Hi,

Lately, I've been trying to find a way to detect whether a host is vulnerable to the MS RPC issue fixed by MS03-026. This detection should be possible remotely, without registry access and without disrupting services.

I have discovered that, when multiple "RemoteActivation Requests" are sent to the target system, the delays between the requests and the replies vary. After running multiple tests, I have found that, on patched W2k systems, there is a very distinct pattern in the delays between a RemoteActivation request and reply.

Example:

  Delay 1: 0.002550 seconds
  Delay 2: 0.000305
  Delay 3: 0.002438
  Delay 4: 0.000301
  Delay 5: 0.002458
  Delay 6: 0.000307

On an unpatched system, the pattern is much more irregular:

  Delay 1: 0.002298 seconds
  Delay 2: 0.000687
  Delay 3: 0.002254
  Delay 4: 0.002833
  Delay 5: 0.005187
  Delay 6: 0.000663

Has anyone else found this? Could this be used as a way to detect whether a system is patched or not? Does anyone know of another way to detect this?

Regards,
Abe
ITsec Security Services
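
The alternating pattern described in the post above can be expressed as a check over already-measured delays. This is an added example, not part of the original post: the function names and the thresholds `max_cv` and `min_ratio` are assumptions chosen for illustration, and the two samples are the delays quoted in the post.

```python
from statistics import mean, pstdev

# Delays in seconds, copied from the post above.
PATCHED = [0.002550, 0.000305, 0.002438, 0.000301, 0.002458, 0.000307]
UNPATCHED = [0.002298, 0.000687, 0.002254, 0.002833, 0.005187, 0.000663]


def spread(values):
    """Coefficient of variation: population std-dev divided by the mean."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def alternation_score(delays):
    """Score how well a delay series fits a strict slow/fast alternation.

    Returns (cv, ratio): cv is the worse coefficient of variation of the
    odd-numbered and even-numbered replies, ratio is the mean of the slower
    group divided by the mean of the faster group.
    """
    if len(delays) < 4:
        raise ValueError("need at least four delays (two per group)")
    odd, even = delays[0::2], delays[1::2]
    slow, fast = (odd, even) if mean(odd) >= mean(even) else (even, odd)
    return max(spread(slow), spread(fast)), mean(slow) / mean(fast)


def looks_regular(delays, max_cv=0.10, min_ratio=3.0):
    """True when the series shows the tight two-level pattern from the post.

    max_cv and min_ratio are assumed thresholds, not values from the post;
    they would have to be calibrated against hosts of known patch state.
    """
    cv, ratio = alternation_score(delays)
    return cv <= max_cv and ratio >= min_ratio


if __name__ == "__main__":
    for name, sample in (("patched", PATCHED), ("unpatched", UNPATCHED)):
        cv, ratio = alternation_score(sample)
        print(f"{name:9s} cv={cv:.3f} ratio={ratio:.2f} "
              f"regular={looks_regular(sample)}")
```

Six delays per host is a small sample, and network jitter of a few milliseconds can hide a 0.3 ms versus 2.5 ms difference, so a result from this check is a hint to confirm by other means rather than proof of patch state.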