Full Disclosure mailing list archives
Re: RE: DCOM RPC exploit
From: Ron DuFresne <dufresne () winternet com>
Date: Sun, 27 Jul 2003 04:10:07 -0500 (CDT)
On Sun, 27 Jul 2003 Valdis.Kletnieks () vt edu wrote:
On Sat, 26 Jul 2003 23:49:05 PDT, "Steve W. Manzuik" said:A worm exploiting this might happen, but is it really that big of a deal?Compare the number of boxes that have the bug Slapper exploited with the number of boxes that have DCOM open to the world.... When I hear that a worm's finally been spotted, I'm yanking my laptop off the net and going home - and it's a Linux box. I'm just expecting to not get any useful connectivity for a while. And of course, anybody who's got half a clue and writes a worm is going to have it drop off a trojan/backdoor... And then those boxes get used as spam relays, front-end boxes for porn websites, keyboard sniffers, etc etc. Gonna take a LONG time to clean that mess up. Hell, we're *still* seeing Code Red traffic. And what we've *NOT* seen in the last 2 years is a CERT advisory of this magnitude against a Microsoft product that didn't spawn a "Holy Shit" scale worm.
[SNIP] Yet, this only further shows that much more risk mitigation up front is in what's allowed to pass to and from the network, not to mention better install//config defaults, which should be the basis for machines added to the network. Patching, at least getting the mass majority patched, long after an event, even trying to clue the admins and upstream providers is ineffective, at least at the rate that patches and updates and the great numbers of application/addon/trinket replaces known bad code *after* the m$ ladened admins have to maintain... The whole concept of rpc has been an issue across platforms in the various degrees of implimentation, either uninstalling or filtering traffic to dangerous protocols like this. we block the 111 and associated ports by default, why would not 135 be in the mix? This is not the first RPC nor DCOM issue in the not to distant past in this OS, there is a history that should guide one dealing with perimiters as well as admin, install, etc if security is part of the company culture/environment/policy. Thanks, Ron DuFresne ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: DCOM RPC exploit Steve W. Manzuik (Jul 26)
- Re: RE: DCOM RPC exploit Valdis . Kletnieks (Jul 27)
- Re: RE: DCOM RPC exploit Ron DuFresne (Jul 27)
- RE: RE: DCOM RPC exploit Steve W. Manzuik (Jul 27)
- RE: RE: DCOM RPC exploit Paul Schmehl (Jul 27)
- RE: RE: DCOM RPC exploit Steve W. Manzuik (Jul 27)
- RE: RE: DCOM RPC exploit Nick FitzGerald (Jul 27)
- Re: RE: DCOM RPC exploit Valdis . Kletnieks (Jul 27)