Thorough scanning of our Server 2003 Service Pack 1 box has resulted in the
discovery of possible vulnerabilities related to the RPC DCOM systems within
Windows. Two test were used to check for RPC DCOM vulnerabilities: The first
test involved using ISS Internet Scanner with a policy to check for the
WinRpcssDcomBo vulnerability. The second test involved the use of Microsoft's
"KB824146scan" tool to check for missing patches KB824146 (MS03-039) and
KB823980 (MS03-026). These test were performed against a pre-SP1 Server 2003
box and resulted in negatives from both ISS (No vulnerabilities found) and
KB824146Scan ("X.X.X.X: patched with both KB824146 (MS03-039) and KB823980
(MS03-026)). The same test preformed against the same box with SP1 installed
netted different results. ISS came back with the WinRpcssDcomBo vulnerability
and KB824146Scan came back with "X.X.X.X: this host needs further
investigation". No configuration changes outside of the Service Pack install
were made to the Server 2003 box after installation (the firewall was left
off, etc.).
I've concluded that either:
A) The Server 2003 SP1 box is know vulnerable to RPC DCOM exploits as
covered in MS03-039, etc.
B) The Server 2003 SP1 box is responding to RPC DCOM queries in a way that
is making both ISS and KB824146Scan think it's vulnerable/missing patches.
Any other thought's/suggestions/ideas/conclusions would be greatly
appreciated. Of course I have lots of data (Windump, Netmon) that can be
looked at. {8^)
|
Similar Threads
Linear Mode
