Re: Alert: Microsoft Security Bulletin - MS03-039
From: Marc Maiffret (marc@EEYE.COM)
Date: Thu Sep 11 2003 - 21:11:35 CDT
| -----Original Message-----
| From: Windows NTBugtraq Mailing List
| [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of James Foster
| Sent: Thursday, September 11, 2003 1:12 PM
| To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
| Subject: Re: Alert: Microsoft Security Bulletin - MS03-039
| Clarification of points:
| -Foundstone Enterprise, FS 1000, Managed Service, and Foundstone
| Professional are all accurate
| -Microsoft's tool appears to be inaccurately identifying Windows 9x
| boxes as vulnerable
| -eEye's tool appears to be dropping hosts on large network scans
Thank you for the note on our tool. We have had over 250 thousand downloads
and have not had any reports of dropping hosts. We went ahead though and
redid our QA process to verify our tool against systems and other tools to
make sure we were working accurately and non-intrusively. We were not able
to reproduce any bugs within our tool. However, if anyone is experiencing
any problems, please feel free to contact info@eeye.com.
Also, in our testing we did not experience Microsoft's tool having the bugs
pointed out above. We believe those bugs to be fixed in their latest
versions. It was their older versions that had more problems.
We did however find a problem in your latest free Foundstone tool (Version
2.00, at 7:06pm PDT) on auditing Windows NT 4.0 systems. We thought we would
include some technical information here of why your tool might be failing to
correctly identify NT 4.0 systems, rather than just leave it as a vague
statement of "you have a bug".
The Foundstone scanner tries all the right UUIDs to figure out if a machine
is 9x/Me or NT-family, but a false positive issue with NT4 machines still
exists because of the format of the REMACT packet being used to detect the
vulnerability. It turns out that NT4 machines don't like the old-style
packet (the style that XFocus used in their original exploit), but if you
generate a packet from scratch using the same CoGetInstanceFromFile()
technique you describe in "your" MS03-039 advisory, you should arrive at a
smaller and much simpler packet that works cross-version. Obviously we could
be mistaken in understanding why your tool is broken on NT4.0, so you'll
have to do a bit more QA yourselves.
As you're no doubt aware, sniffing the traffic from the Retina DCOM scanning
tool will provide all the necessary example packets.
| Can't speak for products, just the free tools. Check out Foundstone
| Labs' advisory on details of the CoGetInstanceFromFile prototype if you
| are interested in creating a packet for yourself using the supplied
| Microsoft API.
| -Kudos to Barns for finding the bug.
| James C. Foster
| Director, Research and Development
| Foundstone, Inc.
| Strategic Security
| 949.297.5600 Tel
| 949.463.3373 Mobile
| 949.297.5575 Fax
| http://www.foundstone.com
Again, we are committed to accuracy, so if anyone finds any problems with our
free tools, please contact info@eEye.com with exact tool version numbers and
as much detailed information as possible.
Co-Founder/Chief Hacking Officer
eEye Digital Security
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities