Re: nessus scan - epmap (135/tcp)

["Chris Griffin" <chris () logossecurity com>]

What i recommend doing is looking into that nessus plugin and reviewing the code
for what exactly its looking at.

It could be seeing a reg entry, or a file version to base its claim on.
I had a similar problem in the past so I changed the plugin that gave
me so many problems to look
for something different based on my environment. I still got a few
false positives but
it did make life much easier.





On Thu, Dec 18, 2008 at 8:43 AM, m sesser <security () sesser eu> wrote:
> hi list,
>
> some nessus scans have the following result:
>
> Vulnerability found on port epmap (135/tcp)
>  The remote host is running a version of Windows which has a flaw in
>  its RPC interface which may allow an attacker to execute arbitrary code
>  and gain SYSTEM privileges. There is at least one Worm which is
>  currently exploiting this vulnerability. Namely, the MsBlaster worm.
>
>  Solution: see
> http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
>      Risk factor : High
>      CVE : CAN-2003-0352
>      BID : 8205
>      Other references : IAVA:2003-A-0011
>      Nessus ID : 11808
>
>
>
> the microsoft link leads to a scanner which should show, if a system is
> patched or not:
> http://support.microsoft.com/kb/827363/EN-US/
>
> --> result: system is patched
>
> C:KB824146Scan.exe <hostname>
> Microsoft (R) KB824146 Scanner Version 1.00.0257 for 80x86
> Copyright (c) Microsoft Corporation 2003. All rights reserved.
> <+> Starting scan (timeout = 5000 ms)
> Checking hostname
> hostname: patched with both KB824146 (MS03-039) and KB823980 (MS03-0
> <-> Scan completed
> Statistics:
>  Patched with both KB824146 (MS03-039) and KB823980 (MS03-026) .... 1
>  Patched with only KB823980 (MS03-026) ............................ 0
>  Unpatched ........................................................ 0
>  TOTAL HOSTS SCANNED .............................................. 1
>
>  DCOM Disabled .................................................... 0
>  Needs Investigation .............................................. 0
>  Connection refused ............................................... 0
>  Host unreachable ................................................. 0
>  Other Errors ..................................................... 0
>  TOTAL HOSTS SKIPPED .............................................. 0
>  TOTAL ADDRESSES SCANNED .......................................... 1
>
>
> which tool is right?
> is there a 3rd-party tool to test?
> is nessus (2.2.9 ubuntu) state of the art?
>
> thanks,
> markus
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Security Trends Report from Cenzic
> Stay Ahead of the Hacker Curve!
> Get the latest Q2 2008 Trends Report now
>
> www.cenzic.com/landing/trends-report
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------