RE: Command Line RPC vulnerability scanner?

From: Chris (Securityat_private)
Date: Fri Aug 01 2003 - 15:54:40 PDT

Next message: Steven M. Christey: "Re: WORM_MIMAIL.A Anyone have any info on what this does yet?"

Previous message: Jay Woody: "RE: WORM_MIMAIL.A Anyone have any info on what this does yet?"
In reply to: Makoto Shiotsuki: "Re: Command Line RPC vulnerability scanner?"
Next in thread: Russell Fulton: "RE: Command Line RPC vulnerability scanner?"
Reply: Russell Fulton: "RE: Command Line RPC vulnerability scanner?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Wow the below is scary.
 
Does this imply some combo of DCOM cfg settings can re expose you after the
patch ?
 
Does this imply that some machines, ones with DCOM disabled, are still vun
after patching ?
 
Maybe this might explain how some machines are not responding the same to
the exploit, ie rebooting.
 
Does some one have a fast, down and dirty link to how to properly secure
DCOM objects. What's funny is im scared to alter the settings fearing I may
re expose myself. I want to secure my DCOM objects and I have not seen a
hardening guide or paper that covers dcom fully.
 
Of course I sit happily behind a firewall :)
 
Still.... The below is pretty scary news.

-----Original Message-----
From: Makoto Shiotsuki [mailto:shioat_private] 
Sent: Thursday, July 31, 2003 9:17 PM
To: incidentsat_private
Subject: Re: Command Line RPC vulnerability scanner?


>
>http://www.iss.net/support/product_utilities/ms03-026rpc.php
>
>Be sure to read the page.  It isn't 100% accurate.
>

Scanms returns wrong answer when you disabled DCOM on the target box.
(run dcomcnfg, uncheck the "Enable Distributed COM on this computer"
checkbox)

  Target: Windows 2000 Pro SP4 with MS03-026 patch (Japanese version)

  Case A: "Enable Distributed COM on this computer" is checked

    D:\>scanms 192.168.183.129
    --- ScanMs Tool --- (c) 2003 Internet Security Systems ---
     Scans for systems vulnerable to MS03-026 vuln
     More accurate for WinXP/Win2k, less accurate for WinNT
     ISS provides no warrantees for any purpose
     Use at own risk. Runs best from WinXP.
    IP Address              REMACT  SYSACT  DCOM Version
    -----------------------------------------------------
    192.168.183.129         [ptch]  [ptch]  5.6

  Case B: "Enable Distributed COM on this computer" is un-checked

    D:\>scanms 192.168.183.129
    --- ScanMs Tool --- (c) 2003 Internet Security Systems ---
     Scans for systems vulnerable to MS03-026 vuln
     More accurate for WinXP/Win2k, less accurate for WinNT
     ISS provides no warrantees for any purpose
     Use at own risk. Runs best from WinXP.
    IP Address              REMACT  SYSACT  DCOM Version
    -----------------------------------------------------
    192.168.183.129         [VULN]  [VULN]  5.6

I've already notified ISS X-Force of this issue.

Makoto Shiotsuki

---------------------------------------------------------------------------
----------------------------------------------------------------------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------

Next message: Steven M. Christey: "Re: WORM_MIMAIL.A Anyone have any info on what this does yet?"
Previous message: Jay Woody: "RE: WORM_MIMAIL.A Anyone have any info on what this does yet?"
In reply to: Makoto Shiotsuki: "Re: Command Line RPC vulnerability scanner?"
Next in thread: Russell Fulton: "RE: Command Line RPC vulnerability scanner?"
Reply: Russell Fulton: "RE: Command Line RPC vulnerability scanner?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Aug 02 2003 - 10:30:12 PDT