Hello,

We confirm the existance of the following RPC attack vectors pointed out
by Todd Sabin with regard to the vulnerability described in MS03-026.
These are respectively:

- ncacn_np:\pipe\epmapper
- ncadg_ip_udp:135
- ncacn_ip_tcp:135
- ncacn_http:593

This means that at least:
- UDP port 135,
- TCP ports 135, 139, 445 and 593 can be used as remote attack vectors.

The possibility of using ncacn_http (and TCP port 80) for the purpose
of launching a remote attack depends on whether COM Internet Services
are enabled for DCOM on a Windows Server running IIS (as far as we know
they are not enabled by default).

Best Regards,
Members of LSD Research Group
http://lsd-pl.net


On Thu, 17 Jul 2003, Todd Sabin wrote:

>
> I think it's worth mentioning that Microsoft's advisory on this issue
> is incorrect in stating that the only attack vector is port 135.  The
> vulnerability lies in one of the RPC interfaces that the endpoint
> mapper/RPCSS services.  As such, it is accessible over any RPC
> protocol sequence that the endpoint mapper listens on.  That includes:
>
> o ncacn_ip_tcp :  TCP port 135
> o ncadg_ip_udp :  UDP port 135
> o ncacn_np     :  \pipe\epmapper, normally accessible via SMB null
>                   session on TCP ports 139 and 445
> o ncacn_http   : if active, listening on TCP port 593.
>
> Finally, if ncacn_http is active, and COM Internet Services is
> installed and enabled, which is NOT the default in any configuration
> I'm aware of, then you can also talk to the endpoint mapper over port
> 80.  Just to be clear, I think this is a very uncommon scenario, but
> the possibility does exist.
>
> So if you want to be completely safe, block UDP 135, TCP 135, 139, 445,
> and 593.  And make sure you don't have COM Internet Services running.
>
> --
> Todd Sabin                                          <tsabin@optonline.net>
> BindView RAZOR Team                            <tsabin@razor.bindview.com>
>