*Important* RPC Service vulnerability

Kr0m (OSNN Veteran Addict, joined 4 Dec 2001, 1,392 messages)
I'll post this here as well as the news section, due to the seriousness of this vulnerability.

Apparently there was a vulnerability found in Windows 2000 and XP on October 18, 2002 that Microsoft hasn't made users aware of. I can't seem to find any info regarding this matter on the MS site.

To quote Dave Aitel at Immunitysec.com:
"The vulnerability itself is within the DCE-RPC stack of Windows 2000 and related OS's. This vulnerability allows anyone who can connect to port 135 TCP to disable the RPC service. Disabling the RPC service causes the machine to stop responding to new RPC requests, disabling almost all functionality.
Alleviation:
Block port tcp/135 from network connections. There are also configuration changes that can make you immune to this attack, but these are not completely known at this time."

More info at:
Immunity Security Vulnerability Sharing Club
and
Security Tracker

I have personally had the 'pleasure' of experiencing this DoS. The culprit sent data to port 135 on my machine, which in turn caused it to reboot. This could potentially be the next Winnuke if people don't protect themselves from this vulnerability, and if Microsoft does not soon come out with some way to fix this problem without using a firewall. :mad:
 
I had some A-hole try to do this to one of my computers this afternoon; luckily the firewall stopped it and gave me his IP, 200.72.155.150 ;)
 
Hostname: No Reverse DNS Entries
IP Address: 200.72.155.150
Decimal Address: 3360201622
-------------------------------------------


---------------------------Whois Results---------------------------


---------------------------Arin Results---------------------------


OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC

NetRange: 200.0.0.0 - 200.255.255.255
CIDR: 200.0.0.0/8
NetName: LACNIC-200
NetHandle: NET-200-0-0-0-1
Parent:
NetType: Allocated to LACNIC
NameServer: ARROWROOT.ARIN.NET
NameServer: BUCHU.ARIN.NET
NameServer: CHIA.ARIN.NET
NameServer: DILL.ARIN.NET
NameServer: NS.LACNIC.ORG
NameServer: NS.DNS.BR
NameServer: NS2.DNS.BR
Comment: This IP address range is under LACNIC responsibility for further
allocations to users in LACNIC region.
Please see http://www.lacnic.net/ for further details, or check the
WHOIS server located at whois.lacnic.net
RegDate: 2002-07-27
Updated: 2002-12-12

TechHandle: LACNIC-ARIN
TechName: LACNIC Hostmaster
TechPhone: (+55) 11 5509-3525
TechEmail: hostmaster@lacnic.net

OrgTechHandle: LACNIC-ARIN
OrgTechName: LACNIC Hostmaster
OrgTechPhone: (+55) 11 5509-3525
OrgTechEmail: hostmaster@lacnic.net

# ARIN Whois database, last updated 2002-12-17 20:00
# Enter ? for additional hints on searching ARIN's Whois database.
 
I already did a whois on him, I posted his IP in case anyone felt like playing with him.
 
> I already did a whois on him, I posted his IP in case anyone felt like playing with him.

Let the games begin!

'Course, that just wouldn't be nice. I've toyed with many a user in retaliation, only to wake up to the fact that I was just as annoyingly retarded as the one who compromised my machine. It's more efficient (and civilized) to just find a fix and ignore the pest on the other end.

Still though, the opportunity is quite inviting... :rolleyes:
 
Microsoft needs to patch this NOW. I was hit by this twice yesterday, and the guy is still trying today after I installed a firewall. Resolved 68.158.102.107 to adsl-158-102-107.mia.bellsouth.net - that's the guy I got logged trying to use the exploit; I'm going to send a complaint to his ISP.
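The step this poster describes, pulling the logged attempts against port 135 out of a firewall log and turning them into a complaint for the ISP, can be scripted. The following is an added example, not code from this thread or from any of its posters; the log line format, the sample lines and the source addresses (taken from the RFC 5737 documentation ranges) are all constructed for the example and will not match any particular firewall product's log.

```python
"""Triage firewall log lines for attempts against the RPC/SMB ports.

Added example, not from the thread. Given log lines in a constructed
"timestamp action proto src:port -> dst:port" format, pick out attempts
against TCP 135, 139 and 445, group them by source address and render the
summary you would attach to an abuse complaint.
"""
import re
import socket
from datetime import datetime

# Ports named in the thread: RPC endpoint mapper (135), NetBIOS session
# service (139) and direct-hosted SMB (445).
RPC_SMB_PORTS = {135, 139, 445}

# Constructed log format (assumption): ISO timestamp, action, protocol,
# then "src:port -> dst:port".
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>BLOCK|ALLOW) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: one source hammering 135/445, one probing 139,
# a legitimate web hit, a NetBIOS name-service UDP packet and a junk line.
SAMPLE_LOG = """\
2002-12-17 14:02:11 BLOCK TCP 192.0.2.10:3456 -> 198.51.100.5:135
2002-12-17 14:02:12 BLOCK TCP 192.0.2.10:3457 -> 198.51.100.5:135
2002-12-17 14:02:14 BLOCK TCP 192.0.2.10:3458 -> 198.51.100.5:445
2002-12-17 14:05:00 ALLOW TCP 203.0.113.7:40000 -> 198.51.100.5:80
2002-12-17 14:06:30 BLOCK UDP 192.0.2.44:137 -> 198.51.100.5:137
2002-12-17 14:07:01 BLOCK TCP 192.0.2.44:1025 -> 198.51.100.5:139
this line is garbage and must be skipped
"""


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def rpc_smb_attempts(log_text):
    """Return the records that target TCP 135/139/445, whether blocked or allowed."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] in RPC_SMB_PORTS:
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Group hits per source IP: attempt count, first/last time, ports touched."""
    summary = {}
    for rec in hits:
        s = summary.setdefault(
            rec["src"], {"count": 0, "first": rec["ts"], "last": rec["ts"], "ports": set()}
        )
        s["count"] += 1
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
        s["ports"].add(rec["dport"])
    return summary


def abuse_report(summary, min_attempts=2, resolve=False):
    """Render every source with at least min_attempts as one line for an ISP complaint.

    Reverse DNS is only attempted when resolve=True; the hosts in the thread
    often had no PTR record, and a single probe is not worth reporting.
    """
    lines = []
    for src, s in sorted(summary.items()):
        if s["count"] < min_attempts:
            continue
        host = "not resolved"
        if resolve:
            try:
                host = socket.gethostbyaddr(src)[0]
            except OSError:
                host = "no reverse DNS entry"
        ports = ",".join(str(p) for p in sorted(s["ports"]))
        lines.append(
            f"{src} ({host}): {s['count']} attempts on TCP {ports} "
            f"between {s['first']:%Y-%m-%d %H:%M:%S} and {s['last']:%H:%M:%S}"
        )
    return lines


if __name__ == "__main__":
    for line in abuse_report(summarize_by_source(rpc_smb_attempts(SAMPLE_LOG))):
        print(line)
```

Adapt `LOG_RE` to whatever your firewall actually writes; the grouping and reporting stay the same. The single-probe threshold is deliberate: a lone connection to 139 is routine background noise, while repeated hits on 135 from one address within seconds are what the thread is describing.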
 
I agree. I made posts about it in the microsoft.public.security and grc.security newsgroups and only got a couple of replies about it, none that led me to believe that anyone else knew about this vulnerability. Nor did they give any positive information about it other than to always run some sort of firewall.
 
you ppl shouldn't be posting other ppl's IPs (imo); most ppl scanning ports and what not are proxied or using an already compromised box

if I saw my IP being posted in public accusing me of some misdeed I would be more than a little pi**ed
 
The IPs that have been posted were not just scanning our systems, they were actively attempting to use this RPC exploit to bring our systems down. If it had just been a scan I would have ignored it.
 
big deal .... you still shouldn't post them in public

just send the log off to the ISP and leave it at that
 
Thanks for the info! Downloading a firewall right now...wait...what firewall should I download? :) I'm behind a router...

I mean, which firewall should I get...
 
and... I'm pretty sure it happened to me this morning. Thing gave me a screen and restarted.
 
The Answer is here. . . . . . .

Blocking Windows XP/2000 host enumeration can be done in several ways:

1. Block access to TCP and UDP ports 135 - 139 and 445 at the network or host level.
2. Disable SMB services.
3. Set RestrictAnonymous to 2.

Most users assume that by disabling NetBIOS over TCP/IP, they have successfully disabled SMB access to their system. This is incorrect. This setting only disables the NetBIOS session service, TCP 139.

Windows 2000 runs another SMB listener on TCP 445. This port will remain active even if NetBIOS over TCP/IP is disabled. To disable SMB on TCP 445, open the Network and Dial-up Connections applet and select the Advanced menu, then Advanced Settings, then deselect File and Printer Sharing for Microsoft Networks on the appropriate adapter. With file and printer sharing disabled, null sessions will not be possible over 139 and 445. No reboot is required for this change.

You could also use a tool to monitor the traffic in and out of your system http://www.ntfs.org/forum/showthread.php?s=&threadid=30635 This tool will let you know what is going on with your TCP connection to your system.

You should also block all ports not in use, and NetBIOS/RPC ports 135, 139 and 445 in particular.
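Once the ports are blocked at the firewall or File and Printer Sharing is switched off, the change is worth verifying rather than assumed. The script below is an added example, not code from this thread or its posters: it tries a plain TCP connect (sending no data) to 135, 139 and 445 on a host you name, and reports each port as reachable or blocked. It assumes you run it from a second machine on your own network against the host you just hardened; a port that a firewall silently drops and one that is simply closed both count as blocked, since the point is only that nothing accepts a connection.

```python
"""Confirm that TCP 135/139/445 no longer accept connections after hardening.

Added example, not from the thread. Run from another machine on your own
network against the host you just hardened (assumption: you control both).
Only a TCP connect is attempted; no data is sent on a successful connect.
"""
import socket
import sys

# The ports the post says to block: RPC endpoint mapper, NetBIOS session
# service and direct-hosted SMB.
RPC_SMB_PORTS = (135, 139, 445)


def port_accepts_connection(host, port, timeout=2.0):
    """Return True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Covers connection refused (closed port) and timeout (firewall drop).
        return False


def exposure_report(host, ports=RPC_SMB_PORTS, timeout=2.0):
    """Map each port to 'reachable' or 'blocked' as seen from this machine."""
    return {
        p: ("reachable" if port_accepts_connection(host, p, timeout) else "blocked")
        for p in ports
    }


def hardening_ok(report):
    """True only when none of the checked ports accepted a connection."""
    return all(state == "blocked" for state in report.values())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    rep = exposure_report(target)
    for p, state in rep.items():
        print(f"tcp/{p}: {state}")
    print("hardening OK" if hardening_ok(rep) else "still exposed")
```

Run it before and after the change so you have a record of the difference, and run it from outside any network segment that the firewall rule exempts, since a check from an allowed address proves nothing about what the rest of the Internet sees.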
 
rpc vulnerability

Alexander Peter Kowalski (a win32 software engineer) has done
some extensive testing regarding this vulnerability.

You'll find an extensive article on

http://www.betuwe.net/~avatar/APK.html

click the "Z" and scroll down a few lines

avatar
 
