Wow, the below is scary. Does this imply some combo of DCOM config settings can re-expose you after the patch? Does this imply that some machines, ones with DCOM disabled, are still vulnerable after patching? Maybe this might explain how some machines are not responding the same to the exploit, i.e. rebooting.

Does someone have a fast, down and dirty link to how to properly secure DCOM objects? What's funny is I'm scared to alter the settings, fearing I may re-expose myself. I want to secure my DCOM objects and I have not seen a hardening guide or paper that covers DCOM fully.

Of course I sit happily behind a firewall :) Still.... The below is pretty scary news.

-----Original Message-----
From: Makoto Shiotsuki [mailto:shioat_private]
Sent: Thursday, July 31, 2003 9:17 PM
To: incidentsat_private
Subject: Re: Command Line RPC vulnerability scanner?

> >http://www.iss.net/support/product_utilities/ms03-026rpc.php
>
> Be sure to read the page. It isn't 100% accurate.
>

Scanms returns a wrong answer when you have disabled DCOM on the target box.
(run dcomcnfg, uncheck the "Enable Distributed COM on this computer" checkbox)

Target: Windows 2000 Pro SP4 with MS03-026 patch (Japanese version)

Case A: "Enable Distributed COM on this computer" is checked

D:\>scanms 192.168.183.129
--- ScanMs Tool --- (c) 2003 Internet Security Systems ---
Scans for systems vulnerable to MS03-026 vuln
More accurate for WinXP/Win2k, less accurate for WinNT
ISS provides no warrantees for any purpose
Use at own risk. Runs best from WinXP.

IP Address      REMACT  SYSACT  DCOM Version
-----------------------------------------------------
192.168.183.129 [ptch]  [ptch]  5.6

Case B: "Enable Distributed COM on this computer" is unchecked

D:\>scanms 192.168.183.129
--- ScanMs Tool --- (c) 2003 Internet Security Systems ---
Scans for systems vulnerable to MS03-026 vuln
More accurate for WinXP/Win2k, less accurate for WinNT
ISS provides no warrantees for any purpose
Use at own risk. Runs best from WinXP.

IP Address      REMACT  SYSACT  DCOM Version
-----------------------------------------------------
192.168.183.129 [VULN]  [VULN]  5.6

I've already notified ISS X-Force of this issue.

Makoto Shiotsuki
This archive was generated by hypermail 2b30 : Sat Aug 02 2003 - 10:30:12 PDT