On Mon, Jul 28, 2003 at 07:01:51AM -0600, Slighter, Tim wrote:
> In relation to the recent Nessus vulnerability check for the Microsoft RPC
> DCOM. This is the behavior that I have witnessed. Can run the scan with
> this vulnerability checked and with options "safe checks" enabled and a
> vulnerable system will be correctly discovered. Follow this up by disabling
> "safe checks" and the vulnerable system can be crashed. Next step is to get
> the patch from Microsoft and patch the system. Run the scan again with
> "safe checks" disabled and the system can still be crashed.
>
> Two possible options here?
>
> 1) The patch provided by Microsoft does not work

There are three DCOM-related plugins at this point:

- smb_nt_ms03-026.nasl checks for the presence of the patch in the registry

- msrpc_dcom.nasl checks for the flaw that everyone is talking about in a
  non-intrusive way. If you applied the patch in MS03-026, it should not
  give you any alert

- dcom_rpc_dos.nasl is an INTRUSIVE check and is not patched by MS03-026.
  It's a flaw that the guy at XFocus.org first published on bugtraq (see
  http://www.securityfocus.com/bid/8234). I suppose it's the guy who crashed
  your RPC service, as there is no patch whatsoever for this vulnerability
  (but it should not allow people to execute arbitrary code, just disable
  RPC)

--
Renaud
