RE: DCOM RPC exploit as a virus/trojan?
From: Michael B. Morell (MMorell@vdat.com)
Date: Fri Aug 01 2003 - 22:53:04 CDT
At first glance, when I heard about the ability of this to go over 443/80, I also got really paranoid really quick.

But from the clarification I got from LSD [Last Stage of Delirium] (I had to ask for a better explanation because I was not familiar with the term COM Internet Services and neither were my colleagues, which turned out to be a good thing), COM Internet Services is not something that is enabled by default. (It is not COM+, which one (like I) might get confused about, nor is it a web app running under COM+.)

In fact, you kind of have to jump through hoops to enable the CIS tunneling protocol. First off, by enabling the COM Internet Services Proxy, which is *NOT* enabled by default. After which (next part taken from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/cis.asp):

"To enable CIS on the server, you need to add the Tunneling TCP protocol to the DCOM protocol list. You do this by running DCOMCNFG"

Now I still agree that the patch should be installed, because you never know. My purpose for the post is avoiding confusion about the exploit, and people looking for COM Internet Services not knowing how to turn it off.

Sometimes, though, not knowing what something is can be a good thing. Since I did not know how to turn it on, I was not able to leave the hole open in the first place. Which is what usually counts anyway: not leaving yourself open to begin with.

Just my half cent's worth.

mike
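The configuration Mike describes above (the CIS "Tunneling TCP" transport in the DCOM protocol list, plus the COM Internet Services / RPC-over-HTTP proxy on IIS, which is what makes the 80/443 and 593 exposure in Dimitri's message below relevant) can be audited rather than guessed at. The PowerShell below is an added example written for this archive page; it is not code from the thread and not a Microsoft tool. The registry paths are the ones the RPC service and DCOMCNFG use for the DCOM protocol list and the RPC proxy; the function name, the output property names, the rpcproxy.dll location and the patch KB number are my own choices and assumptions, flagged again in the comments.

```powershell
# Added example, not part of the original thread. Audits a Windows host for
# the things the messages argue about: is the DCOM HTTP tunnelling transport
# (RPC protocol sequence ncacn_http, the "Tunneling TCP/IP" entry in DCOMCNFG)
# in the DCOM protocol list, is the RPC-over-HTTP proxy present on the IIS
# side, and what is actually listening on the ports the thread names.
function Test-DcomHttpExposure {
    [CmdletBinding()]
    param(
        # Ports named in the thread. 80/443 only matter when the proxy exists.
        [int[]] $Ports = @(135, 593, 80, 443)
    )

    $rpcKey   = 'HKLM:\SOFTWARE\Microsoft\Rpc'
    $proxyKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy'

    # 1. DCOM protocol list (REG_MULTI_SZ). DCOMCNFG stores the Default
    #    Protocols tab here; ncacn_http is the tunnelling transport the quoted
    #    MSDN text tells you to add, so its presence is the CIS indicator.
    $protocols = @()
    $item = Get-ItemProperty -Path $rpcKey -Name 'DCOM Protocols' -ErrorAction SilentlyContinue
    if ($item) { $protocols = @($item.'DCOM Protocols') }
    $cisTunneling = $protocols -contains 'ncacn_http'

    # 2. RPC-over-HTTP proxy (the IIS side). Assumption: an RpcProxy key with
    #    Enabled=1, or rpcproxy.dll under System32\RpcProxy, means the proxy
    #    that turns 80/443 into an RPC path has been installed.
    $proxy           = Get-ItemProperty -Path $proxyKey -ErrorAction SilentlyContinue
    $proxyEnabled    = [bool]($proxy -and $proxy.Enabled -eq 1)
    $proxyDll        = Join-Path $env:SystemRoot 'System32\RpcProxy\rpcproxy.dll'
    $proxyDllPresent = Test-Path -Path $proxyDll
    $validPorts      = if ($proxy) { $proxy.ValidPorts } else { $null }

    # 3. Actual listeners. Get-NetTCPConnection needs the NetTCPIP module
    #    (Windows 8 / Server 2012 and later); otherwise parse netstat output.
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
            Where-Object { $Ports -contains $_.LocalPort } |
            ForEach-Object { [int]$_.LocalPort } | Sort-Object -Unique
    } else {
        $listening = netstat -ano | ForEach-Object {
            if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING' -and
                $Ports -contains [int]$Matches[1]) { [int]$Matches[1] }
        } | Sort-Object -Unique
    }
    $listening = @($listening)

    # 4. Patch state. Assumption: the patch the thread refers to is the July
    #    2003 DCOM RPC fix, KB823980 (MS03-026); on old systems the installed
    #    update may be recorded with a Q prefix instead and will not match.
    $patched = [bool](Get-HotFix -Id 'KB823980' -ErrorAction SilentlyContinue)

    # 5. Verdict. The thread's point: 80/443 exposure needs BOTH the tunnelling
    #    transport and the proxy; 135 and 593 are the RPC endpoints themselves.
    [pscustomobject]@{
        DcomProtocols        = $protocols
        CisTunnelingEnabled  = $cisTunneling
        RpcProxyEnabled      = $proxyEnabled
        RpcProxyDllPresent   = $proxyDllPresent
        RpcProxyValidPorts   = $validPorts
        ListeningPorts       = $listening
        ExposedOverHttp      = ($cisTunneling -and ($proxyEnabled -or $proxyDllPresent))
        Endpoint135Listening = ($listening -contains 135)
        Endpoint593Listening = ($listening -contains 593)
        Kb823980Installed    = $patched
    }
}

# Usage: run from an elevated prompt on the host being checked.
Test-DcomHttpExposure | Format-List
```

The script reads registry and socket state only; it changes nothing. If CisTunnelingEnabled is true on a box nobody remembers configuring, the DCOMCNFG step quoted above is the one to reverse.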
-----Original Message-----
From: Dimitri Limanovski [mailto:dlimanov@sct.com]
Sent: Friday, August 01, 2003 11:54 AM
To: Benjamin D. Goldman
Cc: A. Bluecoat; focus-ms@securityfocus.com
Subject: RE: DCOM RPC exploit as a virus/trojan?
Major issue is that not just 135/137/139 are exploitable. Any IIS box with COM Internet Services installed is exploitable over 80/443 (you'll have to modify the exploit for that), and any machine that has RPC over HTTP is exploitable on 593 tcp/udp as well.

As far as a trojaned version, it is a matter of time, as someone said. The Full Disclosure list already posted a working exploit that will try to exploit more than one host at a time. More to follow, I'm sure. Feds agree: <http://www.msnbc.com/news/946460.asp?cp1=1>

Dimitri
From: "Benjamin D. Goldman" <bgoldman@kipany.com>
Sent: 08/01/2003 11:17 AM
To: "A. Bluecoat" <abluecoat@hotmail.com>, <focus-ms@securityfocus.com>
cc:
Subject: RE: DCOM RPC exploit as a virus/trojan?
if you can dream it up, it can be done.
If it can run on UDP - it can be done in such a way that will make it drearily impossible to stop.
-----Original Message-----
From: A. Bluecoat [mailto:abluecoat@hotmail.com]
Sent: Thursday, July 31, 2003 7:58 PM
To: focus-ms@securityfocus.com
Subject: DCOM RPC exploit as a virus/trojan?
Just wondering, a newbie question really; theoretically, could the Microsoft RPC exploit be scripted to work in virus or trojan form?
---------------------------------------------------------------------------
Your network firewall and IDS products do not prevent Web application
attacks - the most common form of online exploitation- resulting in Web
defacement, data theft, sabotage and fraud.
KaVaDo is the only company that provides a complete suite of Web
application security products.
Download a FREE whitepaper on "Security Policy Automation for Web
Applications":http://www.securityfocus.com/Kavado-focus-ms
---------------------------------------------------------------------------