all patched up.. but still vulnerable??


  1. #1
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003

    all patched up.. but still vulnerable??

    Greetings

    It seems that Microsoft missed out on an exploit... The exploit, now confirmed by Microsoft, will be addressed in future but with an uncertain time frame..

    While the maximum damage that can be caused by this is limited to DoS.. it still needs to be addressed.

    For now the only workaround is BLOCKING PORTS 135-139 and 445..



    Here is the link :
    http://blogs.technet.com/msrc/archiv...28/443837.aspx
    http://isc.sans.org/diary.php?storyid=1471
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  2. #2
    MrLinus (Just a Virtualized Geek)
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Shouldn't those ports always be blocked?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    MsMittens: from home probably, in fact most ISPs are prolly blocking them for you... but in a corporate environment.. especially with file sharing and so on... prolly not..

    Btw for those of you that missed it... This was the original email yesterday...

    After furiously patching since last week to catch up with MS06-040, we discovered that an old exploit for MS06-035 (again or still) works on a number of fully patched systems including Windows 2003 Server, Windows XP and Windows 2000.

    The exploit that works is: http://milw0rm.org/exploits/2057

    All our tested systems (8 total) except one went into reboot after being hit with the exploit above. All tested systems have been patched with the latest available patches from Microsoft as of today, August 14th, 2006 4:00 PM MESZ, using both the standard Windows Update function and applying patches by hand.
    Explicit download of KB917159 patch, applying it and reboot, with no result. I carefully checked the version of the srv.sys binary according to http://www.microsoft.com/technet/sec.../ms06-035.mspx and found it to be correct, meaning the patch should be applied correctly.

    My only conclusion at this time is that the Microsoft delivered patch for MS06-035 does not work. Can anyone confirm this behaviour?

    Thanks,
    Frank

    This is regarding MS06-035, CVE-2006-1314
    There were one or two follow up emails as well. There's at least one more public exploit (besides the one above) for MS06-035 that's causing this DoS...

    Peace
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  4. #4
    MrLinus (Just a Virtualized Geek)
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    MsMittens: from home probably, in fact most ISPs are prolly blocking them for you... but in a corporate environment.. especially with file sharing and so on.. .prolly not..
    Why would a company have public internet access to those ports? Would it not be more common to block access that way or use VPN for access? Yes, I can see internal networks having it and the risk being there but common sense would dictate it not being accessible to the general internet at large.

  5. #5
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by MsMittens
    Why would a company have public internet access to those ports? Would it not be more common to block access that way or use VPN for access? Yes, I can see internal networks having it and the risk being there but common sense would dictate it not being accessible to the general internet at large.
    I'm not talking public access... Generally those ports are blocked... read any "Remote" advisory that Microsoft puts out.. they say to block ports 135-139 and 445... quite often when it doesn't even affect those ports... it's part of their standard "legalese" these days.

    I'm talking about internal access... Internal employees are one of the biggest risks these days... they bring in a virus or worm written for MS06-035 (not saying there is... but hypothetically)... it begins to spread.. suddenly all the machines the admin thinks they've patched start crashing...

    And in my opinion the home user should usually take parts of the advisories with a grain of salt... I consider MS more of a corporate company than an end-user company... the advisories usually target corporate workarounds and mitigation.. 95% of the stuff that comes out is already protected against by ISPs and household router solutions..

  6. #6
    MrLinus (Just a Virtualized Geek)
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    True. I wonder how many companies have host-based firewalls on each host to prevent spreading (not just between internal networks but within a network).

  7. #7
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by MsMittens
    True. I wonder how many companies have host-based firewalls on each host to prevent spreading (not just between internal networks but within a network).
    That would be an interesting question to have answered by people... The two corporate environments I was in prior to this didn't.. they both had, say, the built-in XP firewall turned off...

  8. #8
    Junior Member
    Join Date
    Aug 2006
    Posts
    10
    Originally posted here by HTRegz

    Btw for those of you that missed it... This was the original email yesterday...
    What mailing list was that from, HT?

    Cheers

  9. #9
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by crowchy
    What mailing list was that from, HT?

    Cheers
    Bugtraq

  10. #10
    Junior Member
    Join Date
    Aug 2006
    Posts
    3
    In most cases corporates have those ports open across their networks, as they are used for authenticating to domain controllers and accessing file server shares and whatnot.

    Ideally the ports should be locked down by host-based firewalls to only be allowed between specific servers and the workstations that use those servers, but in many situations configuring that sort of setup seems to require too much work in a lot of people's minds :/

    The ports that should be locked down are 135, 137-139 and 445. These ports are common knowledge, or should be, to most people who have dealings with firewalls or the configuration of them.

    The stream of viruses that made use of RPC and LSASS vulnerabilities should have taught just about everyone about these ports a long time ago.
    Sanity is the trademark of a weak mind
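The host-firewall scoping that the last post describes (ports 135, 137-139 and 445 reachable only from the servers a workstation actually uses), as an added example that is not from the thread or its authors. It uses the Windows Defender Firewall cmdlets of Windows 8 / Server 2012 and later (on the XP-era systems in the thread the same idea was expressed with `netsh firewall add portopening ... CUSTOM`); the peer addresses are constructed placeholders.

```powershell
# Added example, not from the thread. Assumes Windows 8 / Server 2012 or later
# and an elevated shell. Replace the placeholder addresses with your own domain
# controllers, file servers and management hosts.
$AllowedPeers = @('10.0.0.10', '10.0.0.11', '10.0.0.20')   # constructed placeholders
$ScopedTcpPorts = 135, 139, 445                            # RPC endpoint mapper, NetBIOS session, SMB
$ScopedUdpPorts = 137, 138                                 # NetBIOS name / datagram service

# 1. Default-deny inbound on every profile and log drops, so a later
#    "patched but still crashing" report can be checked against the log.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -LogBlocked True

# 2. Disable any existing inbound allow rule that opens one of these ports to
#    everyone. Rules whose port filter is 'Any' are left alone on purpose;
#    review those by hand rather than disabling them blindly.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        ($filter.Protocol -in 'TCP', 'UDP') -and
        ($filter.LocalPort | Where-Object { $_ -in ($ScopedTcpPorts + $ScopedUdpPorts) })
    } |
    ForEach-Object {
        Write-Warning "Disabling broad inbound rule: $($_.DisplayName)"
        $_ | Disable-NetFirewallRule
    }

# 3. Re-open the same ports, but only to the approved peers. With the default
#    inbound action set to Block above, anything not matched here is dropped.
New-NetFirewallRule -DisplayName 'RPC/SMB TCP from approved servers only' `
    -Direction Inbound -Protocol TCP -LocalPort $ScopedTcpPorts `
    -RemoteAddress $AllowedPeers -Action Allow -Profile Domain

New-NetFirewallRule -DisplayName 'NetBIOS UDP from approved servers only' `
    -Direction Inbound -Protocol UDP -LocalPort $ScopedUdpPorts `
    -RemoteAddress $AllowedPeers -Action Allow -Profile Domain

# 4. Show the resulting scope so the change can be verified on the host.
Get-NetFirewallRule -DisplayName '*approved servers only' |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        '{0}: {1} {2} from {3}' -f $_.DisplayName, $port.Protocol,
            ($port.LocalPort -join ','), ($addr.RemoteAddress -join ',')
    }
```

Servers need the mirror image of this: inbound rules on the file server or domain controller scoped to the workstation subnets they serve, not to the whole internal network.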
