MS15-002 was one of the more interesting patches this month. As such, we spent quite a bit of time on it. But alas, it appears as though a pretty thorough analysis has already been posted at WooYun (http://drops.wooyun.org/papers/4621) which mostly aligns with our analysis of the issue.
We believe this issue to be difficult to exploit but pretty easy to detect. Our (ugly) internal detection script can be grabbed from here for anyone who might find it useful: http://pastebin.com/aTxca42w
Please note that this script IS NOT SAFE and running it against a target multiple times will exhaust the telnet server's maximum connections (as defined in Software\Microsoft\TelnetServer\1.0\MaxConnections) and require restarting the telnet service.
Scott Lang, Sr. Director, Product Marketing at BeyondTrust
Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.
