Three years ago, a vulnerability was discovered that to this very day systems still fall victim to.
The vulnerability is a flaw in the Windows Server Service that when a specially crafted RPC request was sent could allow remote code executions.
This vulnerability affected Windows 2000, XP, Server 2003, Vista, and server 2008 and has been assigned CVE-2008-4250.
(http://twitpic.com/6t1xhz picture from Mubix)
From systems buried in corporate environments, to others just sitting there on the internet waiting to be compromised, this vulnerability just doesn’t want to die.
Why aren’t they patched yet? Let’s look at the simple math of patching a large corporate environment.
If a large corporation has 10,000 systems that can be affected by MS08-078, and all but 1 percent are patched, that leaves 100 systems vulnerable.
A corporation might not even be able to patch this issue depending on what legacy equipment is being used or depending on the size of the environment they may not even know the systems are vulnerable.
Relying on anti-virus (a/v) to protect the system is just not enough. Metasploit, which is commonly used to exploit this vulnerability, has some of the best a/v avoidance encoding around. The only solutions are to patch and protect sensitive ports.
As a Penetration Tester, this vulnerability is sought out because it is highly reliable and very low risk. As an attacker, the simple fact is the attack still works. The vulnerability was widely used in conjunction with the conficker worm, which affected more than seven million systems.
This vulnerability is loved by Penetration Testers and hackers so much that during Derbycon an actual birthday party was thrown. The vulnerability even got a birthday cake as seen below. Finally, I would like to wish MS08-067 a personal happy birthday; may you have three more years in you.
Cross-posted from blog.securestate.com