Just a quick update. It appears that there are at least 6 or 7 exploits now published out there for this that give you remote shell into the compromised machine. Compiled versions for Windows and Linux are up on web sites as well. EEye has published a free scanner for this like they did for Code Red.
The following list has been pretty chatty concerning the vulnerability. http://lists.netsys.com/mailman/listinfo/full-disclosure joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Sent: Saturday, July 26, 2003 11:52 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] [OT] Details of MS03-26 published by XFocus... Warning worm watch is on... This isn't AD related but is core Windows... XFocus who recently published some concept code (perl and c) to crash RPC on any Windows 2000 machine running RPC and DCOM has now reconstructed and published concept code to exploit the RPC/DCOM hole found by LSD earlier this month. This hole is worse than the previous hole XFocus published info about because it allows for remote unauthenticated code execution on the machines. MS has a patch for this hole which you should require to have on all of your WinNT based (Windows NT, Windows 2000, Windows XP, Windows 2003) machines. The security bulliten is MS03-26 (http://www.microsoft.com/technet/security/bulletin/MS03-026.asp) aka hot fix KB823980. Everyone who has a Windows machine should apply this fix ASAP. Do not feel safe because you are behind a firewall. If a firewall was all we needed we never would have felt SQL Slammer. Patch your systems. To make this AD related a bit I would like to again request of Microsoft that they actually use the operatingsystemhotfix attribute and populate it with qfecheck output so a very large company can scan AD in minutes versus spending hours or days trying to connect to all machines. Oh yeah, that property probably should have been multivalued... Obviously this won't catch all of the machines, but a large number of them should be accounted for much more quickly. joe List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
