Security

  • Is MS06-018 a DoS or a system compromise ?


    Hello Nick and people on the list
    I have seen 2 servers last month which have been
    hacked and actively used to scan TCP 3372 on foreign
    IPs
    There were servers which had port 3372 accessible
    (a firewall rule misconfiguration was making TCP ports >3000
    accessible on the Internet)

    I was not able to find any tool which was used to
    hack the server on this port, but I think DTC was the culprit.
    These servers also had port 53 (DNS) accessible; they
    were running win2k with about 3 weeks of patches missing,
    no other services were on (no iis, "server" service turned off,
    on TCP/IP bound on NIC)
    I found tools on the hacked servers : "infoscan.exe" 1.0
    from uhhuhy (cnhonker.com), and dfind.exe from class101.org,
    and log files of recent scans which were corresponding to the
    complaints the server's owner received.
    The tools were placed in recycler directory, the hacker seems to
    have been able to send commands or get a remote shell.
    I'd be interested to hear information about remote code
    execution on this port if you find some, these details make
    me think a serious problem exists in DTC service.
    Thanks and have a nice day
    Maxime Ducharme
    -----Original Message-----
    From: Nick Boyce [mailto:nick.boyce (AT) gmail (DOT) com]
    Sent: 13 May, 2006 20:25
    To: bugtraq (AT) securityfocus (DOT) com
    Subject: Is MS06-018 a DoS or a system compromise ?
    There seems to be some confusion in MS Security Bulletin MS06-018,
    "Vulnerability in Microsoft Distributed Transaction Coordinator".
    The bulletin itself states :
    "An attacker could cause the Microsoft Distributed
    Transaction Coordinator (MSDTC) to stop responding.
    Note that the denial of service vulnerability would
    not allow an attacker to execute code or to elevate
    their user rights, but it could cause the affected
    system to stop accepting requests."
    whereas the linked download pages for both the Win2K and WinXP patches
    state :
    "A security issue has been identified in the
    Microsoft Distributed Transaction Controller
    service that could allow an attacker to compromise
    your Windows-based system and gain control over it."
    The related McAfee advisory states :
    "Exploitation can at most lead to a denial of service
    and therefore the risk factor is at medium."
    so I guess DoS is what it is, but it would still be nice if someone
    in the know could confirm the download pages are wrong. Anyone
    from Microsoft here ?
    Cheers
    Nick Boyce
