[31299] in bugtraq


Remote MS03-026 vulnerability detection

daemon@ATHENA.MIT.EDU (Abe)
Thu Aug 21 11:49:42 2003

Message-ID: <3F44ADF3.D399D794@itsec-ss.nl>
Date: Thu, 21 Aug 2003 13:33:07 +0200
From: Abe <abe@itsec-ss.nl>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Lately, I've been trying to find a way to detect whether a host is
vulnerable to the MS RPC issue fixed by MS03-026. This detection should
be possible remotely, without registry access and without disrupting
services.

I have discovered that, when multiple "RemoteActivation Requests" are
sent to the target system, the delays between the requests and the
replies vary. After running multiple tests, I have found that, on
patched W2k systems, there is a very distinct pattern in the delays
between a RemoteActivation request and reply. Example:

Delay 1: 0.002550 seconds
Delay 2: 0.000305
Delay 3: 0.002438
Delay 4: 0.000301
Delay 5: 0.002458
Delay 6: 0.000307

On an unpatched system, the pattern is much more irregular:

Delay 1: 0.002298 seconds
Delay 2: 0.000687
Delay 3: 0.002254
Delay 4: 0.002833
Delay 5: 0.005187
Delay 6: 0.000663

Has anyone else found this? Could this be used as a way to detect
whether a system is patched or not? Does anyone know of another way to
detect this?

Regards,

Abe

ITsec Security Services
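The post rests on a single observation: patched hosts answer with a tightly alternating high/low delay series, unpatched ones do not. Below is an added example, not code from the original post, that takes such a series of measured delays and scores how regular it is. It sends no RPC traffic at all; the two sample series are the figures quoted in the message, and the thresholds (`min_alternation`, `max_cv`) are assumptions chosen to separate those two samples, not values the post gives.

```python
"""Regularity scoring for request/reply delay series (added example).

Only the six-value samples from the post are analysed here; the
alternation and clustering thresholds are assumptions for illustration.
"""
from statistics import mean, pstdev

# Sample delay series copied from the post, in seconds.
PATCHED_SAMPLE = [0.002550, 0.000305, 0.002438, 0.000301, 0.002458, 0.000307]
UNPATCHED_SAMPLE = [0.002298, 0.000687, 0.002254, 0.002833, 0.005187, 0.000663]


def alternation_score(delays):
    """Fraction of consecutive steps that reverse direction.

    A perfectly alternating series (high, low, high, low, ...) scores 1.0;
    a monotone run scores 0.0.  Needs at least three samples.
    """
    if len(delays) < 3:
        return 0.0
    # +1 when the next delay is larger, -1 when it is smaller or equal.
    signs = [1 if b > a else -1 for a, b in zip(delays, delays[1:])]
    flips = sum(1 for s, t in zip(signs, signs[1:]) if s != t)
    return flips / (len(signs) - 1)


def split_consistency(delays):
    """Worst-case coefficient of variation of the even- and odd-indexed delays.

    If the series really alternates between two stable values, each
    sub-series is tightly clustered and this number is small.
    """
    def cv(xs):
        m = mean(xs)
        return pstdev(xs) / m if m else float("inf")

    return max(cv(delays[0::2]), cv(delays[1::2]))


def classify(delays, min_alternation=0.99, max_cv=0.25):
    """Label a delay series 'regular', 'irregular' or 'insufficient'.

    'regular' matches the patched-host pattern described in the post;
    'irregular' matches the unpatched-host example.  The thresholds are
    assumed values tuned to the post's two samples only.
    """
    if len(delays) < 4:
        return "insufficient"
    if (alternation_score(delays) >= min_alternation
            and split_consistency(delays) <= max_cv):
        return "regular"
    return "irregular"


if __name__ == "__main__":
    for name, series in (("patched sample", PATCHED_SAMPLE),
                         ("unpatched sample", UNPATCHED_SAMPLE)):
        print(f"{name}: alternation={alternation_score(series):.2f} "
              f"cv={split_consistency(series):.3f} -> {classify(series)}")
```

With six samples per host the scores are unstable: one jittery round trip on a congested link breaks the alternation and flips the label, so in practice this heuristic needs many more samples plus a baseline measured against a host of known patch state, and a confirmed patch level from an authoritative source (patch inventory or local file version) should override it.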

