Penetration Testing mailing list archives

nessus scan - epmap (135/tcp)


From: christopher.riley () r-it at
Date: Fri, 19 Dec 2008 09:42:07 +0100

As somebody has already pointed out, the version of Nessus is a little 
outdated (and not from the newer 3.x branch). That said, you have to 
understand the way in which a vulnerability scanner works to truly 
appreciate the problem. Nessus (as well as other true vulnerability 
scanners) is prone to false positives due to the "passive" methods used 
to find vulnerable systems. I use the word passive here not to show that 
they don't send packets (although I think Tenable still offers their fully 
passive vuln scanner for this), but that they do not actively exploit the 
service. At least not if the vulnerability can be found through simple 
enumeration. Nessus will do just enough to enumerate the 
service/process/port in order to check for a known vulnerability. This is 
the main reason that vulnerability scanning and penetration testing are two 
separate things.

In this case, the vulnerable service needs patch number KB823980 (and 
possibly KB824146) installed. The best surefire way to check is a local 
tool that you can run on the (possibly) vulnerable box to check that the 
patch is listed as installed. 

You can use WMIC to output a full list:

    wmic qfe list full /format:htable > output.html

or you can search through for one specific patch using:

    wmic qfe list full | findstr "823980"

Chris John Riley
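As an added illustration of the host-side check described above (this is not code from the thread or from either poster), the following PowerShell function queries the same WMI class that wmic qfe reads (Win32_QuickFixEngineering, via Get-HotFix) for the KB numbers named in the thread and returns a single result object per host. The function name, parameter names and the 'hostname' placeholder are my own; the KB numbers and their bulletin mapping (KB823980 = MS03-026, KB824146 = MS03-039) are taken from the thread.

```powershell
# Added example, not part of the original thread: confirm from the host side
# whether the fixes that Nessus plugin 11808 is complaining about are actually
# installed. Function and parameter names are assumptions for this example.
function Test-RpcDcomPatchState {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # KB823980 = MS03-026, KB824146 = MS03-039 (as named in the thread)
        [string[]]$RequiredKB = @('KB823980', 'KB824146')
    )

    # Enumerate installed hotfixes through Win32_QuickFixEngineering, the same
    # source "wmic qfe list" uses. A failed query is reported as its own status
    # so that "no data returned" is never read as "unpatched".
    try {
        $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
            Select-Object -ExpandProperty HotFixID
    } catch {
        return [pscustomobject]@{
            ComputerName = $ComputerName
            Status       = 'QueryFailed'
            Error        = $_.Exception.Message
        }
    }

    # Record OS version and service pack level alongside the KB check: a fix
    # that was rolled into a later service pack has no separate QFE entry.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName

    $present = @($RequiredKB | Where-Object { $installed -contains $_ })
    $missing = @($RequiredKB | Where-Object { $installed -notcontains $_ })

    [pscustomobject]@{
        ComputerName = $ComputerName
        OSVersion    = $os.Version
        ServicePack  = $os.CSDVersion
        Present      = $present
        Missing      = $missing
        Status       = if ($missing.Count -eq 0) { 'Patched' } else { 'MissingKB' }
    }
}

# Usage: run against the host the scanner flagged and compare with the finding.
# 'hostname' is a placeholder for the machine named in the Nessus report.
Test-RpcDcomPatchState -ComputerName 'hostname' | Format-List
```

Read the ServicePack field before treating a MissingKB result as a confirmed finding: QFE only lists hotfixes that were installed as separate KBs, so a host whose service pack already contains the fix will show no KB entry and still be patched. Conversely, a QueryFailed result (access denied, RPC unreachable) tells you nothing about patch state and should send you back to the box with local credentials rather than being scored either way.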

listbounce () securityfocus com@inet wrote on 18.12.2008 21:06:30:

hi list,

some nessus scans have the following result:

Vulnerability found on port epmap (135/tcp)
  The remote host is running a version of Windows which has a flaw in
  its RPC interface which may allow an attacker to execute arbitrary code
  and gain SYSTEM privileges. There is at least one Worm which is
  currently exploiting this vulnerability. Namely, the MsBlaster worm.

  Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
       Risk factor : High
       CVE : CAN-2003-0352
       BID : 8205
       Other references : IAVA:2003-A-0011
       Nessus ID : 11808



The Microsoft link leads to a scanner which should show whether a system is 
patched or not:
http://support.microsoft.com/kb/827363/EN-US/

--> result: system is patched

C:KB824146Scan.exe <hostname>
Microsoft (R) KB824146 Scanner Version 1.00.0257 for 80x86
Copyright (c) Microsoft Corporation 2003. All rights reserved.
<+> Starting scan (timeout = 5000 ms)
Checking hostname
hostname: patched with both KB824146 (MS03-039) and KB823980 (MS03-0
<-> Scan completed
Statistics:
   Patched with both KB824146 (MS03-039) and KB823980 (MS03-026) .... 1
   Patched with only KB823980 (MS03-026) ............................ 0
   Unpatched ........................................................ 0
   TOTAL HOSTS SCANNED .............................................. 1

   DCOM Disabled .................................................... 0
   Needs Investigation .............................................. 0
   Connection refused ............................................... 0
   Host unreachable ................................................. 0
   Other Errors ..................................................... 0
   TOTAL HOSTS SKIPPED .............................................. 0
   TOTAL ADDRESSES SCANNED .......................................... 1


which tool is right?
is there a 3rd-party tool to test?
is nessus (2.2.9 ubuntu) state of the art?

thanks,
markus

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------



----------------------------------------
Raiffeisen Informatik GmbH, Firmenbuchnr. 88239p, Handelsgericht Wien, DVR 0486809, UID ATU 16351908

Correspondence with the above mentioned sender via e-mail is only for information purposes. This medium may not be used for 
the exchange of legally binding communications.
----------------------------------------



