|
-
August 15th, 2006, 12:00 PM
#1
all patched up.. but still vulnerable??
Greeting's
It seems that Microsoft missed out on an exploit... The exploit now conformed by Microsoft will be addressed in future but with an uncertain time frame..
While the maximum damage that can be caused by this is limited to DoS.. It still needs to be addressed.
For now the only work around is BLOCKING PORT's 135-139 and 445..
Here is the link :
http://blogs.technet.com/msrc/archiv...28/443837.aspx
http://isc.sans.org/diary.php?storyid=1471
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD* 
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
-
August 15th, 2006, 12:22 PM
#2
Shouldn't those ports always be blocked?
-
August 15th, 2006, 12:36 PM
#3
Hey Hey,
MsMittens: from home probably, in fact most ISPs are prolly blocking them for you... but in a corporate environment.. especially with file sharing and so on.. .prolly not..
Btw for those of you that missed it... This was the original email yesterday...
After furiously patching since last week for catching up with MS06-040, we discovered that a old exploit for MS06-035 (again or still) works on a number fully patched systems including Windows 2003 Server, Windows XP and Windows 2000.
The exploit that works is: http://milw0rm.org/exploits/2057
All our tested systems (8 total) except one went into reboot after being hit with the exploit above. All tested systems have been patched with the latest available patches from Microsoft as of today, August 14th, 2006 4:00 PM MESZ, using both the standard Windows Update function and applying patches by hand.
Explicit download of KB917159 patch, applying it and reboot, with no result. I carefully checked the version of the srv.sys binary according to http://www.microsoft.com/technet/sec.../ms06-035.mspx and found it to be correct, meaning the patch should be applied correctly.
My only conclusion at this time is that the Microsoft delivered patch for MS06-035 does not work. Can anyone confirm this behaviour?
Thanks,
Frank
This is regarding MS06-035, CVE-2006-1314
There were one or two follow up emails as well. There's at least one more public exploit (besides the one above) for MS06-035 that's causing this DoS...
Peace
HT
-
August 15th, 2006, 12:41 PM
#4
MsMittens: from home probably, in fact most ISPs are prolly blocking them for you... but in a corporate environment.. especially with file sharing and so on.. .prolly not..
Why would a company have public internet access to those ports? Would it not be more common to block access that way or use VPN for access? Yes, I can see internal networks having it and the risk being there but common sense would dictate it not being accessible to the general internet at large.
-
August 15th, 2006, 12:51 PM
#5
Originally posted here by MsMittens
Why would a company have public internet access to those ports? Would it not be more common to block access that way or use VPN for access? Yes, I can see internal networks having it and the risk being there but common sense would dictate it not being accessible to the general internet at large.
I'm not talking public access... Generally those ports are blocked... read any "Remote" that Microsoft puts out.. they say to block ports 135-139 and 445... quite often when it doesn't even affect those ports... it's part of their standard "legalese" these days.
I'm talking about internal access... Internal Employees are one of the biggest risks these days... they bring in a virus or worm written for MS06-035 (not saying there is... but hypothetically)... it begins to spread.. suddenly all the machines the admin things they've patched start crashing...
And in my opinion the home user should usually take parts of the advisories with a grain of salt... I consider MS more of a corporate company than a end-user company... the advisories usually target corporate work arounds and mitigation.. 95% of the stuff that comes out is already protected against by ISPs and househould Router solutions..
-
August 15th, 2006, 01:05 PM
#6
True. I wonder how many companies have host-based firewalls on each host to prevent spreading (not just between internal networks but within a network).
-
August 15th, 2006, 01:07 PM
#7
Originally posted here by MsMittens
True. I wonder how many companies have host-based firewalls on each host to prevent spreading (not just between internal networks but within a network).
That would be an interesting question to have answered by people... The two corporate environments I was in prior to this didn't.. they both had say the built in XP firewall turned off...
-
August 15th, 2006, 03:19 PM
#8
Junior Member
Originally posted here by HTRegz
Btw for those of you that missed it... This was the original email yesterday...
What mailing list was that from HT?.
Cheers
-
August 15th, 2006, 03:35 PM
#9
Originally posted here by crowchy
What mailing list was that from HT?.
Cheers
Bugtraq
-
August 15th, 2006, 05:15 PM
#10
Junior Member
In most cases corporates have those ports open accross their networks as they are used for authenticating to domain controllers and accessing file server shares and what nots.
Ideally the ports should be locked down by host based firewalls to only be allowed between specific servers and the workstations that use those servers, but in many situations the configuring of that sort of setup seems to require too much work in a lot of peoples minds :/
The ports that should be locked down are 135, 137-139 and 445. These ports are common knowledge, or should be, to most people who have dealings with firewalls or the configuration of them.
The stream of viruses that made use of RPC and LSASS vulnerabilities should have taught just about everyone about these ports a long time ago
Sanity is the trademark of a weak mind
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote