Virus.Org IT Security News and Information Portal. We offer the latest IT security news, updates, product reviews, books, and articles for all you IT security professionals out there. Enter and get the best IT security information on the Internet.

 
. Welcome to the Virus.Org Mailing List Archive  
.
.


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


RE: Command Line RPC vulnerability scanner?
.

  • To: <[EMAIL PROTECTED]>
  • Subject: RE: Command Line RPC vulnerability scanner?
  • From: "Chris" <[EMAIL PROTECTED]>
  • Date: Fri, 1 Aug 2003 15:54:40 -0700
  • In-reply-to: <[EMAIL PROTECTED]>
.
 
Wow the below is scary.
 
Does this imply some combo of DCOM cfg settings can re expose you after the
patch ?
 
Does this imply that some machines, ones with DCOM disabled, are still vun
after patching ?
 
Maybe this might explain how some machines are not responding the same to
the exploit, ie rebooting.
 
Does some one have a fast, down and dirty link to how to properly secure
DCOM objects. What's funny is im scared to alter the settings fearing I may
re expose myself. I want to secure my DCOM objects and I have not seen a
hardening guide or paper that covers dcom fully.
 
Of course I sit happily behind a firewall :)
 
Still.... The below is pretty scary news.

-----Original Message-----
From: Makoto Shiotsuki [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 31, 2003 9:17 PM
To: [EMAIL PROTECTED]
Subject: Re: Command Line RPC vulnerability scanner?


>
>http://www.iss.net/support/product_utilities/ms03-026rpc.php
>
>Be sure to read the page.  It isn't 100% accurate.
>

Scanms returns wrong answer when you disabled DCOM on the target box.
(run dcomcnfg, uncheck the "Enable Distributed COM on this computer"
checkbox)

  Target: Windows 2000 Pro SP4 with MS03-026 patch (Japanese version)

  Case A: "Enable Distributed COM on this computer" is checked

    D:\>scanms 192.168.183.129
    --- ScanMs Tool --- (c) 2003 Internet Security Systems ---
     Scans for systems vulnerable to MS03-026 vuln
     More accurate for WinXP/Win2k, less accurate for WinNT
     ISS provides no warrantees for any purpose
     Use at own risk. Runs best from WinXP.
    IP Address              REMACT  SYSACT  DCOM Version
    -----------------------------------------------------
    192.168.183.129         [ptch]  [ptch]  5.6

  Case B: "Enable Distributed COM on this computer" is un-checked

    D:\>scanms 192.168.183.129
    --- ScanMs Tool --- (c) 2003 Internet Security Systems ---
     Scans for systems vulnerable to MS03-026 vuln
     More accurate for WinXP/Win2k, less accurate for WinNT
     ISS provides no warrantees for any purpose
     Use at own risk. Runs best from WinXP.
    IP Address              REMACT  SYSACT  DCOM Version
    -----------------------------------------------------
    192.168.183.129         [VULN]  [VULN]  5.6

I've already notified ISS X-Force of this issue.

Makoto Shiotsuki

---------------------------------------------------------------------------
----------------------------------------------------------------------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------
 
.
.
 
Copyright (c) Virus.Org 1997-2006.
All Trademarks Acknowledged.
Please view our Terms and Conditions and our Privacy Policy.