Home page logo

bugtraq logo Bugtraq mailing list archives

Remote MS03-026 vulnerability detection
From: Abe <abe () itsec-ss nl>
Date: Thu, 21 Aug 2003 13:33:07 +0200


Lately, I've been trying to find a way to detect whether a host is
vulnerable to the MS RPC issue fixed by MS03-026. This detection should
be possible remotely, without registry access and without disrupting

I have discovered that, when multiple "RemoteActivation Requests" are
send to the target system, the delays between the requests and the
replies vary. After running multiple tests, I have found that, on
patched W2k systems, there is a very distinct pattern in the delays
between a RemoteActivation request and reply. Example:

Delay 1: 0.002550 seconds
Delay 2: 0.000305
Delay 3: 0.002438
Delay 4: 0.000301
Delay 5: 0.002458
Delay 6: 0.000307

On an unpatched system, the pattern is much more irregular:

Delay 1: 0.002298 seconds
Delay 2: 0.000687
Delay 3: 0.002254
Delay 4: 0.002833
Delay 5: 0.005187
Delay 6: 0.000663

Has anyone else found this? Could this be used as a way to detect
whether a system is patched or not? Does anyone know of another way to
detect this?



ITsec Security Services

  By Date           By Thread  

Current thread:
  • Remote MS03-026 vulnerability detection Abe (Aug 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]