Phelps Troy A SrA 88 CG/SCSI wrote:
>
> We have also had the same problem, but one thing
> that came to light about this check is that it does
> not work if NetBIOS is disabled. If anyone knows a
> sure way to make this vulnerability work please reply.

The knowledge base article indicates the scanner needs
administrative access to the scannee. Ergo, the need
for NetBIOS. I suspect a lot of the tests requiring Windows
account privileges could be determined by looking for
non-NetBIOS tests that make NetBIOS calls prior to
the calls related to the service being tested.

As far as testing for the vulnerability, Chris St. Clair
posted test results on Bugtraq indicating varying responses
based on the size of the ida request. He found a sweet spot
that would indicate a vulnerable machine without crashing
it. His post is available on the www.securityfocus.com
web site under Bugtraq archives. His post was dated 7/20/01.
David Dandar published Perl code using Chris's methodology
to the unisog mailing list the same day.

Finally, the folks that originally announced the idq defect
are making a Windows scanning tool available as an exe file.
Not sure how it works but in a post to Bugtraq, Marc Maiffret
says:

"We are able to remotely scan IP addresses (web servers) for
the .ida vulnerability (CodeRed Worm) without having to test
your system via a buffer overflow, which can bring your web
server down. Instead we use a technique which we have taken
from Retina that allows CodeRed Scanner the ability to test
a web server remotely, without causing any harm to it."

It doesn't say whether it requires NetBIOS access or an
account :)

http://www.eeye.com/html/Research/Tools/codered.html

I have not yet tried any of these methods.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/info-security/engineering/runsafe.shtml