Based on user responses, this is, in fact, working exploit that will
work on already patched systems. It's only a matter of time for
compiled binary to surface.
Here it is:
http://forum.securitylab.ru/forum_posts.asp?TID=56 42&PN=0&TPN=3
I'd repost the 'sploit source, but/. gots "junk" filters that block shellcodes.
The U.S. has re-modeled itself on an econoic and political model borrowed from Argentina in the '70's, and the rest of the world is charging along behind. E.U.? wants to be as big a Banana Republic as U.S. and China...
This guy has S*hit for brains, and demonstrates this in every one of his hit piece M$ troll "articles".
Restrict 135 - Yeah Baby!
Except the major worm infestations haven't used the Internet as the primary exploit vector when demolishing the infrastructure at medium and large enterprises. Blaster and Slammer were "carted in" via laptops, poorly configured VPNs, permissive network sharing with business partners and improperly segmented test/development networks. Slammer just took a major grocery-chain's national WAN down for more than a day. This, 8.5 MONTHS after protecting the edge, and main production boxes for the exploit and blocking SQL discovery.
There are tag vulnerabilities in the wild, outside the scope of the latest MS patch, 7 days ago. These are capable of planting trojans -- bypassing AV message filters in HTML-formatted mails with Outlook clients, and can be set in invisible-frames, etc.
Enderle thinks that because he ran through pro-forma auditing that he has the expertise to second guess Schnierer and Geer? Gimme a break! I take Marc Ranum's criticism of these guy's work - not some paid-for-troll who scoffs at the bulk of the working code deployed over the past 40 years as "Open Source-ery".
Like the NEW exploit for DCOM/RPC that is effective against ALL 32-Bit Windows variants, and renders vulnerable systems with best, current patch levels?
Automated patching won't help, when your patches, including 03-039 are fabricated under the same losing circumstances as the fudamantally flawed OS platform.
"Trust our crap patches! Brought to you by applying our time-proven methods!"
Timliness is not improved by better automation of the distribution and application. Witness:
[Full-Disclosure] Re: Bad news on RPC DCOM vulnerability
From: "Alex"
To: , ,
CC:
Date:
Today 11:08:53
Exploit code can be found here:
http://www.securitylab.ru/40754.html
This code work with all security fixes. It's very dangerous.
----- Original Message -----
From: "3APA3A"
To: ; ;
Cc:
Sent: Friday, October 10, 2003 6:48 PM
Subject: Bad news on RPC DCOM vulnerability
Dear bugtraq@securityfocus.com,
There are few bad news on RPC DCOM vulnerability:
1. Universal exploit for MS03-039 exists in-the-wild, PINK FLOYD is
again actual.
2. It was reported by exploit author (and confirmed), Windows XP SP1
with all security fixes installed still vulnerable to variant of the
same bug. Windows 2000/2003 was not tested. For a while only DoS exploit
exists, but code execution is probably possible. Technical details are
sent to Microsoft, waiting for confirmation.
Dear ISPs. Please instruct you customers to use personal fireWALL in
Windows XP.
--
http://www.security.nnov.ru
You know my name - look up my number (The Beatles)
If the queue isn't named "0" then it is almost certainly named lp.
If yer using KDE, switch to CUPS for your printing system, and use the enormously well - concieved and realized add printer wizard for an remote LPR queue. You might have to add a CUPS package for LPD compatibility, depending on your distro.
If you are not using KDE, install and configure CUPS anyway - with all the foomatic and GIMP-print add-ons. The web-based administration tool that ships as part of CUPS will do the job nearly as well as the KDE wizard - with the benefit of links to full documentation on-line.
I looked in the sky Where an elephant's eye
Was looking at me From a bubblegum tree
And all that I knew Was the hole in my shoe;
Which was letting in water,
letting in water, letting in water...
I walked through a field That just wasn't real with
One hundred tin soldiers Which stood at my shoulders
And all that I knew was The hole in my shoe;
Which was letting in water,
letting in water, letting in water...
I climbed on the back of a giant albatross Which flew through a crack in a cloud
To a place where happiness reigned all year round, and music played, ever so loudly...
I started to fall And suddenly woke
And the dew on the grass Had soaked through my coat
And all that I knew was The hole in my shoe;
Which was letting in water,
This is the kind of needless complexity in the plumbing that has led the gaggle of MS operating systems into hell.
"Hey, but it makes for a clean Desktop!" Screw all of that. Message-passing framework in init? I hear that Redmond is hiring my friend!
You want a system that the majority of systems administrators don't understand, then obscure it with additional services that have interdependancies, and pass messages to eachother, instead of stdin/stdout. Oh. Why don't you also include a non-standard, non-posix interpreter here too!
Yeah! All it needs is Python! Python in/bin ! No thanks.
I remember how much I/HATED/ the inflexibility caused when Solaris made/bin a link to/usr/bin.
The idea of Python being a part of essential system services is a real bother. It's much easier to break a full language interpreter and its extensions than it is to break a staticly-linked shell. I get a little uneasy about the "RedHat-centric" quality of this. RedHat needs Python to install and run its Ananconda - so they already have the dependancy. I didn't like this for hardened, edge devices, so I have gone back to reccomending Debian bases when doing this on Linux. If I were to include python on a firewall or proxy, I might as well let gcc live there too!
This whole plan would fork the start-up styles of embedded appliances, floppy distros, desktops and servers. I understand the benefits that are being touted - I just don't think they are worth the drawbacks. You want something clean, with a set of library functions provided for distros to standardize their initscripts? The NetBSD rcNG is mucho cool in this regard.
Question for the clueful? How does OS X handle this init? Is it just traditional BSD rc?
Whenever the word "sanctity" is used in political or commercial endevours, be very suspect of the speaker. It's almost a dead-givaway for someone with a separate agenda.
If you want to read the tired, old arguments abouy X and diversity in toolkits, ten proceed down the page!
If you want to reinforce the idea that market-share==quality and viability, then we have a great story about Windows 2003, abit farther up the main page!
Know-nothings with less than 7-years implementing complex server systems are advised to comment in excruciating prose.
I am not going to take the same road as my previous district (of which I was an underling, and not in charge)
Is that a School District? We've started doing alot of infosec in this area. These customers are heavy into Novell 5.x . EVERY one of them would suffer from a security/vulnerability stance if they were to make greater use of Windows servers.
"Longhorn"?
Better never than LATE!
Palladium? Well, rome wasn't sacked in a day!
Reagan: "I don't recall"
Kissinger is refeshingly blunt: "The illegal we do immediately. The unconstitutional takes a little longer."
of all the Kazaa users figuring out this "opennap" thing...
Bless you, my son!
To: "Brown, Bobby (US - Hermitage)"
CC: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, full-disclosure-admin@lists.netsys.com, NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM, Secure@microsoft.com
Date: Today 14:37:47
Not much info on the page but here goes the juicy part.
Exploit: http://www.securitylab.ru/_exploits/rpc2.c.txt
Shellcode: http://www.securitylab.ru/_exploits/shell.asm.txt
Based on user responses, this is, in fact, working exploit that will work on already patched systems. It's only a matter of time for compiled binary to surface.
Dimitri
Here it is: http://forum.securitylab.ru/forum_posts.asp?TID=56 42&PN=0&TPN=3
I'd repost the 'sploit source, but /. gots "junk" filters that block shellcodes.
Turn blue, holding your breath.
The U.S. has re-modeled itself on an econoic and political model borrowed from Argentina in the '70's, and the rest of the world is charging along behind. E.U.? wants to be as big a Banana Republic as U.S. and China...
ZARAZA is waiting for an ack from MS (or NAK timeout ;-) ).
Restrict 135 - Yeah Baby!
Except the major worm infestations haven't used the Internet as the primary exploit vector when demolishing the infrastructure at medium and large enterprises. Blaster and Slammer were "carted in" via laptops, poorly configured VPNs, permissive network sharing with business partners and improperly segmented test/development networks. Slammer just took a major grocery-chain's national WAN down for more than a day. This, 8.5 MONTHS after protecting the edge, and main production boxes for the exploit and blocking SQL discovery.
There are tag vulnerabilities in the wild, outside the scope of the latest MS patch, 7 days ago. These are capable of planting trojans -- bypassing AV message filters in HTML-formatted mails with Outlook clients, and can be set in invisible-frames, etc.
Enderle thinks that because he ran through pro-forma auditing that he has the expertise to second guess Schnierer and Geer? Gimme a break! I take Marc Ranum's criticism of these guy's work - not some paid-for-troll who scoffs at the bulk of the working code deployed over the past 40 years as "Open Source-ery".
Automated patching won't help, when your patches, including 03-039 are fabricated under the same losing circumstances as the fudamantally flawed OS platform.
"Trust our crap patches! Brought to you by applying our time-proven methods!"
Timliness is not improved by better automation of the distribution and application. Witness:
Gort, Klaatu Barada Nikto!
If yer using KDE, switch to CUPS for your printing system, and use the enormously well - concieved and realized add printer wizard for an remote LPR queue. You might have to add a CUPS package for LPD compatibility, depending on your distro.
If you are not using KDE, install and configure CUPS anyway - with all the foomatic and GIMP-print add-ons. The web-based administration tool that ships as part of CUPS will do the job nearly as well as the KDE wizard - with the benefit of links to full documentation on-line.
Where an elephant's eye
Was looking at me
From a bubblegum tree
And all that I knew
Was the hole in my shoe;
Which was letting in water,
letting in water,
letting in water...
I walked through a field
That just wasn't real with
One hundred tin soldiers
Which stood at my shoulders
And all that I knew was
The hole in my shoe;
Which was letting in water,
letting in water,
letting in water...
I climbed on the back of a giant albatross
Which flew through a crack in a cloud
To a place where happiness reigned all year round,
and music played, ever so loudly...
I started to fall
And suddenly woke
And the dew on the grass
Had soaked through my coat
And all that I knew was
The hole in my shoe;
Which was letting in water,
letting in water,
letting in water...
That'd be great if the Internet were nothing but discreet individuals, manually driving browsers over port 80.
But there is email, FTP, voip, etc...
All have functionality based on having nxdomain returned.
Plus VS is using this to collect data on browsers.
I read the article. One word to describe Mark McLaughlin: "ASSHOLE".
It's a space station."
It might be USB, but I think the new ones are FireWire(tm).
Oh, good. One more flavor. :-)
"Hey, but it makes for a clean Desktop!" Screw all of that. Message-passing framework in init? I hear that Redmond is hiring my friend!
You want a system that the majority of systems administrators don't understand, then obscure it with additional services that have interdependancies, and pass messages to eachother, instead of stdin/stdout. Oh. Why don't you also include a non-standard, non-posix interpreter here too!
I remember how much I /HATED/ the inflexibility caused when Solaris made /bin a link to /usr/bin .
The idea of Python being a part of essential system services is a real bother. It's much easier to break a full language interpreter and its extensions than it is to break a staticly-linked shell. I get a little uneasy about the "RedHat-centric" quality of this. RedHat needs Python to install and run its Ananconda - so they already have the dependancy. I didn't like this for hardened, edge devices, so I have gone back to reccomending Debian bases when doing this on Linux. If I were to include python on a firewall or proxy, I might as well let gcc live there too!
This whole plan would fork the start-up styles of embedded appliances, floppy distros, desktops and servers. I understand the benefits that are being touted - I just don't think they are worth the drawbacks. You want something clean, with a set of library functions provided for distros to standardize their initscripts? The NetBSD rcNG is mucho cool in this regard.
Question for the clueful? How does OS X handle this init? Is it just traditional BSD rc?
If you want to read the tired, old arguments abouy X and diversity in toolkits, ten proceed down the page!
If you want to reinforce the idea that market-share==quality and viability, then we have a great story about Windows 2003, abit farther up the main page!
Know-nothings with less than 7-years implementing complex server systems are advised to comment in excruciating prose.
Is that a School District? We've started doing alot of infosec in this area. These customers are heavy into Novell 5.x . EVERY one of them would suffer from a security/vulnerability stance if they were to make greater use of Windows servers.
Vinton Cerf
Richard Stevens
Maynard G. Krebs!!!??!???
How recently did you work for Safeway?
It's a laptop without a case, display and keypoard!