Full Disclosure mailing list archives
Re: DCOM RPC exploit (dcom.c)
From: "CHeeKY" <cheekypeople () sec33 com>
Date: Sun, 27 Jul 2003 09:53:08 +0100
Paul, have you patched against this vulnerability? If so then be cool, most holes work as people didn't follow or have a clear and present patching program. With regards to Slammer, again it was successful due to, as you put it, rogue machines that weren't patched, but that to me was a program that caused the issue. This is a standard port, on my firewall system port 135 isn't open, on a VPN-ed laptop the patch has been released for folk, and laptop firewalls amended. Again we have issue of rogue machine, but that's what I have perimeter defenses for. NAT would effectively kill this exploit, same with sqlhack of old, they may be able to knock at the door, but they can't take the goods back out the way they came...

For the record we stopped Slammer with a patch that we put on 6 months earlier, and thus everyone that had SQL had already been patched through login script, others got the patch through our SMS system as new released patches are tested and integrated as soon as available. I believe it's about approach.

Regards

----- Original Message -----
From: "Paul Schmehl" <pauls () utdallas edu>
To: "Ron DuFresne" <dufresne () winternet com>
Cc: "Chris Paget" <chrisp () ngssoftware com>; "Len Rose" <len () netsys com>; <full-disclosure () lists netsys com>
Sent: Sunday, July 27, 2003 5:20 AM
Subject: Re: [Full-disclosure] DCOM RPC exploit (dcom.c)

On Sat, 2003-07-26 at 22:29, Ron DuFresne wrote:

> I'm just trying to understand how corporate networks would/should be at
> risk with this, why port 135 would not be filtered already limiting
> exposure. Is there a reason why it would not be that I'm missing?

Are you really serious? Recall Slammer? There were networks that were locked down pretty tight. Slammer couldn't get in, right? Then one developer who got his unpatched copy of SQL inside the network, by logging in through VPN with his infected laptop, took the entire network down.

You can't get in to our network on those ports either - unless you're already in. But I can guarantee you that we'll be chasing infected boxes down for days after the worm hits. And we've already patched everything that we could patch. I scan for Slammer every week, because every week someone new decides to install SQL unpatched or some stupid app that has an unpatched copy of MSDE. Now I'll be chasing the RPC worm around too.

You can't firewall 135 inside your network or you'd have no network.

The only reason I read lists like this is because I need to know before it hits what the next stupid exploit is that I have to deal with. And every one is a royal PITA.

I put virus and worm writers right there in the same pile with spammers. They're all the scum of the earth. Clear examples of the worst of human nature.

--
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
