Vulnerability

Discussion in 'Windows Desktop Systems' started by Kr0m, Dec 10, 2002.

  1. Kr0m

    Kr0m Moderator

    Messages:
    1,390
    Location:
    Turtle Island
    First off, I'd like to say, Good Job! on the new site, props to all of those involved.

    Secondly I'd like to mention a vulnerability than can be potentially very bothersome for new users to the XP/Win2k and I think NT world. From what I've read theres no fix for it yet other than blocking port 135. I'm posting it here so any l33t script kiddie newbs or hacker newbs don't find out about it yet, at least from me. I'll post what I typed into the Private channel this morning, and I've found many links regarding this so called "new winnuke".

    My Story:
    [08:53] <Kr0m`> This port 135 exploit is pretty serious for unfirewalled users
    [08:54] <Kr0m`> brings back the old 'winnuke' days
    [08:55] <Kr0m`> oddly enough I didn't have zonealarm running yesterday, and I was idling on irc.enterthegame.com network(gaming community......
    [08:55] <Kr0m`> while I was watching TV on the couch lastnight, my monitor turned on and XP was rebooting on its own, ive got reboot on critical errors disabled so I figured something was up
    [08:56] <Kr0m`> once I rebooted, I turned ZAPro on, set the max settings, joined IRC again, and the chanels I was in...
    [08:57] <Kr0m`> and noticed other people talking about the same thing happening to them...
    [08:57] <Kr0m`> So in hopes of baiting the culpret, I publicly said that my machine rebooted on its own too, and should I run a firewall and what was a good firewall to get, and that I was running XP too..
    [08:58] <Kr0m`> sure enough, within seconds ZAPro blocked attempts to port 135
    [08:59] <Kr0m`> which in turn gave me the tard's IP, and with ircN, i can do /nickfind IP to match that IP to anyone that is on any channels that I'm on..
    [08:59] <Kr0m`> which it did
    [09:00] <Kr0m`> I /whois'd him, post his info and channels he was on, and his nickname and IP, and others joined his channels, and he said in the channel he was on something in another language with my nick, and he immediately quit irc
    [09:01] <Kr0m`> at any rate, the point of this story is, anyone that isn't firewalled, theres a RPC exploit out there for people running NT,2000, XP
    [09:01] <Kr0m`> no patch yet
    [09:02] <Kr0m`> I've found some info which I think concerns this matter..
    [09:03] <Kr0m`> http://lists.insecure.org/lists/vulnwatch/2002/Oct-Dec/0009.html
    [09:03] <Kr0m`> its been detected for almost a month now, and MS hasnt supplied us a fix yet
    [09:03] <Kr0m`> Vulnerability: RPC Service DoS (port 135/tcp) on Windows 2000 SP3
    [09:04] <Kr0m`> obviously this isnt prone to just win2k sp3 machines
    [09:05] <Kr0m`> I was going to post this into the forums, but declined to
    [09:06] <Kr0m`> I want people to know about it to defend themselves, but in turn it will make the lamers out there(the ones that dont know about it yet) want to do it
    [09:08] <Kr0m`> The vulnerability itself is within the DCE-RPC stack of Windows 2000
    [09:08] <Kr0m`> and related OS's. This vulnerability allows anyone who can connect to
    [09:08] <Kr0m`> port 135 TCP to disable the RPC service. Disabling the RPC service
    [09:08] <Kr0m`> causes the machine to stop responding to new RPC requests, disabling
    [09:08] <Kr0m`> almost all functionality.

    This was made public back in October, but I never knew about it until lastnight. I've been busy in the gaming community.

    The link to info regarding this: vulnwatch


    If any of you find out helpful information about this issue, please share it.
     
  2. xsivforce

    xsivforce Prodigal Son Folding Team

    Messages:
    8,547
    Location:
    Texas, USA
    Whoa, thanks for the heads up. :eek:
     
  3. Grandmaster

    Grandmaster Electronica Addict Political User Folding Team

    Messages:
    10,574
    Location:
    Santa Clara, CA
    Thanks dude. Thankfully I have a hardware firewall. :cool:
     
  4. MdSalih

    MdSalih The Boss

    Messages:
    1,730
    Location:
    Birmingham, UK
    Nice find m8... get info on it... if its a new exploit... stick it up as a stick on the Security news section... might as well as make a thread in the forums too

    MdSalih
     
  5. NetRyder

    NetRyder Tech Junkie Folding Team

    Messages:
    13,256
    Location:
    New York City
    Thanks Kr0m!! :)

    *Adds port 135 to the router's packet filter page*
     
  6. Kr0m

    Kr0m Moderator

    Messages:
    1,390
    Location:
    Turtle Island
    I think it's a good idea we hold off on making this public on the site. At least until MS finds some sort of patch or fix for this. Like I said before, the more gimps or script kiddies know about this, the more it will be tried or happen. I just wanted to let you guys know.. to keep your firewalls or whatever it is you use, set to block info coming to port 135. This isn't new, I mentioned before that it's been on Security Sites since October. I've seen some attempts to various ports before, including port 135 but I never actually knew what the assassins were trying to do with this one until lastnight when I had my firewall down.
     
  7. Electronic Punk

    Electronic Punk Administrator Staff Member Political User Folding Team

    Messages:
    18,590
    Location:
    Copenhagen, Denmark
    I don't even use a firewall :p
     
  8. MdSalih

    MdSalih The Boss

    Messages:
    1,730
    Location:
    Birmingham, UK
    bah... this new theme is freaky... cant find the IP button ? :p

    MdSalih
     
  9. Jewelzz

    Jewelzz OSNN Godlike Veteran

    Messages:
    10,977
    Location:
    California
    Hehe, it's the ! top right :D
     
  10. Electronic Punk

    Electronic Punk Administrator Staff Member Political User Folding Team

    Messages:
    18,590
    Location:
    Copenhagen, Denmark
    hax0r me on irc,
     
  11. MdSalih

    MdSalih The Boss

    Messages:
    1,730
    Location:
    Birmingham, UK
    DO I LOOK THAT STUPID :p

    was a joke ;)

    MdSalih
     
  12. Electronic Punk

    Electronic Punk Administrator Staff Member Political User Folding Team

    Messages:
    18,590
    Location:
    Copenhagen, Denmark
    Do you look stupid?
    Did you add you member pic yet?
     
  13. Jewelzz

    Jewelzz OSNN Godlike Veteran

    Messages:
    10,977
    Location:
    California
    *zips lips* :eek:
     
  14. madmatt

    madmatt Bow Down to the King Political User

    Messages:
    13,312
    Location:
    New York
    not going to answer him?
    well, I will.. =)
     
  15. Kr0m

    Kr0m Moderator

    Messages:
    1,390
    Location:
    Turtle Island
    Hmm, ive been thinkin about this, should we make this more public than it already is? Some probably know about it, but id guess that the avg person doesnt, especially the ones without firewalls. It should be on the front page if we do post it.
     
  16. Grandmaster

    Grandmaster Electronica Addict Political User Folding Team

    Messages:
    10,574
    Location:
    Santa Clara, CA
    I think we should..will help people get more secure from this..but like you said there is a drawback when the script kiddies find out about this..
     
  17. MdSalih

    MdSalih The Boss

    Messages:
    1,730
    Location:
    Birmingham, UK
    I already said do it :p... so gogogogoogo :)

    MdSalih