Full Disclosure: Re: RE: DCOM Exploit MS03-026 attack vectors

Re: RE: DCOM Exploit MS03-026 attack vectors

From: Richard Spiers <dksaarth_at_unix.za.net>
Date: Fri, 1 Aug 2003 09:14:15 +0200

Hey hey guys. I believe it has something to do with CIS.
"COM Internet Services Proxy (a feature that is part of Windows 2000 that
allows a server to accept DCOM requests tunneled over HTTP)"

"The list of supported transports is as follows:

Local RPC      ncalrpc
TCP/IP         ncacn_ip_tcp
SPX            ncacn_spx
Named pipes    ncacn_np
NetBIOS        netbios
VINES IP       ncacn_vns_spp

It is not, however, documented in any of Microsoft resources, that Outlook
can use another RPC transport, ncacn_http"

It's not enabled by default; however, in theory this makes whatever port the
server is configured to run it on vulnerable. Hope someone else can clear
this up further.

----- Original Message -----
From: "Jasper Blackwell" <jasper599_at_hotmail.com>
To: <full-disclosure_at_lists.netsys.com>
Sent: Friday, August 01, 2003 7:50 AM
Subject: [Full-disclosure] RE: DCOM Exploit MS03-026 attack vectors

> Hi All,
>
> >Microsoft owns up to the exploit being usable on 135, 139 and 445, I have
> >heard rumors of port 80 being vulnerable as well. I was curious as to
> >whether anyone had seen anything using a port other than 135? Everything I
> >have seen discussed here and elsewhere has been 135 specific.
> >
> >Thanks,
> >
> >Paul Tinsley
>
> I have no more information as yet, except to say that I saw someone asking a
> similar question somewhere else and they asked whether the RPC_CONNECT
> method could be used in HTML to spread this. Now I am not an HTML programmer,
> let alone a C programmer, so I have no idea whether that is feasible or not.
> However I would be very interested if it is, as it could make a big
> difference to all of us. So any of the more knowledgeable people out there,
> is there any way that comes to mind that this exploit could work over port
> 80? What about other programs that use DCOM and listen on other ports, are
> they vulnerable in theory? Would it require entirely new exploit code for
> each package/port to be exploited?
>
> By the way I am not asking for an exploit, I am neutral in the whole debate,
> just someone who knows what they are talking about to give us an idea of
> whether this thing is ever going to work over ports other than 135.
>
> Jasp
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Aug 01 2003
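As an added example (not code from the thread or from Microsoft), a small Python helper that parses Windows RPC string bindings of the form `[ObjUuid@]ProtSeq:NetworkAddr[Endpoint]` and, using the protocol-sequence list quoted in the message above, flags the bindings that carry RPC over HTTP, which is what the port-80 question in this thread comes down to. The sample bindings, addresses and the helper's names are constructed for illustration, not captured from a real endpoint mapper.

```python
"""Classify RPC string bindings by transport and flag HTTP tunnelling.

Windows RPC string bindings look like
    [ObjUuid@]ProtSeq:NetworkAddr[Endpoint,Option...]
The protocol-sequence table is the one quoted in the thread; the sample
bindings at the bottom are constructed, not real endpoint-map output.
"""
import re

# Protocol sequences named in the thread, mapped to the transport they carry.
PROTSEQ_TRANSPORT = {
    "ncalrpc": "Local RPC",
    "ncacn_ip_tcp": "TCP/IP",
    "ncacn_spx": "SPX",
    "ncacn_np": "Named pipes",
    "netbios": "NetBIOS",
    "ncacn_vns_spp": "VINES IP",
    "ncacn_http": "RPC over HTTP (CIS tunnelling)",
}

_BINDING_RE = re.compile(
    r"^(?:(?P<uuid>[0-9a-fA-F-]{36})@)?"   # optional object UUID
    r"(?P<protseq>[a-z_]+):"               # protocol sequence
    r"(?P<addr>[^\[]*)"                    # network address (may be empty)
    r"(?:\[(?P<endpoint>[^\],]*)(?:,(?P<options>.*))?\])?$"
)

def parse_binding(binding):
    """Return a dict describing one string binding, or None if it does not parse."""
    m = _BINDING_RE.match(binding.strip())
    if not m:
        return None
    protseq = m.group("protseq")
    return {
        "uuid": m.group("uuid"),
        "protseq": protseq,
        "transport": PROTSEQ_TRANSPORT.get(protseq, "unknown"),
        "address": m.group("addr"),
        "endpoint": m.group("endpoint"),
        # The thread's concern: DCOM reachable over HTTP, not only 135/139/445.
        "http_tunnelled": protseq == "ncacn_http",
    }

def http_exposed_bindings(bindings):
    """Keep only the bindings that tunnel RPC over HTTP (ncacn_http)."""
    parsed = (parse_binding(b) for b in bindings)
    return [p for p in parsed if p and p["http_tunnelled"]]

# Constructed sample endpoint-map output; 192.0.2.10 is a documentation address.
SAMPLE_BINDINGS = [
    "ncacn_ip_tcp:192.0.2.10[135]",
    "ncacn_np:\\\\SERVER[\\pipe\\epmapper]",
    "ncacn_http:192.0.2.10[593]",
    "ncalrpc:[epmapper]",
]
```

Feeding the strings an endpoint-map dump lists into `http_exposed_bindings` gives an inventory of where a host accepts RPC over HTTP, which is the exposure to review before trusting that blocking 135, 139 and 445 at the perimeter is sufficient.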
