Full Disclosure mailing list archives
RE: DCOM RPC exploit (dcom.c)
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Mon, 28 Jul 2003 11:12:27 -0500
-----Original Message-----
From: Ron DuFresne [mailto:dufresne () winternet com]
Sent: Monday, July 28, 2003 10:46 AM
To: Schmehl, Paul L
Cc: Robert Wesley McGrew; full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] DCOM RPC exploit (dcom.c)

And those sites during Slammer that blocked 1434, as was advised when the patch was made available, though it was advised even long before that, were largely unaffected. Sites that are properly blocking 135 and its protocols will most likely be unaffected by any new worm wishing to exploit this repeat problem with DCOM/RPC.
This is simply and plainly false. I don't know why people can't seem to grasp this. I know of several major corporations who not only had 1434/UDP blocked at the firewall but also on a number of internal routers *and* had aggressive patching programs, and they *still* suffered from Slammer. All it takes is *one* infected box *inside* the network to negate all the hard work you've done trying to keep the worm out.

When you have 150,000 machines worldwide, having 1% of those unpatched (which is a 99% *success* rate) means you have 1500! vulnerable machines. Most situations that I'm familiar with were in the tens - not even the hundreds - but it only took 10 or 15 machines to take down the entire network due to the nature of that worm. 10 or 15 boxes represents 1/100th of a percent of the total, yet that small number could completely destabilize a network and cause untold hours of work for the admins and networking staff.

Now anybody who wants to tell me that a 0.01% failure rate in a patching program proves the admins are incompetent is simply ignorant of the issues. I guess it's just impossible for people who don't actually run a large network to grasp the nature of the issues. You build your little home network, you put up a FreeBSD box as a NAT/Router/Firewall, and you think you understand networking in a large enterprise? You haven't a clue.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
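The disagreement between the two posts above comes down to where a worm enters and what it can reach once inside. The following model is an added illustration and is not code from either poster: it builds a constructed network of hosts split into segments with a given patch rate, and compares three cases the thread discusses: a worm arriving from outside against a perimeter that filters the vulnerable port, a worm introduced by one unpatched host already inside a flat network, and the same internal seed when the port is also filtered between internal segments. Host counts, the patch rate, the segment count and the random seed are all assumptions chosen for the example.

```python
"""Worm-propagation model (added example, not from the list posts).

All numbers are constructed assumptions. The model is deliberately
worst-case: an infected host eventually reaches every unpatched host
it is allowed to talk to, which is how Slammer-class worms behaved.
"""
import random
from dataclasses import dataclass


@dataclass
class Host:
    segment: int      # which internal segment (router boundary) the host sits on
    patched: bool     # True if the host is not vulnerable
    infected: bool = False


def build_network(n_hosts, n_segments, patch_rate, seed=1):
    """Constructed network: hosts dealt round-robin into segments,
    each patched with probability patch_rate (fixed seed = repeatable)."""
    rng = random.Random(seed)
    return [Host(i % n_segments, rng.random() < patch_rate) for i in range(n_hosts)]


def unpatched(hosts, segment=None):
    """Vulnerable hosts, optionally restricted to one segment."""
    return [h for h in hosts if not h.patched and (segment is None or h.segment == segment)]


def first_unpatched_index(hosts):
    """Index of the first vulnerable host, or None if everything is patched."""
    return next((i for i, h in enumerate(hosts) if not h.patched), None)


def spread(hosts, seed_index, internal_filter=False):
    """Infect hosts[seed_index] and propagate to every reachable unpatched host.

    internal_filter=True models the vulnerable port being blocked on the
    routers between segments, so infection cannot cross a segment boundary.
    Returns the total number of infected hosts.
    """
    if seed_index is None:
        return 0
    hosts[seed_index].infected = True
    queue = [hosts[seed_index]]
    targets = unpatched(hosts)  # patched hosts are never infected, so only scan these
    while queue:
        src = queue.pop()
        for dst in targets:
            if dst.infected:
                continue
            if internal_filter and dst.segment != src.segment:
                continue  # blocked at the internal router
            dst.infected = True
            queue.append(dst)
    return sum(h.infected for h in hosts)


def external_entry(hosts, perimeter_filter):
    """Worm arriving from the Internet. If the perimeter filters the port it
    never gets in; otherwise it lands on the first vulnerable host and spreads."""
    if perimeter_filter:
        return 0
    return spread(hosts, first_unpatched_index(hosts))


def internal_entry(hosts, internal_filter=False):
    """Worm introduced inside the perimeter (one infected box on the LAN).
    The perimeter filter plays no part; only internal filtering and patching do."""
    return spread(hosts, first_unpatched_index(hosts), internal_filter)


if __name__ == "__main__":
    N, SEGMENTS, RATE = 2000, 10, 0.99   # constructed: 2000 hosts, 10 segments, 99% patched
    print("vulnerable hosts:", len(unpatched(build_network(N, SEGMENTS, RATE))), "of", N)
    print("external worm, perimeter filters port:", external_entry(build_network(N, SEGMENTS, RATE), True))
    print("external worm, no perimeter filter:   ", external_entry(build_network(N, SEGMENTS, RATE), False))
    print("one internal seed, flat network:      ", internal_entry(build_network(N, SEGMENTS, RATE)))
    print("one internal seed, segment filtering: ", internal_entry(build_network(N, SEGMENTS, RATE), True))
```

With a 99% patch rate the flat-network internal case infects every one of the remaining vulnerable hosts no matter what the perimeter blocks, which is the point of the second post; filtering the port on internal routers, which the first post lists alongside the perimeter block, confines the outbreak to the segment the seed sits on. The model ignores timing and bandwidth, so it says nothing about how long the spread takes, only about where it can reach.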
Current thread:
- Re: Re: DCOM RPC exploit (dcom.c), (continued)
- Re: Re: DCOM RPC exploit (dcom.c) Jennifer Bradley (Jul 27)
- Re: DCOM RPC exploit (dcom.c) dhtml (Jul 27)
- Re: DCOM RPC exploit (dcom.c) dhtml (Jul 27)
- Re: DCOM RPC exploit (dcom.c) CHeeKY (Jul 27)
- RE: DCOM RPC exploit (dcom.c) Schmehl, Paul L (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Ron DuFresne (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Robert Wesley McGrew (Jul 28)
- RE: DCOM RPC exploit (dcom.c) gml (Jul 28)
- Re: DCOM RPC exploit (dcom.c) Valdis . Kletnieks (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Marc Maiffret (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Schmehl, Paul L (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Ron DuFresne (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Admin GSecur (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Nick FitzGerald (Jul 28)
- RE: DCOM RPC exploit (dcom.c) Thiago Campos (Jul 28)
- RE: DCOM RPC exploit (dcom.c) John . Airey (Jul 29)
- RE: DCOM RPC exploit (dcom.c) Nick FitzGerald (Jul 29)
- RE: DCOM RPC exploit (dcom.c) Schmehl, Paul L (Jul 29)
- Re: DCOM RPC exploit (dcom.c) Robert Banniza (Jul 29)
- Re: DCOM RPC exploit (dcom.c) Preston Newton (Jul 30)
- RE: DCOM RPC exploit (dcom.c) Ron DuFresne (Jul 29)
- Re: DCOM RPC exploit (dcom.c) Robert Banniza (Jul 29)
(Thread continues...)