Full Disclosure mailing list archives

RE: RE: DCOM RPC exploit


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 28 Jul 2003 17:16:55 +1200

"Steve W. Manzuik" <steve () entrenchtech com> wrote:

<<snip>>
I understand that admins are busy people -- I used to be one.  But in
reality are there that many boxes still out there with the ports required
for exploitation open?  Again, I should probably put my beer down (but it's
almost Vegas week) and do some actual research.  I am fully aware that you
can exploit this over IIS if it is enabled.

Nothing to do with IIS (which will almost certainly be ignored as an 
attack vector should this DCOM RPC thing ever be used in a worm).  
Think "XP Home", think Win2K or XP Pro in SOHO settings (1-5 ?? 
machines on a LAN with Internet sharing over a DSL or cable 
connection).

Now imagine Paul's perspective -- he faces much that scenario 
"internally".  That is, he can (I think, more or less) block anything 
coming or going at the border that looks like it might be exploiting 
the RPC bug but neither he nor his department have any "authority" over 
several thousands (?) of student-owned and run machines inside "his" 
LAN or several dozen to several hundred (?) staff machines where the 
"owning" department or even just the user has elected to manage the 
machine themselves (which usually means exactly the opposite -- that 
they have chosen to not allow the machine to be sensibly managed at 
all).  In a corporate environment, such a setup is all but 
unimaginable, but in the "we invented the Internet and were using it 
for years before you lot came along" arena of (especially US) academia, 
this is pretty much the expected (I hesitate to say "desired") 
configuration.  Many large universities have only recently been able to 
implement _any_ kind of packet filtering, monitoring or firewalling 
because of its perceived threat to free speech and academic freedom (and 
there may still be several very large university sites where the IT 
staff have not been able to get over, around, under or through that 
hurdle, yet have a mass of un-managed machines connected to their 
largely wide-open "LAN").


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
