[unisog] RE: New RPC Vulnerability -> SCANMS false positive

Gary Flynn flynngn at jmu.edu
Thu Sep 11 17:53:56 GMT 2003



Steve Bernard wrote:

> FYI, after applying the new RPC patches (MS03-039), ISS's 'scanms.exe' tool
> flags hosts as being vulnerable to the previous RPC vulnerability
> (MS03-036). I haven't seen an updated version of 'scanms' yet. The new
> signatures from E-Eye seem to work well.

There is an updated ISS tool now at:

http://www.iss.net/support/product_utilities/Xfrpcss.php

I've been using it since this morning but haven't got any
data yet on false positives/negatives. I just changed the
executable name in the scripts I'm running and everything
worked the same because I'm just grepping for "VULN".

It does seem to take longer and eat up more CPU than scamms.
Its probably a combination of producing the "port not open"
report for every IP and the extra stuff its testing.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe



More information about the unisog mailing list