Date: Tue, 22 Jul 2003 13:15:12 -0700
From: Last Stage of Delirium <contact@...-pl.net>
To: Todd Sabin <tsabin@...or.bindview.com>
Cc: bugtraq@...urityfocus.com, <secure@...rosoft.com>,
   <vulnwatch@...nwatch.org>
Subject: Re: [LSD] Critical security vulnerability in Microsoft Operating
 Systems



Hello,

We confirm the existence of the following RPC attack vectors pointed out
by Todd Sabin with regard to the vulnerability described in MS03-026.
These are respectively:

- ncacn_np:\pipe\epmapper
- ncadg_ip_udp:135
- ncacn_ip_tcp:135
- ncacn_http:593

This means that at least:
- UDP port 135,
- TCP ports 135, 139, 445 and 593 can be used as remote attack vectors.

The possibility of using ncacn_http (and TCP port 80) for the purpose
of launching a remote attack depends on whether COM Internet Services
are enabled for DCOM on a Windows Server running IIS (as far as we know
they are not enabled by default).

Best Regards,
Members of LSD Research Group
http://lsd-pl.net


On Thu, 17 Jul 2003, Todd Sabin wrote:

>
> I think it's worth mentioning that Microsoft's advisory on this issue
> is incorrect in stating that the only attack vector is port 135.  The
> vulnerability lies in one of the RPC interfaces that the endpoint
> mapper/RPCSS services.  As such, it is accessible over any RPC
> protocol sequence that the endpoint mapper listens on.  That includes:
>
> o ncacn_ip_tcp :  TCP port 135
> o ncadg_ip_udp :  UDP port 135
> o ncacn_np     :  \pipe\epmapper, normally accessible via SMB null
>                   session on TCP ports 139 and 445
> o ncacn_http   : if active, listening on TCP port 593.
>
> Finally, if ncacn_http is active, and COM Internet Services is
> installed and enabled, which is NOT the default in any configuration
> I'm aware of, then you can also talk to the endpoint mapper over port
> 80.  Just to be clear, I think this is a very uncommon scenario, but
> the possibility does exist.
>
> So if you want to be completely safe, block UDP 135, TCP 135, 139, 445,
> and 593.  And make sure you don't have COM Internet Services running.
>
> --
> Todd Sabin                                          <tsabin@...online.net>
> BindView RAZOR Team                            <tsabin@...or.bindview.com>
>
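
Added example (not part of either message above): a host audit that maps the endpoint mapper protocol sequences listed in this thread to listening sockets in `netstat -an` output and reports the ones bound to a non-loopback address. The netstat sample is constructed, and the function and variable names are illustrative assumptions. The port 80 / COM Internet Services case is not covered, since a listener on port 80 alone says nothing about it.

```python
import re

# (transport, port) -> RPC protocol sequence, as listed in the thread above.
EPMAPPER_VECTORS = {
    ("UDP", 135): "ncadg_ip_udp",
    ("TCP", 135): "ncacn_ip_tcp",
    ("TCP", 139): "ncacn_np (\\pipe\\epmapper via SMB)",
    ("TCP", 445): "ncacn_np (\\pipe\\epmapper via SMB)",
    ("TCP", 593): "ncacn_http",
}

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:593          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        198.51.100.7:50211     ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:500            *:*
"""

# proto, local address, local port, foreign address, optional state (TCP only)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def exposed_vectors(netstat_text):
    """Return sorted (proto, port, address, sequence) tuples for listeners on
    the endpoint mapper ports that are bound to a non-loopback address."""
    findings = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unrelated line
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # UDP rows carry no state column, so only TCP is filtered
        key = (proto, int(port))
        if key not in EPMAPPER_VECTORS:
            continue
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback-only listener is not remotely reachable
        findings.add((proto, int(port), addr, EPMAPPER_VECTORS[key]))
    return sorted(findings)


if __name__ == "__main__":
    for proto, port, addr, seq in exposed_vectors(SAMPLE_NETSTAT):
        print(f"{proto}/{port} on {addr}: {seq}")
```

An empty result from the host is only half the check; the same port list still has to be blocked at the network boundary, as the quoted message recommends.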


