Message-ID: <00a901c357fc$84662e50$bf6b9e89@dks>
From: dksaarth at unix.za.net (Richard Spiers)
Subject: RE: DCOM Exploit MS03-026 attack vectors
Hey hey guys. I believe it has something to do with CIS.

"COM Internet Services Proxy (a feature that is part of Windows 2000 that
allows a server to accept DCOM requests tunneled over HTTP)"

"The list of supported transports is as follows:

Local RPC     ncalrpc
TCP/IP        ncacn_ip_tcp
SPX           ncacn_spx
Named pipes   ncacn_np
NetBIOS       netbios
VINES IP      ncacn_vns_spp

It is not, however, documented in any of Microsoft resources, that Outlook
can use another RPC transport, ncacn_http"

It's not enabled by default; however, in theory this makes whatever port the
server is configured to run it on vulnerable. Hope someone else can clear
this up further.

----- Original Message -----
From: "Jasper Blackwell" <jasper599@...mail.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Friday, August 01, 2003 7:50 AM
Subject: [Full-Disclosure] RE: DCOM Exploit MS03-026 attack vectors
> Hi All,
>
> >Microsoft owns up to the exploit being usable on 135, 139 and 445, I have
> >heard rumors of port 80 being vulnerable as well. I was curious as to
> >whether anyone had seen anything using a port other than 135? Everything I
> >have seen discussed here and elsewhere has been 135 specific.
> >
> >Thanks,
> >
> >Paul Tinsley
>
> I have no more information as yet, except to say that I saw someone asking a
> similar question somewhere else and they asked whether the RPC_CONNECT
> method could be used in HTML to spread this. Now I am not an HTML programmer
> let alone a C programmer so I have no idea whether that is feasible or not.
> However I would be very interested if it is as it could make a big
> difference to all of us. So any of the more knowledgeable people out there,
> is there any way that comes to mind that this exploit could work over port
> 80? What about other programs that use DCOM and listen on other ports, are
> they vulnerable in theory? Would it require entirely new exploit code for
> each package/port to be exploited?
>
> By the way I am not asking for an exploit, I am neutral in the whole debate,
> just someone who knows what they are talking about to give us an idea of
> whether this thing is ever going to work over ports other than 135.
>
> Jasp