Tuesday, March 2, 2010

The Sudden Reappearance of MS03-039

Last Friday, I got into the office and pulled up my email. Among other things, there was an escalation from Sourcefire's support group, where the customer had alerts on SIDs 15512 and 3397, and they wanted an official opinion from Sourcefire as to whether the alerts they were seeing constituted false positives. Opening up the supplied packet captures, the DCERPC payload in question looked odd at first glance - the string "|CC CC CC CC|" appeared several times in the payload, as did the string "|FF FF FF FF|". Given that 0xCC is the x86 instruction for "INT 3", which causes a debugger trap, and that the value 0xFFFFFFFF is often associated with either buffer or integer overflows, I was immediately suspicious. I also wondered about the fact that the string "MEOW" appeared in the packets - it's an odd string to have in normal traffic, that's for sure.

Unfortunately, the remainder of the payloads did not contain obvious shellcode - no NOP sleds, etc. - so I couldn't just immediately declare these to be real attacks. Since the rules in question detect exploitation of MS03-039 and MS03-026, and I didn't want to unduly alarm the customer - I figured the chances of such old vulnerabilities being actively exploited seemed fairly low - I sent the PCAPs to the remainder of the team, to get an additional set of eyes on them. Within minutes, one of my fellow analysts recognized the payload as something she'd seen previously - based on the string "MEOW" that I had wondered about. I reported back to the customer that this was a live exploit attempt, and that they should immediately begin checking all of the machines in question for infection - particularly since the source IP addresses happened to be within their corporate network.

With that done, I closed the escalation, chuckled to myself about such an old vulnerability remaining unpatched, and put it out of mind; I figured it would be an isolated incident, again given the age of the vulnerability in question.

Much to my surprise, however, another customer escalation came in this afternoon, reporting "hundreds" of alerts on MS03-039-related rules. Opening up their supplied PCAP, I immediately saw all of the same characteristics - strings of "MEOW", "|CC CC CC CC|" and "|FF FF FF FF|". Again, the source host was coming from inside their corporate network, which meant that they had a live attack going on from the inside - seriously bad news.

That said, if you're running Snort for a network where you're not 100% confident that all of your hosts have been patched at least past the end of 2003, I would suggest that you consider enabling the following SIDs, to ensure you're protected from these sorts of attacks:
  • 2252
  • 3158
  • 3159
  • 3397
  • 3398
  • 3409
  • 9422
  • 9423
  • 11073
  • 11074
  • 15512
  • 15513
That, and review your company's patching policy if possible. ;-)
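
An added example, not from the original post or from Sourcefire: a small Python check that reports which of the SIDs listed above are enabled, commented out, or absent in a rules file. It assumes the common convention that a disabled rule is the same rule line behind a leading `#`, and that each rule sits on one line; the sample rules are constructed placeholders, not the real rule text.

```python
import re

# SIDs recommended in the post above.
RECOMMENDED_SIDS = [2252, 3158, 3159, 3397, 3398, 3409,
                    9422, 9423, 11073, 11074, 15512, 15513]

# A rule line is an action keyword, a header and an option block in parentheses.
# Assumption: a disabled rule is that same line behind a leading '#', and
# rules are not split across lines with backslash continuations.
RULE_RE = re.compile(
    r'^\s*(?P<off>#\s*)?(?:alert|drop|log|pass|reject|sdrop)\s'
    r'.*\(.*\bsid\s*:\s*(?P<sid>\d+)\s*;')


def audit_sids(rules_text, wanted=RECOMMENDED_SIDS):
    """Map each wanted SID to 'enabled', 'disabled' or 'missing'."""
    status = {sid: "missing" for sid in wanted}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line, prose comment, or variable definition
        sid = int(m.group("sid"))
        if sid not in status:
            continue  # a rule the post does not mention
        state = "disabled" if m.group("off") else "enabled"
        # An enabled copy anywhere wins over a commented-out copy.
        if status[sid] != "enabled":
            status[sid] = state
    return status


# Constructed sample: headers and options are placeholders, not real rule bodies.
SAMPLE_RULES = """\
# Constructed sample for illustration
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"placeholder A"; sid:3397; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"placeholder B"; sid:15512; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"placeholder C"; sid: 2252; rev:1;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"placeholder D"; sid:9422; rev:1;)
alert tcp any any -> any 80 (msg:"unrelated"; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    for sid, state in audit_sids(SAMPLE_RULES).items():
        print(f"{sid:>6}  {state}")
```

To audit a real deployment, pass the concatenated contents of the rule files your sensor loads to `audit_sids` in place of `SAMPLE_RULES`.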


  1. It's been a while since I did any IDS but I was under the impression that the string "MEOW MARB" was the indicator of this exploit. The "MEOW" string does appear in normal Windows traffic.

  2. http://en.wikipedia.org/wiki/Magic_number_%28programming%29

    "In COM and DCOM marshalled interfaces, called OBJREFs, always start with the byte sequence "MEOW" (4D 45 4F 57). Debugging extensions (used for DCOM channel hooking) are prefaced with the byte sequence "MARB" (4D 41 52 42)."

