Vulnerability

Kr0m

OSNN Veteran Addict
#1
First off, I'd like to say, Good Job! on the new site, props to all of those involved.

Secondly I'd like to mention a vulnerability than can be potentially very bothersome for new users to the XP/Win2k and I think NT world. From what I've read theres no fix for it yet other than blocking port 135. I'm posting it here so any l33t script kiddie newbs or hacker newbs don't find out about it yet, at least from me. I'll post what I typed into the Private channel this morning, and I've found many links regarding this so called "new winnuke".

My Story:
[08:53] <Kr0m`> This port 135 exploit is pretty serious for unfirewalled users
[08:54] <Kr0m`> brings back the old 'winnuke' days
[08:55] <Kr0m`> oddly enough I didn't have zonealarm running yesterday, and I was idling on irc.enterthegame.com network(gaming community......
[08:55] <Kr0m`> while I was watching TV on the couch lastnight, my monitor turned on and XP was rebooting on its own, ive got reboot on critical errors disabled so I figured something was up
[08:56] <Kr0m`> once I rebooted, I turned ZAPro on, set the max settings, joined IRC again, and the chanels I was in...
[08:57] <Kr0m`> and noticed other people talking about the same thing happening to them...
[08:57] <Kr0m`> So in hopes of baiting the culpret, I publicly said that my machine rebooted on its own too, and should I run a firewall and what was a good firewall to get, and that I was running XP too..
[08:58] <Kr0m`> sure enough, within seconds ZAPro blocked attempts to port 135
[08:59] <Kr0m`> which in turn gave me the tard's IP, and with ircN, i can do /nickfind IP to match that IP to anyone that is on any channels that I'm on..
[08:59] <Kr0m`> which it did
[09:00] <Kr0m`> I /whois'd him, post his info and channels he was on, and his nickname and IP, and others joined his channels, and he said in the channel he was on something in another language with my nick, and he immediately quit irc
[09:01] <Kr0m`> at any rate, the point of this story is, anyone that isn't firewalled, theres a RPC exploit out there for people running NT,2000, XP
[09:01] <Kr0m`> no patch yet
[09:02] <Kr0m`> I've found some info which I think concerns this matter..
[09:03] <Kr0m`> http://lists.insecure.org/lists/vulnwatch/2002/Oct-Dec/0009.html
[09:03] <Kr0m`> its been detected for almost a month now, and MS hasnt supplied us a fix yet
[09:03] <Kr0m`> Vulnerability: RPC Service DoS (port 135/tcp) on Windows 2000 SP3
[09:04] <Kr0m`> obviously this isnt prone to just win2k sp3 machines
[09:05] <Kr0m`> I was going to post this into the forums, but declined to
[09:06] <Kr0m`> I want people to know about it to defend themselves, but in turn it will make the lamers out there(the ones that dont know about it yet) want to do it
[09:08] <Kr0m`> The vulnerability itself is within the DCE-RPC stack of Windows 2000
[09:08] <Kr0m`> and related OS's. This vulnerability allows anyone who can connect to
[09:08] <Kr0m`> port 135 TCP to disable the RPC service. Disabling the RPC service
[09:08] <Kr0m`> causes the machine to stop responding to new RPC requests, disabling
[09:08] <Kr0m`> almost all functionality.

This was made public back in October, but I never knew about it until lastnight. I've been busy in the gaming community.

The link to info regarding this: vulnwatch


If any of you find out helpful information about this issue, please share it.
 
#4
Nice find m8... get info on it... if its a new exploit... stick it up as a stick on the Security news section... might as well as make a thread in the forums too

MdSalih
 

Kr0m

OSNN Veteran Addict
#6
I think it's a good idea we hold off on making this public on the site. At least until MS finds some sort of patch or fix for this. Like I said before, the more gimps or script kiddies know about this, the more it will be tried or happen. I just wanted to let you guys know.. to keep your firewalls or whatever it is you use, set to block info coming to port 135. This isn't new, I mentioned before that it's been on Security Sites since October. I've seen some attempts to various ports before, including port 135 but I never actually knew what the assassins were trying to do with this one until lastnight when I had my firewall down.
 

Kr0m

OSNN Veteran Addict
#15
Hmm, ive been thinkin about this, should we make this more public than it already is? Some probably know about it, but id guess that the avg person doesnt, especially the ones without firewalls. It should be on the front page if we do post it.
 

Grandmaster

Electronica Addict
Political User
#16
I think we should..will help people get more secure from this..but like you said there is a drawback when the script kiddies find out about this..
 
#17
Originally posted by MdSalih
Nice find m8... get info on it... if its a new exploit... stick it up as a stick on the Security news section... might as well as make a thread in the forums too

MdSalih
I already said do it :p... so gogogogoogo :)

MdSalih
 

Members online

No members online now.

Latest posts

Latest profile posts

Perris Calderon wrote on Electronic Punk's profile.
Ep, glad to see you come back and tidy up...did want to ask a one day favor, I want to enhance my resume , was hoping you could make me administrator for a day, if so, take me right off since I won't be here to do anything, and don't know the slightest about the board, but it would be nice putting "served administrator osnn", if can do, THANKS

Been running around Quora lately, luv it there https://tinyurl.com/ycpxl
Electronic Punk wrote on Perris Calderon's profile.
All good still mate?
Hello, is there anybody in there? Just nod if you can hear me ...
Xie
What a long strange trip it's been. =)

Forum statistics

Threads
61,971
Messages
673,300
Members
89,016
Latest member
Poseeut