[<prev] [next>] [day] [month] [year] [list]
Message-ID: <63991.67.68.179.142.1059320634.squirrel@webmail.catholic.org>
From: fulldisclosure at catholic.org (fulldisclosure@...holic.org)
Subject: DCOM RPC exploit (dcom.c)
24 hours after sending the code to the list, I still beleive it was the
right thing to do, being already published on the web (metasploit.com) and
refered to in news article (news.com). From then, it was only a matter of
hours until someone spill the beans to a mailling list, as I did.
the 2 weeks "grace" period being too short makes no real difference in the
outcome, microsoft products need to be constantly updated,and thats a
fact. People hit by slammer last year had plenty of time (6 month) to
patch their system, working exploit code was available from the begining
thru cnhonker.com to exploit MS02-039 month before slammer speaded on the
web, result ? most of MSSQL servers on the net were still vulnerable when
the public exploit became so "mainstream" that someone wrote a worm for
it.
Code being availlable to exploit a vuln is only a matter of time, sometime
days (latest cisco vuln) and sometime weeks (webdav)... but history has
proven us that even with a 6 month "grace" period, many systems remain
vulnerable.
If it wasnt of that necessary evil that fulldisclosure is, we would still
be running vulnerable version of sendmail with the WIZ command enable by
defalut. (doh)
Matt LaFlamme
FD supporter
Georgi Guninski wrote:
> Chris Paget wrote:
>
>> Personally, I'm tempted to set up my firewall to NAT incoming requests
on port
>> 135 to either www.metasploit.com or www.xfocus.org. I know this is the
>> full-disclosure list, but working exploit code for an issue this huge
is taking
>> it a bit far, especially less than 2 weeks after the advisory comes out.
>>
>
> IMHO releasing the exploit is ethical and legal.
> The root of the problem is m$, they should take responsibility for the
worms.
> IIRC the m$ EULA states something like "the product is not fit for any
purpose". So the exploit is consistent with the m$ EULA, I can't
understand why you whine.
> btw, Terry Pratchett has very good writings on IT EULA's and practices -
check "Good Omens" and a disc world book mentioning a disorganizer.
>
> georgi
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-----------------------------------------
This email was sent using FREE Catholic Online Webmail.
http://webmail.catholic.org/
Powered by blists - more mailing lists