RE: smbdie - GUI remote smb DoS tool
From: Dozal, Tim (tdozal@cisco.com)
Date: 08/30/02
- Previous message: Matt Thoene: "Re: PDA security"
- Maybe in reply to: shawn merdinger: "smbdie - GUI remote smb DoS tool"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 30 Aug 2002 14:52:53 -0700 From: "Dozal, Tim" <tdozal@cisco.com> To: <DAyers@pacbell.net>, <security-basics@securityfocus.com>
When I look at this as a tool I see it as a VERY effective and
non-destructive way to demonstrate how serious this particular
vulnerability is. The program was released about a week after the MS
announcement and up until this program was released people were not taking
the patching of their systems seriously. Then this tool surfaced and
there was a mad scramble to update ALL vulnerable systems. What would
have happened if the author had written a virus program that used the buffer
overflow to destroy the box instead of just causing a blue screen?
This could have possibly spread faster than Nimda. But lucky for us all
it was a tool that did no more damage than cause a blue screen reboot.
The reason I disagree with the VP decision to add this to their patterns
was more political than anything. I view the VP software companies as
responsible for stopping virus code. Virus code being anything that can
spread and self-replicate. Since this program is not a virus I
disagree with its being added as a virus definition. This in no way
reflects the views of my company or others within it, just the way I see
it.
In response to the threat of the program, yes, I agree this program could
wreak havoc on a network if an internal employee were to take advantage
of it. That however is an internal company problem, not where I think a
VP company should focus. This seems like more of an internal Infosec
issue. When a vulnerability is announced, patch the systems, don't wait
until people have tools to exploit the problem. If all of us were on
the ball, the one week time between the MS announcement of the
vulnerability AND ITS PATCH should have been enough time to be fully
patched. That being the case, SMBdie would have been worthless by the
time it became available.
Again just my 2 cents on the subject...
Tim
-----Original Message-----
From: Ayers, Diane [mailto:DAyers@pacbell.net]
Sent: Friday, August 30, 2002 10:09 AM
To: security-basics@securityfocus.com
Subject: RE: smbdie - GUI remote smb DoS tool
Please don't take this the wrong way but this seems like an odd comment
for someone who works for Cisco. I manage a large NT infrastructure
for a utility company and am responsible for maintaining availability
for critical NT infrastructure boxes. When a new vulnerability comes
out, especially higher risk ones, it takes a period of time to patch a
significant number of servers in the enterprise. That leaves a number
of critical boxes vulnerable for a period of time.
SMBdie was a good demo of the vulnerability but I hardly categorize it
as a "tool". When a GUI comes out that any low level users can run and
impact your daily business, I categorize that as something other than a
tool. Statistics show that 50%-80% of attacks come internally rather
than externally. Adding these programs to DAT file signatures is
nothing new. WinNuke from the old NT 4.0 ping of death has been in DAT
files for years.
Diane
-----Original Message-----
From: Dozal, Tim [mailto:tdozal@cisco.com]
Sent: Thursday, August 29, 2002 2:30 PM
To: Wesley Shields; shawn merdinger
Cc: security-basics@securityfocus.com
Subject: RE: smbdie - GUI remote smb DoS tool
This "proof of concept tool" was very useful a few days ago in
demonstrating how easily this exploit can be taken advantage of. However
today I noticed the virus protection companies added this tool's pattern
to their definitions so it can no longer live on a machine running VP
software or pass through the e-mail scanners that were updated today. I
don't know about the rest of you but I was really pissed about this. The
tool is NOT a virus, and I had been sending it to various IT friends for
the last few days to use as a demo tool for their various companies.
I'm curious if anybody knows of a REAL virus that has taken advantage of
this exploit, and also why the VP companies feel they have the right to
add a pattern for a "tool" into their DAT files?
Can somebody explain the logic here?
Tim
Btw, the MS description of this exploit requiring a valid
username/password seems to be total BS based on what this little tool is
able to do.
-----Original Message-----
From: Wesley Shields [mailto:wxs@csh.rit.edu]
Sent: Thursday, August 29, 2002 10:55 AM
To: shawn merdinger
Cc: security-basics@securityfocus.com
Subject: Re: smbdie - GUI remote smb DoS tool
On Wed, Aug 28, 2002 at 10:51:00AM -0500, shawn merdinger wrote:
> fyi,
>
> Yet another reason to disable netbios. This tool runs on Windows and
> has a GUI interface. Windows machines w/ SMB (port 139) access will
> reboot instantly.
>
> Tool is here: http://packetstormsecurity.org/0208-exploits/SMBdie.zip
>
> -scm
>
>
If you're going to post the proof of concept you may want to post the
patch.
MS02-045
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q326830&
-- WXS