Exploit Code For Stuxnet’s Unpatched Target Goes Public

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved,

Exploit code for one of the zero-day vulnerabilities exploited by Stuxnet has been posted online

Exploit code for one of the zero-day vulnerabilities exploited by the Stuxnet worm has made its way online. There is still no patch currently available for the flaw, though Microsoft said one is forthcoming.

The code exploits a Windows Task Scheduler vulnerability and can be used to escalate privileges. The exploit code was added to the Exploit Database operated by Offensive Security.

Attackers Must Already Have Access

“Microsoft is aware of the public posting of the details of an elevation of privilege vulnerability used by the Stuxnet malware,” Jerry Bryant, group manager of Response Communications at Microsoft, said in a statement. “We first discussed this vulnerability in September 2010. Because this is a local elevation of privilege issue, it requires attackers to be already able to execute code on a targeted machine. A bulletin addressing this issue will be released as part of our regular monthly bulletin cycle in the near future.”

The vulnerability was one of four zero-days used by the malware in its bid to compromise industrial control systems. The three others have all been patched since the worm was discovered this summer.

Researchers have spent the last several months trying to get to the bottom of the Stuxnet worm. Just recently, Symantec reported evidence that it targets frequency converter drives used to control the speed of motors and that the actual goal of the worm may be to disrupt nuclear programmes. In particular, speculation has focused on Iran as a possible target, as it has been the site of many of Stuxnet’s infections.

Among the other zero-days Stuxnet has been observed using are the .LNK shortcut vulnerability, patched in August; a vulnerability in the Windows Print Spooler service (MS10-061), patched in September; and another privilege escalation issue (MS10-073), patched in a massive update in October.

Early versions of the worm also spread without a vulnerability at all; instead abusing Windows’ AutoRun feature to compromise machines through infected USB devices.