Re: DCOM RPC exploit (dcom.c)

[Chris Paget <chrisp () ngssoftware com>]

Len,

IMHO there's a difference between "security through obscurity" and posting
working exploit code.  Knowing that there is a vulnerability in DCOM, accessible
over a range of RPC mechanisms (primarily 135/tcp) is all that most
administrators need to know.  It's one thing knowing that you can kill a person
with a gun, and it's another to give away firearms.

Scanners are good; I agree they give out more information than an advisory, but
it's still a step away from giving the kiddies a tool.  Those in the know will
always be able to write an exploit from minimal details; whether or not the
pre-pubescent h4xx0rs get hold of it is another matter though.

Different people will have differing opinions on how much information and what
kind of disclosure policy is acceptable; for me, working exploit code so soon
after the advisory is just irresponsible.

As for the <2 week "grace period", it's not enough.  What if the patch is
broken in some way?  It was rushed out the door by Microsoft; how many admins
wait a month before applying a patch, just to see if anyone else has problems
with it?  I've just finished an audit on a multinational manufacturing company;
the exploit code came out before they'd patched.  How many other companies are
in the same boat?

I agree, exploit code may force people to patch, but that's not sufficient
justification in my book.

Chris




On Sat, 26 Jul 2003, Len Rose wrote:

> Disclaimer: I'm not supposed to have an opinion about anything
> other than how the list functions but I'm weak and unable to
> resist this one.
>
> Hi Chris,
>
> I don't feel that your position is valid. Once the vulnerability was
> announced then it was inevitable. I'm surprised that you feel that
> security by obscurity is a valid stance. Even those who have released
> "harmless" scanners have in fact aided those who would be writing such
> malware anyway since all they have to do is sniff the wire if they're
> searching for correct methodology.
>
>
> Chris Paget wrote:
>
> > <sarcasm>
> > I'd just like to thank FlashSky, Benjurry, and H D Moore for releasing this
> > code.  Really guys, sterling job.  Now the skript kiddies and VXers have got
> > virtually no work to do in order to write a worm that exploits this.
> > </sarcasm>
>
> Only those who mistakenly believe that hiding information from the masses
> will stop those who have the knowledge and intent to cause harm could feel
> this way.
>
> > Personally, I'm tempted to set up my firewall to NAT incoming requests on port
> > 135 to either www.metasploit.com or www.xfocus.org.  I know this is the
> > full-disclosure list, but working exploit code for an issue this huge is taking
> > it a bit far, especially less than 2 weeks after the advisory comes out.
>
> It wouldn't matter if it were 2 months.
>
> > Cheers, fellas.  When the worm comes out, I'll be thinking of you.
>
> Think of the joke sold to millions of people masquerading as an operating system
> coded by unemployed vms programmers, and visual basic "experts" instead.
>
> Len
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html