Full Disclosure mailing list archives

Re: DCOM RPC exploit (dcom.c)


From: "CHeeKY" <cheekypeople () sec33 com>
Date: Sun, 27 Jul 2003 09:53:08 +0100

Paul, have you patched against this vulnerability? If so then be cool; most holes work as people didn't follow or have a clear and present patching program.
With regards to Slammer, again it was successful due to, as you put it, rogue machines that weren't patched, but that to me was a program that caused the issue. This is a standard port; on my firewall system port 135 isn't open, on a VPN-ed laptop the patch has been released for folk, and laptop firewalls amended.

Again we have the issue of rogue machines, but that's what I have perimeter defenses for. NAT would effectively kill this exploit, same with the sqlhack of old: they may be able to knock at the door, but they can't take the goods back out the way they came...

For the record we stopped Slammer with a patch that we put on 6 months earlier, and thus everyone that had SQL had already been patched through login script; others got the patch through our SMS system, as newly released patches are tested and integrated as soon as available.
I believe it's about approach.

Regards




----- Original Message ----- 
From: "Paul Schmehl" <pauls () utdallas edu>
To: "Ron DuFresne" <dufresne () winternet com>
Cc: "Chris Paget" <chrisp () ngssoftware com>; "Len Rose" <len () netsys com>;
<full-disclosure () lists netsys com>
Sent: Sunday, July 27, 2003 5:20 AM
Subject: Re: [Full-disclosure] DCOM RPC exploit (dcom.c)


On Sat, 2003-07-26 at 22:29, Ron DuFresne wrote:

I'm just trying to understand how corporate networks would/should be at risk with this, why port 135 would not be filtered already limiting exposure.  Is there a reason why it would not be that I'm missing?

Are you really serious?  Recall Slammer?  There were networks that were
locked down pretty tight.  Slammer couldn't get in, right?  Then one
developer who got his unpatched copy of SQL inside the network, by
logging in through VPN with his infected laptop, took the entire network
down.

You can't get in to our network on those ports either - unless you're
already in.  But I can guarantee you that we'll be chasing infected
boxes down for days after the worm hits.  And we've already patched
everything that we could patch.  I scan for Slammer every week, because
every week someone new decides to install SQL unpatched or some stupid
app that has an unpatched copy of MSDE.  Now I'll be chasing the RPC
worm around too.

You can't firewall 135 inside your network or you'd have no network.

The only reason I read lists like this is because I need to know before
it hits what the next stupid exploit is that I have to deal with.  And
every one is a royal PITA.  I put virus and worm writers right there in
the same pile with spammers.  They're all the scum of the earth.  Clear
examples of the worst of human nature.

-- 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html