Printable View
Greeting's
It seems that Microsoft missed out on an exploit... The exploit now conformed by Microsoft will be addressed in future but with an uncertain time frame..
While the maximum damage that can be caused by this is limited to DoS.. It still needs to be addressed.
For now the only work around is BLOCKING PORT's 135-139 and 445..
Here is the link :
http://blogs.technet.com/msrc/archiv...28/443837.aspx
http://isc.sans.org/diary.php?storyid=1471
Shouldn't those ports always be blocked?
Hey Hey,
MsMittens: from home probably, in fact most ISPs are prolly blocking them for you... but in a corporate environment.. especially with file sharing and so on.. .prolly not..
Btw for those of you that missed it... This was the original email yesterday...
There were one or two follow up emails as well. There's at least one more public exploit (besides the one above) for MS06-035 that's causing this DoS...Quote:
After furiously patching since last week for catching up with MS06-040, we discovered that a old exploit for MS06-035 (again or still) works on a number fully patched systems including Windows 2003 Server, Windows XP and Windows 2000.
The exploit that works is: http://milw0rm.org/exploits/2057
All our tested systems (8 total) except one went into reboot after being hit with the exploit above. All tested systems have been patched with the latest available patches from Microsoft as of today, August 14th, 2006 4:00 PM MESZ, using both the standard Windows Update function and applying patches by hand.
Explicit download of KB917159 patch, applying it and reboot, with no result. I carefully checked the version of the srv.sys binary according to http://www.microsoft.com/technet/sec.../ms06-035.mspx and found it to be correct, meaning the patch should be applied correctly.
My only conclusion at this time is that the Microsoft delivered patch for MS06-035 does not work. Can anyone confirm this behaviour?
Thanks,
Frank
This is regarding MS06-035, CVE-2006-1314
Peace
HT
Why would a company have public internet access to those ports? Would it not be more common to block access that way or use VPN for access? Yes, I can see internal networks having it and the risk being there but common sense would dictate it not being accessible to the general internet at large.Quote:
MsMittens: from home probably, in fact most ISPs are prolly blocking them for you... but in a corporate environment.. especially with file sharing and so on.. .prolly not..
I'm not talking public access... Generally those ports are blocked... read any "Remote" that Microsoft puts out.. they say to block ports 135-139 and 445... quite often when it doesn't even affect those ports... it's part of their standard "legalese" these days.Quote:
Originally posted here by MsMittens
Why would a company have public internet access to those ports? Would it not be more common to block access that way or use VPN for access? Yes, I can see internal networks having it and the risk being there but common sense would dictate it not being accessible to the general internet at large.
I'm talking about internal access... Internal Employees are one of the biggest risks these days... they bring in a virus or worm written for MS06-035 (not saying there is... but hypothetically)... it begins to spread.. suddenly all the machines the admin things they've patched start crashing...
And in my opinion the home user should usually take parts of the advisories with a grain of salt... I consider MS more of a corporate company than a end-user company... the advisories usually target corporate work arounds and mitigation.. 95% of the stuff that comes out is already protected against by ISPs and househould Router solutions..
True. I wonder how many companies have host-based firewalls on each host to prevent spreading (not just between internal networks but within a network).
That would be an interesting question to have answered by people... The two corporate environments I was in prior to this didn't.. they both had say the built in XP firewall turned off...Quote:
Originally posted here by MsMittens
True. I wonder how many companies have host-based firewalls on each host to prevent spreading (not just between internal networks but within a network).
What mailing list was that from HT?.Quote:
Originally posted here by HTRegz
Btw for those of you that missed it... This was the original email yesterday...
Cheers
BugtraqQuote:
In most cases corporates have those ports open accross their networks as they are used for authenticating to domain controllers and accessing file server shares and what nots.
Ideally the ports should be locked down by host based firewalls to only be allowed between specific servers and the workstations that use those servers, but in many situations the configuring of that sort of setup seems to require too much work in a lot of peoples minds :/
The ports that should be locked down are 135, 137-139 and 445. These ports are common knowledge, or should be, to most people who have dealings with firewalls or the configuration of them.
The stream of viruses that made use of RPC and LSASS vulnerabilities should have taught just about everyone about these ports a long time ago :)