The PoC for the Microsoft Windows Plug and Play (Umpnpmgr.dll) remote exploit, MS05-047, has just been released by FRSIRT.
With this release, we are now on the lookout. I predict it will just be a matter of days (or hours) for a new malware to carry this exploit.
Update (Jovs, 22 October 2005 01:55:34)
After more review of the PoC given by frsirt, we verified that it can only crash the targeted machines, since no actual shellcode can be seen in the PoC.
So malware within hours might have been an overstatement on my part. Hehe… But hey, when great minds work, nothing is impossible, right? :)
Update (JJ, 22 October 2005 02:11:24)
Some factors on why a working exploit (not just a DoS) for this requires some time (although it has already been around for 2 weeks, hehehe):
1. This exploit works by sending a long string using a specified registry key and appending lots of “\”. Ex: “ACPI\….” (under HKLM\SYSTEM\CurrentControlSet\Enum)
2. Specifying characters other than “\” and characters that are not in the subkeys of HKLM\SYSTEM\CurrentControlSet\Enum will not trigger the exploit.
3. When we finally have control of the stack, it points to a “00 xx 00 yy” address.
Quote from Dave Aitel on this bug:
“The umpnp bug is a bit more complex, you can overwrite eip with 00XX00YY where XX and YY are characters from a registry key you get to pick. It’s fun for the whole family. Do you A) spam the heap with lots of your shellcode? or B) off by two EIP and hope for something cool? C) find an 0day”
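As an added illustration of the constraint described in the update above (this is not code from the post, from the FrSIRT PoC, or from Microsoft): the key path is UTF-16, so every wide character that spills past the buffer lands as a `00 xx` pair, and the two characters that overlap the saved return address can only ever produce an EIP of the form 00XX00YY. The buffer size (16 wide characters), the frame layout, the "ACPI\" prefix and the 0x7C800000 placeholder are assumptions chosen for the demo, not the real umpnpmgr.dll layout; the copy is confined to a struct so the program itself never corrupts its own stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the demo, not the real one in umpnpmgr.dll. */
#define BUF_WCHARS 16

/* Simulated stack frame: a fixed UTF-16 buffer with the saved return address right after it. */
struct frame {
    uint16_t buf[BUF_WCHARS];
    uint32_t saved_eip;     /* what the function will return into */
};

/* The unsafe copy: the length is trusted, so wide chars 16 and 17 land on saved_eip.
 * Confined to the struct so the demo itself cannot smash the real stack. */
static uint32_t simulate_overflow(const uint16_t *path, size_t nwchars)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_eip = 0x7C800000u;                    /* placeholder legitimate return address */
    if (nwchars > sizeof f / sizeof(uint16_t))    /* clamp so the demo stays inside the struct */
        nwchars = sizeof f / sizeof(uint16_t);
    memcpy(&f, path, nwchars * sizeof(uint16_t)); /* no check against sizeof f.buf */
    return f.saved_eip;
}

/* Build "ACPI\" + backslash padding + the two chosen characters. Per the post, only
 * backslashes and existing Enum subkey names get past the registry lookup, so the
 * filler is backslashes; lo and hi are the characters that become YY and XX. */
static size_t build_trigger(uint16_t lo, uint16_t hi, uint16_t *out, size_t cap)
{
    const char prefix[] = "ACPI\\";   /* assumed key prefix */
    size_t i = 0;
    if (cap < BUF_WCHARS + 3)
        return 0;
    for (; prefix[i] != '\0'; i++)
        out[i] = (uint16_t)prefix[i];
    for (; i < BUF_WCHARS; i++)
        out[i] = 0x5C;                /* '\' */
    out[i++] = lo;                    /* low half of EIP  -> 00YY */
    out[i++] = hi;                    /* high half of EIP -> 00XX */
    out[i] = 0;
    return i;                         /* wide chars, excluding the terminator */
}

/* Character classes the trigger can carry: the optimistic case (any printable ASCII)
 * and what the post reports as actually passing the lookup (backslash only). */
static int printable_ascii(uint16_t c) { return c >= 0x20 && c < 0x7F; }
static int backslash_only(uint16_t c)  { return c == 0x5C; }

/* Can addr be produced by this overwrite? It must look like 00XX00YY with both
 * XX and YY in the allowed character class. */
static int reachable(uint32_t addr, int (*allowed)(uint16_t))
{
    if (addr & 0xFF00FF00u)
        return 0;
    return allowed((uint16_t)(addr & 0xFFu)) &&
           allowed((uint16_t)((addr >> 16) & 0xFFu));
}

/* How many of the 4 GB of address space can the overwrite actually hit? */
static unsigned count_reachable(int (*allowed)(uint16_t))
{
    unsigned count = 0;
    for (uint32_t xx = 0; xx < 0x100u; xx++)
        for (uint32_t yy = 0; yy < 0x100u; yy++)
            count += reachable((xx << 16) | yy, allowed) != 0;
    return count;
}

int main(void)
{
    uint16_t path[BUF_WCHARS + 4];
    size_t n = build_trigger(0x5C, 0x5C, path, sizeof path / sizeof path[0]);
    printf("backslash-only trigger -> EIP = 0x%08X\n", (unsigned)simulate_overflow(path, n));

    n = build_trigger('A', 'B', path, sizeof path / sizeof path[0]);
    printf("chars 'A','B' as YY,XX -> EIP = 0x%08X\n", (unsigned)simulate_overflow(path, n));

    /* Every reachable address is below 0x01000000, nowhere near system DLLs, which is
     * why the choices come down to spraying low memory or hoping something useful sits there. */
    printf("reachable with printable ASCII: %u\n", count_reachable(printable_ascii));
    printf("reachable with backslash only:  %u\n", count_reachable(backslash_only));
    return 0;
}
```

The two printouts make the point behind Dave Aitel's options A and B: with a free choice of two printable characters there are only 95 x 95 candidate return addresses, all in the first 16 MB of the process, and if only backslashes survive the key lookup there is exactly one (0x005C005C), so the attacker has to arrange for something useful to already be mapped there.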
Update (Jovs, 22 October 2005 03:19:15)
This has already been forwarded to the NVW team and is reportedly already detected by NVW pattern NVP10229.
Some workarounds for this vulnerability are also included in this report.