Detailed exploit code for a critical Windows worm hole has been published on the Internet, putting millions of users at risk of PC takeover attacks.
The code, which was posted to the Milw0rm Web site, attempts to exploit a known—and already patched—vulnerability in the DHCP (Dynamic Host Configuration Protocol) Client service.
Microsoft released the MS06-036 bulletin on July 11 to correct the flaw, and warned that a successful exploit could allow remote code execution on Windows 2000 SP4, Windows XP and Windows Server 2003.
Windows uses DHCP to reduce the complexity of administering network addresses. But because of an unchecked buffer, Microsoft said, an attacker could remotely hijack a compromised system to install programs, view, change or delete data, or create new accounts with full user rights.
According to Swa Frantzen, an incident handler with the SANS ISC (Internet Storm Center), the published exploit claims to add the user “bl4ck” with a very insecure password to cause the service to terminate.
“The author left some suggestions for improvement in the source code, so expect potentially nastier versions to be used in real life,” Frantzen said in an entry on the SANS ISC diary page. “If you still have not patched your Windows client systems, it is a very good time to do so now.”
Frantzen said he believes an attack could be successful on both wired and wireless networks. “Or it could be used in a multi-stage attack where this gets inside your network in other ways and then does its magic on the local LAN,” he said.
A separate proof of concept posted at Milw0rm also provides a path for hackers to exploit a remote code execution hole that was patched with Microsofts MS06-034 update.
Microsoft described the issue as a vulnerability in IIS (Internet Information Services) that could be exploited by a malicious hacker with a specially crafted ASP (Active Server Pages) file. “An attacker who successfully exploited this vulnerability could take complete control of an affected system,” Microsoft said.