Re: is it even possible for a worm with dcom vuln?

From: H D Moore (sflist_at_digitaloffense.net)
Date: 07/28/03

    To: vuln-dev@securityfocus.com
    Date: Mon, 28 Jul 2003 14:58:07 -0500

    A highly-effective worm would not be difficult to write for the reasons
    below. Residential ISPs should start blocking 445 and 135 immediately.
    Corporate networks should block these ports in both directions at every
    major gateway as soon as possible.

    It would only take one compromised node to turn a corporation's internal
    network to mush. Coupled with an email or web-based delivery system, a
    DCOM worm could easily start spawning itself in the center of even the
    most security-conscious organizations.

    1) There *are* universal return addresses for both Win2K and WinXP. No, I am
    not going to post these anywhere; people can find them for themselves.
    The non-English versions may or may not work with these, I have not had
    the chance to test.

    2) You can determine whether a host is 2K or XP in a number of
    different ways. The easiest method is by looking at the Native LanMan
    version you receive when establishing an SMB session. I have heard that
    there are ways to identify a system through DCOM queries as well, but
    have no code in hand to prove it.

    3) Since the easiest targets are Win2K and WinXP, simply scanning for 445,
    determining XP/2K, and exploiting 135 would be very simple to do. All
    systems with 445/tcp open are more than likely XP/2K. Any system with
    445/tcp open more than likely has 135 open as well.

    -HD

    On Sunday 27 July 2003 12:09 pm, wirepair wrote:
    > I would imagine the worm would need to
    > be pretty advanced in finding the correct offsets prior to
    > exploitation, without crashing svchost.exe. Now I am in no way
    > downplaying the threat of this vulnerability and I find it to probably
    > be the largest thing to ever hit Windows. I just want to hear other
    > people's thoughts on this subject. Or a worm could attack a single
    > operating system/sp but that wouldn't be nearly as damaging as a worm
    > that could attack all versions of windows (nt4-win2k3) and sp's.
    >
    > Any thoughts?
    > -wire
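The propagation pattern HD describes above (one internal node sweeping neighbours on 445/tcp and 135/tcp) is also the pattern a defender can look for in gateway or firewall logs while the port blocks are being rolled out. The following is an added example, not code from this thread or from either poster; it assumes a constructed, simplified log line format ("timestamp src dst dst_port action") and a fan-out threshold of 20 distinct destinations per minute, both of which are assumptions to be tuned to a real export format and environment.

```python
"""Flag internal hosts fanning out to many distinct peers on 135/tcp or
445/tcp within a short window, the worm-style sweep described in the thread.

Added example; the log format below is a constructed simplification of a
firewall/netflow export, and the threshold/window are assumed values."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WORM_PORTS = {135, 445}          # ports the thread recommends blocking
FANOUT_THRESHOLD = 20            # distinct destinations per window (assumption)
WINDOW = timedelta(seconds=60)   # sliding window length (assumption)


def parse_line(line):
    """Parse one constructed log line: '<ISO timestamp> <src> <dst> <dst_port> <action>'."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_fanout(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src_ip: peak_distinct_destinations} for every source whose
    count of distinct 135/445 destinations inside any `window` reaches
    `threshold`. Ordinary clients talking to one or two file servers never
    accumulate enough distinct peers to trip the check."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, _action = parse_line(line)
        if port in WORM_PORTS:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()                       # oldest first
        recent = deque()                 # events still inside the window
        live = defaultdict(int)          # dst -> events of that dst in window
        peak = 0
        for ts, dst in evs:
            recent.append((ts, dst))
            live[dst] += 1
            # evict events that fell out of the window
            while recent and ts - recent[0][0] > window:
                _old_ts, old_dst = recent.popleft()
                live[old_dst] -= 1
                if live[old_dst] == 0:
                    del live[old_dst]
            peak = max(peak, len(live))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def build_sample_log():
    """Constructed sample traffic: benign file-server use, one web request,
    and one host sweeping a /24 on 445 at two destinations per second."""
    base = datetime(2003, 7, 28, 14, 58, 0)
    lines = []
    for i in range(5):   # workstation repeatedly reaching its one file server
        lines.append(f"{(base + timedelta(seconds=i * 10)).isoformat()} "
                     f"10.0.0.7 10.0.0.100 445 ALLOW")
    lines.append(f"{base.isoformat()} 10.0.0.9 10.0.0.100 80 ALLOW")
    for i in range(1, 31):  # sweep of 10.0.1.1 .. 10.0.1.30 in 15 seconds
        lines.append(f"{(base + timedelta(seconds=i // 2)).isoformat()} "
                     f"10.0.0.5 10.0.1.{i} 445 ALLOW")
    return lines


if __name__ == "__main__":
    for src, peak in detect_fanout(build_sample_log()).items():
        print(f"suspect {src}: {peak} distinct 135/445 peers within {WINDOW}")
```

The sliding window keeps per-destination counts so a host that hammers one server is not confused with a host that touches many servers once each; on the constructed log only 10.0.0.5 is reported. Feed it real lines by replacing parse_line with a parser for your export format and raising or lowering the threshold to match how many SMB peers a normal workstation in your network actually has.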

