RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)

From: Schmehl, Paul L (pauls_at_utdallas.edu)
Date: 07/28/03

  • Next message: Réda Zitouni: "[Full-Disclosure] Cisco Aironet AP 1100 Malformed HTTP Request Crash Vulnerability"
    To: "Ron DuFresne" <dufresne@winternet.com>
    Date: Mon, 28 Jul 2003 11:12:27 -0500
    
    

    > -----Original Message-----
    > From: Ron DuFresne [mailto:dufresne@winternet.com]
    > Sent: Monday, July 28, 2003 10:46 AM
    > To: Schmehl, Paul L
    > Cc: Robert Wesley McGrew; full-disclosure@lists.netsys.com
    > Subject: RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)
    >
    > And those sites during slammer that blocked 1434, as was
    > advised when the patch was made available, though it was
    > advised even long before that, were largely unaffected. Sites
    > that are properly blocking 135 and its protocols will most
    > likely be unaffected from any new worm wishing to exploit
    > this repeat problem with DCOM/RPC.
    >
    This is simply and plainly false. I don't know why people can't seem to
    grasp this. I know of several major corporations who not only had
    1434/UDP blocked at the firewall but also on a number of internal
    routers *and* had aggressive patching programs, and they *still*
    suffered from Slammer. All it takes is *one* infected box *inside* the
    network to negate all the hard work you've done trying to keep the worm
    out.

    When you have 150,000 machines worldwide, having 1% of those unpatched
    (which is a 99% *success* rate) means you have 1500! vulnerable
    machines. Most situations that I'm familiar with were in the tens - not
    even the hundreds - but it only took 10 or 15 machines to take down the
    entire network due to the nature of that worm. 10 or 15 boxes
    represents 1/100th of a percent of the total, yet that small number
    could completely destabilize a network and cause untold hours of work for
    the admins and networking staff.

    Now anybody who wants to tell me that a 0.01% failure rate in a patching
    program proves the admins are incompetent is simply ignorant of the
    issues. I guess it's just impossible for people who don't actually run
    a large network to grasp the nature of the issues.

    You build your little home network, you put up a FreeBSD box as a
    NAT/Router/Firewall, and you think you understand networking in a large
    enterprise? You haven't a clue.

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu/~pauls/
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

