lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <005601c34cb0$561eccc0$3df3200a@amer.cisco.com>
Date: Thu, 17 Jul 2003 15:11:09 -0700
From: "Kirby Kuehl" <kkuehl@...co.com>
To: "'Todd Sabin'" <tsabin@...or.bindview.com>
Cc: <bugtraq@...urityfocus.com>, <vulnwatch@...nwatch.org>
Subject: [VulnDiscuss] RE: Re: [LSD] Critical security vulnerability in Microsoft Operating Systems


Definitely not trying to advertise, but in this case I do think this is
relevant.

If anyone is interested, Winfingerprint has had an RPC enumeration
option since 0.5.5. 
I do recommend that people try out the new 0.5.9pre1 rather that 0.5.8
though. 
If you are unfamiliar, it will also show Service Pack and Hotfix level
among other things.

http://winfingerprint.sourceforge.net

Kirby Kuehl


-----Original Message-----
From: Todd Sabin [mailto:tsabin@...or.bindview.com] 
Sent: Thursday, July 17, 2003 2:05 PM
To: Last Stage of Delirium
Cc: bugtraq@...urityfocus.com; secure@...rosoft.com;
vulnwatch@...nwatch.org
Subject: [VulnWatch] Re: [LSD] Critical security vulnerability in
Microsoft Operating Systems


Last Stage of Delirium <contact@...-pl.net> writes:

> Hello,
>
> We have discovered a critical security vulnerability in all recent 
> versions of Microsoft operating systems. The vulnerability affects 
> default installations of Windows NT 4.0, Windows 2000, Windows XP as 
> well as Windows 2003 Server.
>
> This is a buffer overflow vulnerability that exists in an integral 
> component of any Windows operating system, the RPC interface 
> implementing Distributed Component Object Model services (DCOM). In a 
> result of implementation error in a function responsible for 
> instantiation of DCOM objects, remote attackers can obtain 
> unauthorized access to vulnerable systems. [...]

I think it's worth mentioning that Microsoft's advisory on this issue is
incorrect in stating that the only attack vector is port 135.  The
vulnerability lies in one of the RPC interfaces that the endpoint
mapper/RPCSS services.  As such, it is accessible over any RPC protocol
sequence that the endpoint mapper listens on.  That includes:

o ncacn_ip_tcp :  TCP port 135
o ncadg_ip_udp :  UDP port 135
o ncacn_np     :  \pipe\epmapper, normally accessible via SMB null
                  session on TCP ports 139 and 445
o ncacn_http   : if active, listening on TCP port 593.

Finally, if ncacn_http is active, and COM Internet Services is installed
and enabled, which is NOT the default in any configuration I'm aware of,
then you can also talk to the endpoint mapper over port 80.  Just to be
clear, I think this is a very uncommon scenario, but the possibility
does exist.

So if you want to be completely safe, block UDP 135, TCP 135, 139, 445,
and 593.  And make sure you don't have COM Internet Services running.

-- 
Todd Sabin
<tsabin@...online.net>
BindView RAZOR Team
<tsabin@...or.bindview.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ