Trend Micro ServerProtect Scans
by Jose Nazario

Woke up this morning to see a dramatic rise in TCP port 5168 scans. Various people are abuzz trying to figure out what malware is behind this. At present it seems to be a botnet causing all of the havoc. You can see that it’s mainly Chinese hosts doing the work around this.
Right now there’s some debate as to what the vulnerability is. Earlier this week a pair of vulnerabilities were found:
CVE-2007-4219
Summary: Integer overflow in the RPCFN_SYNC_TASK function in StRpcSrv.dll, as used by the ServerProtect service (SpntSvc.exe), in Trend Micro ServerProtect for Windows before Security Patch 4 allows remote attackers to execute arbitrary code via a certain integer field in a request packet to TCP port 5168, which triggers a heap-based buffer overflow.
Published: 8/22/2007
CVSS Severity: 9.3 (High)

CVE-2007-4218
Summary: Multiple buffer overflows in the ServerProtect service (SpntSvc.exe) in Trend Micro ServerProtect for Windows before Security Patch 4 allow remote attackers to execute arbitrary code via certain RPC requests to certain TCP ports that are processed by the (1) RPCFN_ENG_NewManualScan, (2) RPCFN_ENG_TimedNewManualScan, and (3) RPCFN_SetComputerName functions in (a) StRpcSrv.dll; the (4) RPCFN_CMON_SetSvcImpersonateUser and (5) RPCFN_OldCMON_SetSvcImpersonateUser functions in (b) Stcommon.dll; the (6) RPCFN_ENG_TakeActionOnAFile and (7) RPCFN_ENG_AddTaskExportLogItem functions in (c) Eng50.dll; the (8) NTF_SetPagerNotifyConfig function in (d) Notification.dll; or the (9) RPCFN_CopyAUSrc function in the (e) ServerProtect Agent service.
Published: 8/22/2007
CVSS Severity: 9.3 (High)
But this doesn’t appear to be either one. Instead it appears to be an older vulnerability:
CVE-2007-1070
Summary: Multiple stack-based buffer overflows in Trend Micro ServerProtect for Windows and EMC 5.58, and for Network Appliance Filer 5.61 and 5.62, allow remote attackers to execute arbitrary code via crafted RPC requests to TmRpcSrv.dll that trigger overflows when calling the (1) CMON_NetTestConnection, (2) CMON_ActiveUpdate, and (3) CMON_ActiveRollback functions in (a) StCommon.dll, and (4) ENG_SetRealTimeScanConfigInfo and (5) ENG_SendEMail functions in (b) eng50.dll.
Published: 2/21/2007
CVSS Severity: 10.0 (High)
We’re investigating further and hope to have an answer for you soon. We’re pounding the pavement looking for more details.
UPDATED: We’re seeing this thing slowly spread. First it was just China with a few hosts in the US. Then Korea appeared. Now Chile and Indonesia, too. It’s hard to say if those are infected boxes starting to scan or if those are attackers jumping on the bandwagon.
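One way a network defender would spot the activity described above is to look for single sources sending TCP SYNs to port 5168 on many distinct hosts. The following is an added example, not code from the original post or from Arbor: it parses a few constructed flow-log lines (the line layout, the addresses and the threshold of three distinct targets are all assumptions) and reports the sources that qualify as horizontal scanners of the ServerProtect port, with the time each was first seen, so the spread noted in the update can be tracked.

```python
"""Flag horizontal TCP/5168 scanning in flow records.

Added example for illustration; not code from the original post.
The log format below is constructed, and the scan threshold is an assumption.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SERVERPROTECT_PORT = 5168  # TCP port used by Trend Micro ServerProtect RPC

# Constructed sample flows: "<ts> <src>:<sport> -> <dst>:<dport> <proto> <flags>"
# 203.0.113.10 sweeps five hosts; 198.51.100.7 retries one host; others are noise.
SAMPLE_FLOWS = """\
2007-08-24T06:01:02 203.0.113.10:4021 -> 192.0.2.5:5168 TCP S
2007-08-24T06:01:02 203.0.113.10:4022 -> 192.0.2.6:5168 TCP S
2007-08-24T06:01:03 203.0.113.10:4023 -> 192.0.2.7:5168 TCP S
2007-08-24T06:01:03 203.0.113.10:4024 -> 192.0.2.8:5168 TCP S
2007-08-24T06:01:04 203.0.113.10:4025 -> 192.0.2.9:5168 TCP S
2007-08-24T06:01:05 198.51.100.7:51000 -> 192.0.2.5:5168 TCP S
2007-08-24T06:01:06 198.51.100.7:51001 -> 192.0.2.5:5168 TCP S
2007-08-24T06:01:07 192.0.2.20:33000 -> 192.0.2.5:443 TCP S
2007-08-24T06:01:08 malformed line that should be skipped
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<flags>\S+)$"
)


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    flags: str


def parse_flows(text):
    """Parse the constructed flow format; junk lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append(Flow(m["ts"], m["src"], m["dst"], int(m["dport"]),
                          m["proto"], m["flags"]))
    return flows


def find_port_scanners(flows, port=SERVERPROTECT_PORT, min_targets=3):
    """Return {src: {"first_seen": ts, "targets": [dst, ...]}} for every source
    whose bare SYNs (no ACK) to `port` reached at least `min_targets` distinct
    hosts. A host hammering one target repeatedly is not counted as a sweep.
    """
    targets = defaultdict(set)
    first_seen = {}
    for f in flows:
        is_syn = "S" in f.flags and "A" not in f.flags
        if f.proto == "TCP" and f.dport == port and is_syn:
            targets[f.src].add(f.dst)
            first_seen.setdefault(f.src, f.ts)  # flows are assumed time-ordered
    return {
        src: {"first_seen": first_seen[src], "targets": sorted(dsts)}
        for src, dsts in targets.items()
        if len(dsts) >= min_targets
    }


if __name__ == "__main__":
    for src, info in find_port_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} first seen {info['first_seen']} swept "
              f"{len(info['targets'])} hosts on tcp/{SERVERPROTECT_PORT}")
```

On the sample above only 203.0.113.10 is reported; the source retrying a single host is deliberately ignored, because a sweep across many destinations, not volume to one, is what distinguishes scanning from a noisy but legitimate client.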
