...blah blah blah snipped some stuff about w2k being almost good blah blah
blah...
> Regardless of how you feel about the .NET concept (personally I feel
> distributed code is a security nightmare waiting to happen)
> 2003 server is
> an improvement. You can actually run it more than 30 days wit
use cybersecurity adviser Richard Clarke
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dan
Stromberg
Sent: Monday, July 28, 2003 10:47 AM
To: David R. Piegdon
Cc: Dan Stromberg; [EMAIL PROTECTED]
Subject: [inbox] Re: Re: [Full-Disclosure] DCOM RPC exploit (dco
This tool is quite detectable on NT systems. Ran it against one of our
NT farms and here is the info that showed up in the NT system log
Event ID: 10003
User: n/a
Source: DCOM
Type: Error
Access denied attempting to launch a DCOM Server using
DefaultLaunchPermission
The server is:
{0002DF01.
A man named Tom once bragged:
> I used nmap to scan a random /16 for systems with
> port 135 open,
> Then I ran the win32 binary I compiled from
> the c code posted to this list
> against that list of ips.
> I got 156 command prompts.
Then Donny chimed in with:
> i too have experienced these
On Tue, 29 Jul 2003, Schmehl, Paul L wrote:
> >Anyone else know what the last column of the output means?
> >i.e. '5.6' or '0.0'?
I've been playing with the underlying RPC calls a bit, which make me think
that maybe it's the 'COMVERSION' structure that's returned in the
'ServerVersion' parameter
I used nmap to scan a random /16 for systems with port 135 open,
I fed the results of systems with that port open into enum (enum -S $ip)
and grepped for a "SharedDocs" share, which indicates XP box.
Then I ran the win32 binary I compiled from the c code posted to this list
against that li
> FYI, Incidents.org reports: "Widespread scans for unpatched Windows
> machines underway (RPC vulnerability). Patch systems and block ports
> 135-139 & 445".
NetBIOS Scans haven't necessarily increased. I can't believe that
any port is more sought out than NetBIOS. I see 139 and 445 m
Peter Kruse wrote:
> FYI, Incidents.org reports: "Widespread scans for unpatched Windows
> machines underway (RPC vulnerability). Patch systems and block ports
> 135-139 & 445".
>
> This might be caused by several tools in the hands of kiddies probing
> IP´s for vulnerable systems. This could also
Hi all,
FYI, Incidents.org reports: "Widespread scans for unpatched Windows
machines underway (RPC vulnerability). Patch systems and block ports
135-139 & 445".
This might be caused by several tools in the hands of kiddies probing
IP´s for vulnerable systems. This could also be caused by a worm
[SNIP]
>
> So, when you(pl) shake your head and think, "They could do so much
> better if they just had a clue", keep in mind that the real world
> doesn't always give you what you want or need, and you have to learn to
> deal with what exists, not with what you'd like to see exist. And t
> -Original Message-
> From: Robert Banniza [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 29, 2003 11:26 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)
>
>
> Just received this from ISS minutes ago...Another RPC
>
Just received this from ISS minutes ago...Another RPC vulnerability
scanning tool:
http://www.iss.net/support/product_utilities/ms03-026rpc.php
Couple things we have noticed
1) OS identification is pretty much hit and miss
2) We have seen where XP SP1 unpatched doesn't show vulnerable (this
On Tue, Jul 29, 2003 at 10:33:47AM -0500, Schmehl, Paul L wrote:
> > > ... I'd be surprised if any organisation exists (outside of the
> > > military) that insists on knowing the MAC addresses of machines before
> > > they get connected to the network. (In our case we monitor MAC addresses
> > > i
OK, I admit it. I am a Techie Admin who is in management. I get to pick
the product, source it, install it, fix it, Admin it, everything except
actually purchase. Unfortunately, I am in a corporate environment where
corporate purchasing policy overtakes my life experience, research, and
so called e
> -Original Message-
> From: Nick FitzGerald [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 29, 2003 9:01 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)
>
> > ... I'd be surprised if any
> > organisation ex
> -Original Message-
> From: Nick FitzGerald [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 28, 2003 10:12 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)
>
> ...if s/he is under-resourced. It need not be the way you
> desc
Jean-Baptiste Marchand <[EMAIL PROTECTED]> to me:
> Actually, the modification date that appears in the CVS tag is the one
> you can trust ;-) :
>
> $Id: min_srv_res_win.en.tip,v 1.11 2003/05/14 10:01:45 marchand Exp $
Indeed, as has also been pointed out by others in private Email!
Thanks for
[EMAIL PROTECTED] replied to me:
> Why do I get the distinct impression that only myself and Paul Schmehl
> actually understand what the realities of life are these days? There is
> really very little control over "users", whether they are in a "edu" or not.
Why do I get the distinct impression th
* Nick FitzGerald <[EMAIL PROTECTED]> [29/07/03 - 12:30]:
[...]
> Also, if you've read that page in the past, please note that it gets
> updated from time to time but its author seems to neglect updating the
> date near the top of the page.
Actually, the modification date that appears in the
> -Original Message-
> From: Nick FitzGerald [mailto:[EMAIL PROTECTED]
> Sent: 29 July 2003 04:12
> To: [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)
[snip]
> Of course, convincing a bean-counter of the value of taking a longer-
> term v
"Admin GSecur" <[EMAIL PROTECTED]> wrote:
> I completely agree, unfortunately this is a constant problem in any
> enterprise size network. So many times it only takes a less experienced
> network admin to bring a network to its knees.
True, but even that can be mitigated somewhat -- of course,
access to
> the machine?
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:full-disclosure-[EMAIL PROTECTED] On Behalf Of Robert Wesley
> McGrew
> Sent: Monday, July 28, 2003 1:11 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] DCOM RPC explo
bilities
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED] Behalf Of Robert
| Wesley McGrew
| Sent: Monday, July 28, 2003 10:11 AM
| To: [EMAIL PROTECTED]
| Subject: RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)
|
|
|
|
| On Mon, 28 Jul 2003, Schmehl, Paul L w
On Mon, 28 Jul 2003 12:10:56 CDT, Robert Wesley McGrew <[EMAIL PROTECTED]> said:
> Any worm using this would need to know the return address before
> attempting to exploit. If a worm were to stick to targeting one return
> address (say, English XP SP1), every time it ran across something slightly
, 2003 1:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)
On Mon, 28 Jul 2003, Schmehl, Paul L wrote:
> > 2) For this DCOM RPC problem in particular, everyone's
> > talking about worms. How would the worm know what return
> > add
On Mon, 28 Jul 2003, Schmehl, Paul L wrote:
> > 2) For this DCOM RPC problem in particular, everyone's
> > talking about worms. How would the worm know what return
> > address to use? Remote OS fingerprinting would mean it would
> > be relatively large, slow, and unreliable (compared with
> >
To answer my own question, I just noticed this on the metasploit site :
"Update: A return address has been identified for both Windows 2000 and
Windows XP that works independent of the service pack. This information
can be easily obtained by analyzing the DLL's that are loaded by the
svchost.exe
ge-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Schmehl,
Paul L
Sent: Monday, July 28, 2003 12:12 PM
To: Ron DuFresne
Cc: Robert Wesley McGrew; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)
> -Original Message-
> From: Ron DuFresne [mail
[SNIP]
> This is simply and plainly false. I don't know why people can't seem to
> grasp this. I know of several major corporations who not only had
> 1434/UDP blocked at the firewall but also on a number of internal
> routers *and* had aggressive patching programs, and they *still*
> s
> -Original Message-
> From: Ron DuFresne [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 28, 2003 10:46 AM
> To: Schmehl, Paul L
> Cc: Robert Wesley McGrew; [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)
>
> And those sites during s
On Sun, 2003-07-27 at 12:25, David R. Piegdon wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
>
> IMHO it is TIME to sue corporations like microsoft for their stupidity
> - and their belief that people/customers are even more stupid.
> they sell their software and tell about their "g
[SNIP]
>
> What fingerprinting? If you've got 135/UDP open to the Internet, you're
> screwed. Slammer didn't fingerprint. It simply hit every box it could
> find on port 1434/UDP, and the exploit either worked or it didn't. Most
> worms do the same. They attack indiscriminately, and
> -Original Message-
> From: Robert Wesley McGrew [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 28, 2003 3:01 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)
>
> 1) How would you propose to change the
> scene/industry/commu
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: 27 July 2003 16:38
> To: Nathan Seven
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)
>
[snip]
>
> It may be a corner case, but based on the
[EMAIL PROTECTED]>,
"[EMAIL PROTECTED]" < >
Subject: Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)
On 27 Jul 2003, Paul Schmehl wrote:
> On Sun, 2003-07-27 at 14:24, Jason wrote:
> >
> > Ok:
> > In short it goes like this.
> >
> > Click S
Good of a point as any to jump into this, with a couple of questions to
steer conversation towards something resembling productivity ;). For the
record, I support full-disclosure with "reasonable" vendor notification,
taking into account a time to acknowledge and a time to patch, and I also
suppo
Paul Schmehl wrote:
On Sun, 2003-07-27 at 21:03, Jason wrote:
Are there policies governing the use of computers on campus networks?
There are at UTD, and I know there are at many other campuses. And
they're publicly posted and routinely taught. But again, this isn't
about me or UTD. It's abo
M RPC exploit (dcom.c)
- Original Message -
From: Chris Paget <mailto:[EMAIL PROTECTED]>
To: Len Rose <mailto:[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Sent: Sunday, July 27, 2003 12:08 PM
Subject: Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)
Len,
IMHO there's a differ
[SNIP]
> >
> > "Ron, you are just as clueless as you were when Slammer hit."
> >
> > Way to add value there, Bravo!
> >
> It's at least as valuable as your rant about no excuses. Ron comes from
> the same place you do and refuses to see the other side of the issue,
> much like you. No p
---
> FIGHT BACK AGAINST SPAM!
> Download Spam Inspector, the Award Winning Anti-Spam Filter
> http://mail.giantcompany.com
>
>
> - Original Message -
> From: "El Guille" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Sunday
Etaoin Shrdlu <[EMAIL PROTECTED]> wrote:
> There've been a lot of moronic statements made in this thread, true enough,
No there's a surprise... 8-)
> but I've actually learned a couple of things here. It's been mostly
> interesting, strange though that may seem, including (I think it was
> N
On Sun, 2003-07-27 at 21:03, Jason wrote:
>
> True, a university is not a corporation and has different requirements
> all together. This does not mean that just because students are learning
> to program the university is absolved of teaching the student to program
> securely. A reasonable sta
manohar singh wrote:
>
> Well,
>
> So far about a 100 emails on this subject (dcom.c),
> and all this is doing is irritate everybody.
Well, normally I'd agree with you (although I wouldn't feel the need to
post about it), but not this time.
> Guys, this IS an unmoderated list, and people WILL
Paul Schmehl wrote:
[snip]
It takes a lot more work than that. What do you do about the machines
that *do* need DCOM? Ever notice there are students learning
programming at a university? It's not like a corporation where you can
shove changes down people's throats without planning carefully firs
I've noticed ever since I posted to bugtraq and this list my site http://illmob.org has been under attack from ddos... lame
H D Moore <[EMAIL PROTECTED]> wrote:
On Saturday 26 July 2003 07:16 pm, Chris Paget wrote:
> Personally, I'm tempted to set up my firewall to NAT incoming requests
> on port 135 t
Paul Schmehl <[EMAIL PROTECTED]> wrote:
<>
> It takes a lot more work than that. What do you do about the machines
> that *do* need DCOM? Ever notice there are students learning
> programming at a university? It's not like a corporation where you can
> shove changes down people's throats withou
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
> IMHO it is TIME to sue corporations like microsoft for their stupidity
> - and their belief that people/customers are even more stupid.
> they sell their software and tell about their "great security-concepts",
> but they actually do nothing abo
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
> > Ok:
> > In short it goes like this.
> >
> > Click Start->Run
> > Type "dcomcnfg.exe"
> > Turn it off
>
> Great! Now go click all 5000 computers we have to take care of. This
> is exactly what I'm talking about. You smugly criticize networks for
Well,
So far about a 100 emails on this subject (dcom.c),
and all this is doing is irritate everybody.
Guys, this IS an unmoderated list, and people WILL
post exploits. Clear and simple. Let's just grow up,
and get back to work instead of cribbing in public
forums.
ms
--- [EMAIL PROTECTED]
On Sun, 2003-07-27 at 17:06, Knud Erik Højgaard wrote:
>
> Even I, with my limited knowledge, was able to reproduce what seems to have
> the same effect using "active registry monitor" and a few minutes of spare
> time. However it seems quite a few things use this DCOM stuff, so rolling
> out the h
On Sun, 2003-07-27 at 17:09, Ron DuFresne wrote:
>
> Blame the provider of the OS you are trying to tame. sheesh, whine whine
> whine, I can't do my job I'm underpaid and overworked, I can't secure my
> network cause some fools gonna tell me they can't play their fav game with
> friend on anothe
tcpdumb <[EMAIL PROTECTED]> wrote:
> Well that's not entirely accurate. At least RaMeN had some nice features
> such as fixing the security hole it used to gain access to the vulnerable
> Host. ;) (Even if it's just a feature to prevent multiple attacks, it's
> basically a good idea)
Could you pl
On Sun, 2003-07-27 at 16:23, Jason wrote:
>
> Pg 189 of the document located at the link previously provided. The link
> is included here again for convenience.
> http://downloads.securityfocus.com/library/S24NTSec.doc
>
> Interestingly it makes use of a free program for windows available at
>
On Sun, 27 Jul 2003 16:38:15 -0400 Justin Shin
([EMAIL PROTECTED]) wrote:
>
>Also, I think it is time to sue corporations that sell
>buggy/vulnerable software AND make little effort to make
>people aware of the problems. Microsoft is improving,
>actually, but in my opinion they should make securi
Paul Schmehl wrote:
> On Sun, 2003-07-27 at 14:24, Jason wrote:
>>
>> Ok:
>> In short it goes like this.
>>
>> Click Start->Run
>> Type "dcomcnfg.exe"
>> Turn it off
>
> Great! Now go click all 5000 computers we have to take care of.
Even I, with my limited knowledge, was able to reproduce what s
On Saturday 26 July 2003 07:16 pm, Chris Paget wrote:
> Personally, I'm tempted to set up my firewall to NAT incoming requests
> on port 135 to either www.metasploit.com or www.xfocus.org. I know
> this is the full-disclosure list, but working exploit code for an issue
> this huge is taking it a b
On 27 Jul 2003, Paul Schmehl wrote:
> On Sun, 2003-07-27 at 14:24, Jason wrote:
> >
> > Ok:
> > In short it goes like this.
> >
> > Click Start->Run
> > Type "dcomcnfg.exe"
> > Turn it off
>
> Great! Now go click all 5000 computers we have to take care of. This
> is exactly what I'm talking abou
> However, a worm is N-E-V-E-R good and A-L-W-A-Y-S malicious. What would be the
> "good" intent of releasing any program that self-replicates to other vulnerable
> system and wreaks havoc?
Well that's not entirely accurate. At least RaMeN had some nice features such as
fixing the security ho
Paul Schmehl wrote:
On Sun, 2003-07-27 at 14:24, Jason wrote:
Ok:
In short it goes like this.
Click Start->Run
Type "dcomcnfg.exe"
Turn it off
Great! Now go click all 5000 computers we have to take care of. This
is exactly what I'm talking about. You smugly criticize networks for
not fixin
Well people I guess this post, which was originally about me not being able to compile
this (because I am stoopid :) is now about something completely different.
My opinion: released vulnerabilities are good. Why? Two reasons. One, they allow the
security admins to take a look at how the vul
On Sun, 2003-07-27 at 14:24, Jason wrote:
>
> Ok:
> In short it goes like this.
>
> Click Start->Run
> Type "dcomcnfg.exe"
> Turn it off
Great! Now go click all 5000 computers we have to take care of. This
is exactly what I'm talking about. You smugly criticize networks for
not fixing problem
security snot wrote:
I don't understand how having any of the
poorly written public exploits for this vulnerability will help in the
securing process in any way. Unless you mean that the threat of a worm is
more realistic because now hackers, along with security professionals,
both have access to
- Original Message -
From: "David R. Piegdon" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, July 27, 2003 8:25 PM
Subject: Re: Re: [Full-Disclosure] DC
I have tested it against Windows XP (German edition) without Service Pack.
It just causes the NT authority to shutdown and the Computer needs a reboot.
regards,
need to change ret. address I guess. Tested in W2K SP4 (spanish), ret
address use 0x77A53B13, works fine
saluT
_
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
IMHO it is TIME to sue corporations like microsoft for their stupidity
- and their belief that people/customers are even more stupid.
they sell their software and tell about their "great security-concepts",
but they actually do nothing about it.
in
Paul Schmehl wrote:
On Sat, 2003-07-26 at 23:22, Jason wrote:
The war begins...
I'm not going to debate the release of code with anyone. Simply put,
best practices should have mitigated this in a huge way from the
beginning. All of the remaining threat should have been tested and
patched by
(I originally quoted parts of the original message here, but I decided to
make a generic, reusable summary in case more PaidtoPlay admins come out.)
Joe Admin of Faceless Corp wrote:
>blah, blah, blah ... can't be expected to secure our machines ... blah ...
>willing to sacrifice the routers of t
Do you use visio? How about anything else that uses MSDE
-KF
Are *you* serious?
Running MSSQL server on my laptop that I also use to
VPN in is IMO a pretty fucking corner-case...
___
Full-Disclosure - We believe in it.
Charter: http://lists.net
On Sun, 27 Jul 2003 01:30:11 PDT, Neeko Oni <[EMAIL PROTECTED]> said:
> (Oh, and why aren't those 70-80% patched at SP4 with RPC firewalled?)
Umm... because there's a *lot* of PC's that are sitting on people's kitchen
tables without a sysadmin who knows what SP4 is?
> > You've obviously never a
I don't think you were reading the advisories properly... ;)
MSDE (Microsoft SQL Server Desktop Edition) was vulnerable, which many
products use, including Office, Visual Studio .NET, etc. Just to
refresh your memory, here's a list of products that contain MSDE
http://www.sqlsecurity.com/forum/a
On Sat, 2003-07-26 at 23:22, Jason wrote:
> The war begins...
>
> I'm not going to debate the release of code with anyone. Simply put,
> best practices should have mitigated this in a huge way from the
> beginning. All of the remaining threat should have been tested and
> patched by now.
>
Wha
Sir,
While I fully support the spread of malicious software to the masses, I
disagree with your reasoning. I don't understand how having any of the
poorly written public exploits for this vulnerability will help in the
securing process in any way. Unless you mean that the threat of a worm is
mor
On Sun, 27 Jul 2003 10:49:40 EDT, Chris Paget said:
> I agree completely that maybe the best way to stop all this is to make vendors
> liable for flaws in their products. I heard rumours that this was being
> considered in the US - anyone know what the score is?
Be careful what you ask for, you
24 hours after sending the code to the list, I still believe it was the
right thing to do, being already published on the web (metasploit.com) and
referred to in news article (news.com). From then, it was only a matter of
hours until someone spilled the beans to a mailing list, as I did.
the 2 week
Having vendors liable for software bugs is the worst thing in the
world for software!
I'm just a newbie to programming and security... but imagine all the
small software shops/startups and open source projects that would be
closed because people are too afraid of being sued!! Especially when
you'
On Sun, 2003-07-27 at 01:30, Ron DuFresne wrote:
> >
> > You can't firewall 135 inside your network or you'd have no network.
>
> but, you can at the outgoing gateway, as well as log the events there to
> help in locating inside infections. Slammer and some of the other recent
> worms giving a g
On Sun, 27 Jul 2003 00:41:22 PDT, Nathan Seven said:
> Running MSSQL server on my laptop that I also use to
> VPN in is IMO a pretty fucking corner-case...
On the other hand, if you're a big financial company with 50K warm bodies on
the payroll, there's a good chance you have 1 or 2 developers th
On Sun, 27 Jul 2003, Georgi Guninski wrote:
> IMHO releasing the exploit is ethical and legal.
> The root of the problem is m$, they should take responsibility for the worms.
I agree completely that maybe the best way to stop all this is to make vendors
liable for flaws in their products. I hea
Chris Paget wrote:
Personally, I'm tempted to set up my firewall to NAT incoming requests on port
135 to either www.metasploit.com or www.xfocus.org. I know this is the
full-disclosure list, but working exploit code for an issue this huge is taking
it a bit far, especially less than 2 weeks after
Hi there!
I have tested it against Windows XP (German edition) without Service Pack. It just
causes the NT authority to shutdown and the Computer needs a reboot.
regards,
Lukas aka tcpdumb
<[EMAIL PROTECTED]>
> Cc: "Chris Paget" <[EMAIL PROTECTED]>; "Len Rose" <[EMAIL PROTECTED]>;
> <[EMAIL PROTECTED]>
> Sent: Sunday, July 27, 2003 5:20 AM
> Subject: Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)
>
>
> > On Sat, 2003-07-
Note: I'm pretty sure this'll spawn a lot of vicious hatemail and/or a
subthread or two about how *horrible* I am for posting Chris's mail to me.
Honestly, I don't care. It'll be nice to see how many people reading this
list are "PaymeforCSandPorn" admins. I think our writing is far more
readabl
Hmmm-
I think I can sum it up with "full disclosure" !=
"moderate disclosure"
If it wasn't that exploit published here, it would
have been some other exploit published somewhere else,
and you know it.
I myself have SLAs to my clients as to how quickly I
apply security patches, so my ass is cover
--- Paul Schmehl <[EMAIL PROTECTED]> wrote:
>
> Are you really serious? Recall Slammer? There were
> networks that were
> locked down pretty tight. Slammer couldn't get in,
> right? Then one
> developer who got his unpatched copy of SQL inside
> the network, by
> logging in through VPN with hi
On 26 Jul 2003, Paul Schmehl wrote:
> On Sat, 2003-07-26 at 22:29, Ron DuFresne wrote:
> >
> > I'm just trying to understand how corporate networks would/should be at
> > risk with this, why port 135 would not be filtered already limiting
> > exposure. Is there a reason why it would not be that I
Paul Schmehl <[EMAIL PROTECTED]> replied to Ron DuFresne wrote:
<>
> Are you really serious? Recall Slammer? There were networks that were
> locked down pretty tight. Slammer couldn't get in, right? Then one
> developer who got his unpatched copy of SQL inside the network, by
> logging in thro
Inline.
Chris Paget wrote:
Comments inline.
On Sun, 27 Jul 2003, Jason wrote:
The war begins...
I hope so. Discussion of the hows and why's and morals of security and
disclosure is *always* a good thing - which was partly why I made the original
post.
Hence the JUSTIFIED at the end of my ma
ROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, July 26, 2003 10:46 PM
Subject: Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)
> This childish flaming is why everyone wishes death upon you donnie, please get a clue.
>
> There are more constructive ways to make a point, please
"gregh" <[EMAIL PROTECTED]> wrote:
> Just my $0.02:
>
> Shoot the messenger - that always stops the bad event happening.
>
> Sorry for the sarcasm. I can never see the point in "If we don't tell
> the enemy how to build a nuclear weapon they never will so we are
> safer as a result" logic.
The
Comments inline.
On Sun, 27 Jul 2003, Jason wrote:
> The war begins...
I hope so. Discussion of the hows and why's and morals of security and
disclosure is *always* a good thing - which was partly why I made the original
post.
> I'm not going to debate the release of code with anyone. Simply
On Sat, 26 Jul 2003 22:29:56 CDT, Ron DuFresne said:
> I'm just trying to understand how corporate networks would/should be at
> risk with this, why port 135 would not be filtered already limiting
> exposure. Is there a reason why it would not be that I'm missing? The
It's the rare corporate net
The war begins...
I'm not going to debate the release of code with anyone. Simply put,
best practices should have mitigated this in a huge way from the
beginning. All of the remaining threat should have been tested and
patched by now.
Now to the points you make.
Chris Paget wrote:
Len,
IMHO
On Sat, 2003-07-26 at 22:29, Ron DuFresne wrote:
>
> I'm just trying to understand how corporate networks would/should be at
> risk with this, why port 135 would not be filtered already limiting
> exposure. Is there a reason why it would not be that I'm missing?
Are you really serious? Recall S
This childish flaming is why everyone wishes death upon you donnie, please get a clue.
There are more constructive ways to make a point, please try your best to try them.
You might be surprised how much less hated you might become around here.
-Shanphen
Oh yeah, please do try the tools drop down
tzert" <[EMAIL PROTECTED]>
> To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Sent: Saturday, July 26, 2003 6:19 PM
> Subject: RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)
written
and has a few bugs but its nice code IMHO, what u expect after the vuln
releases
- Original Message -
From: "christopher neitzert" <[EMAIL PROTECTED]>
To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Sent: Saturday, July 26, 2003 6:19 PM
Subject: RE: [F
- Original Message -
From: Chris Paget
To: Len Rose
Cc: [EMAIL PROTECTED]
Sent: Sunday, July 27, 2003 12:08 PM
Subject: Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)
Len,
IMHO there's a difference between "security through
obscurity" and posting working exploit
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
From: "Chris Paget" <[EMAIL PROTECTED]>
>
>
>
> I'd just like to thank FlashSky, Benjurry, and H D Moore for releasing this
> code. Really guys, sterling job. Now the skript kiddies and VXers have got
> virtually no work to do in order to write a
>
> Len,
>
> IMHO there's a difference between "security through obscurity" and posting
> working exploit code. Knowing that there is a vulnerability in DCOM, accessible
> over a range of RPC mechanisms (primarily 135/tcp) is all that most
> administrators need to know. It's one thing knowing th
Chris Paget wrote:
I know this is the
full-disclosure list, but working exploit code for an issue this huge is taking
it a bit far, especially less than 2 weeks after the advisory comes out.
I'm aware of at least 7 exploits for this vuln now. Are you really going
to complain that you get to see
1 - 100 of 122 matches