Full Disclosure mailing list archives

RE: MS03-039 has been released - critical


From: "Steven M. Christey" <coley () mitre org>
Date: Wed, 10 Sep 2003 20:11:05 -0400 (EDT)


> According to ISS, http://xforce.iss.net/xforce/alerts/id/152, they
> claim that functional exploit code is already in use on the Internet.

I don't think the advisory claims that.  The "functional exploit code"
they describe is for the null-pointer Denial of Service vulnerability
that was reported by Xfocus in July, which does appear to be in active
use (the CVE ID is CAN-2003-0605).

That null-pointer bug was not fixed by the "old" Microsoft bulletin
(MS03-026), but it is fixed in the new bulletin (MS03-039).

The ISS advisory only says that there is "significant potential" for a
worm that takes advantage of the new vulnerabilities.

> Anyone know of a 'sploit for this one yet?  Or even proof of concept
> code?

Note: there are 2 distinct overflows, as reported by Microsoft.

A Nessus plugin has been developed for one of the new overflows, as
posted to this list.

Whether it is the same overflow as the one described by eEye, I'm not
sure (someone who knows DCOM at the packet level might be able to
tell, though).

Whether the overflow found by NSFOCUS is the same as the overflow
found by eEye, I'm not sure (NSFOCUS has not published their advisory
yet, and the Microsoft bulletin is unclear as to which researchers
found which overflows).

- Steve

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html