|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
RE: Command Line RPC vulnerability scanner?
From: Chris (Security
Xymox1.com)
Date: Fri Aug 01 2003 - 17:54:40 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Wow the below is scary.
Does this imply some combo of DCOM cfg settings can re expose you after the
patch ?
Does this imply that some machines, ones with DCOM disabled, are still vun
after patching ?
Maybe this might explain how some machines are not responding the same to
the exploit, ie rebooting.
Does some one have a fast, down and dirty link to how to properly secure
DCOM objects. What's funny is im scared to alter the settings fearing I may
re expose myself. I want to secure my DCOM objects and I have not seen a
hardening guide or paper that covers dcom fully.
Of course I sit happily behind a firewall :)
Still.... The below is pretty scary news.
-----Original Message-----
From: Makoto Shiotsuki [mailto:shiost.rim.or.jp]
Sent: Thursday, July 31, 2003 9:17 PM
To: incidentssecurityfocus.com
Subject: Re: Command Line RPC vulnerability scanner?
>
>http://www.iss.net/support/product_utilities/ms03-026rpc.php
>
>Be sure to read the page. It isn't 100% accurate.
>
Scanms returns wrong answer when you disabled DCOM on the target box.
(run dcomcnfg, uncheck the "Enable Distributed COM on this computer"
checkbox)
Target: Windows 2000 Pro SP4 with MS03-026 patch (Japanese version)
Case A: "Enable Distributed COM on this computer" is checked
D:\>scanms 192.168.183.129
--- ScanMs Tool --- (c) 2003 Internet Security Systems ---
Scans for systems vulnerable to MS03-026 vuln
More accurate for WinXP/Win2k, less accurate for WinNT
ISS provides no warrantees for any purpose
Use at own risk. Runs best from WinXP.
IP Address REMACT SYSACT DCOM Version
-----------------------------------------------------
192.168.183.129 [ptch] [ptch] 5.6
Case B: "Enable Distributed COM on this computer" is un-checked
D:\>scanms 192.168.183.129
--- ScanMs Tool --- (c) 2003 Internet Security Systems ---
Scans for systems vulnerable to MS03-026 vuln
More accurate for WinXP/Win2k, less accurate for WinNT
ISS provides no warrantees for any purpose
Use at own risk. Runs best from WinXP.
IP Address REMACT SYSACT DCOM Version
-----------------------------------------------------
192.168.183.129 [VULN] [VULN] 5.6
I've already notified ISS X-Force of this issue.
Makoto Shiotsuki
---------------------------------------------------------------------------
----------------------------------------------------------------------------
---------------------------------------------------------------------------
----------------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]