| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3F44ADF3.D399D794@itsec-ss.nl> Date: Thu, 21 Aug 2003 13:33:07 +0200 From: Abe <abe@...ec-ss.nl> To: bugtraq@...urityfocus.com Subject: Remote MS03-026 vulnerability detection Hi, Lately, I've been trying to find a way to detect whether a host is vulnerable to the MS RPC issue fixed by MS03-026. This detection should be possible remotely, without registry access and without disrupting services. I have discovered that, when multiple "RemoteActivation Requests" are send to the target system, the delays between the requests and the replies vary. After running multiple tests, I have found that, on patched W2k systems, there is a very distinct pattern in the delays between a RemoteActivation request and reply. Example: Delay 1: 0.002550 seconds Delay 2: 0.000305 Delay 3: 0.002438 Delay 4: 0.000301 Delay 5: 0.002458 Delay 6: 0.000307 On an unpatched system, the pattern is much more irregular: Delay 1: 0.002298 seconds Delay 2: 0.000687 Delay 3: 0.002254 Delay 4: 0.002833 Delay 5: 0.005187 Delay 6: 0.000663 Has anyone else found this? Could this be used as a way to detect whether a system is patched or not? Does anyone know of another way to detect this? Regards, Abe ITsec Security Services
Powered by blists - more mailing lists