It appears that the plugin was updated overnight to fix this, so many thanks to whoever
did this.
However, if you run dcomcnfg on a machine and use "Default properties" to disable DCOM
on this machine, then the plugin falsely reports it as vulnerable. I've tested this
with the patch on, on Win2K, XP and NT 4.0WS and the return value that it checks is
always 0x00050007 in these cases. I haven't (yet) tested it against an unpatched but
disabled box.
The following patch appears to fix this...
--- msrpc_dcom.nasl.old Tue Jul 29 22:30:13 2003
+++ msrpc_dcom.nasl Wed Jul 30 12:23:47 2003
@@ -72,6 +72,7 @@
chk[0] = raw_string (0x00,0x04,0x00,0x08);
+chk[1] = raw_string (0x00,0x05,0x00,0x07);
report = "";
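Review bot: the added `chk[1] = raw_string (0x00,0x05,0x00,0x07);` line has no comment saying what 0x00050007 represents. According to the message it is the value returned when DCOM has been disabled through dcomcnfg, but nothing in the code records that, so a one-line comment above the assignment naming that case (and the platforms it was observed on: Win2K, XP and NT 4.0WS) would keep the signature from becoming an unexplained magic value.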
@@ -99,7 +100,7 @@
display('len = ', len, '\n');
display('stub = ', hexstr(stub), '\n');
}
- if (stub >!< chk[0])
+ if ((stub >!< chk[0]) && (stub >!< chk[1]))
{
if (debug) display("Warning: Vulnerable MSRPC host found!\n");
security_hole(port:port);
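Review bot: in the changed `if`, a stub matching chk[1] now produces no report at all, yet the message says this return value has only been observed with the patch installed and has not been tested against an unpatched but disabled box. If an unpatched host with DCOM disabled returns the same value, it would be silently treated as clean, and it would be exposed again as soon as DCOM is re-enabled. Consider giving the chk[1] case its own branch that reports, at a lower severity (or at least through the existing `debug` display), that DCOM appears to be disabled and the patch status could not be determined, instead of folding it into the not-vulnerable condition.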
-----Original Message-----
From: Renaud Deraison [mailto:[EMAIL PROTECTED]
Sent: 29 July 2003 15:21
To: [EMAIL PROTECTED]
Subject: Re: msrpc_dcom.nasl and NT 4
On Tue, Jul 29, 2003 at 01:12:46PM +0100, Hemsley, Trevor wrote:
> Is there something that can be done with this to get it to report NT 4 systems more
> accurately?
Yes, give Nessus the credentials to log into the remote NT server and
inspect its registry.
-- Renaud