lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <Pine.GSO.4.43.0307270351310.21048-100000@tundra.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: RE: DCOM RPC exploit 

On Sun, 27 Jul 2003 Valdis.Kletnieks@...edu wrote:

> On Sat, 26 Jul 2003 23:49:05 PDT, "Steve W. Manzuik" said:
>
> > A worm exploiting this might happen, but is it really that big of a deal?
>
> Compare the number of boxes that have the bug Slapper exploited with the number
> of boxes that have DCOM open to the world....
>
> When I hear that a worm's finally been spotted,  I'm yanking my laptop off the
> net and going home - and it's a Linux box.  I'm just expecting to not get any
> useful connectivity for a while.
>
> And of course, anybody who's got half a clue and writes a worm is going to have
> it drop off a trojan/backdoor... And then those boxes get used as spam relays,
> front-end boxes for porn websites, keyboard sniffers, etc etc.  Gonna take a
> LONG time to clean that mess up.
>
> Hell, we're *still* seeing Code Red traffic.  And what we've *NOT* seen in the
> last 2 years is a CERT advisory of this magnitude against a Microsoft product
> that didn't spawn a "Holy Shit" scale worm.
>

	[SNIP]

Yet, this only further shows that much more risk mitigation up front is in
what's allowed to pass to and from the network, not to mention better
install/config defaults, which should be the basis for machines added to
the network.  Patching, at least getting the vast majority patched, long
after an event, even trying to clue in the admins and upstream providers, is
ineffective, at least at the rate that patches and updates and the great
numbers of application/addon/trinket replacements of known bad code arrive *after*
the m$-laden admins have to maintain them...

The whole concept of RPC has been an issue across platforms in the various
degrees of implementation, calling for either uninstalling it or filtering traffic to
dangerous protocols like this.  We block port 111 and associated ports by
default; why would 135 not be in the mix?  This is not the first RPC or
DCOM issue in the not-too-distant past in this OS; there is a history that
should guide one dealing with perimeters as well as admin, install, etc., if
security is part of the company culture/environment/policy.

Thanks,


Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
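As an added example of the perimeter filtering argued for above (this is not code from the original message or from anyone in the thread): a POSIX shell script that emits iptables rules for a Linux border firewall dropping port 111 (Sun RPC portmapper) and port 135 (Microsoft RPC endpoint mapper) in both directions, plus a rate-limited LOG rule on outbound hits so an already-infected internal host scanning outward shows up in the logs. The external interface name, the INPUT/FORWARD chain layout, and the log prefix are assumptions; on a firewall with a default-deny policy these explicit drops would be redundant, which is the point being made.

```shell
#!/bin/sh
# Added example, not from the original message. Assumes a Linux host acting
# as the border firewall with iptables installed, external interface given
# as $1 (default eth0). Ports: 111 = sunrpc portmapper, 135 = MS RPC
# endpoint mapper. Prints the rules; review them, then pipe to `sh` as root.

rpc_perimeter_rules() {
    ext_if=${1:-eth0}
    for port in 111 135; do
        for proto in tcp udp; do
            # Inbound from the outside world: traffic routed through us and
            # traffic aimed at the firewall itself both get dropped.
            printf 'iptables -A FORWARD -i %s -p %s --dport %s -j DROP\n' \
                "$ext_if" "$proto" "$port"
            printf 'iptables -A INPUT -i %s -p %s --dport %s -j DROP\n' \
                "$ext_if" "$proto" "$port"
            # Outbound towards the outside world: log (rate-limited) and drop,
            # so an internal box that starts scanning for this port is visible
            # in the firewall log rather than spreading the problem upstream.
            printf 'iptables -A FORWARD -o %s -p %s --dport %s -m limit --limit 5/min -j LOG --log-prefix "rpc-perimeter: "\n' \
                "$ext_if" "$proto" "$port"
            printf 'iptables -A FORWARD -o %s -p %s --dport %s -j DROP\n' \
                "$ext_if" "$proto" "$port"
        done
    done
}

# Sanity check before applying: how many rules mention a given port?
# Expect 8 per port (2 protocols x [FORWARD in, INPUT, LOG out, DROP out]).
count_rules_for_port() {
    rpc_perimeter_rules "$1" | grep -c -- "--dport $2 "
}

# Usage: rpc_perimeter_rules eth0 | sh    (as root, after reviewing the output)
```

The rules drop rather than reject so that a scanner learns nothing from the response; the LOG rule sits before the outbound DROP because the interesting signal at a perimeter is an internal host that has begun looking for port 135 on the outside, not the inbound noise.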


