
*Important* RPC Service vulnerability

Kr0m

Moderator
#1
I'll post this here as well as the news section, due to the seriousness of this vulnerability.

Apparently there was a vulnerability found in Windows 2000 and XP on October 18, 2002 that Microsoft hasn't made users aware of. I can't seem to find any info regarding this matter on the MS site.

To quote Dave Aitel at Immunitysec.com:
"The vulnerability itself is within the DCE-RPC stack of Windows 2000 and related OS's. This vulnerability allows anyone who can connect to port 135 TCP to disable the RPC service. Disabling the RPC service causes the machine to stop responding to new RPC requests, disabling almost all functionality.
Alleviation:
Block port tcp/135 from network connections. There are also configuration changes that can make you immune to this attack, but these are not completely known at this time."

More info at:
Immunity Security Vulnerability Sharing Club
and
Security Tracker

I have personally had the 'pleasure' of experiencing this DoS. The culprit sent data to port 135 on my machine, which in turn caused it to reboot. This could potentially be the next Winnuke if people don't protect themselves from this vulnerability, and if Microsoft does not soon come out with some way to fix this problem without using a firewall. :mad:
 

rettahc

Guest
#2
I had some A-hole try to do this to one of my computers this afternoon; luckily the firewall stopped it and gave me his IP, 200.72.155.150 ;)
 

Henyman

Secret Goat Fetish
Political User
#3
Hostname: No Reverse DNS Entries
IP Address: 200.72.155.150
Decimal Address: 3360201622
 

rettahc

Guest
#4
I already did a whois on him, I posted his IP in case anyone felt like playing with him.
 

Lighter

. . . . . . . . .
#5
I already did a whois on him, I posted his IP in case anyone felt like playing with him.
Let the games begin!

'Course, that just wouldn't be nice. I've toyed with many a user in retaliation, only to wake up to the fact that I was just as annoyingly retarded as the one who compromised my machine. It's more efficient (and civilized) to just find a fix and ignore the pest on the other end.

Still though, the opportunity is quite inviting... :rolleyes:
 

G|ass

Guest
#7
Microsoft needs to patch this NOW. I've been hit by this twice yesterday, and the guy is still trying today after I installed a firewall. Resolved 68.158.102.107 to adsl-158-102-107.mia.bellsouth.net - That's the guy I got logged trying to use the exploit, I'm going to send a complaint to his ISP.
 

Kr0m

Moderator
#8
I agree. I made posts about it in the microsoft.public.security and grc.security newsgroups and only got a couple of replies about it, none that led me to believe that anyone else knew about this vulnerability. Nor did they give any positive information about it other than to always run some sort of firewall.
 

Burpster

Guest
#11
You ppl shouldn't be posting other ppl's IPs (IMO). Most ppl scanning ports and whatnot are proxied or using an already compromised box.

If I saw my IP being posted in public accusing me of some misdeed I would be more than a little pi**ed.
 

rettahc

Guest
#12
The IPs that have been posted were not just scanning our systems, they were actively attempting to use this RPC exploit to bring our systems down. If it had just been a scan I would have ignored it.
 

Burpster

Guest
#13
Big deal... you still shouldn't post them in public.

Just send the log off to the ISP and leave it at that.
 
#14
Thanks for the info! Downloading a firewall right now...wait...what firewall should I download? :) I'm behind a router...

I mean, which firewall should I get...
 

mcbweb

Guest
#16
The Answer is here. . . . . . .

Blocking Windows XP/2000 host enumeration can be done in several ways:

1. Block access to TCP and UDP ports 135 - 139 and 445 at the network or host level.
2. Disable SMB services.
3. Set RestrictAnonymous to 2.

Most users assume that by disabling NetBIOS over TCP/IP, they have successfully disabled SMB access to their system. This is incorrect. This setting only disables the NetBIOS session service, TCP 139.

Windows 2000 runs another SMB listener on TCP 445. This port will remain active even if NetBIOS over TCP/IP is disabled. To disable SMB on TCP 445, open the Network and Dial-up Connections applet and select the Advanced menu, then Advanced Settings, then deselect File and Printer Sharing for Microsoft Networks on the appropriate adapter. With File and Printer Sharing disabled, null sessions will not be possible over 139 and 445. No reboot is required for this change.

You could also use a tool to monitor the traffic in and out of your system: http://www.ntfs.org/forum/showthread.php?s=&threadid=30635 This tool will let you know what is going on with the TCP connections to your system.

You should also block all of the NetBIOS/RPC/SMB ports: 135, 139 and 445.
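The three controls from the post above (block the ports, unbind File and Printer Sharing, set RestrictAnonymous) expressed as an elevated PowerShell script, then a verification pass. This is an added example, not code from the thread; it assumes a current Windows host with the NetSecurity and NetAdapter modules, and it should only be applied to hosts that do not need to accept RPC or SMB from the network.

```powershell
# Added example: host-level hardening for the ports discussed in this thread.
# Run as Administrator. Inbound-only rules: outbound RPC/SMB (e.g. to a
# domain controller or file server) is unaffected.

# 1. Block inbound TCP and UDP 135-139 and 445 at the host firewall.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "Block inbound $proto 135-139,445" `
        -Direction Inbound -Protocol $proto -LocalPort '135-139', '445' `
        -Action Block -Profile Any | Out-Null
}

# 2. Stop serving SMB: unbind "File and Printer Sharing for Microsoft
#    Networks" (component ms_server) from every adapter. This is the
#    Advanced Settings checkbox the post describes; no reboot needed.
Disable-NetAdapterBinding -Name '*' -ComponentID 'ms_server'

# 3. RestrictAnonymous under the LSA key, using the value the post gives.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name 'RestrictAnonymous' -Value 2 -Type DWord

# Verification: the rules that were created, anything still listening on
# the blocked ports (expect nothing for 139/445; 135 may still listen but
# is now unreachable from the network), and the registry value.
Get-NetFirewallRule -DisplayName 'Block inbound *' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 135, 139, 445 } |
    Select-Object LocalAddress, LocalPort, OwningProcess
(Get-ItemProperty -Path $lsa -Name 'RestrictAnonymous').RestrictAnonymous
```

On Windows 2000 Microsoft documented that RestrictAnonymous=2 can break browse lists and down-level trusts, so test the value on one machine before rolling it out.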
 
