Full Disclosure mailing list archives

Re: DCOM RPC exploit (dcom.c)


From: Jason <security () brvenik com>
Date: Sun, 27 Jul 2003 00:22:28 -0400

The war begins...

I'm not going to debate the release of code with anyone. Simply put, best practices should have mitigated this in a huge way from the beginning. All of the remaining threat should have been tested and patched by now.

Now to the points you make.

Chris Paget wrote:
Len,

IMHO there's a difference between "security through obscurity" and posting
working exploit code.  Knowing that there is a vulnerability in DCOM, accessible
over a range of RPC mechanisms (primarily 135/tcp) is all that most
administrators need to know.  It's one thing knowing that you can kill a person
with a gun, and it's another to give away firearms.

RPC services have been a risk forever. Knowing that the majority of clients do not use DCOM, an RPC service, is all that the administrators needed to know. Do you build a *nix system and leave all (any) RPC services enabled?

** DCOM should have been disabled for 99% of the systems they have. **


Scanners are good; I agree they give out more information than an advisory, but
it's still a step away from giving the kiddies a tool.  Those in the know will
always be able to write an exploit from minimal details; whether or not the
pre-pubescent h4xx0rs get hold of it is another matter though.

I would rather have a pre-pubescent cracker knocking on the door with a published sploit that I was forced to patch against any day when compared to the 1337 h4x0r w17h 4 g04l and the funding to achieve it.

Ohhh, now we are going to complain about having to put in all those extra hours and spend all that overtime money. Umm, be happy you still have a job.

** Far too many people wait to patch until there is "published" exploit code. **


Different people will have differing opinions on how much information and what
kind of disclosure policy is acceptable; for me, working exploit code so soon
after the advisory is just irresponsible.

Jihad, count me out.


As for the <2 week "grace period", it's not enough.  What if the patch is
broken in some way?  It was rushed out the door by Microsoft; how many admins
wait a month before applying a patch, just to see if anyone else has problems
with it?  I've just finished an audit on a multinational manufacturing company;
the exploit code came out before they'd patched.  How many other companies are
in the same boat?

Sorry, no sympathy here.

** If you have assets worth protecting you hire people who are capable of protecting them. **

Here are some parting questions:

* How many of the systems in your typical multinational organization require the use of DCOM? ( slim to none? )

* How many of the systems that require DCOM need RPC exposed to everyone? ( slim to none? )

* How many of the systems exposed to everyone have weak administrative passwords? ( nearly all? )

* How many of the systems vulnerable internally would have been protected by an IPS if it had a way of protecting? ( slim to none? )

* How many of the systems vulnerable internally are protected with an IDS? ( slim to none? )

* How many of the systems vulnerable from the internet are implemented and administered by an MCSE or equivalent? ( nearly all? )


I agree, exploit code may force people to patch, but that's not sufficient
justification in my book.

Chris


And some random thoughts.

* I am still a firm believer in the ability of the human race to learn by making mistakes. ( it can be fun )

* I do not believe that those mistakes need not remove you from the human race. ( it should be fun if it does )

* I like beer! 1 l0v3 s3x!

* These are my opinions and not those of my employer.

* It is like shock and awe all over again... ONLY IT IS BETTER AND JUSTIFIED!!!

* I have a clue stick, need a whack?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
