Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
DCOM not disabled on Win2k SP0,1,2
From: Marc Maiffret (marcEEYE.COM)
Date: Tue Aug 12 2003 - 14:28:15 CDT
Thanks much for the eMail Tod. It should be noted that I just spoke to
Microsoft and they can confirm that DCOM does not truly become disabled on
Windows 2000 SP0, SP1, SP2. Even if you set the registry key and restart or
use the DCOM config tool and restart, your still vulnerable to the DCOM bug.
Once again Microsoft confirmed this with me on the phone just a little while
ago. Most of us have been saying this the past few days, or weeks in Tod's
case, but a few people still wanted to hear it from MS themselves that this
information is accurate. It is accurate.
Chief Hacking Officer
eEye Digital Security
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
| -----Original Message-----
| From: Tod Beardsley [mailto:todbplanb-security.net]
| Sent: Tuesday, August 12, 2003 12:32 PM
| To: Marc Maiffret
| Subject: Re: reports of DCOM worm on the loose...Report #4
| You posted on NTBugTraq:
| > DCOM is not "really" disabled and you are still vulnerable. We have
| > seen this with a few customers of ours and also testing in our lab.
| > Anyone else have the same experience?
| Yup. Documented on Jul 28:
| "Oh, and in case you have 1000s of workstations and would prefer to
| simply disable DCOM over RPC (with, say, dcomcnfg.exe), don't bother. I
| tested this today on Windows 2000, and even after disabling, removing
| all permissions, and unbinding all protocols, and reboots in between,
| the target was still plenty exploitable." - Me
| Just in case you're still gathering data points.
| "It's okay to yell 'fire' in a crowded theater
| if the theater is actually on fire."
| Tod Beardsley | www.planb-security.net
Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!
With a growth rate exceeding 110%, the TICSA security practitioner
certification is one of the hottest IT credentials available. And now, for
a limited time, you can save 33% off of the TICSA certification exam! To
learn more about the TICSA certification, and to register as a TICSA
candidate online, just go to