lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <00a901c357fc$84662e50$bf6b9e89@dks>
From: dksaarth at unix.za.net (Richard Spiers)
Subject: RE: DCOM Exploit MS03-026 attack vectors

Hey hey guys. I believe it has something to do with CIS.
"COM Internet Services Proxy (a feature that is part of Windows 2000 that
allows a server to accept DCOM requests tunneled over HTTP)"

"The list of supported transports is as follows:

Local RPC      ncalrpc
TCP/IP         ncacn_ip_tcp
SPX            ncacn_spx
Named pipes    ncacn_np
NetBIOS        netbios
VINES IP       ncacn_vns_spp

It is not, however, documented in any of Microsoft's resources, that Outlook
can use another RPC transport, ncacn_http"

It's not enabled by default; however, in theory this makes whatever port the
server is configured to run it on vulnerable. Hope someone else can clear
this up further.


----- Original Message ----- 
From: "Jasper Blackwell" <jasper599@...mail.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Friday, August 01, 2003 7:50 AM
Subject: [Full-Disclosure] RE: DCOM Exploit MS03-026 attack vectors


> Hi All,
>
> >Microsoft owns up to the exploit being usable on 135, 139 and 445, I have
> >heard rumors of port 80 being vulnerable as well. I was curious as to
> >whether anyone had seen anything using a port other than 135? Everything I
> >have seen discussed here and elsewhere has been 135 specific.
> >
> >Thanks,
> >
> >Paul Tinsley
>
> I have no more information as yet, except to say that I saw someone asking a
> similar question somewhere else and they asked whether the RPC_CONNECT
> method could be used in HTML to spread this. Now I am not an HTML programmer,
> let alone a C programmer, so I have no idea whether that is feasible or not.
> However I would be very interested if it is, as it could make a big
> difference to all of us. So any of the more knowledgeable people out there,
> is there any way that comes to mind that this exploit could work over port
> 80? What about other programs that use DCOM and listen on other ports, are
> they vulnerable in theory? Would it require entirely new exploit code for
> each package/port to be exploited?
>
> By the way I am not asking for an exploit, I am neutral in the whole debate,
> just someone who knows what they are talking about to give us an idea of
> whether this thing is ever going to work over ports other than 135.
>
> Jasp
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
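An added example, not code from this thread or from any of its posters: every transport in Richard's list carries the same DCE RPC PDUs, so for a plain TCP port the direct way to answer "does RPCSS answer here?" is to send a bind for an interface it is known to host and decode the bind_ack or bind_nak. The script below builds that 72-byte bind, parses the reply, and ships a constructed bind_ack (not captured from a real host) so the parser runs offline. It defaults to the endpoint mapper interface, which RPCSS registers on TCP 135; host, port and interface UUID are parameters, and the real-network probe is only reached from the command line. Scope is ncacn_ip_tcp only: on 139/445 the same PDUs travel inside an SMB named-pipe session, and ncacn_http first needs the RPC proxy handshake, so a raw bind on those ports says nothing either way.

```python
"""Probe whether a TCP port speaks raw DCE RPC (ncacn_ip_tcp) by sending a
bind PDU for a chosen interface and decoding the bind_ack / bind_nak.
Added illustration for the MS03-026 "which ports" discussion; not from the
original post."""
import socket
import struct
import sys
import uuid

# NDR 2.0 transfer syntax, negotiated by every Microsoft RPC endpoint.
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
NDR_VERSION = (2, 0)
# Endpoint mapper interface, hosted by RPCSS and always present on TCP 135.
EPM_IFACE = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")
EPM_VERSION = (3, 0)

PTYPE_BIND, PTYPE_BIND_ACK, PTYPE_BIND_NAK = 11, 12, 13
RESULT_NAMES = {0: "acceptance", 1: "user_rejection",
                2: "provider_rejection", 3: "negotiate_ack"}


def _syntax(iface, version):
    # Interface UUID in DCE (mixed-endian) byte order + u16 major / u16 minor.
    return iface.bytes_le + struct.pack("<HH", *version)


def _header(ptype, body_len, call_id):
    # rpc_vers 5, minor 0, ptype, flags FIRST|LAST, little-endian data rep,
    # frag_length, auth_length 0, call_id.
    return struct.pack("<BBBBIHHI", 5, 0, ptype, 0x03, 0x10, 16 + body_len, 0, call_id)


def build_bind(iface=EPM_IFACE, version=EPM_VERSION, call_id=1):
    """Return a 72-byte DCE RPC bind PDU with one presentation context."""
    body = struct.pack("<HHI", 5840, 5840, 0)   # max_xmit, max_recv, assoc_group
    body += struct.pack("<BBH", 1, 0, 0)         # n_context_elem + reserved
    body += struct.pack("<HBB", 0, 1, 0)         # ctx id 0, one transfer syntax
    body += _syntax(iface, version) + _syntax(NDR_SYNTAX, NDR_VERSION)
    return _header(PTYPE_BIND, len(body), call_id) + body


def parse_bind_response(data):
    """Decode a bind_ack or bind_nak. For bind_ack returns the secondary
    address (the server's endpoint string) and one (result, reason) per
    presentation context."""
    if len(data) < 16 or data[0] != 5:
        raise ValueError("not a DCE RPC v5 PDU")
    ptype = data[2]
    frag_len = struct.unpack_from("<H", data, 8)[0]
    if len(data) < frag_len:
        raise ValueError("truncated PDU")
    if ptype == PTYPE_BIND_NAK:
        reason = struct.unpack_from("<H", data, 16)[0]
        return {"ptype": "bind_nak", "reject_reason": reason}
    if ptype != PTYPE_BIND_ACK:
        return {"ptype": ptype}
    addr_len = struct.unpack_from("<H", data, 24)[0]
    sec_addr = data[26:26 + addr_len].rstrip(b"\0").decode("ascii", "replace")
    off = (26 + addr_len + 3) & ~3               # p_result_list is 4-byte aligned
    n_results = data[off]
    off += 4                                     # n_results + reserved bytes
    results = []
    for _ in range(n_results):
        result, reason = struct.unpack_from("<HH", data, off)
        results.append((RESULT_NAMES.get(result, str(result)), reason))
        off += 24                                # result, reason, transfer syntax
    return {"ptype": "bind_ack", "sec_addr": sec_addr, "results": results}


def probe(host, port, iface=EPM_IFACE, version=EPM_VERSION, timeout=3.0):
    """Send a bind over plain TCP and decode the reply (ncacn_ip_tcp only)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_bind(iface, version))
        data = s.recv(4096)
    return parse_bind_response(data)


def sample_bind_ack():
    """Constructed reply, not captured from a real host: RPCSS-style
    bind_ack on endpoint "135" accepting the single context with NDR 2.0."""
    body = struct.pack("<HHI", 5840, 5840, 0x1234)
    body += struct.pack("<H", 4) + b"135\0"      # sec_addr "135"
    body += b"\0" * (-len(body) % 4)             # align p_result_list
    body += struct.pack("<BBH", 1, 0, 0)         # one result
    body += struct.pack("<HH", 0, 0) + _syntax(NDR_SYNTAX, NDR_VERSION)
    return _header(PTYPE_BIND_ACK, len(body), 1) + body


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:
        print(parse_bind_response(sample_bind_ack()))
```

Run it as `python probe.py <host> 135` to see what a live endpoint mapper answers; with no arguments it decodes the constructed reply. A bind_ack whose result is "acceptance" means the interface is bound on that port; a bind_nak or a provider_rejection means DCE RPC is there but not that interface, and a TCP reset or non-RPC bytes means the port is not a raw RPC transport at all.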

