Hi,

I already had many discussions with ISS about the "admin rights" problem.
For some checks (mainly the IIS ones) I made tests to find out how these
checks were performed. Most of them just queried the registry of
the server to find out whether the corresponding patch was installed
or not and sometimes tried to find out the version of the vulnerable
dll or exe file. So there was nearly always a false negative if no NetBIOS
access to the server was possible.

And certainly this method just works on Windows Boxes...

As much as I appreciate the release of the new check and the really
nice commandline scanner, in my opinion this should have been done
BEFORE the worm hit the internet!! We had exactly the same problem with
CodeRed: the Internet Scanner IisIsapiIdqBo check was just a patch check
and so did not work if the scanner could not connect to the server via
SMB / NetBIOS. After CodeRed hit the net, ISS provided a flex check for
testing via HTTP.

So to sum it up, IMHO if there is a serverside vulnerability which can be 
exploited WITHOUT any privileges on the attacked host, it MUST be possible 
to check for it without any privileges. 

Regards
Bjoern

-----Original Message-----
From: Chontzopoulos Dimitris [mailto:[EMAIL PROTECTED]] 
Posted At: Wednesday, January 29, 2003 9:43 PM
Posted To: ISS Mailingliste
Conversation: [ISSForum] ISS Security Brief: Microsoft SQL Slammer Worm Propagation
Subject: RE: [ISSForum] ISS Security Brief: Microsoft SQL Slammer Worm Propagation


"These are actually pretty interesting questions as to the admin rights
needed on machines.  In a way, I can understand why admin rights would
be needed.  But there are numerous checks out there that require admin
rights to check for it, but to exploit it, anybody can do it."

I believe that it is a good point that the Security Scanner requires
administrative rights in order to make some checks. Just imagine what
could happen if the Security Scanner required no administrative rights
in order to identify certain security issues. It could be THE unbeatable
tool for any Hacker/Cracker/you-name-it around the globe. The fact that
exploits can be run without (in some, not all cases) administrative
privileges has nothing to do with having administrative privileges in
order to identify certain security issues. I also believe that the
Security Scanner is not a mere application able to *crash* a machine by
exploiting some security issues it may have, it is THE tool in order to
identify the problem as it is and NOT provide you with a "False
Positive" or "False Negative" just like Nessus does in some cases (at
least for me, I don't know about other people). I really feel a lot
better when I come to think that you HAVE to HAVE administrative rights
in order to identify certain Security issues, I don't know about you
people. Just try for yourself and contrast between Security Scanner and
Nessus; you will find that only certain checks require administrative
privileges, regarding the Security Scanner, and that Nessus can identify
less Security Issues (although they exist on the scanned machine) and
that it produces more "False Positives". In my opinion, Security Scanner
is THE most comprehensive and professional Security/Vulnerability
Assessment tool that exists in the market today. The thing is that it
has dependencies regarding the checks it performs in order to give you
true results. Again, Security Scanner is not a tool to "Blue Screen"
your machines (although it can also do that), it is a tool to assess
your current environment. There are other tools out there that are
designed *just* to "Blue Screen" your machines.

Cheers,

Dimitris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
Of Wisniewski, Michael
Sent: Tuesday, January 28, 2003 7:06 PM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: [ISSForum] ISS Security Brief: Microsoft SQL Slammer Worm
Propagation



        These are actually pretty interesting questions as to the admin
rights needed on machines.  In a way, I can understand why admin rights
would be needed.  But there are numerous checks out there that require
admin rights to check for it, but to exploit it, anybody can do it.

        I would like to suggest that maybe there should be an option that
will run the checks, admin or not, and give you the results.  One of my
gripes was with open writable netbios shares.  If the "everyone" group is
able to write to it, then isn't it an open share?  Shouldn't this be
flagged as a vulnerability?  Why would I need to login to the machine as
an "admin" in order to detect a share the whole world can write to?
Luckily, I have been working with Tech support to resolve this issue.  It
works, but just lists the IP/host that has a writable share, and not what
the share actually is.

        I think there are many checks like this that should be performed
regardless of whether you're an admin or not.  I could understand if
you're an admin of a small 25 node LAN, but when you have hundreds and
thousands of hosts, it is impossible to be an admin of every one of
them....or even the majority of them.



Mike


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 27, 2003 8:23 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: [ISSForum] ISS Security Brief: Microsoft SQL Slammer Worm
Propagation


Does it mean that if you have no admin rights on the target host,
although you selected to check this, it will not run? How do I execute
the check with admin rights? Isn't it dangerous to execute the check with
admin rights where the scan traffic is all in clear (plain text)?

I was also very curious about this particular check 'MssqlPreauthBo'
which requires admin rights too. The actual exploit for this doesn't
require any admin rights: if your TCP port 1433 is open and the correct
patch is not applied, it should be vulnerable. Can you explain why this
particular check 'MssqlPreauthBo' needs admin rights?

In this case, if checks are not being run (because there are no admin
rights), it won't reflect the actual vulnerability state of the machine,
and most critical ISS checks require admin rights. Can someone please
answer me??

Regards,
Cindy


-----Original Message-----
From: "Rouland, Chris (ISSAtlanta)" <[EMAIL PROTECTED]>
Sent by: issforum-admin@iss.net
Sent: 01/27/2003 04:52 AM
To: "Stephen Tihor" <[EMAIL PROTECTED]>, "ISS XForce" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Subject: RE: [ISSForum] ISS Security Brief: Microsoft SQL Slammer Worm Propagation

Stephen,

The MssqlMs02039Patch (SecChkId 9666) check for Internet Scanner works
by reading the path to where SQLServer is installed and then gets the
version resource from ssnetlib.dll.  If the version is less than 636, we
flag the target as vulnerable.

You will need admin rights on the target to detect this.

-Chris
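As an added illustration (not ISS code) of the point Bjoern and Chris make above: the credentialed check compares the build field of the ssnetlib.dll version against 636, and a scanner that reports nothing when it cannot read that file turns a missing credential into a false negative. The host names and version strings below are constructed, and the two reporting policies are modelled, not taken from Internet Scanner.

```python
# Added example, not ISS code: models the credentialed ssnetlib.dll version
# check from the thread; version strings and host names are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

SSNETLIB_FIXED_BUILD = 636  # build threshold quoted in the thread

def build_number(file_version: str) -> int:
    """Third field of a Windows file version string: '2000.80.534.0' -> 534."""
    fields = file_version.strip().split(".")
    if len(fields) < 3 or not all(f.isdigit() for f in fields):
        raise ValueError(f"unexpected version string: {file_version!r}")
    return int(fields[2])

def ssnetlib_vulnerable(file_version: str) -> bool:
    """Scanner rule from the thread: build below 636 means the fix is absent."""
    return build_number(file_version) < SSNETLIB_FIXED_BUILD

@dataclass(frozen=True)
class Host:
    name: str
    admin_access: bool               # can the scanner log on over SMB/NetBIOS?
    ssnetlib_version: Optional[str]  # None: the DLL could not be read

def naive_check(host: Host) -> str:
    """Reports 'clean' whenever the check cannot run, hiding a false negative."""
    if not host.admin_access or host.ssnetlib_version is None:
        return "clean"
    return "vulnerable" if ssnetlib_vulnerable(host.ssnetlib_version) else "clean"

def honest_check(host: Host) -> str:
    """Reports 'not_checked' so a missing credential never reads as 'patched'."""
    if not host.admin_access or host.ssnetlib_version is None:
        return "not_checked"
    return "vulnerable" if ssnetlib_vulnerable(host.ssnetlib_version) else "clean"

def summarize(hosts: List[Host], check: Callable[[Host], str]) -> Dict[str, int]:
    """Count hosts per result so the two reporting policies can be compared."""
    counts: Dict[str, int] = {}
    for h in hosts:
        r = check(h)
        counts[r] = counts.get(r, 0) + 1
    return counts

# Constructed inventory: one patched, one unpatched, one unreachable over SMB.
SAMPLE_HOSTS = [
    Host("sql-a", True, "2000.80.636.0"),
    Host("sql-b", True, "2000.80.534.0"),
    Host("sql-c", False, None),
]
```

Run `summarize(SAMPLE_HOSTS, naive_check)` against `summarize(SAMPLE_HOSTS, honest_check)`: the unreachable host is counted as clean by the first policy and surfaced as unchecked by the second.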

-----Original Message-----
From: Stephen Tihor [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 25, 2003 2:14 PM
To: ISS XForce
Cc: [EMAIL PROTECTED]
Subject: Re: [ISSForum] ISS Security Brief: Microsoft SQL Slammer Worm
Propagation


Interestingly enough, I have ISS Internet Scanner up to date with all
XPUs and scanned a machine Friday which turned out to be vulnerable
today. It was a stable production node so I doubt they enabled anything
new. Which suggests the ISS was not on point or was a Denial of Service
test since those were not run against the machine being tested.   Could
someone tell me which was the case?


_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo