Hi Bob,
I'm very glad that XForce have just released the latest XPU with
'MssqlResolutionServiceBo' without any admin rights needed. Because for
really large networks, having admin rights for each system is not feasible.
I jointly know that there are some checks that need access to the
registry but I hope that there should be a workaround for this. If not, it
won't reflect the correct vulnerabilities status of my servers. For example
in the case of this currently released check 'MssqlResolutionServiceBo', it
doesn't totally send the buffer overflow code to UDP port 1434 and stop the
SQL service but instead it just sends a "ping" and waits for a "reply"
back from the targeted SQL server on 1434 to determine whether the targeted
SQL server is vulnerable or not. This check already gives a good insight as to
whether the host is vulnerable, instead of needing admin rights in order to
execute some critical checks.
Anyway, thanks to your top technical guru, Rob Graham, for the SQL Slammer
check.
Regards,
Cindy
From: "Mullins, Bob (ISSAtlanta)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
cc: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: FW: [ISSForum] ISS Security Brief: Microsoft SQL Slammer Worm Propagation
01/29/2003 01:20 AM
Cindy,
There are quite a few checks in the scanner that require
authentication to run. This authentication is required in order to
access the registry and the file system on the target. If the scanner
cannot get access to the registry and file system, these types of checks
will not run. To ensure you do get the right level of access, you
should set up an account in the known accounts dialog. These
credentials are never sent over the wire in clear text. They are used
in several win32 function calls that cause the NTLM challenge/response
mechanism to be invoked to validate those credentials.
MssqlPreauthBo requires authentication because we decided to
check for the patch rather than write the check to overflow the buffer
and bring down the SQL Server. It's always a tough decision between a
check that requires authentication or a check that will DoS a service.
Some customers just cannot get authentication on all of the targets, so
patch and registry checks are not helpful to them. Others are never
willing to risk crashing a critical service such as SQL Server, so DoS
checks are useless to them.
In regard to scanning for machines vulnerable to the SQL Slammer
worm, one of our top technical gurus, Rob Graham, came up with a very
simple way to distinguish between patched and non-patched machines. He
published a tool on his web site (http://www.robertgraham.com) over the
weekend that performs this scan, and we are in the process of adding a
new check to the scanner to do the same thing. So until the XPU for
internet scanner is released, I would recommend scanning with Rob's tool
if the check in the scanner doesn't work in your environment.
Regards,
Bob Mullins
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 27, 2003 9:23 PM
To: Rouland, Chris (ISSAtlanta)
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
ISS XForce
Subject: RE: [ISSForum] ISS Security Brief: Microsoft SQL Slammer Worm
Propagation
Does it mean that if you have no admin rights on the target host,
although you selected to check this, it will not run? How do I execute
the check with admin rights? Isn't it dangerous to execute the check
with admin rights where the scan traffic is all in clear (plain text)?
I was also very curious about this particular check 'MssqlPreauthBo'
which requires admin rights too. The actual exploit for this doesn't
require any admin rights; if your TCP port 1433 is open and no
correct patch is applied, it should be vulnerable. Can you explain why
this particular check 'MssqlPreauthBo' needs admin rights?
In this case, if checks are not being run (because without admin rights),
it won't reflect the actual vulnerabilities state of the machine and most
critical ISS checks require admin rights. Can someone pls answer me??
Regards,
Cindy
From: "Rouland, Chris (ISSAtlanta)" <[EMAIL PROTECTED]>
Sent by: issforum-admin@iss.net
To: "Stephen Tihor" <[EMAIL PROTECTED]>, "ISS XForce" <[EMAIL PROTECTED]>
cc: <[EMAIL PROTECTED]>
Subject: RE: [ISSForum] ISS Security Brief: Microsoft SQL Slammer Worm Propagation
01/27/2003 04:52 AM
Stephen,
The MssqlMs02039Patch (SecChkId 9666) check for Internet Scanner works
by reading the path to where SQLServer is installed and then gets the
version resource from ssnetlib.dll. If the version is less than 636, we
flag the target as vulnerable.
You will need admin rights on the target to detect this.
-Chris
-----Original Message-----
From: Stephen Tihor [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 25, 2003 2:14 PM
To: ISS XForce
Cc: [EMAIL PROTECTED]
Subject: Re: [ISSForum] ISS Security Brief: Microsoft SQL Slammer Worm
Propagation
Interestingly enough I have ISS Internet Scanner up to date with all
XPUs and scanned a machine Friday which turned out to be vulnerable
today. It was a stable production node so I doubt they enabled anything
new. Which suggests the ISS was not on point or was a Denial of Service
test since those were not run against the machine being tested. Could
someone tell me which was the case?
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
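Added example, not part of the original thread and not ISS's code: a sketch of the comparison Chris Rouland describes for MssqlMs02039Patch, locating the VS_FIXEDFILEINFO structure in a DLL's bytes and comparing the file version against 636. It assumes 636 refers to the build field of the file version; sample_blob and the version numbers fed to it are constructed inputs, and a file with no readable version is reported as "unknown" rather than clean, which is the gap Cindy raises for checks that cannot run.

```python
import struct

VS_FFI_SIGNATURE = 0xFEEF04BD   # dwSignature that opens every VS_FIXEDFILEINFO
VS_FFI_STRUCVERSION = 0x00010000
PATCHED_BUILD = 636             # threshold quoted in the thread (assumed: build field)


def file_version(pe_bytes):
    """Return (major, minor, build, revision) from the first valid
    VS_FIXEDFILEINFO found in the raw file bytes, or None if absent."""
    sig = struct.pack("<I", VS_FFI_SIGNATURE)
    pos = pe_bytes.find(sig)
    while pos != -1:
        if pos + 16 <= len(pe_bytes):
            # dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
            _, struc_ver, ms, ls = struct.unpack_from("<4I", pe_bytes, pos)
            if struc_ver == VS_FFI_STRUCVERSION:
                return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        pos = pe_bytes.find(sig, pos + 1)   # signature bytes matched by chance
    return None


def assess(pe_bytes):
    """Classify a copy of ssnetlib.dll by the rule stated in the thread."""
    ver = file_version(pe_bytes)
    if ver is None:
        return "unknown"        # check could not run: never report this as clean
    return "vulnerable" if ver[2] < PATCHED_BUILD else "patched"


def sample_blob(major, minor, build, rev):
    """Constructed input: filler bytes followed by a minimal version header."""
    ms = (major << 16) | minor
    ls = (build << 16) | rev
    header = struct.pack("<4I", VS_FFI_SIGNATURE, VS_FFI_STRUCVERSION, ms, ls)
    return b"MZ" + b"\x00" * 62 + header


if __name__ == "__main__":
    for blob in (sample_blob(2000, 80, 534, 0),
                 sample_blob(2000, 80, 636, 0),
                 b"MZ" + b"\x00" * 100):
        print(file_version(blob), assess(blob))
```

On a real host the bytes would come from the ssnetlib.dll under the SQL Server install path, which is why the scanner needs file-system and registry access on the target.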