BugTraq
[LSD] Critical security vulnerability in Microsoft Operating Systems Jul 17 2003 04:27AM
Last Stage of Delirium (contact lsd-pl net) (1 replies)
Re: [LSD] Critical security vulnerability in Microsoft Operating Systems Jul 17 2003 09:04PM
Todd Sabin (tsabin razor bindview com) (1 replies)
Re: [LSD] Critical security vulnerability in Microsoft Operating Systems Jul 22 2003 08:15PM
Last Stage of Delirium (contact lsd-pl net)

Hello,

We confirm the existance of the following RPC attack vectors pointed out
by Todd Sabin with regard to the vulnerability described in MS03-026.
These are respectively:

- ncacn_np:\pipe\epmapper
- ncadg_ip_udp:135
- ncacn_ip_tcp:135
- ncacn_http:593

This means that at least:
- UDP port 135,
- TCP ports 135, 139, 445 and 593 can be used as remote attack vectors.

The possibility of using ncacn_http (and TCP port 80) for the purpose
of launching a remote attack depends on whether COM Internet Services
are enabled for DCOM on a Windows Server running IIS (as far as we know
they are not enabled by default).

Best Regards,
Members of LSD Research Group
http://lsd-pl.net

On Thu, 17 Jul 2003, Todd Sabin wrote:

>
> I think it's worth mentioning that Microsoft's advisory on this issue
> is incorrect in stating that the only attack vector is port 135. The
> vulnerability lies in one of the RPC interfaces that the endpoint
> mapper/RPCSS services. As such, it is accessible over any RPC
> protocol sequence that the endpoint mapper listens on. That includes:
>
> o ncacn_ip_tcp : TCP port 135
> o ncadg_ip_udp : UDP port 135
> o ncacn_np : \pipe\epmapper, normally accessible via SMB null
> session on TCP ports 139 and 445
> o ncacn_http : if active, listening on TCP port 593.
>
> Finally, if ncacn_http is active, and COM Internet Services is
> installed and enabled, which is NOT the default in any configuration
> I'm aware of, then you can also talk to the endpoint mapper over port
> 80. Just to be clear, I think this is a very uncommon scenario, but
> the possibility does exist.
>
> So if you want to be completely safe, block UDP 135, TCP 135, 139, 445,
> and 593. And make sure you don't have COM Internet Services running.
>
> --
> Todd Sabin <tsabin (at) optonline (dot) net [email concealed]>
> BindView RAZOR Team <tsabin (at) razor.bindview (dot) com [email concealed]>
>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus