Full Disclosure mailing list archives
RE: DCOM RPC exploit (dcom.c)
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Mon, 28 Jul 2003 09:49:09 -0500
-----Original Message----- From: Robert Wesley McGrew [mailto:rwm8 () CSE MsState EDU] Sent: Monday, July 28, 2003 3:01 AM To: full-disclosure () lists netsys com Subject: Re: [Full-disclosure] DCOM RPC exploit (dcom.c) 1) How would you propose to change the scene/industry/community of security in such a way that would prevent the public release of exploit code like this?
I don't think you *can* change it. People are going to release exploit code. It's that simple. I *do* think we have to find a way to pressure vendors into doing a better job of auditing their code and out-of-the-box configurations (Microsoft being the absolute worst at both), but I'm not convinced lawsuits are the answer. As has been pointed out, that could work to the commercial vendors' advantage and kill open source development.
2) For this DCOM RPC problem in particular, everyone's talking about worms. How would the worm know what return address to use? Remote OS fingerprinting would mean it would be relatively large, slow, and unreliable (compared with Slammer), and sticking with one would cause more machines to just crash than to spread the worm. I haven't looked into this very closely yet to see if it can be generalized.
What fingerprinting? If you've got 135/UDP open to the Internet, you're screwed. Slammer didn't fingerprint. It simply hit every box it could find on port 1434/UDP, and the exploit either worked or it didn't. Most worms do the same. They attack indiscriminately, and infect those Oses that are susceptible. And with Windows, that's enough boxes to cause a real problem. Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Re: DCOM RPC exploit (dcom.c), (continued)
- Re: Re: DCOM RPC exploit (dcom.c) CHeeKY (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Justin Shin (Jul 27)
- Re: DCOM RPC exploit (dcom.c) tcpdumb (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Nick FitzGerald (Jul 27)
- Re: Re: DCOM RPC exploit (dcom.c) Dan Stromberg (Jul 28)
- Re: DCOM RPC exploit (dcom.c) Curt Purdy (Jul 31)
- RE: DCOM RPC exploit (dcom.c) Ron DuFresne (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Robert Wesley McGrew (Jul 28)
- RE: DCOM RPC exploit (dcom.c) gml (Jul 28)
- Re: DCOM RPC exploit (dcom.c) Valdis . Kletnieks (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Marc Maiffret (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Ron DuFresne (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Admin GSecur (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Nick FitzGerald (Jul 28)
