[VulnWatch] Re: [LSD] Critical security vulnerability in Microsoft Operating Systems
From: Last Stage of Delirium (contact_at_lsd-pl.net)
Date: 07/22/03
- Previous message: Next Generation Insight Security Reseach Team: "[VulnWatch] Witango & Tango 2000 Application Server Remote System Buffer Overrun"
- In reply to: Todd Sabin: "[VulnWatch] Re: [LSD] Critical security vulnerability in Microsoft Operating Systems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 22 Jul 2003 13:15:12 -0700
To: Todd Sabin <tsabin@razor.bindview.com>
Hello,
We confirm the existence of the following RPC attack vectors pointed out
by Todd Sabin with regard to the vulnerability described in MS03-026.
These are respectively:
- ncacn_np:\pipe\epmapper
- ncadg_ip_udp:135
- ncacn_ip_tcp:135
- ncacn_http:593
This means that at least:
- UDP port 135,
- TCP ports 135, 139, 445 and 593 can be used as remote attack vectors.
The possibility of using ncacn_http (and TCP port 80) for the purpose
of launching a remote attack depends on whether COM Internet Services
are enabled for DCOM on a Windows Server running IIS (as far as we know
they are not enabled by default).
Best Regards,
Members of LSD Research Group
http://lsd-pl.net
On Thu, 17 Jul 2003, Todd Sabin wrote:
>
> I think it's worth mentioning that Microsoft's advisory on this issue
> is incorrect in stating that the only attack vector is port 135. The
> vulnerability lies in one of the RPC interfaces that the endpoint
> mapper/RPCSS services. As such, it is accessible over any RPC
> protocol sequence that the endpoint mapper listens on. That includes:
>
> o ncacn_ip_tcp : TCP port 135
> o ncadg_ip_udp : UDP port 135
> o ncacn_np : \pipe\epmapper, normally accessible via SMB null
> session on TCP ports 139 and 445
> o ncacn_http : if active, listening on TCP port 593.
>
> Finally, if ncacn_http is active, and COM Internet Services is
> installed and enabled, which is NOT the default in any configuration
> I'm aware of, then you can also talk to the endpoint mapper over port
> 80. Just to be clear, I think this is a very uncommon scenario, but
> the possibility does exist.
>
> So if you want to be completely safe, block UDP 135, TCP 135, 139, 445,
> and 593. And make sure you don't have COM Internet Services running.
>
> --
> Todd Sabin <tsabin@optonline.net>
> BindView RAZOR Team <tsabin@razor.bindview.com>
>
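Added example, not part of either message above: a small parser for DCE-RPC string bindings in the standard `[uuid@]protseq:netaddr[endpoint]` form, which turns the endpoint-mapper bindings named in the thread into the transport/port set a perimeter filter has to cover, including the ncacn_np-over-SMB and COM Internet Services caveats. The sample bindings and the 192.0.2.10/HOST addresses are constructed.

```python
"""Derive network exposure from DCE-RPC string bindings (added example)."""
import re

# [uuid@]protseq:netaddr[endpoint,options]  -- the RpcStringBindingCompose layout
BINDING_RE = re.compile(
    r"^(?:(?P<uuid>[0-9a-fA-F-]{36})@)?(?P<protseq>[a-z_]+):(?P<addr>[^\[]*)"
    r"(?:\[(?P<endpoint>[^\],]*)(?:,(?P<opts>.*))?\])?$")

def parse_binding(s):
    """Split a string binding into its fields; raise on malformed input."""
    m = BINDING_RE.match(s)
    if not m:
        raise ValueError(f"not a string binding: {s!r}")
    return m.groupdict()

def exposure(binding, cis_enabled=False):
    """Return the set of (proto, port) reachable through one binding.
    ncacn_np rides on SMB, so it means TCP 139 and 445 whatever the pipe
    name; ncacn_http adds TCP 80 only when COM Internet Services is enabled,
    which both messages note is not the default."""
    b = parse_binding(binding)
    ep = b["endpoint"]
    if b["protseq"] == "ncacn_np":
        return {("tcp", 139), ("tcp", 445)}
    if b["protseq"] in ("ncacn_ip_tcp", "ncadg_ip_udp", "ncacn_http"):
        if ep is None:
            raise ValueError("dynamic endpoint: resolve it via the endpoint mapper")
        proto = "udp" if b["protseq"] == "ncadg_ip_udp" else "tcp"
        ports = {(proto, int(ep))}
        if b["protseq"] == "ncacn_http" and cis_enabled:
            ports.add(("tcp", 80))
        return ports
    return set()  # e.g. ncalrpc: local transport, no network exposure

def block_list(bindings, cis_enabled=False):
    """Union of all exposures, sorted for feeding into a firewall rule template."""
    ports = set()
    for b in bindings:
        ports |= exposure(b, cis_enabled)
    return sorted(ports)

if __name__ == "__main__":
    # Constructed: the endpoint-mapper bindings discussed in the thread.
    epm = ["ncacn_ip_tcp:192.0.2.10[135]", "ncadg_ip_udp:192.0.2.10[135]",
           "ncacn_np:\\\\HOST[\\pipe\\epmapper]", "ncacn_http:192.0.2.10[593]",
           "ncalrpc:[epmapper]"]
    for proto, port in block_list(epm):
        print(f"block inbound {proto}/{port}")
```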