Re: Alert: Microsoft Security Bulletin - MS03-039
From: James Foster (James.Foster_at_FOUNDSTONE.COM)
Date: 09/11/03
- Previous message: Gavin Haslett: "EEye RPC Scanning Tool"
- Maybe in reply to: Russ: "Alert: Microsoft Security Bulletin - MS03-039"
- Next in thread: Marc Maiffret: "Re: Alert: Microsoft Security Bulletin - MS03-039"
- Reply: Marc Maiffret: "Re: Alert: Microsoft Security Bulletin - MS03-039"
Date: Thu, 11 Sep 2003 13:12:04 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Clarification of points:
-Foundstone Enterprise, FS 1000, Managed Service, and Foundstone
Professional are all accurate
-Microsoft's tool appears to be inaccurately identifying Windows 9x
boxes as vulnerable
-eEye's tool appears to be dropping hosts on large network scans
Can't speak for products, just the free tools. Check out Foundstone
Labs' advisory on details of the CoGetInstanceFromFile prototype if you
are interested in creating a packet for yourself using the supplied
Microsoft API.
-Kudos to Barns for finding the bug.
...
James C. Foster
Director, Research and Development
Foundstone, Inc.
Strategic Security
949.297.5600 Tel
949.463.3373 Mobile
949.297.5575 Fax
http://www.foundstone.com
software | services | education
-----Original Message-----
From: Marc Maiffret [mailto:marc@EEYE.COM]
Sent: Wednesday, September 10, 2003 1:52 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Alert: Microsoft Security Bulletin - MS03-039
Some insight for you all...
The way that Microsoft patched the new RPC Part II vulnerability
actually breaks most scanning tools looking for the first flaw.
That is to say that if your company is using a scanning tool looking for
MS03-026 and you have installed MS03-039 then your MS03-039 systems will
be flagged as vulnerable, when they obviously are not.
Since we actually found the flaw we were able to update Retina and our
free scanning tool to correctly identify this new vulnerability, and
old, without getting false positives. Again, last time I checked ISS,
Foundstone, and a couple free tools (MS's old version), will incorrectly
identify systems as vulnerable to the old flaw, with this new patch
installed.
Retina 4.9.126 and our free RPC scanner Version 1.1.0 have the correct
checks that the rest of the scanners are going to need to "model
themselves" after in order to accurately detect these RPC flaws. Again
the free RPC scanner tool, with latest RPC check, can be downloaded
from: http://www.eeye.com/html/Research/Tools/RPCDCOM.html
Cheers,
Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
| -----Original Message-----
| From: Windows NTBugtraq Mailing List
| [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Russ
| Sent: Wednesday, September 10, 2003 1:48 PM
| To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
| Subject: Re: Alert: Microsoft Security Bulletin - MS03-039
|
|
| I knew this was coming...
|
| ---------------- Original message -------------------
| Russ,
| I installed the patch (MS03-039). Now corporate (still running scans
| for MS03-026) says I'm vulnerable. I know the technical bulletin
| describes this in detail. If I understand correctly the scanning tool
| needs to be updated. Corporate in their infinite wisdom wants me to
| back out the MS03-039 patch. Is anyone else dealing with this?
| ---------------- Original message -------------------
|
| Well, I have to say that "Corporate" needs to get their head out of
| their...well, Ok, let me be nicer.
|
| Given that MS03-039 is "Critical" according to Microsoft, and "Needs
| to be applied immediately" for non-TruSecure customers according to
| me, maybe Corporate should rethink what they are doing.
|
| I would not be at all surprised to hear this problem a lot,
| particularly due to a number of MS03-026 scanning techniques being
| used;
|
| 1. File checking alone will indicate the wrong file versions/hashes.
| Of course if they were checking for MS03-026, it would make more sense
| to check for a version number *or higher* rather than strict checking,
| but if you're checking hashes only it can only fail.
|
| 2. Registry checking alone will indicate MS03-026 and MS03-039 are
| installed. MS03-039 doesn't remove or alter the registry keys for
| KB823980 (MS03-026).
|
| 3. Checking for both will fail since the files will be updated but the
| registry key is still there.
|
| IMO, the check should be for MS03-026, and only if that fails, then a
| check for MS03-039 should be performed. Of course if you're trying to
| scan thousands of machines that can make for problems.
|
| Finally, all of the above only applies if you're thinking all you need
| is MS03-026. The simple fact is that you need MS03-039, now that it's
| released, forget about MS03-026 and start scanning all over again.
|
| Then again, you could just disable DCOM and be done with it for now.
|
| Cheers,
| Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
|
| ----
| Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!
|
| With a growth rate exceeding 110%, the TICSA security practitioner
| certification is one of the hottest IT credentials available. And now,
| for a limited time, you can save 33% off of the TICSA certification
| exam! To learn more about the TICSA certification, and to register as
| a TICSA candidate online, just go to
|
| http://www.trusecure.com/offer/s0100/
|
| ----
|
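The file-check problem Russ describes in the quoted message (an exact match on the MS03-026 file fails once MS03-039 replaces that file, while the KB823980 registry key stays in place) is shown below as an added example; it is not code from any poster or from any of the scanners named in the thread. The host inventory is constructed and the version numbers are placeholders, not the real file versions shipped by either bulletin.

```python
# Added example: constructed inventory, placeholder version numbers.
MS03_026_BUILD = (1, 0, 0, 26)  # placeholder for the file build MS03-026 ships
MS03_039_BUILD = (1, 0, 0, 39)  # placeholder for the file build MS03-039 ships
KB_026 = "KB823980"             # MS03-026 registry marker named in the thread

HOSTS = [  # constructed sample data
    {"name": "ws-01", "file": "1.0.0.0",  "hotfix_keys": set()},     # no patch
    {"name": "ws-02", "file": "1.0.0.26", "hotfix_keys": {KB_026}},  # MS03-026 only
    {"name": "ws-03", "file": "1.0.0.39", "hotfix_keys": {KB_026}},  # MS03-039 on top
]

def build(host):
    """Turn a dotted version string into a tuple that compares numerically."""
    return tuple(int(part) for part in host["file"].split("."))

def exact_file_check(host):
    """Strict check: MS03-026 counts as present only on an exact file match."""
    return build(host) == MS03_026_BUILD

def registry_and_exact_file_check(host):
    """Registry key plus exact file match; the stale key does not rescue it."""
    return KB_026 in host["hotfix_keys"] and exact_file_check(host)

def minimum_file_check(host):
    """'Version number or higher': a superseding build also satisfies MS03-026."""
    return build(host) >= MS03_026_BUILD

def status(host):
    """Verdict once MS03-039 is the required baseline."""
    if build(host) >= MS03_039_BUILD:
        return "patched"
    if build(host) >= MS03_026_BUILD:
        return "needs MS03-039"
    return "vulnerable"

def flagged_for_ms03_026(check, hosts=HOSTS):
    """Names of the hosts a given check reports as missing MS03-026."""
    return [h["name"] for h in hosts if not check(h)]

if __name__ == "__main__":
    for check in (exact_file_check, registry_and_exact_file_check, minimum_file_check):
        print(check.__name__, "flags", flagged_for_ms03_026(check))
    for host in HOSTS:
        print(host["name"], status(host))
```

Both strict checks flag ws-03, the host carrying the newer patch; only the minimum-version comparison clears it while still reporting ws-02 as needing MS03-039.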