Full Disclosure mailing list archives
Re: DCOM Exploit MS03-026 attack vectors
From: "Jeremiah Cornelius" <jeremiah () nur net>
Date: Fri, 1 Aug 2003 12:02:48 -0700
<snip>
Because 9 times out of 10 port 135 is blocked by some sort of firewall, whilst port 80 is not blocked on a web server.
Not telecommuters on dial-up IP's and Blue-Toothed into the net thru their Ericsson phones, and surfing from the airport and WIFI cafes of the world.
</snip>

Bluetooth phones as modems!

I have been calling on this issue for some time, and generally received a dismissive response from System Administrators and IT management. No one wants the work load or responsibility this entails. I suppose that if you don't acknowledge the problem's existence, you can't be faulted for lack of due care! If they keep their heads in the sand long enough, somebody is going to find out what Ostrich meat tastes like...

As this technology becomes more prevalent over the next 2 years or so, you can kiss your idea of perimeter goodbye. A better argument for 'defence in depth' and 'crunchy centers' could not be made. All hosts should be handled as if they were accessible from untrusted segments - they soon will be, if they are not already.

This is just the technology we already have on hand. Remote, mobile, FAST communications technologies are springing up like weeds.

Bluetooth scanning is inherently more problematic than looking for a rogue WiFi AP. The technology is mobile, VERY short range/low power, and has legitimate business use on multi-function devices. You can't expect to wrap your building in a Faraday cage - there is no way to gatekeep this. It will have to be a condition we adapt ourselves to deal with.

Begin with hardened hosts. Even marketroid laptops. Ultimately, something like mutual host authentication/authorization is going to be needed everywhere on the inside - but it's obviously not a cure-all. If my laptop is a router for my phone, which is a router for kiddeez... Kiddee is authed to my server.

It's gonna' be a fun ride, and the best is yet to come!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html