Graweg NetApi32.dll Exploit
Exploit details:There is a buffer overrun vulnerability in the Server service. By default the Server service listens on port 139 and port 445 and by sending a special crafted message to this port, then it is possible to execute malicious commands within the context of the Server service.
The following operating systems have this security hole:
- Windows 2000 SP1, SP2, SP3, SP4
- Windows XP SP1, SP2
- Windows 2003 SP1
Exploit side effects:The Server service is not vital for the operation of Windows, but it resides in the netsvcs service wrapper along with other vital services like COM+ Event System and Network Service. When vulnerable to attacks then the service wrapper might crash, and cause COM+ applications to fail and block the network/internet access. One of the following messages are usually shown when it crashes:
The result of the attacks is usually that the system becomes infected with a virus, which take control of the CPU and the Internet bandwidth, and it is then used for attacking other machines on the Internet.
Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.
Faulting application svchost.exe, version 5.1.2600.2180, faulting module netapi32.dll, version 5.1.2600.2180, fault address 0x0000a3c0.
Faulting application svchost.exe, version 5.2.3790.1830, faulting module netapi32.dll, version 5.2.3790.1830, fault address 0x0000a2be.
Solution to prevent exploit:
- Consider enabling a firewall to prevent future attacks (Like Windows XP Firewall)
- Download and install the Microsoft patch MS06-040 Vulnerability in Server Service Could Allow Remote Code Execution (921883).
- Download the newest virus database for your existing AntiVira Scanner and scan or use housecall.antivirus.com. (If using WinXP remember to turn off System Restore temporarily)
- Sophos have created a dedicated removal tool CUEBTGUI
- Check Windows Update to see if there are other critical patches for your system
- Uninstall the network component "File and Printer Sharing for Microsoft Networks"
- Disable nbt.sys and block port 139 and 445
Exploiters:More information about the Server service attackers:
Updated: 2 October 2007