A fairly complete timeline of the public life of this vulnerability up to the first worm, taken from a posting to the Full-Disclosure mailing list

**2003 Evolution of DCOM-RPC Exploit**


Information taken from a Full-Disclosure posting by Jeremiah Cornelius: http://lists.netsys.com/pipermail/full-disclosure/2003-August/009278.html

For 16 days before the MSBlaster worm made its debut, semi-skilled attackers were already able to use this vulnerability at will.

*Timeline:*
*July 16*

Microsoft Security Bulletin MS03-026
Microsoft announces the bulletin and the availability of patches for a vulnerability discovered by LSD, a security research group in Poland.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp


LSD makes a public announcement of the vulnerability, after withholding disclosure by agreement with Microsoft. The group withholds its exploit code because of the serious implications of the exploit. A whitepaper on the vulnerability is publicly released the same day.
http://lsd-pl.net/special.html


Announcement of the DCOM-RPC vulnerability is widely distributed in the security and blackhat communities, including the Full-Disclosure mailing list.



*July 17*

Official CERT advisory CA-2003-16 is published, formalizing the issue as CERT VU#568148.
http://www.cert.org/advisories/CA-2003-16.html


The MITRE Corporation's CVE list is updated to include this vulnerability as CVE candidate CAN-2003-0352.

Network Associates publishes its first bulletin on DCOM-RPC.
http://vil.nai.com/vil/content/v_100499.htm


Symantec publishes an advisory.
http://www.symantec.co.uk/avcenter/security/Content/8205.html



*July 18 - 24*

Discussion of possible methods for exploiting the DCOM-RPC vulnerability circulates on numerous public discussion boards and mailing lists. Initial non-functional proof-of-concept code by various authors appears on the Full-Disclosure mailing list.



*July 21*

Early working exploits are publicly leaked by various parties and circulate on mailing lists.
http://lists.netsys.com/pipermail/full-disclosure/2003-July/006851.html



*July 25*

A working exploit for DCOM-RPC is published for general availability by the Xfocus Team, a "grayhat" research group in the People's Republic of China. An analysis of the exploit, with working code, is published on their site.

http://www.cert.org/advisories/CA-2003-16.html


The Xfocus exploit is refined by HD Moore of the Metasploit Project as dcom.c. This is the first exploit to give an attacker a working remote command shell with escalated privileges against multiple versions of Windows. The code is published.

http://www.metasploit.com/tools/dcom.c

http://news.com.com/2100-1002_3-5055759.html?tag=fd_top

http://lists.netsys.com/pipermail/full-disclosure/2003-July/007092.html



*July 26*

Compiled, "ready to run" versions of the Metasploit dcom.c code are made available on the Internet.
http://lists.netsys.com/pipermail/full-disclosure/2003-July/007103.html

http://illmob.org/rpc/



*July 31*

Stanford University has several networks penetrated by hostile attackers, probably using the Metasploit version of this exploit. Approximately 2000 individual computers are compromised.
http://securecomputing.stanford.edu/alerts/windows-rpc-update-5aug2003.html


Concurrent attacks of similar severity and breadth are announced by MIT and UC Berkeley. CERT adds an advisory based on the exploit and denial-of-service activity.
http://www.cert.org/advisories/CA-2003-19.html



*August 11*

MSBlaster (W32/Lovesan.worm) makes its first public appearance, adding unaided, self-replicating exploitation of vulnerable hosts.

http://www.trusecure.com/knowledge/hypeorhot/2003/tsa03011.shtml

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

http://vil.nai.com/vil/content/v_100547.htm