
Ok…so here is the deal. Last year Cesar Cerrudo discovered the token kidnapping vulnerability (a local privilege escalation in Windows that lets code running under an unprivileged service account, such as the one IIS uses, steal a SYSTEM token) and notified Microsoft. Lately MS has been fairly responsive to vulnerability reports and patches often…in this case, not so much. So Cerrudo released a proof of concept to underscore the importance of the issue, and still no patch…aaaaannnnndddd…one year later comes this little nugget: http://blogs.zdnet.com/security/?p=2894, which reports that the vulnerability is now being exploited in the wild…

Now, typically, if an exploit this old were to hit a company’s servers I would fully blame the IT Ninja for not patching their systems, and I would mock them mercilessly. In this case, however, the vendor sat on the report and never shipped a patch at all…and now the crackers (lately I have started calling them pirates, because the whole Pirates versus Ninjas thing is just too good to ignore) have started taking advantage of the situation…

Of course, working for Tripwire, I loved this part of the article:

  • The story started more or less like hundreds of recently seen incidents. A web application had a vulnerability that allowed a remote attacker to upload files to the server. As the files were not validated, the attacker was able to upload a .NET webshell. This webshell is known as ASPXSpy; it’s an ASPX program that allows easy control over the compromised server. The attacker can now upload files through the browser and execute them.
  • However, the attacker still does not have total control over the server, as the IIS service runs under an unprivileged account. This is where the local privilege escalation vulnerability comes into play. The attackers uploaded a local exploit called Churrasco2. This is a PoC created by the well-known researcher Cesar Cerrudo and published back in October 2008. What makes it even worse is that it works on both Windows Server 2008 and Server 2003. The exploit creates a backdoor shell after it steals the SYSTEM token. The program’s usage description says it all:

Well…these are exactly the sorts of things Tripwire Enterprise’s change auditing and configuration assessment capabilities are designed to catch: a new .aspx file appearing in a web root, an unexpected executable landing on the server, a configuration changing without a ticket. So take heed, Ninjas…in the eternal fight against the pirate who would plunder your data, Tripwire’s enhanced file integrity monitoring will ride to the rescue…(am I mixing too many metaphors here?).

Well anyway…we would (and should) be one of the layers of defense that help you find that binary landing on your system without your knowledge. Note that file integrity monitoring does not stop the upload or the privilege escalation; it tells you, after the fact and with a known-good baseline to compare against, that something changed that you did not change. Without that baseline, looking for one extra file in a web root would be like finding a needle in a needlestack…ok…I really need to get off the cliché wagon…
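To make the detection side concrete, here is an added example (mine, not Tripwire’s code and not anything from the ZDNet article) of the baseline-and-compare check a file integrity monitor performs against a web root. It hashes every file once to build a baseline, then re-scans and reports added, removed and modified files, flagging any new or changed file with a server-side script or executable extension. The demo simulates the incident described above: a clean web root is baselined, then a stand-in for an ASPXSpy-style webshell and a stand-in for a Churrasco2-style exploit binary are dropped in and web.config is edited. All paths, file names and file contents below are constructed for the demo; the extension list is my own assumption about what should never appear in a web root without a change ticket.

```python
"""Minimal file-integrity baseline/compare for a web root (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption for this example: server-side handlers and native executables
# should never show up in a web root without an approved change.
SUSPICIOUS_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx",
                         ".exe", ".dll", ".bat", ".ps1"}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large uploads do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each file (path relative to root, '/'-separated) to (sha256, size, mode)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.stat()
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            result[rel] = (sha256_file(p), st.st_size, st.st_mode & 0o777)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; 'flagged' is the subset an analyst should look at first."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    flagged = sorted(p for p in added + modified
                     if Path(p).suffix.lower() in SUSPICIOUS_EXTENSIONS)
    return {"added": added, "removed": removed,
            "modified": modified, "flagged": flagged}


def demo() -> dict:
    """Baseline a constructed web root, simulate the intrusion, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "Default.aspx").write_text('<%@ Page Language="C#" %>\n<html>clean</html>\n')
        (root / "web.config").write_text("<configuration/>\n")
        (root / "uploads" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        baseline = snapshot(root)

        # Attacker activity, as constructed stand-ins (not real samples):
        # a webshell dropped through the unvalidated upload, a local exploit
        # binary pushed through the webshell, and a config edit.
        (root / "uploads" / "shell.aspx").write_text('<%@ Page Language="C#" %> <!-- webshell stand-in -->\n')
        (root / "uploads" / "churrasco2.exe").write_bytes(b"MZ" + b"\x00" * 62)
        (root / "web.config").write_text("<configuration><system.web/></configuration>\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In practice the baseline would be stored off-host (an attacker with a SYSTEM token can rewrite a local baseline), the scan would run on a schedule or on file-system change notifications, and the flagged list would feed the same place your logs go so the new .aspx can be correlated with the upload request that created it.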

Don’t forget to follow my tweets…I am theorrminator.

  • Reza

    Hi, I have the same problem. Any news? I can't prevent this rootkit. I need help… Best regards

  • You may need to check to see whether or not Microsoft has released a patch by now. Of course, you can do other things to mitigate the risk by continuously monitoring the integrity of the files on the server and capturing log data and correlating the information against other sources using our new product Tripwire Log Center…