lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20060515193603.19472.qmail@mail.securityfocus.com>
Date: Mon, 15 May 2006 16:01:23 -0400
From: "Maxime Ducharme" <mducharme@...ergeneration.com>
To: "'Nick Boyce'" <nick.boyce@...il.com>,
	<bugtraq@...urityfocus.com>
Subject: RE: Is MS06-018 a DoS or a system compromise ?


 

Hello Nick and people on the list

I have seen 2 servers last month which have been
hacked and actively used to scan TCP 3372 on foreign
IPs

There were servers which had port 3372 accessible
(a firewall rule misconfiguration was making TCP ports
>3000 accessible on the Internet)

I was not able to find any tool which was used to
hack the server on this port, but I think DTC was the culprit.

These servers had also port 53 (DNS) accessible, they
were running win2k with about 3 weeks of patch missing,
no other services were on (no iis, "server" service turned off,
on TCP/IP binded on NIC, ...)

I found tools on the hacked servers : "infoscan.exe" 1.0
from uhhuhy (cnhonker.com), and dfind.exe from class101.org,
and log files of recent scans which were corresponding to the
complaints the server's owner received.

The tools were placed in recycler directory, the hacker seems to
have been able to send commands or get a remote shell.

I'd be interested to hear information about remote code
execution on this port if you find some, these details make
me think a serious problem exists in DTC service.

Thanks and have a nice day

Maxime Ducharme

 

-----Message d'origine-----
De : Nick Boyce [mailto:nick.boyce@...il.com] 
Envoyé : 13 mai, 2006 20:25
À : bugtraq@...urityfocus.com
Objet : Is MS06-018 a DoS or a system compromise ?

There seems to be some confusion in MS Security Bulletin MS06-018,
"Vulnerability in Microsoft Distributed Transaction Coordinator".

The bulletin itself
(http://www.microsoft.com/technet/security/bulletin/ms06-018.mspx)
states :

  "An attacker could cause the Microsoft Distributed
  Transaction Coordinator (MSDTC) to stop responding.
  Note that the denial of service vulnerability would
  not allow an attacker to execute code or to elevate
  their user rights, but it could cause the affected
  system to stop accepting requests."

whereas the linked download pages for both the Win2K and WinXP patches
http://www.microsoft.com/downloads/details.aspx?familyid=8B98F380-0E5C-4B80-
9710-95E1B35AFD83&displaylang=en
http://www.microsoft.com/downloads/details.aspx?familyid=D80B43B2-727B-46B6-
82D1-F2CBD916FE32&displaylang=en
state :

  "A security issue has been identified in the
  Microsoft Distributed Transaction Controller
  service that could allow an attacker to compromise
  your Windows-based system and gain control over it."

The related McAfee advisory
(http://seclists.org/lists/bugtraq/2006/May/0215.html) states :

  "Exploitation can at most lead to a denial of service
  and therefore the risk factor is at medium."

so I guess DoS is what it is ... but it would still be nice if someone
in the know could confirm the download pages are wrong .... anyone
from Microsoft here ?

Cheers
Nick Boyce
-- 
One way to make your old car run better is to look up the
price of a new model.



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ