[unisog] CRITICAL: Active exploitation of MS09-039 in the EDU sector

Doug Pearson dodpears at ren-isac.net
Wed Aug 19 13:41:29 GMT 2009

Regarding: Active exploitation of MS09-039 in the EDU Sector
August 18, 2009


On August 11, Microsoft announced Bulletin MS09-039. The two CRITICAL
vulnerabilities reported in MS09-039 can allow unauthenticated remote
code execution on a WINS server - simply by the transmission of a
specially-crafted WINS replication packet. Versions of Windows Server
2000 and 2003 are vulnerable; refer to the MS09-039 bulletin[1].

Often WINS services will be located on the same machine as, and/or
managed under the same administrator credentials, as an institutional or
departmental Active Directory domain. A high risk exists that if WINS is
compromised, an AD compromise is either a short step away, or already
accomplished. A compromised AD server puts every machine and user in the
domain at risk. The only sure way to completely recover from an AD
compromise is to completely rebuild the AD, every machine in the domain,
and have all users change all their passwords.

The vulnerabilities are being actively exploited. We have received
information from a handful of institutions reporting successful WINS
compromises, one of which also involved compromise of a small AD domain.


(1) Ensure MS09-039[1] security updates are installed on all known WINS
servers. The Microsoft Baseline Security Analyzer may assist you in
performing this task.[2][3]


(1) Identify unknown WINS servers on your network by scanning for
machines listening on port TCP/UDP 42. Nmap may assist you in performing
this task.[4]

(2) Use netflow monitoring for inbound and outbound TCP/UDP 42 to
identify suspicious traffic, and potentially compromised machines.

(3) Consider blocking TCP/UDP 42 at the border router or firewall. Be
sure to understand any unintended consequences this may cause your
institution. For example you would want to create exceptions for any
external WINS replication partners.

(4) Leverage host-based firewalls on WINS servers to restrict TCP/UDP 42
to WINS replication partners.


(1) Do not solely rely on border router or firewall blocks, as
successful WINS server compromises have been seen originating from
inside the organization.

REN-ISAC is monitoring and analyzing attacks in the EDU sector. If
you've been attacked and have useful information to share, or if you've
experienced a compromise, please let us know, at soc @ ren-isac . net

If you have questions or concerns, please contact us.


Doug Pearson
Technical Director, REN-ISAC
24x7 Watch Desk +1(317)278-6630

REN-ISAC membership: http://www.ren-isac.net/membership.html


[1] MS09-039

[2] Microsoft Baseline Security Analyzer

[3] How To: Use the Microsoft Baseline Security Analyzer

[4] Nmap ("Network Mapper")


More information about the unisog mailing list