Re: [Full-Disclosure] RE: BAD NEWS: Microsoft Security Bulletin MS03-032
I agree that a firewall is not the place to catch this. Any properly configured HIPS should be able to catch this or any other similarly configured exploit without any issues though. We have OKENA and a simple rule to prohibit (or prompt) program executions from within IE has stopped this (and dozens of other) exploits from working. FWIW, McAfee caught it as well, identifying it as Exploit-CodeBase but I'm sure this can be easily bypassed with little coding.

Thanks,
Dimitri

Nathan Wallwork <[EMAIL PROTECTED]>, sent by [EMAIL PROTECTED].netsys.com, 09/09/2003 04:17 PM
To: Drew Copley <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED], "'GreyMagic Software'" <[EMAIL PROTECTED]>, "'Bugtraq'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, "'NTBugtraq'" <[EMAIL PROTECTED]>, "'Microsoft Security Response Center'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: [Full-Disclosure] RE: BAD NEWS: Microsoft Security Bulletin MS03-032

> On Mon, 8 Sep 2003, Drew Copley wrote:
> > The only sure way to detect this, I already wrote about [to Bugtraq]. That
> > is by setting a firewall rule which blocks the dangerous mimetype string
> > [Content-Type: application/hta]. Everything else in the exploit can change.
>
> Just so we are clear, the firewall wouldn't be the right place to catch this because that string could be split by packet fragmentation, so you'd need to look for it at an application level, after the data stream has been reassembled. Of course, if anyone thinks it is easier to protect their browser with a proxy than fix the browser they've got other issues.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
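An added illustration of Nathan's point, not code from the thread: the same regex for the MS03-032 Content-Type header misses it when the value straddles two packets and only finds it after the stream is reassembled. The HTTP response below is constructed for the example.

```python
import re

# Constructed sample HTTP response (not a capture from the thread). The
# header the thread calls the "dangerous mimetype string" is the third line.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: example\r\n"
    b"Content-Type: application/hta\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Match the header at a line start, any case, with or without parameters.
HTA_HEADER = re.compile(rb"^content-type:[ \t]*application/hta\b", re.I | re.M)


def split_inside_header(data: bytes) -> list:
    """Cut the stream so the Content-Type value straddles two segments,
    the way TCP segmentation or IP fragmentation can split it."""
    cut = data.index(b"application/hta") + len(b"applic")
    return [data[:cut], data[cut:]]


def per_packet_match(segments) -> bool:
    """A packet filter that inspects each segment in isolation."""
    return any(HTA_HEADER.search(seg) for seg in segments)


def reassembled_match(segments) -> bool:
    """An application-level proxy: reassemble the stream, then inspect."""
    return HTA_HEADER.search(b"".join(segments)) is not None


if __name__ == "__main__":
    segs = split_inside_header(SAMPLE_RESPONSE)
    print("per-packet:", per_packet_match(segs))      # False
    print("reassembled:", reassembled_match(segs))    # True
```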
Re: [Full-Disclosure] Blocking Music Sharing.
Just block ALL the traffic outbound and allow only necessary ports, like HTTP/S, FTP, SMTP, DNS etc. Requires more work on your end managing the firewall rules but a better practice and protection in the long run.

Dimitri

"Johnson, Mark" <[EMAIL PROTECTED]>, sent by [EMAIL PROTECTED].netsys.com, 09/15/2003 12:37 PM
To: <[EMAIL PROTECTED]>
cc:
Subject: [Full-Disclosure] Blocking Music Sharing.

> Due to the legal issues, I am trying to block access to sites like Kazaa and Limewire in the office. If I am not mistaken, these networks can use different ports each time, so there is no way to block it at the firewall. Is this right? And if so, what is the best way to block access to these types of sites?
>
> Many thanks,
> Mark J.
RE: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability
Not much info on the page but here goes the juicy part.

Exploit: http://www.securitylab.ru/_exploits/rpc2.c.txt
Shellcode: http://www.securitylab.ru/_exploits/shell.asm.txt

Based on user responses, this is, in fact, a working exploit that will work on already patched systems. It's only a matter of time for a compiled binary to surface.

Dimitri

"Brown, Bobby (US - Hermitage)" <[EMAIL PROTECTED]>, sent by [EMAIL PROTECTED].netsys.com, 10/10/2003 03:34 PM
To: "'Alex'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

> For us that can not interpret the site, what more information can be provided.
>
> Bobby
>
> -----Original Message-----
> From: Alex [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 10, 2003 1:09 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability
>
> Exploit code can be found here: http://www.securitylab.ru/40754.html
> This code works with all security fixes. It's very dangerous.
>
> ----- Original Message -----
> From: "3APA3A" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Friday, October 10, 2003 6:48 PM
> Subject: Bad news on RPC DCOM vulnerability
>
> > Dear [EMAIL PROTECTED],
> >
> > There are few bad news on RPC DCOM vulnerability:
> >
> > 1. Universal exploit for MS03-039 exists in-the-wild, PINK FLOYD is
> > again actual.
> > 2. It was reported by exploit author (and confirmed), Windows XP SP1
> > with all security fixes installed is still vulnerable to a variant of the
> > same bug. Windows 2000/2003 was not tested. For a while only a DoS exploit
> > exists, but code execution is probably possible. Technical details are
> > sent to Microsoft, waiting for confirmation.
> >
> > Dear ISPs. Please instruct your customers to use personal fireWALL in
> > Windows XP.
> >
> > --
> > http://www.security.nnov.ru
> > ZARAZA U 3APA3A
> > You know my name - look up my number (The Beatles)
Re: [Full-Disclosure] Internet Explorer 6 DoS Bug
Worked on W2kAS SP4 with IE6.0 SP1 and all hotfixes. Full IE version is 6.0.2800.1106CO

Dimitri

KF <[EMAIL PROTECTED]>, sent by [EMAIL PROTECTED].netsys.com, 07/07/2003 09:19 AM
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Internet Explorer 6 DoS Bug

> I can NOT duplicate this on IE 6.0.2800.1106.xpsp2-030422-1633, it simply asks me to open or save the file... if I choose open with notepad for example ... nothing odd happens... notepad says function not found. If I try to save the file to disk it says "aux This filename is a reserved device name please choose another name". I tried searching for what to open the file with on the ms extension search thing and also came up with nothing odd... What *exact* version of IE do you use?
>
> -KF
>
> [EMAIL PROTECTED] wrote:
> > Hi,
> > I found a bug in IE6 on Windows XP with all Service Packs and Patches installed:
> > If you enter C:\aux in the address line of the IE (not EXPLORER, InternetExplorer)
> > and hit enter, the window will freeze. This bug is similar to C:\con\con
> > but not as dangerous. But it's the same reason, namely that windows tries to
> > open aux, a hardware device in earlier windows versions.
> > I already sent an email to Microsoft but they said the bug wouldn't exist.
> >
> > Bye
> >
> > Fabian Becker (www.neonomicus.ionichost.com)
> > [EMAIL PROTECTED]
> >
> > More power for your e-mail - with the new service packages at http://www.epost.de
Re: [Full-Disclosure] Internet Explorer 6 DoS Bug
Also worked on Windows 2003 .NET Enterprise Server with IE6 SP ver 6.0.3718.0

Dimitri

"Dimitri Limanovski" <[EMAIL PROTECTED]>, sent by [EMAIL PROTECTED].netsys.com, 07/07/2003 02:22 PM
To: [EMAIL PROTECTED]
cc:
Subject: Re: [Full-Disclosure] Internet Explorer 6 DoS Bug

> Worked on W2kAS SP4 with IE6.0 SP1 and all hotfixes. Full IE version is 6.0.2800.1106CO
>
> Dimitri