*Important* RPC Service vulnerability

Discussion in 'Windows Desktop Systems' started by Kr0m, Dec 12, 2002.

  1. Kr0m

    Kr0m Moderator

    Messages:
    1,390
    Location:
    Turtle Island
    I'll post this here as well as the news section, due to the seriousness of this vulnerability.

    Apparently there was a vulnerability found in Windows 2000 and XP on October 18, 2002 that Microsoft hasn't made users aware of. I can't seem to find any info regarding this matter on the MS site.

    To quote Dave Aitel at Immunitysec.com:
    "The vulnerability itself is within the DCE-RPC stack of Windows 2000 and related OS's. This vulnerability allows anyone who can connect to port 135 TCP to disable the RPC service. Disabling the RPC service causes the machine to stop responding to new RPC requests, disabling almost all functionality.
    Alleviation:
    Block port tcp/135 from network connections. There are also configuration changes that can make you immune to this attack, but these are not completely known at this time."

    More info at:
    Immunity Security Vulnerability Sharing Club
    and
    Security Tracker

    I have personally had the 'pleasure' of experiencing this DoS. The culpret sent data to port 135 on my machine which in turn caused it to reboot. This could potentially be the next Winnuke if people don't protect themselves from this vulnerability, and if Microsoft does not soon come out with some way to fix this problem without using a firewall. :mad:
     
  2. rettahc

    rettahc Guest

    I had some A-hole try to do this to one of my computers this afternoon, luckily the firewall stopped it and gave me his IP 200.72.155.150;)
     
  3. Henyman

    Henyman Secret Goat Fetish Political User

    Hostname: No Reverse DNS Entries
    IP Address: 200.72.155.150
    Decimal Address: 3360201622
    -------------------------------------------


    ---------------------------Whois Results---------------------------


    ---------------------------Arin Results---------------------------


    OrgName: Latin American and Caribbean IP address Regional Registry
    OrgID: LACNIC

    NetRange: 200.0.0.0 - 200.255.255.255
    CIDR: 200.0.0.0/8
    NetName: LACNIC-200
    NetHandle: NET-200-0-0-0-1
    Parent:
    NetType: Allocated to LACNIC
    NameServer: ARROWROOT.ARIN.NET
    NameServer: BUCHU.ARIN.NET
    NameServer: CHIA.ARIN.NET
    NameServer: DILL.ARIN.NET
    NameServer: NS.LACNIC.ORG
    NameServer: NS.DNS.BR
    NameServer: NS2.DNS.BR
    Comment: This IP address range is under LACNIC responsibility for further
    allocations to users in LACNIC region.
    Please see http://www.lacnic.net/ for further details, or check the
    WHOIS server located at whois.lacnic.net
    RegDate: 2002-07-27
    Updated: 2002-12-12

    TechHandle: LACNIC-ARIN
    TechName: LACNIC Hostmaster
    TechPhone: (+55) 11 5509-3525
    TechEmail: hostmaster@lacnic.net

    OrgTechHandle: LACNIC-ARIN
    OrgTechName: LACNIC Hostmaster
    OrgTechPhone: (+55) 11 5509-3525
    OrgTechEmail: hostmaster@lacnic.net

    # ARIN Whois database, last updated 2002-12-17 20:00
    # Enter ? for additional hints on searching ARIN's Whois database.
     
  4. rettahc

    rettahc Guest

    I already did a whois on him, I posted his IP in case anyone felt like playing with him.
     
  5. Lighter

    Lighter . . . . . . . . .

    Messages:
    229
    Location:
    NYC
    Let the games begin!

    'Course, that just wouldn't be nice. I've toyed with many a user in retaliation, only to wake up to the fact that I was just as annoyingly retarded as the one who compromised my machine. It's more efficient (and civilized) to just find a fix and ignore the pest on the other end.

    Still though, the opportunity is quite inviting... :rolleyes:
     
  6. Henyman

    Henyman Secret Goat Fetish Political User

    i jus felt like doing it anyhow:p
     
  7. G|ass

    G|ass Guest

    Microsoft needs to patch this NOW. I've been hit by this twice yesterday, and the guy is still trying today after I installed a firewall. Resolved 68.158.102.107 to adsl-158-102-107.mia.bellsouth.net - That's the guy I got logged trying to use the exploit, I'm going to send a complaint to his ISP.
     
  8. Kr0m

    Kr0m Moderator

    Messages:
    1,390
    Location:
    Turtle Island
    I agree. I made posts about it in microsoft.public.security and grc.security newsgroups and only got a couple replies about it, none that lead me to believe that anyone else knew about this vulnerability. Nor did they give any positive information about it other than always run some sort of firewall.
     
  9. canadian_divx

    canadian_divx Canadian_divx

    hey people, what prog do you use to do a "who is"????
     
  10. Henyman

    Henyman Secret Goat Fetish Political User

  11. Burpster

    Burpster Guest

    you ppl shouldnt be posting other ppls ip's (imo) most ppl scanning ports and what not are proxied or using an already compromised box

    if i seen my ip being post in public acusing me of some misdeed i would be more than a little pi**ed
     
  12. rettahc

    rettahc Guest

    The IPs that have been posted were not just scannning our systems, they were activly attempting to use this RPC exploit to bring our system down. If had just been a scan I would have ignored it.
     
  13. Burpster

    Burpster Guest

    big deal ....you still shouldnt post them in public

    just send the log off to the isp and leave it at that
     
  14. Nick M

    Nick M Moderator

    Messages:
    3,961
    Thanks for the info! Downloading a firewall right now...wait...what firewall should I download? :) I'm behind a router...

    I mean, which firewall should I get...
     
  15. Nick M

    Nick M Moderator

    Messages:
    3,961
    and... I'm pretty sure it happned to me this morning. Thing gave me a screen and restarted.
     
  16. mcbweb

    mcbweb Guest

    The Answer is here. . . . . . .

    Blocking Windows XP/2000 host enumeration can be done in several ways:

    1. Block access to TCP and UDP ports 135 - 139 and 445 at the network or host level.
    2. Disable SMB services.
    3. Set RestictAnonymouse to 2.

    Most users assume that by disabling NetBIOS over TCP/IP, they have successfully disables SMB access to their system. This is incorrect. This settingonly disables the NetBIOS session service, TCP 139.

    Windows 2000 runs another SMB listener on TCP 445. This port will remain active even if NetBIOS over TCP/IP is disabled. To disable SMB on TCP 445, open the Network and Dial-up Connections appletand select the Advanced menu, then Advanced settings, then deselect File and Printer Sharing for microsoft Networks on the appropriate adapter. With file and printer sharing disabled, null sessions will not be possible over 139 and 445. No reboot is required for this change.

    You could also use a tool to monitor the traffic in and out of your system http://www.ntfs.org/forum/showthread.php?s=&threadid=30635 This tool will let you know what is going on with your TCP connection to your system.

    You should also disable all ports and NetBios 135, 139, 445
     
  17. Kr0m

    Kr0m Moderator

    Messages:
    1,390
    Location:
    Turtle Island
  18. avatar

    avatar Guest

    rpc vulneralibility

    Alexander Peter Kowalski (a win32 sofware engineer) has done
    some extensive testing regarding this vulnerability.

    You'll find a extensive article on

    http://www.betuwe.net/~avatar/APK.html

    click the "Z" and scroll down a few lines

    avatar