Re: MS-Blast scripts

  • From: "Mark Hippenstiel" <M.Hippenstiel@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 14 Aug 2003 23:52:49 +0200

Even though this was discussed elsewhere, I'll just go and take the
credits this time ;) I don't remember who posted this on FD, but he/she
had a point:

Just like with WLAN, there will be more and more weak points emerging,
like web-enabled cellular phones, PDAs and all kinds of communication
devices that momentarily plug into a trusted machine and are given
unlimited access to the network. To follow your argumentation, you'd
have to consider the CEO's office machine as untrusted as soon as he
connects his Communicator to it. This will most likely raise problems in
the future, and I'd say it's a good reason to look closer at ID systems.


But then we could place an ISA box right in front of every workstation,
what do you think? Anyway, sorry for being the cause for additional work
on your side :)

Mark


> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
> Sent: Thursday, August 14, 2003 11:18 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: MS-Blast scripts
> 
> 
> http://www.ISAserver.org
> 
> 
> Hi Mark,
> 
> Cool, that's what I was thinking. None of my networks have 
> been touched, but that might be due to all laptops requiring 
> ICF. However, there has been an element of luck, because no 
> VPN clients introduced the bug and none of my VPN servers 
> have VPNq installed yet, and the CMAK client pieces have not 
> been distributed.
> 
> This does bring up a very very good point. Untrusted machines 
> (machines such as laptops and VPN clients) should not connect 
> directly to the trusted network. VPN clients can connect to a 
> DMZ and access published servers. Laptops should connect to 
> their own network and access resources via published servers 
> as well. Sort of like what we all naturally do with WLAN hosts.
> 
> Hey Mark, you just gave me an idea for another article :-)
> 
> Thanks!
> Tom
> 
> Thomas W Shinder
> www.isaserver.org/shinder 
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
> 
>  
> 
> 
> -----Original Message-----
> From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx] 
> Sent: Thursday, August 14, 2003 4:08 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: MS-Blast scripts
> 
> 
> http://www.ISAserver.org
> 
> 
> Tom,
> 
> may I cite NAI on this:
> 
> ====================
> This worm spreads by exploiting a recent vulnerability in 
> Microsoft Windows. The worm scans the local class C subnet, 
> or other random subnets, on port 135. Discovered systems are 
> targeted. Exploit code is sent to those systems, instructing 
> them to download and execute the file MSBLAST.EXE from a 
> remote system via TFTP. 
> The worm contains a payload to initiate a Denial of Service 
> attack against windowsupdate.com after August 16. The worm 
> only checks the local system date upon execution. If an 
> infected system is left on and the date rolls over to Aug 16, 
> the payload will not kick off until the system is restarted. 
> 
> This payload involves sending 20-byte SYN packets to 
> windowsupdate.com on TCP port 80 for the purpose of 
> preventing users from patching their systems via Windows 
> Update. The source IP address is spoofed on each packet, 
> using a random local CLASS B IP. 
> 
> [...]
> 
> However, unless the system has been (MS03-026) patched, it is 
> susceptible to the buffer overflow attack from an infected 
> host machine. An infected machine (running msblast.exe) will 
> send out malformed packets across the local subnet to the RPC 
> service running on port 135. When these packets are received 
> by any unpatched system, it will create a buffer overflow and 
> crash the RPC service on that system. All this can occur 
> without the worm actually being on the machine. This means 
> that the remote shell will still get created on TCP port 
> 4444, and the system may unexpectedly crash upon receiving 
> malformed exploit code. 
> ====================
> 
> I agree that imho the only way for the worm to get into a 
> secured network would be by physically moving an infected 
> machine into it. Of course there's always a chance that some 
> machine has its own internet access for whatever reasons 
> (maybe online banking) and gets infected that way.
> 
> When the exploit was being discussed the first time, I said I 
> was pretty sure that my setups would be safe, and you know 
> what - they still are thanks to ISA and a proper 
> configuration. By now I have the machines patched, so 
> everything's at ease :)
> 
> Mark
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: 
> http://www.serverfiles.com No.1 Exchange > Server Resource 
> Site: http://www.msexchange.org Windows Security Resource 
> Site: http://www.windowsecurity.com/ Network Security 
> Library: http://www.secinf.net/ Windows 2000/NT Fax 
> Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a 
> blank email to $subst('Email.Unsub')
> 


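The propagation sequence in the NAI description quoted above (a sweep of the local subnet on TCP/135, a shell opened on TCP/4444, then the victim pulling MSBLAST.EXE back over TFTP) is something you can look for in connection logs from the inside, which is useful precisely in the case both posters worry about: an infected laptop or VPN client carried past the ISA box. The following is an added example and is not code from this thread, from NAI or from ISA Server. The log line format, the scan threshold (8 distinct targets within 30 seconds), and the sample hosts are all constructed assumptions; an ISA log would need its own field mapping.

```python
# Added example (not from the list post, NAI or ISA Server): flag hosts whose
# traffic matches the MSBlast propagation pattern quoted above: a burst of
# TCP/135 probes across a subnet, a follow-up connection to the TCP/4444
# shell, and the victim's TFTP (UDP/69) fetch back from the attacker.
# Log format, thresholds and addresses below are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_THRESHOLD = 8              # distinct TCP/135 targets inside WINDOW
WINDOW = timedelta(seconds=30)  # a single 135 hit is normal RPC traffic

# Constructed sample log: "<date> <time> <proto> <src>:<sport> -> <dst>:<dport>".
# 192.168.1.50 sweeps the /24 on 135, opens the shell on .7, and .7 pulls the
# payload back over TFTP. 192.168.1.20 is ordinary RPC and web traffic.
SAMPLE_LOG = """\
2003-08-14 22:01:00 TCP 192.168.1.20:1029 -> 192.168.1.5:135
2003-08-14 22:01:01 TCP 192.168.1.20:1030 -> 192.168.1.200:80
2003-08-14 22:01:02 TCP 192.168.1.50:1034 -> 192.168.1.1:135
2003-08-14 22:01:02 TCP 192.168.1.50:1035 -> 192.168.1.2:135
2003-08-14 22:01:03 TCP 192.168.1.50:1036 -> 192.168.1.3:135
2003-08-14 22:01:03 TCP 192.168.1.50:1037 -> 192.168.1.4:135
2003-08-14 22:01:04 TCP 192.168.1.50:1038 -> 192.168.1.5:135
2003-08-14 22:01:04 TCP 192.168.1.50:1039 -> 192.168.1.6:135
2003-08-14 22:01:05 TCP 192.168.1.50:1040 -> 192.168.1.7:135
2003-08-14 22:01:05 TCP 192.168.1.50:1041 -> 192.168.1.8:135
2003-08-14 22:01:06 TCP 192.168.1.50:1042 -> 192.168.1.9:135
2003-08-14 22:01:07 TCP 192.168.1.50:1043 -> 192.168.1.7:4444
2003-08-14 22:01:08 UDP 192.168.1.7:2049 -> 192.168.1.50:69
"""


def parse_line(line):
    """Parse one constructed log line into a dict; raises on malformed input."""
    date, clock, proto, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log line: {line!r}")
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
        "proto": proto.upper(),
        "src": src_ip,
        "dst": dst_ip,
        "dport": int(dst_port),
    }


def analyze(log_text):
    """Return scanners, 4444 shell sessions, TFTP fetches and the hosts that
    look infected: scanners plus victims that completed shell -> TFTP with
    the same peer. A host that only shows the 4444 shell (e.g. one that
    crashed before downloading) is reported but not counted as infected."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    probes = defaultdict(list)          # src -> [(ts, dst)] for TCP/135
    scanners, shells, fetches = set(), set(), set()
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == 135:
            cutoff = e["ts"] - WINDOW
            window = [p for p in probes[e["src"]] if p[0] >= cutoff]
            window.append((e["ts"], e["dst"]))
            probes[e["src"]] = window
            if len({dst for _, dst in window}) >= SCAN_THRESHOLD:
                scanners.add(e["src"])
        elif e["proto"] == "TCP" and e["dport"] == 4444:
            shells.add((e["src"], e["dst"]))        # (attacker, victim)
        elif e["proto"] == "UDP" and e["dport"] == 69:
            fetches.add((e["src"], e["dst"]))       # (victim, tftp server)
    victims = {victim for attacker, victim in shells
               if (victim, attacker) in fetches}
    return {
        "scanners": scanners,
        "shell_4444": shells,
        "tftp_fetch": fetches,
        "likely_infected": scanners | victims,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {sorted(value)}")
```

Two design points follow directly from the quoted text. A single connection to TCP/135 is the RPC endpoint mapper doing its job, so only a burst across many distinct hosts is treated as scanning; and because the NAI note says the 4444 shell can be created on a host that then crashes without ever running the worm, a victim is only counted as infected once the TFTP fetch back to the same attacker is seen.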