Re: nessus scan - epmap (135/tcp)

[m sesser <security () sesser eu>]

hi,

thanks for all answers!

you're right - nessus is a bit outdated
but it's the standard package in my ubuntu repository

a small google research leads to the following nessus options:
uncheck: "optimize the test" and "Safe checks"
but my systems are still vulnerable on epmap (135/tcp)

i tested with metasploit: my systems are not vulnerable according to it.
for proof, i also tested a unpatched w2k sp4 server system in a vm.
--> exploit success

what about other (open source) security/vulnerability scanners?
openvas?

wmic is not available on w2k
can i simply copy the file(s) from a w2k3 system?

rgds,
markus


m sesser schrieb:
> hi list,
>
> some nessus scans have the following result:
>
> Vulnerability found on port epmap (135/tcp)
>  The remote host is running a version of Windows which has a flaw in
>  its RPC interface which may allow an attacker to execute arbitrary code
>  and gain SYSTEM privileges. There is at least one Worm which is
>  currently exploiting this vulnerability. Namely, the MsBlaster worm.
>
>  Solution: see 
> http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
>       Risk factor : High
>       CVE : CAN-2003-0352
>       BID : 8205
>       Other references : IAVA:2003-A-0011
>       Nessus ID : 11808
>
>
>
> the microsoft link leads to a scanner which should show, if a system is 
> patched or not:
> http://support.microsoft.com/kb/827363/EN-US/
>
> --> result: system is patched
>
> C:KB824146Scan.exe <hostname>
> Microsoft (R) KB824146 Scanner Version 1.00.0257 for 80x86
> Copyright (c) Microsoft Corporation 2003. All rights reserved.
> <+> Starting scan (timeout = 5000 ms)
> Checking hostname
> hostname: patched with both KB824146 (MS03-039) and KB823980 (MS03-0
> <-> Scan completed
> Statistics:
>   Patched with both KB824146 (MS03-039) and KB823980 (MS03-026) .... 1
>   Patched with only KB823980 (MS03-026) ............................ 0
>   Unpatched ........................................................ 0
>   TOTAL HOSTS SCANNED .............................................. 1
>
>   DCOM Disabled .................................................... 0
>   Needs Investigation .............................................. 0
>   Connection refused ............................................... 0
>   Host unreachable ................................................. 0
>   Other Errors ..................................................... 0
>   TOTAL HOSTS SKIPPED .............................................. 0
>   TOTAL ADDRESSES SCANNED .......................................... 1
>
>
> which tool is right?
> is there a 3rd-party tool to test?
> is nessus (2.2.9 ubuntu) state of the art?
>
> thanks,
> markus

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------