Hello list,
In light of the current state of the internet with the DCOM vuln, I
would like to ask for some advice on a situation I had at work.
A little while ago (but before the DCOM vuln was released) I had a Win2k
box hacked. The box was outside our firewall, running minimal
services(ftp/w
Earlier today I posted some preliminary research that I had been doing into
the ramifications of disabling DCOM. I reported that SMS was affected by
it and several other things may be, including SUS, Group Policies and the
Management Snap-in. Since then, I have been corresponding with a gentle
Hey there Swami:
> Hi i found these offsets after so much tiring work
> anyways here is my first post with my proof of
> concept code i did tried on my network and all
> worked so please check and send me the suggestions
> and improvements
and Zero:
> Cleaned up the code a bit as it was messy - we
brought to you by:
--
kid : [EMAIL PROTECTED]
and
farp : [EMAIL PROTECTED]
#gcc -odcom_scanz dcom_scanz.c
# ./dcom_scanz
usage: dcom-isvuln [--debug]
# ./dcom_scanz 10.1.1.25
[+] Connecting to 10.1.1.25
[+] Sending DCERPC, Bind: call_id: 9 UUID: REMACT
[+] Sending REMAC
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 361-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Matt Zimmerman
August 1st, 2003
Novacoast Security Advisory
Novell GroupWise 6.5 Vulnerability
Synopsis:
Novacoast has discovered a vulnerability in the Novell GroupWise 6.5 Wireless
Webaccess logging functionality. The software exposes all usernames and passwords
within the log file in clear text. This information could be us
The funniest part about that news bulletin is the
advertisement for Norton AntiVirus 2003 just to the right of the story.
Yes, it is possible that a malicious worm could be coded to exploit this
vulnerability and that millions of people could be affected...but why not make
the public scared
On Fri, 01 Aug 2003 13:38:01 EDT, amilabs said:
> Wouldn't you rather reconfigure the ipchains to let yourself in
> undetected whenever you wanted in a mild way?
That's why he said "or otherwise change"...
>> Whereas if they were using, say, NetBSD with IPFilter and turned the
>> securelevel to b
Has anyone proved that NT 4.0 is vulnerable? I keep seeing references
everywhere that it is... who has the proof?
-b
On Thu, 2003-07-31 at 15:02, Tinsley Paul wrote:
> NT4 Workstation is vulnerable but is no longer supported, unless you have an
> extended support contract with Microsoft. Your o
cdrtools-2.x contains a binary that can provide local root access for a
non root user.
http://www.secnetops.com/research/advisories/SRT2003-08-01-0126.txt
-KF
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-cha
> > Because 9 times out of 10 port 135 is blocked by some sort of firewall,
> > whilst port 80 is not blocked on a web server.
>
> Not telecommuters on dial-up IP's and Blue-Toothed into the net thru
> their Ericsson phones, and surfing from the airport and WIFI cafes of the
> world.
Bl
Wouldn't you rather reconfigure the ipchains to let yourself in
undetected whenever you wanted in a mild way?
Stopping the entire chains service will bring detection.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Reed
Sent: Friday, August 01, 2003
> Because 9 times out of 10 port 135 is blocked by some sort of firewall,
> whilst port 80 is not blocked on a web server.
Not telecommuters on dial-up IP's and Blue-Toothed into the net thru
their Ericsson phones, and surfing from the airport and WIFI cafes of the
world. Most Sysadmins are st
Although we encourage you to pay attention to all security bulletins and to
deploy patches in a timely manner, we want to call special attention to this
particular instance. We have become aware of some activity on the Internet
that we believe increases the likelihood of exploiting this vulnerabi
In some mail from Schmehl, Paul L, sie said:
>
> If I break in to a Linux box, for example, all I have to do, once I have
> root, is type:
> % /etc/rc.d/init.d/ipchains stop
>
> If it's a Windows box, I just kill the service:
> C:\ sc stop {firewall servicename}
>
> Or install the pstools to do
I've been doing some research on DCOM to try to figure out whether it's
even practical to disable it. Turns out that SMS uses DCOM, so if
that's how you're distributing patches, you *probably* don't want to
disable DCOM. It appears that Group Policies also use DCOM as does the
Management Snap-ins
Even with the new version…
Like I said, I imagine it is a Dev-C++
problem with the variables buf1, buf2 and bindstr.
I'm not sure how to tweak the code
to get it to compile with this compiler. Anyone?
Compiler: Default compiler
Building Makefile:
"E:\Dev-Cpp\Makefile.win"
Executi
> -Original Message-
> From: Jeff Bankston [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 01, 2003 8:04 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] CounterAttack
>
> Phil, I have to echo the other comments, because sometimes
> your return fire invites an escalation befo
The feds aren't the only ones. On another list I monitor a Microsoft
rep admitted that Microsoft believes there will be a major event, and
they are urging admins to "batten the hatches". Pretty rare for MS to
admit to that.
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
Th
>Well, it is the most widely supported default interface that is
>vulnerable. It would be a very unusual machine that is vulnerable on
>some other port and _NOT_ on 135, so what is the payoff for writing an
>exploit (at least a "proof of concept") that tries other ports?
Because 9 times out of
Title: RE: [Full-Disclosure] DCOM Exploit MS03-026 attack vectors
I am aware of how that works, my question
was as to whether anybody had seen attacks/code using a port other than 135?
Sorry for any confusion.
From: Brad Bemis
[mailto:[EMAIL PROTECTED]
Sent: Thursday, July 31, 20
Form: Reply
Text: (22 lines follow)
I'm on vacation from 01.08.03 until 01.09.03. In cases of CAP2, VPN or
Corporate products please contact Thomas Levy, -2004
--
Vodafone D2 GmbH
Department TOAR
Christian Poersch
Am Seestern 1
40547 Düsseldorf
Tel. +49 (0)
Phil, I have to echo the other comments, because sometimes your return fire
invites an escalation before you know all of the facts. We spend a lot of
time in the forensics of an attack to understand if first it is _us_ letting
the vulnerability in where we could have simply made our systems, firewal
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 360-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Matt Zimmerman
August 1st, 2003
Please do not forget port 593/tcp and 593/udp.
If you (or someone else) heard something about the vulnerability working
over http (rumored to 80/tcp), port 593 is what you should be aware of.
The DCOM vuln is indeed usable over port 593.
-Original Message-
From: Jasper Blackwell [mailt
>[EMAIL PROTECTED]
>hope the helps:
>---
[snip]
No dumbass;
unless you consider that a 0day too lmao.
You're just a fucking lamer, XSS yourself for a while and stay the fuck away from what
was once a serious list but now it's scriptkiddie heaven.
--
This message has been sent via a
from the article:
"Security companies (...) have monitored hackers in discussion groups and
chat rooms exchanging tips about how to improve the effectiveness of their
programs."
like that's something very hard to be done... fear
At 00:33 1/8/2003 -0700, Larry Roberts wrote:
Group,
Not sure if
Sintelli have released a list of the most important vulnerabilities for
July 2003.
This document is available in PDF format at the following URL:
www.sintelli.com/riskindex/july2003.pdf
Regards
Sintelli Support
www.sintelli.com
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-viru
> -Original Message-
> From: Nick FitzGerald [mailto:[EMAIL PROTECTED]
> Sent: 31 July 2003 22:41
> To:
> Subject: RE: [Full-Disclosure] Patching networks redux
>
>
[snip]
>Please explain what best practices he refers to?
>
> I'm sure he was referring to standard computer security best
musta been after he read 0day at nothackers.org
sounds REAL original, "Chris", good job, thanks huh?
morning wood
http://e2-labs.com
==
An alert distributed Thursday among U.S. government agencies warned of
widespread scanning and exploitation of victim comput
"Paul Tinsley" <[EMAIL PROTECTED]> wrote:
> Microsoft owns up to the exploit being usable on 135, 139 and 445, I have
> heard rumors of port 80 being vulnerable as well. ...
Brad Bemis is right -- other ports (and not just port 80) associated
with IIS _if_ COM Internet Services is enabled are
> -Original Message-
> From: Jasper Blackwell [mailto:[EMAIL PROTECTED]
> Sent: 01 August 2003 06:53
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] RPC DCOM Patches
>
>
> Hi All,
>
> >>Are NT 4 Workstations vulnerable too, or just NT 4 Servers?
>
> >NT 4.0 WS is bound to be vu
the code was fixed !
you have to compile the new version
Windows RPC DCOM Remote Exploit with 48 TARGETS (Fixed)//
http://www.k-otik.com/exploits/07.30.dcom48.c.php
Regards.
"Bassett, Mark" <[EMAIL PROTECTED]> wrote:
Bleh won't compile in dev-c++ getting 467 E:\Dev-Cpp\main.cppinvali
I did with SP2 Servers and Workstation, the patch work fine and it did
close the hole.
For your environment, better do it in a none production environment first,
just-in-case there are problems with other applications that uses RPC.
cheers,
Group,
Not sure if everyone saw this yet.
http://www.msnbc.com/news/946460.asp?cp1=1
Thanks,
Larry Roberts
CCIE #7886 (R&S / Security)
President - Nexperts, Inc "The Networking Experts"
Office - (602) 445-3915
Cell - (480) 231-3713
Hello,
Dolbow, Phil wrote:
> If your network is PROBED by another system, where do you draw your
> line?
the same where s/PROBED/ATTACKED - in my opinion a probe is a prelude to
further attacks and therefore I can see no difference. (Sometimes the
difficulty is to decide: Is this a probe or not?
Hey hey guys. I believe it has something to do with CIS.
" COM Internet Services Proxy (a feature that is part of Windows 2000 that
allows a server to accept DCOM requests tunneled over HTTP)"
" The list of supported transports is as follows:
Local RPCncalrpc
TCP/IP ncacn_ip_tcp
SPX