Message-ID: <1063244795.8155.25.camel@martini>
From: jade.deane at riven.net (Jade E. Deane)
Subject: [inbox] RE: MS03-039 has been released - critical

On a somewhat related note, although a tad off-topic...

I'm curious as to how some of you using IDS are capturing sessions that
don't make it past the first line of defense packet filtering.

I have an IDS on a spanned port of a packet filter, which only allows
established traffic in.  Obviously I'd never see these RPC related
exploits due to the fact I'll only log and capture the first SYN.  Often
thought about the use of netcat or something, but staying WAY away from
a true administrative nightmare of a honeypot.

Would love any advice/suggestions off-list.

Regards,
Jade

On Wed, 2003-09-10 at 18:55, Exibar wrote:
> Sounds good to me, I've already given my IDS guy the details that you've
> posted and he's going to write his IDS rules by them.
> 
>   No problem here :-)
> 
>   Exibar
> 
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Marc
> Maiffret
> Sent: Wednesday, September 10, 2003 6:26 PM
> To: Peter Kruse; 'Mike Tancsa'; 'Exibar';
> full-disclosure@...ts.netsys.com
> Subject: [inbox] RE: [Full-Disclosure] MS03-039 has been released -
> critical
> 
> 
> Hi,
> 
> Just to cut off any stupid debate, that I promise anyone stepping to will
> lose... ;-) Giving details of where a flaw is does not make exploits/worms
> happen any more often. The "bad guys" do not need details in order to write
> exploits and worms. That is apparent when you look at the first RPC flaw and
> how NO details were released yet an exploit and worm were. However, with
> details, we can all audit our networks for the flaws, to know systems we
> need to fix, and setup IDS/IPS systems to monitor for attackers, whereas we
> couldn't without details. Also, we can check to make sure vendors did not
> (yet again) screw up and release a patch that does not truly fix a system.
> 
> Signed,
> Marc Maiffret
> Chief Hacking Officer
> eEye Digital Security
> T.949.349.9062
> F.949.349.9538
> http://eEye.com/Retina - Network Security Scanner
> http://eEye.com/Iris - Network Traffic Analyzer
> http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
> 
> | -----Original Message-----
> | From: full-disclosure-admin@...ts.netsys.com
> | [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Peter Kruse
> | Sent: Wednesday, September 10, 2003 2:20 PM
> | To: 'Mike Tancsa'; 'Exibar'; full-disclosure@...ts.netsys.com
> | Subject: SV: [Full-Disclosure] MS03-039 has been released - critical
> |
> |
> | Hi,
> |
> | > "The new DoS vulnerability was disclosed by a hacking group
> | > in China on July 25, 2003, and functional exploit code is
> | > already in use on the Internet. "
> |
> | This is well known. However it's not the BoF exploit.
> |
> | Yet again, the detailed advisory from Eeye makes it fairly easy to write
> | a working exploit. Although I haven't seen a PoC yet I would expect it
> | to be release shortly. It's a bit harder to exploit than the previous
> | RPC Dcom weakness but it's certainly possible.
> |
> | Please note that Eeye has already released an update for Retina Security
> | Scanner and I suppose every script kid, cracker or hacker should be able
> | to sniff to code from Retina going to a remote vulnerable host. You
> | think? CHAM, yeah?
> |
> | I suggest we update RPC - again.
> |
> | Med venlig hilsen // Kind regards
> |
> | Peter Kruse
> | Kruse Security
> | http://www.krusesecurity.dk
> |
> |
> | _______________________________________________
> | Full-Disclosure - We believe in it.
> | Charter: http://lists.netsys.com/full-disclosure-charter.html
> |
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-- 

PGP Public Key:  http://www.riven.net/~moose/key.asc
Key fingerprint = C497 1FEC 6FC4 6896 6AB5  9A26 71DF 521B 0612 D1B8
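Added example, not part of this thread or of any poster's tooling: the situation Jade describes (IDS on a span port behind a filter that admits only established traffic, so an inbound exploit attempt shows up as a single dropped SYN per target) still yields a usable detection signal if those SYNs are aggregated by source. The script below parses a constructed, simplified SYN log format (a real packet filter's log line will differ) and flags sources that hit RPC ports on several distinct hosts within a short window. The port set (135, 139, 445, 593) is the usual DCOM/RPC set and is an assumption of the example, as is the threshold.

```python
"""Flag RPC port sweeps in SYN-only packet-filter logs.

Behind a packet filter that admits only established traffic, an IDS on a
span port sees just the first SYN of each inbound attempt. No payload is
ever captured, so signature matching is impossible; what remains is the
pattern of dropped SYNs, which this example aggregates per source.
"""
import re
from collections import defaultdict
from datetime import datetime

# TCP ports reached for by DCOM/RPC exploit traffic (assumption for this example).
RPC_PORTS = {135, 139, 445, 593}

# Constructed log format for this example; a real filter's LOG line differs.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SYN "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<action>DROP|ACCEPT)$"
)

# Constructed sample log: one fast sweep, one slow probe, one unrelated accept,
# and a malformed line that the parser must skip.
SAMPLE_LOG = """\
2003-09-10 18:55:01 SYN 198.51.100.7:4100 -> 192.0.2.10:135 DROP
2003-09-10 18:55:02 SYN 198.51.100.7:4101 -> 192.0.2.11:135 DROP
2003-09-10 18:55:03 SYN 198.51.100.7:4102 -> 192.0.2.12:445 DROP
2003-09-10 18:55:04 SYN 198.51.100.7:4103 -> 192.0.2.13:135 DROP
2003-09-10 18:55:05 SYN 203.0.113.5:3200 -> 192.0.2.10:135 DROP
2003-09-10 19:10:05 SYN 203.0.113.5:3201 -> 192.0.2.11:135 DROP
2003-09-10 19:25:05 SYN 203.0.113.5:3202 -> 192.0.2.12:135 DROP
2003-09-10 18:56:00 SYN 192.0.2.50:51000 -> 192.0.2.10:80 ACCEPT
this line is not a SYN record
"""


def parse_line(line):
    """Return a dict for a well-formed SYN log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_rpc_sweeps(lines, min_hosts=3, window_seconds=60):
    """Return {src: sorted RPC targets} for every source whose dropped SYNs to
    RPC ports reached at least min_hosts distinct hosts within window_seconds."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP" or rec["dport"] not in RPC_PORTS:
            continue
        by_src[rec["src"]].append((rec["ts"], rec["dst"]))

    sweeps = {}
    for src, events in by_src.items():
        events.sort()  # time order, so a sliding window can be used
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            hosts_in_window = {dst for _, dst in events[start:end + 1]}
            if len(hosts_in_window) >= min_hosts:
                # Report every RPC target this source touched, not just the window.
                sweeps[src] = sorted({dst for _, dst in events})
                break
    return sweeps


if __name__ == "__main__":
    for src, targets in find_rpc_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"RPC sweep from {src}: {len(targets)} hosts -> {', '.join(targets)}")
```

On the sample data only 198.51.100.7 is reported: it touched four hosts within four seconds, whereas 203.0.113.5 spreads three probes over half an hour and only trips the detector if the window is widened. Widening the window or lowering the host count trades fewer missed slow scans for more noise from ordinary Internet background traffic, so tune both against a baseline from your own filter logs.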
