Re: Alert: Microsoft Security Bulletin - MS03-039

From: Marc Maiffret (marc_at_EEYE.COM)
Date: 09/12/03

    Date:         Thu, 11 Sep 2003 19:11:35 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    | -----Original Message-----
    | From: Windows NTBugtraq Mailing List
    | [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]On Behalf Of James Foster
    | Sent: Thursday, September 11, 2003 1:12 PM
    | To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    | Subject: Re: Alert: Microsoft Security Bulletin - MS03-039
    |
    | Clarification of points:
    | -Foundstone Enterprise, FS 1000, Managed Service, and Foundstone
    | Professional are all accurate
    | -Microsoft's tool appears to be inaccurately identifying Windows 9x
    | boxes as vulnerable
    | -eEye's tool appears to be dropping hosts on large network scans

    Thank you for the note on our tool. We have had over 250 thousand downloads
    and have not had any reports of dropping hosts. We went ahead though and
    redid our QA process to verify our tool against systems and other tools to
    make sure we were working accurately and non-intrusively. We were not able
    to reproduce any bugs within our tool. However, if anyone is experiencing
    any problems please feel free to contact info@eeye.com.

    Also, in our testing we did not experience Microsoft's tool having the bugs
    pointed out above. We believe those bugs to be fixed in their latest
    versions. It was their older versions that had more problems.

    We did however find a problem in your latest free Foundstone tool (Version
    2.00, at 7:06pm PDT) on auditing Windows NT 4.0 systems. We thought we would
    include some technical information here of why your tool might be failing to
    correctly identify NT 4.0 systems, rather than just leave it as a vague
    statement of "you have a bug".

    The Foundstone scanner tries all the right UUIDs to figure out if a machine
    is 9x/Me or NT-family, but a false positive issue with NT4 machines still
    exists because of the format of the REMACT packet being used to detect the
    vulnerability. It turns out that NT4 machines don't like the old-style
    packet (the style that XFocus used in their original exploit), but if you
    generate a packet from scratch using the same CoGetInstanceFromFile()
    technique you describe in "your" MS03-039 advisory, you should arrive at a
    smaller and much simpler packet that works cross-version. Obviously we could
    be mistaken in understanding why your tool is broken on NT 4.0, so you'll
    have to do a bit more QA yourselves.

    As you're no doubt aware, sniffing the traffic from the Retina DCOM scanning
    tool will provide all the necessary example packets.

    | Can't speak for products, just the free tools. Check out Foundstone
    | Labs' advisory on details of the CoGetInstanceFromFile prototype if you
    | are interested in creating a packet for yourself using the supplied
    | Microsoft API.
    |
    | -Kudos to Barns for finding the bug.

    Thank you.

    | James C. Foster
    | Director, Research and Development
    | Foundstone, Inc.
    | Strategic Security
    | 949.297.5600 Tel
    | 949.463.3373 Mobile
    | 949.297.5575 Fax
    | http://www.foundstone.com

    Again we are committed to accuracy so if anyone finds any problems with our
    free tools please contact info@eEye.com with exact tool version numbers and
    as much detailed information as possible.

    Signed,
    Marc Maiffret
    Co-Founder/Chief Hacking Officer
    eEye Digital Security
    T.949.349.9062
    F.949.349.9538
    http://eEye.com/Retina - Network Security Scanner
    http://eEye.com/Iris - Network Traffic Analyzer
    http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
