Remote MS03-026 vulnerability detection

[Abe <abe () itsec-ss nl>]

Hi,

Lately, I've been trying to find a way to detect whether a host is
vulnerable to the MS RPC issue fixed by MS03-026. This detection should
be possible remotely, without registry access and without disrupting
services.

I have discovered that, when multiple "RemoteActivation Requests" are
send to the target system, the delays between the requests and the
replies vary. After running multiple tests, I have found that, on
patched W2k systems, there is a very distinct pattern in the delays
between a RemoteActivation request and reply. Example:

Delay 1: 0.002550 seconds
Delay 2: 0.000305
Delay 3: 0.002438
Delay 4: 0.000301
Delay 5: 0.002458
Delay 6: 0.000307

On an unpatched system, the pattern is much more irregular:

Delay 1: 0.002298 seconds
Delay 2: 0.000687
Delay 3: 0.002254
Delay 4: 0.002833
Delay 5: 0.005187
Delay 6: 0.000663

Has anyone else found this? Could this be used as a way to detect
whether a system is patched or not? Does anyone know of another way to
detect this?

Regards,

Abe

ITsec Security Services