| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: security at brvenik.com (Jason) Subject: DCOM RPC exploit (dcom.c) The war begins... I'm not going to debate the release of code with anyone. Simply put, best practices should have mitigated this in a huge way from the beginning. All of the remaining threat should have been tested and patched by now. Now to the points you make. Chris Paget wrote: > Len, > > IMHO there's a difference between "security through obscurity" and posting > working exploit code. Knowing that there is a vulnerability in DCOM, accessible > over a range of RPC mechanisms (primarily 135/tcp) is all that most > administrators need to know. It's one thing knowing that you can kill a person > with a gun, and it's another to give away firearms. RPC services have been a risk forever. Knowing that the majority of clients do not use DCOM, an RPC service, is all that the administrators needed to know. Do you build a *nix system and leave all(any) RPC services enabled? ** DCOM should have been disabled for 99% of the systems they have. ** > > Scanners are good; I agree they give out more information than an advisory, but > it's still a step away from giving the kiddies a tool. Those in the know will > always be able to write an exploit from minimal details; whether or not the > pre-pubescent h4xx0rs get hold of it is another matter though. I would rather have a pre-pubescent cracker knocking on the door with a published sploit that I was forced to patch against any day when compared to the 1337 h4x0r w17h 4 g04l and the funding to achieve it. Ohhh, now we are going to complain about having to put in all those extra hours and spend all that overtime money. Umm, be happy you still have a job. ** Far too many people wait to patch until there is "published" exploit code. ** > > Different people will have differing opinions on how much information and what > kind of disclosure policy is acceptable; for me, working exploit code so soon > after the advisory is just irresponsible. Jihad, count me out. > > As for the <2 week "grace period", it's not enough. What if the patch is > broken in some way? It was rushed out the door by Microsoft; how many admins > wait a month before applying a patch, just to see if anyone else has problems > with it? I've just finished an audit on a multinational manufacturing company; > the exploit code came out before they'd patched. How many other companies are > in the same boat? Sorry, no sympathy here. ** If you have assets worth protecting you hire people who are capable of protecting them. ** Here are some parting questions: * How many of the systems in your typical multinational organization require the use of DCOM? ( slim to none? ) * How many of the systems that require DCOM need rpc exposed to everyone? ( slim to none? ) * How many of the systems exposed to everyone have weak administrative passwords? ( nearly all? ) * How many of the systems vulnerable internally would have been protected by an IPS if it had a way of protecting? ( slim to none? ) * How many of the systems vulnerable internally are protected with an IDS? ( slim to none? ) * How many of the systems vulnerable from the internet are implemented and administered by an MCSE or equivelant? ( nearly all? ) > > I agree, exploit code may force people to patch, but that's not sufficient > justification in my book. > > Chris > And some random thoughts. * I am still a firm believer in the ability of the human race to learn by making mistakes. ( it can be fun ) * I do not believe that those mistakes need not remove you from the human race. ( it should be fun if it does ) * I like beer! 1 l0v3 s3x! * These are my opinions and not those of my employer. * It is like shock and awe all over again... ONLY IT IS BETTER AND JUSTIFIED!!! * I have a clue stick, need a whack?
Powered by blists - more mailing lists