Remote MS03-026 vulnerability detection
From: Abe (abe_at_itsec-ss.nl)
Date: 08/21/03
Date: Thu, 21 Aug 2003 13:33:07 +0200 To: bugtraq@securityfocus.com
Hi,
Lately, I've been trying to find a way to detect whether a host is
vulnerable to the MS RPC issue fixed by MS03-026. This detection should
be possible remotely, without registry access and without disrupting
services.
I have discovered that, when multiple "RemoteActivation Requests" are
sent to the target system, the delays between the requests and the
replies vary. After running multiple tests, I have found that, on
patched W2k systems, there is a very distinct pattern in the delays
between a RemoteActivation request and reply. Example:
Delay 1: 0.002550 seconds
Delay 2: 0.000305
Delay 3: 0.002438
Delay 4: 0.000301
Delay 5: 0.002458
Delay 6: 0.000307
On an unpatched system, the pattern is much more irregular:
Delay 1: 0.002298 seconds
Delay 2: 0.000687
Delay 3: 0.002254
Delay 4: 0.002833
Delay 5: 0.005187
Delay 6: 0.000663
Has anyone else found this? Could this be used as a way to detect
whether a system is patched or not? Does anyone know of another way to
detect this?
Regards,
Abe
ITsec Security Services
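
The alternating pattern described in the post can be quantified. The following is an added example, not code from the original post or its author: it parses the two delay listings quoted above, splits them into odd and even positions, and measures how tightly each group clusters. The function names and the 0.1 threshold are assumptions for illustration and are not calibrated against real hosts.

```python
import re
from statistics import mean, pstdev

# Delay listings copied from the post above.
PATCHED = """Delay 1: 0.002550 seconds
Delay 2: 0.000305
Delay 3: 0.002438
Delay 4: 0.000301
Delay 5: 0.002458
Delay 6: 0.000307"""

UNPATCHED = """Delay 1: 0.002298 seconds
Delay 2: 0.000687
Delay 3: 0.002254
Delay 4: 0.002833
Delay 5: 0.005187
Delay 6: 0.000663"""

DELAY_RE = re.compile(r"Delay\s+\d+:\s+([0-9.]+)")


def parse_delays(text):
    """Extract the delay values (seconds) from 'Delay N: x' lines."""
    return [float(value) for value in DELAY_RE.findall(text)]


def alternation_spread(delays):
    """Largest coefficient of variation among odd- and even-position delays.

    A strictly alternating slow/fast pattern gives two tight groups, so the
    result is small; an irregular series gives a large value.
    """
    if len(delays) < 4:
        raise ValueError("need at least two samples per position")
    groups = (delays[0::2], delays[1::2])
    return max(pstdev(group) / mean(group) for group in groups)


def looks_regular(delays, threshold=0.1):
    """Assumed cut-off (hypothetical): below it the series counts as regular."""
    return alternation_spread(delays) < threshold


if __name__ == "__main__":
    for label, text in (("patched", PATCHED), ("unpatched", UNPATCHED)):
        delays = parse_delays(text)
        print(label, round(alternation_spread(delays), 4), looks_regular(delays))
```

Six samples per host is a very small basis; network jitter and host load alone can produce either result, so a score like this is a hint to verify by other means rather than a verdict.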