[30836] in bugtraq
Re: [LSD] Critical security vulnerability in Microsoft Operating
daemon@ATHENA.MIT.EDU (Last Stage of Delirium)
Tue Jul 22 12:39:45 2003
Date: Tue, 22 Jul 2003 13:15:12 -0700
From: Last Stage of Delirium <contact@lsd-pl.net>
To: Todd Sabin <tsabin@razor.bindview.com>
In-Reply-To: <m3k7agsw47.fsf@jetcar.qnz.org>
Message-ID: <Pine.SGI.4.43.0307221311350.403459-100000@ix.put.poznan.pl>
Hello,
We confirm the existence of the following RPC attack vectors pointed out
by Todd Sabin with regard to the vulnerability described in MS03-026.
These are respectively:
- ncacn_np:\pipe\epmapper
- ncadg_ip_udp:135
- ncacn_ip_tcp:135
- ncacn_http:593
This means that at least:
- UDP port 135,
- TCP ports 135, 139, 445 and 593 can be used as remote attack vectors.
The possibility of using ncacn_http (and TCP port 80) for the purpose
of launching a remote attack depends on whether COM Internet Services
are enabled for DCOM on a Windows Server running IIS (as far as we know
they are not enabled by default).
Best Regards,
Members of LSD Research Group
http://lsd-pl.net
On Thu, 17 Jul 2003, Todd Sabin wrote:
>
> I think it's worth mentioning that Microsoft's advisory on this issue
> is incorrect in stating that the only attack vector is port 135. The
> vulnerability lies in one of the RPC interfaces that the endpoint
> mapper/RPCSS services. As such, it is accessible over any RPC
> protocol sequence that the endpoint mapper listens on. That includes:
>
> o ncacn_ip_tcp : TCP port 135
> o ncadg_ip_udp : UDP port 135
> o ncacn_np : \pipe\epmapper, normally accessible via SMB null
> session on TCP ports 139 and 445
> o ncacn_http : if active, listening on TCP port 593.
>
> Finally, if ncacn_http is active, and COM Internet Services is
> installed and enabled, which is NOT the default in any configuration
> I'm aware of, then you can also talk to the endpoint mapper over port
> 80. Just to be clear, I think this is a very uncommon scenario, but
> the possibility does exist.
>
> So if you want to be completely safe, block UDP 135, TCP 135, 139, 445,
> and 593. And make sure you don't have COM Internet Services running.
>
> --
> Todd Sabin <tsabin@optonline.net>
> BindView RAZOR Team <tsabin@razor.bindview.com>
>