[VulnWatch] Re: [LSD] Critical security vulnerability in Microsoft Operating Systems

From: Last Stage of Delirium (contact@lsd-pl.net)
Date: Tue Jul 22 2003 - 13:15:12 PDT


    Hello,
    
    We confirm the existence of the following RPC attack vectors pointed out
    by Todd Sabin with regard to the vulnerability described in MS03-026.
    These are respectively:
    
    - ncacn_np:\pipe\epmapper
    - ncadg_ip_udp:135
    - ncacn_ip_tcp:135
    - ncacn_http:593
    
    This means that at least:
    - UDP port 135,
    - TCP ports 135, 139, 445 and 593 can be used as remote attack vectors.
    
    The possibility of using ncacn_http (and TCP port 80) for the purpose
    of launching a remote attack depends on whether COM Internet Services
    are enabled for DCOM on a Windows Server running IIS (as far as we know
    they are not enabled by default).
    
    Best Regards,
    Members of LSD Research Group
    http://lsd-pl.net
    
    
    On Thu, 17 Jul 2003, Todd Sabin wrote:
    
    >
    > I think it's worth mentioning that Microsoft's advisory on this issue
    > is incorrect in stating that the only attack vector is port 135.  The
    > vulnerability lies in one of the RPC interfaces that the endpoint
    > mapper/RPCSS services.  As such, it is accessible over any RPC
    > protocol sequence that the endpoint mapper listens on.  That includes:
    >
    > o ncacn_ip_tcp :  TCP port 135
    > o ncadg_ip_udp :  UDP port 135
    > o ncacn_np     :  \pipe\epmapper, normally accessible via SMB null
    >                   session on TCP ports 139 and 445
    > o ncacn_http   : if active, listening on TCP port 593.
    >
    > Finally, if ncacn_http is active, and COM Internet Services is
    > installed and enabled, which is NOT the default in any configuration
    > I'm aware of, then you can also talk to the endpoint mapper over port
    > 80.  Just to be clear, I think this is a very uncommon scenario, but
    > the possibility does exist.
    >
    > So if you want to be completely safe, block UDP 135, TCP 135, 139, 445,
    > and 593.  And make sure you don't have COM Internet Services running.
    >
    > --
    > Todd Sabin                                          <tsabinat_private>
    > BindView RAZOR Team                            <tsabinat_private>
    >
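
As an added defender-side example (not part of this thread or of either author's material), the following Python flags perimeter-firewall records that reach the endpoint-mapper transports enumerated above, treating TCP 80 as an RPC vector only for hosts known to run COM Internet Services; the key=value log format, the trusted network and the CIS host list are assumptions.

```python
import ipaddress
import re
from collections import namedtuple

# RPC protocol sequences the endpoint mapper listens on and the port each uses,
# as enumerated in the thread above.
EPMAPPER_TRANSPORTS = {
    ("udp", 135): "ncadg_ip_udp",
    ("tcp", 135): "ncacn_ip_tcp",
    ("tcp", 139): "ncacn_np (\\pipe\\epmapper over SMB)",
    ("tcp", 445): "ncacn_np (\\pipe\\epmapper over SMB)",
    ("tcp", 593): "ncacn_http",
}
CIS_TRANSPORT = ("tcp", 80)  # reaches RPC only if COM Internet Services is enabled

# Constructed key=value format of a hypothetical perimeter firewall log.
LOG_RE = re.compile(r"action=(?P<action>\w+) proto=(?P<proto>tcp|udp) "
                    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")
Finding = namedtuple("Finding", "src dst proto dport protseq action")


def flag_epmapper_exposure(log_lines, trusted_nets, cis_hosts=frozenset()):
    """Connections from outside trusted_nets to an endpoint-mapper transport.
    action='accept' means the recommended perimeter filter is missing for that
    transport; action='drop' means the filter is doing its job."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a connection record in the expected format
        if any(ipaddress.ip_address(m["src"]) in n for n in nets):
            continue  # internal traffic is out of scope for the perimeter rule
        key = (m["proto"], int(m["dport"]))
        protseq = EPMAPPER_TRANSPORTS.get(key)
        if protseq is None and key == CIS_TRANSPORT and m["dst"] in cis_hosts:
            protseq = "ncacn_http via COM Internet Services"
        if protseq:
            findings.append(Finding(m["src"], m["dst"], *key, protseq, m["action"]))
    return findings


# Constructed sample: 192.0.2.0/24 is the trusted network, 192.0.2.11 runs CIS.
SAMPLE_LOG = [
    "action=accept proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=135",
    "action=drop proto=udp src=198.51.100.7 dst=192.0.2.10 dport=135",
    "action=accept proto=tcp src=198.51.100.9 dst=192.0.2.11 dport=445",
    "action=accept proto=tcp src=198.51.100.9 dst=192.0.2.11 dport=80",
    "action=accept proto=tcp src=198.51.100.9 dst=192.0.2.10 dport=80",
    "action=accept proto=tcp src=192.0.2.50 dst=192.0.2.10 dport=135",
]
```

The set of (proto, port) pairs among 'accept' findings is the list of transports the perimeter still lets through.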
    