Detailed exploit code for a critical Windows worm hole has been published on the Internet, putting millions of users at risk of PC takeover attacks.
Microsoft released the MS06-036 bulletin on July 11 to correct the flaw, and warned that a successful exploit could allow remote code execution on Windows 2000 SP4, Windows XP and Windows Server 2003.
Windows uses DHCP to reduce the complexity of administering network addresses. But because of an unchecked buffer, Microsoft said, an attacker could remotely hijack a compromised system to install programs, view, change or delete data, or create new accounts with full user rights.
According to Swa Frantzen, an incident handler with the SANS ISC (Internet Storm Center), the published exploit claims to add the user “bl4ck” with a very insecure password to cause the service to terminate.
“The author left some suggestions for improvement in the source code, so expect potentially nastier versions to be used in real life,” Frantzen said in an entry on the SANS ISC diary page. “If you still have not patched your Windows client systems, it is a very good time to do so now.”
Frantzen said he believes an attack could be successful on both wired and wireless networks. “Or it could be used in a multi-stage attack where this gets inside your network in other ways and then does its magic on the local LAN,” he said.
Microsoft described the issue as a vulnerability in IIS (Internet Information Services) that could be exploited by a malicious hacker with a specially crafted ASP (Active Server Pages) file. “An attacker who successfully exploited this vulnerability could take complete control of an affected system,” Microsoft said.