Vulnwatch mailing list archives

Re: [LSD] Critical security vulnerability in Microsoft Operating Systems


From: Last Stage of Delirium <contact () lsd-pl net>
Date: Tue, 22 Jul 2003 13:15:12 -0700


Hello,

We confirm the existence of the following RPC attack vectors pointed out
by Todd Sabin with regard to the vulnerability described in MS03-026.
These are respectively:

- ncacn_np:\pipe\epmapper
- ncadg_ip_udp:135
- ncacn_ip_tcp:135
- ncacn_http:593

This means that at least:
- UDP port 135,
- TCP ports 135, 139, 445 and 593 can be used as remote attack vectors.

The possibility of using ncacn_http (and TCP port 80) for the purpose
of launching a remote attack depends on whether COM Internet Services
are enabled for DCOM on a Windows Server running IIS (as far as we know
they are not enabled by default).

Best Regards,
Members of LSD Research Group
http://lsd-pl.net


On Thu, 17 Jul 2003, Todd Sabin wrote:


I think it's worth mentioning that Microsoft's advisory on this issue
is incorrect in stating that the only attack vector is port 135.  The
vulnerability lies in one of the RPC interfaces that the endpoint
mapper/RPCSS services.  As such, it is accessible over any RPC
protocol sequence that the endpoint mapper listens on.  That includes:

o ncacn_ip_tcp :  TCP port 135
o ncadg_ip_udp :  UDP port 135
o ncacn_np     :  \pipe\epmapper, normally accessible via SMB null
                  session on TCP ports 139 and 445
o ncacn_http   : if active, listening on TCP port 593.

Finally, if ncacn_http is active, and COM Internet Services is
installed and enabled, which is NOT the default in any configuration
I'm aware of, then you can also talk to the endpoint mapper over port
80.  Just to be clear, I think this is a very uncommon scenario, but
the possibility does exist.

So if you want to be completely safe, block UDP 135, TCP 135, 139, 445,
and 593.  And make sure you don't have COM Internet Services running.

--
Todd Sabin                                          <tsabin () optonline net>
BindView RAZOR Team                            <tsabin () razor bindview com>
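As an added example (not part of either message in this thread), a small Python audit that parses a Windows `netstat -an` snapshot and reports which of the endpoint-mapper transports listed above are still reachable on a host, i.e. which of the ports the thread says to block are in fact listening on a non-loopback address. Whether COM Internet Services is enabled cannot be seen from sockets, so TCP 80 is only flagged as a possibility when TCP 593 is also open; the `netstat` sample is constructed.

```python
import re

# Endpoint-mapper transports named in the thread (MS03-026), keyed by (proto, port).
RPC_VECTORS = {
    ("TCP", 135): "ncacn_ip_tcp",
    ("UDP", 135): "ncadg_ip_udp",
    ("TCP", 139): "ncacn_np (\\pipe\\epmapper over SMB, NetBIOS session)",
    ("TCP", 445): "ncacn_np (\\pipe\\epmapper over SMB, direct host)",
    ("TCP", 593): "ncacn_http",
}

# Matches one line of Windows `netstat -an`: Proto, Local Address, Foreign Address[, State]
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?", re.I)

# Constructed sample snapshot, not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:139          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:3389       192.168.1.9:1044       ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""

def parse_listeners(netstat_text):
    """Return the set of (proto, port) sockets reachable from the network."""
    listeners = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unparseable line
        proto, addr, port, state = m.group(1).upper(), m.group(2), int(m.group(3)), m.group(4)
        if proto == "TCP" and (state or "").upper() != "LISTENING":
            continue  # established/closing TCP sockets are not listeners
        if addr in ("127.0.0.1", "[::1]"):
            continue  # bound to loopback only, not a remote vector
        listeners.add((proto, port))
    return listeners

def exposed_vectors(listeners):
    """Map each open vector to its RPC protocol sequence; port 80 only as a 'possible' hit."""
    found = {k: v for k, v in RPC_VECTORS.items() if k in listeners}
    if ("TCP", 593) in listeners and ("TCP", 80) in listeners:
        found[("TCP", 80)] = "ncacn_http via IIS: only if COM Internet Services is enabled, verify"
    return found

if __name__ == "__main__":
    for (proto, port), seq in sorted(exposed_vectors(parse_listeners(SAMPLE_NETSTAT)).items()):
        print(f"{proto} {port}: {seq}")
```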

