Scanner for MS03-049?

Rodrigues, Philip phil.rodrigues at uconn.edu
Wed Nov 19 18:56:39 GMT 2003


Hi all,

Does anyone know of a good Linux-based, preferably open source, scanner
for MS03-049?

How about any good Windows one that can handle a Class B?  Class C?

Nessus can not check for MS03-049 without having admin rights to the
box.  The newest plugin comments are here:

http://cgi.nessus.org/plugins/dump.php3?id=11921

Mike Lang found this gem from Renaud, the author of Nessus:

"At this time, this plugin requires administrator privileges to log into
the remote Windows hosts and determine if the patch is installed by
looking at the registry.

[snip]

We know that it's not the best way to check for it - not everyone has
domains deployed. However it's the only method we are aware of.
Microsoft Security has been kind enough to investigate ways to determine
if a host is affected or not by other means, and the conclusion was to
actually install an agent on the tested hosts or to log in as admin to
check the registry.

If you try the various exploits that exist for this issue, you will
actually notice that network-wise, patched systems will issue the
*exact* same response as unpatched ones, mostly because the overflow
occurs later on.

The only "good" way to check for this flaw would be to actually send a
real shellcode and have it be executed. Needless to say, it's very
intrusive, and totally beyond the scope of Nessus."

Anyone have any bright ideas for scanning thousands of student computers
over which we will never have admin rights?

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================
 


