A Win2000 DoS exploit has just been posted to a public hacking mailing list.
This will be one-upped soon if history is anything to go by.
So the development of "blaster mark 2" is on track for tonight.
Hope all you Windows admins are up to a new round of patching and have not removed the port 135 filters.

Kevin Stewart
-----Original Message-----
From: Barry Murphy [mailto:barry(a)unix.co.nz]
Sent: Thursday, 11 September 2003 10:23 a.m.
To: nznog(a)list.waikato.ac.nz
Subject: [nznog] Fw: New Vulnerability in Microsoft Systems (RPC II)

----- Original Message -----
Subject: New Vulnerability in Microsoft Systems (RPC II)
Dear Barry Murphy,
Vulnerability in Microsoft Windows Servers
------------------------------------------
Severity of Bug : CRITICAL
Port / Service : Microsoft RPC
Versions Affected :
* Microsoft Windows NT Workstation 4.0
* Microsoft Windows NT Server 4.0
* Microsoft Windows NT Server 4.0, Terminal Server Edition
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server 2003
3 new bugs have been found in the Microsoft implementation of RPC. Although these bugs are also related to DCOM activation, they _are_not_ the same issue addressed in July.
Exploits for this (these) problems already exist in the wild, as both Denial of Service and remote compromise. This problem could possibly be more serious than the previous (http://www.microsoft.com/security/security_bulletins/ms03-026.asp) one, since Microsoft have _not_ ruled out exploitation of RPC via HTTP. (Simply filtering access to ports 135, 139, 445 & 593 will not ensure safety from exploitation)
Microsoft has an end-user write up of the problem here : http://www.microsoft.com/security/security_bulletins/ms03-039.asp
Patches may be downloaded here :
Windows 2000 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=F4F66D56-E7CE-44C3-8B94-817EA8485DD1&displaylang=en
Windows XP :
http://www.microsoft.com/downloads/details.aspx?FamilyId=5FA055AE-A1BA-4D4A-B424-95D32CFC8CBA&displaylang=en
Windows 2003 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=51184D09-4F7E-4F7B-87A4-C208E9BA4787&displaylang=en
SensePost suggest that the patch be applied as soon as possible.
Sincerely.
=======================================================
SensePost Research
research(a)sensepost.com
http://www.sensepost.com
(tel) +27 12 667 4737
=======================================================