Kaspersky Threats

Class

Platform

Description

Technical Details

Beavuh is a malware exploit of the so-called MS IIS “.printer” vulnerability, which is described by Microsoft in the “Security Bulletin MS01-23”,released May 1, 2001.

The MS01-23 Security Bulletin can be viewed at the following location:

www.microsoft.com/technet/security/bulletin/ms01-023.asp

This exploit program gives remote access to a simple Windows NT command shell on the target machine. Beavuh was recently reported (on March 2nd, 2002) to have been used in a large number of hacking attempts.

The exploit program has the following parameters:

a destination IP address

a destination port number

an IP address/port to which the exploiting code will connect back with the command shell.

The remote exploit code gets executed on the target machine if the IIS vulnerability was not previously patched. The code is encrypted so it will first proceed to decrypt itself, and then it will scan the system memory for the Windows NT library (“kernel32.dll”). From there it will acquire the ‘offset’ of the ‘GetProcAddress’ function and will further use it to obtain a couple of other API addresses, both from “kernel32.dll” and “wsock32.dll”.

Next Beavuh connects to the address specified by the attacker, launches the executable “cmd.exe” and links the input and output of the command shell to the socket opened to the attacker’s control machine.

Recommendations
Due to the prevalence of this exploit, we recommend system administrators patch any vulnerable IIS servers as soon as possible. Also, installing the KL ISAPI AV filter provides a generic means of blocking IIS buffer overflow exploits, including this one. For more details, please check:

www.kasperskey.com/support.html?chapter=47

Class	Exploit
Platform	IIS
Description	Technical Details Beavuh is a malware exploit of the so-called MS IIS “.printer” vulnerability, which is described by Microsoft in the “Security Bulletin MS01-23”,released May 1, 2001. The MS01-23 Security Bulletin can be viewed at the following location: www.microsoft.com/technet/security/bulletin/ms01-023.asp This exploit program gives remote access to a simple Windows NT command shell on the target machine. Beavuh was recently reported (on March 2nd, 2002) to have been used in a large number of hacking attempts. The exploit program has the following parameters: a destination IP address a destination port number an IP address/port to which the exploiting code will connect back with the command shell. The remote exploit code gets executed on the target machine if the IIS vulnerability was not previously patched. The code is encrypted so it will first proceed to decrypt itself, and then it will scan the system memory for the Windows NT library (“kernel32.dll”). From there it will acquire the ‘offset’ of the ‘GetProcAddress’ function and will further use it to obtain a couple of other API addresses, both from “kernel32.dll” and “wsock32.dll”. Next Beavuh connects to the address specified by the attacker, launches the executable “cmd.exe” and links the input and output of the command shell to the socket opened to the attacker’s control machine. Recommendations Due to the prevalence of this exploit, we recommend system administrators patch any vulnerable IIS servers as soon as possible. Also, installing the KL ISAPI AV filter provides a generic means of blocking IIS buffer overflow exploits, including this one. For more details, please check: www.kasperskey.com/support.html?chapter=47

Exploit.IIS.Beavuh

Technical Details