lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3F4F8278.9030303@nur.net>
From: jeremiah at nur.net (Jeremiah Cornelius)
Subject: Authorities eye MSBlaster suspect

morning_wood wrote:

>It seems to me that it is each admins responsiblity, if
>they were affected ( infected ) not the coder. if this were the case the
>LastStage(of)Delerium would be the blamed party for developing and releasing the
>exploit, but alas.. they are not of USA orgin.
>
LSD presumably developed an exploit internally - never released anything 
but a high-level white paper on the vulnerability in concurrent time 
with the MS KB and patch.

It was the Chinese group that released the first exploit.  Followed with 
an improved version in precompiled form from various sources.  - Donnie, 
you were one of the first posters of the .exe to this list I think!

A pretty complete timeline of the public life of this vulnerability 
until the first worm:

** 2003 Evolution of DCOM-RPC Exploit * *
 
For 16 days before the MSBlaster worm made its debut, semi-skilled 
attackers were
already able to use this vulnerability at will.
 
*Timeline:*
** 
*July 16*
 
Microsoft Security Bulletin MS03-026
MS Announces bulletin and availability of patches for vulnerability 
discovered by LSD,
a Security Research group in Poland.
 
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/M 
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp>S03-026.asp 
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp>
 
LSD makes public announcement of vulnerability, after withholding 
disclosure on
agreement with Microsoft. The group witholds their exploit code, due to 
the serious
implications of this as an exploit.  A whitepaper on the vulnerability 
is publicly
released this day.
 
http://lsd-pl.net/special.html
 
Announcement of the DCOM-RPC vulnerability is widely distributed in the 
security and
blackhat communities, including the Full-Disclosure mailing list.
 
*July 17*
 
Official CERT advisory CA-2003-16 is published, formalizing the issue as 
CERT VU#568148.
 
http://www.cert.org/advisories/CA-2003-16.html
 
The Mitre Corp CVE is updated to include this vulnerability as CVE 
candidate CAN-2003-0352.
 

Network Associates makes their first published bulletin on DCOM-RPC
 
http://vil.nai.com/vil/content/v_100499.htm
 
Symantec provides an advisory
 
http://www.symantec.co.uk/avcenter/security/Content/8205.html
 

*July 18 - 24*
 
Discussion of possible methods for exploiting DCOM-RPC vulnerability 
circulates on
numerous public discussion boards and mailing lists.  Initial 
non-functional
proof-of-concept code appears by various authors on the Full Disclosure 
mailing list.
 
*July 21*
 
Early, working exploits are publicly leaked by various parties, and 
circulate on mailing lists.
 
http://lists.netsys.com/pipermail/full-disclosure/2003-July/006851.html
 
*July 25*
 
A working exploit for DCOM-RPC is published for general availability by 
Xfocus Team, a "grayhat" research group in the People's Republic of 
China.  Analysis of the exploit with working code is published on their 
site.
 
http://www.cert.org/advisories/CA-2003-16.html
 

The Xfocus exploit is refined by HD Moore of the Metasploit Project - as 
dcom.c This is the first exploit to give an attacker a working, remote 
command shell with escalated privileges against multiple versions of 
Windows. Code is published.
 
http://www.metasploit.com/tools/dcom.c
 
http://news.com.com/2100-1002_3-5055759.html?tag=fd_top
 
http://lists.netsys.com/pipermail/full-disclosure/2003-July/007092.html
 
*July 26*
 
Compiled, 'ready to run' versions of the Metasploit dcom.c code are made 
available on the Internet.
 
http://lists.netsys.com/pipermail/full-disclosure/2003-July/007103.html
 
http://illmob.org/rpc/
 
*July 31*
 
Stanford University has several networks penetrated by hostile 
attackers, probably making use of the Metasploit version of this 
exploit.  Approximately 2000 individual computers were compromised.
 
http://securecomputing.stanford.edu/alerts/windows-rpc-update-5aug2003.html
 
Concurrent attacks, of similar severity and breadth are announced by MIT 
and UC Berkeley.  CERT adds an advisory based on exploit and 
denial-of-service activity.
 
http://www.cert.org/advisories/CA-2003-19.html
 
*August 11*
 
MSBlaster (W32/Lovesan.worm) makes its first public appearance, adding 
unaided - self-replicating exploitation of vulnerable hosts.
 
http://www.trusecure.com/knowledge/hypeorhot/2003/tsa03011.shtml
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
http://vil.nai.com/vil/content/v_100547.htm

-- 
Jeremiah Cornelius, CISSP, CCNA, MCSE
farm9.com Security

"Administration for Windows networks is similar to maintaining a 12-year 
old GM Truck.  Brand new, W2K+3 already has 190K miles of wear."



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ