlogon service.

Below are screen captures from the error log and lsass crash message:

http://isc.sans.org/images/lsasspopup.gif
http://isc.sans.org/images/errorlog.gif

http://isc.sans.org/diary.html
