Full Disclosure mailing list archives
Re: Authorities eye MSBlaster suspect
From: Jeremiah Cornelius <jeremiah () nur net>
Date: Fri, 29 Aug 2003 09:42:32 -0700
morning_wood wrote:
> It seems to me that it is each admin's responsibility, if they were affected (infected), not the coder. If this were the case the LastStage(of)Delirium would be the blamed party for developing and releasing the exploit, but alas.. they are not of USA origin.

LSD presumably developed an exploit internally - they never released anything but a high-level white paper on the vulnerability, concurrent with the MS KB and patch.

It was the Chinese group that released the first exploit, followed by an improved version in precompiled form from various sources. - Donnie, you were one of the first posters of the .exe to this list, I think!
A pretty complete timeline of the public life of this vulnerability until the first worm:
2003 Evolution of DCOM-RPC Exploit

For 16 days before the MSBlaster worm made its debut, semi-skilled attackers were already able to use this vulnerability at will.

Timeline:

July 16
Microsoft Security Bulletin MS03-026. MS announces the bulletin and availability of patches for the vulnerability discovered by LSD, a security research group in Poland.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
LSD makes a public announcement of the vulnerability, after withholding disclosure on agreement with Microsoft. The group withholds their exploit code, due to the serious implications of this as an exploit. A whitepaper on the vulnerability is publicly released this day.
http://lsd-pl.net/special.html
Announcement of the DCOM-RPC vulnerability is widely distributed in the security and blackhat communities, including the Full-Disclosure mailing list.

July 17
Official CERT advisory CA-2003-16 is published, formalizing the issue as CERT VU#568148.
http://www.cert.org/advisories/CA-2003-16.html
The Mitre Corp CVE is updated to include this vulnerability as CVE candidate CAN-2003-0352.
Network Associates makes their first published bulletin on DCOM-RPC.
http://vil.nai.com/vil/content/v_100499.htm
Symantec provides an advisory.
http://www.symantec.co.uk/avcenter/security/Content/8205.html

July 18 - 24
Discussion of possible methods for exploiting the DCOM-RPC vulnerability circulates on numerous public discussion boards and mailing lists. Initial non-functional proof-of-concept code appears by various authors on the Full Disclosure mailing list.

July 21
Early, working exploits are publicly leaked by various parties, and circulate on mailing lists.
http://lists.netsys.com/pipermail/full-disclosure/2003-July/006851.html

July 25
A working exploit for DCOM-RPC is published for general availability by Xfocus Team, a "grayhat" research group in the People's Republic of China. Analysis of the exploit with working code is published on their site.
http://www.cert.org/advisories/CA-2003-16.html
The Xfocus exploit is refined by HD Moore of the Metasploit Project as dcom.c. This is the first exploit to give an attacker a working, remote command shell with escalated privileges against multiple versions of Windows. Code is published.
http://www.metasploit.com/tools/dcom.c
http://news.com.com/2100-1002_3-5055759.html?tag=fd_top
http://lists.netsys.com/pipermail/full-disclosure/2003-July/007092.html

July 26
Compiled, 'ready to run' versions of the Metasploit dcom.c code are made available on the Internet.
http://lists.netsys.com/pipermail/full-disclosure/2003-July/007103.html
http://illmob.org/rpc/

July 31
Stanford University has several networks penetrated by hostile attackers, probably making use of the Metasploit version of this exploit. Approximately 2000 individual computers were compromised.
http://securecomputing.stanford.edu/alerts/windows-rpc-update-5aug2003.html
Concurrent attacks, of similar severity and breadth, are announced by MIT and UC Berkeley. CERT adds an advisory based on exploit and denial-of-service activity.
http://www.cert.org/advisories/CA-2003-19.html

August 11
MSBlaster (W32/Lovesan.worm) makes its first public appearance, adding unaided, self-replicating exploitation of vulnerable hosts.
http://www.trusecure.com/knowledge/hypeorhot/2003/tsa03011.shtml
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
http://vil.nai.com/vil/content/v_100547.htm

--
Jeremiah Cornelius, CISSP, CCNA, MCSE
farm9.com Security
"Administration for Windows networks is similar to maintaining a 12-year old GM Truck. Brand new, W2K+3 already has 190K miles of wear."
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html