HomeSec Warns Again About Microsoft's Insecurity 497
cbrandtbuffalo writes "The Department of Homeland Security has posted this advisory about an impending attack on MS systems. This RPC attack has already been seen in some localized systems, but may spread as unpatched computers are exploited. Some of the national news like CNN are running stories too."
Re:Pretty Bad (Score:1, Informative)
Re:How big a threat is this? (Score:2, Informative)
Re:How big a threat is this? (Score:5, Informative)
The primary vehicle for spreading this type of exploit, are all the MS clients of broadband users, many untechy PC owners will be to blame if this things hits hard. And yes, I think it could be worst then slammer/code red because its RPC. Pretty much all the MS client out there are going to have it running (versus an IIS exploit).
Re:Pretty Bad (Score:5, Informative)
135/TCP
135/UDP
139/TCP
139/UDP
445/T
445/UDP
Also, it appears 4444 is being used,
Security Focus's incidentmailing list [securityfocus.com] is also enlightening. And for good measure, a posting on the ineffectiveness one of MS's patch [securityfocus.com] (as of 29 Jul).
Re:Pretty Bad (Score:4, Informative)
installed and enabled.
Re:How big a threat is this? (Score:4, Informative)
Windows XP isn't really a upgrade for Win98 machines. Win 98 was delivered on PII 266mhz, 32/64MB RAM, 2-4MB PCI Video systems. I would hate to try anything on a system like that with XP. Sure the CPU could handle it, but the memory would need to be seriously upgraded. There's also the issue regarding device drivers. There's a LOT of hardware out from that time period that doesn't have XP drivers.
MS patch does NOT fix the latestRPC vulnerability! (Score:1, Informative)
Dont believe me? Then try the dcom.c exploit that was spread in the past few days on bugtraq after updating your system. Guess what... its still vulnerable!
Re:No patch for Win98/SE? (Score:3, Informative)
Re:Pretty Bad (Score:3, Informative)
NetBEUI = Port 135 netBEUI is only required when you have non-Windows 2000 clients to support. However, NetBIOS over TCP/IP prevents any need for NetBEUI. These days NetBEUI is the usual answer for connection problems that turn out to be name resolution or NetBIOS configuration problems. The other ports listed, 139 and 445, are used for Server Message Block (which with Win2000 can run directly over TCP/IP rather than needing to run on top of NetBIOS) respectively. SMB is a file sharing protocol used in Windows. The attempt hits 445, and if it's succesful, it sends an RST to 139 (if NetBIOS is installed, otherwise 139 is never used). If there's no response from 445, it continues the SMB session over 139.
Re:How big a threat is this? (Score:5, Informative)
Linux Users? (Score:5, Informative)
Re:Pretty Bad (Score:3, Informative)
>ncadg_ip_udp : UDP port 135
>ncacn_np : \pipe\epmapper, normally accessible via SMB null session on TCP ports 139 and 445
Etc. Etc. Etc.
The ironic part is that a Win9x box doesn't run these services. Or any other services - to use a technical term, in comparison to XP and 2K, an out-of-the-box 9x install doesn't listen to jack shit. If you do the 30-second tweak to disable/unbind the NetBIOS crap, you can safely (!) run 9x without a firewall because such a box doesn't listen to 80, 135, 137, 139, 445 etc. Unpatched. (Well, as long as you don't use Outleak Excess or Internet Exploiter, but that's just plain sanity :)
XP? 2K? Nuh-uh. You can disable UPnP hole (SSDP/1900) from the Services panel, but I have yet to find a way (well, short of a firewall :) of stopping an XP box from listening to 135 and 445. After all, Joe Sixpack who owns just one computer obviously, always wants to be able to network it with NT 4.0 boxen over a LAN. But there's just no way of saying "Look, XP, I don't do that kind of kink. Ever. So stop listening to those ports".
Thanks, Bill. No, really. Thanks a bunch. Other than a noble desire to take one for the team by jumping on the proverbial grenade, why the hell did HomeSec chose these twits as their vendor of choice?
Re:Pretty Bad (Score:3, Informative)
Actually that is not correct. A "router" in a nutshell is just used to "route" traffic from point A to point B.
What what people need is a hardware based NAT switch with firewall firmware. It places that nice "buffer" zone between your machines and the web.
If if the NAT switch/firewall is compromised somehow, it will not get the hacker very far without the presence of an OS. Your boxes behind should still be safe (but left without networking).
Re:How big a threat is this? (Score:4, Informative)
Fixes (Score:3, Informative)
I updated all my systems,and firewalled 135/139/445(UDP and TCP) and 4444(TCP).
I know I am gonna get modded down for this,but if you dont have already, I suggest you fix this ASAP.
You can get the fix from here [microsoft.com] for windows 2000, and here [microsoft.com] for windows xp.
The exploit [packetstormsecurity.nl] has it in the code:
target_ip.sin_port = htons(4444);
Also, notice the comment about the shell code:
Dan
Security consultant
ClickNews [clicknews.ro]
Port/Process utility for Windows? (Score:3, Informative)
Re:How big a threat is this? (Score:2, Informative)
No, 98 isn't in the list for this vulnerability (MS03-026). But it is in the list for a different one: MS03-030 (the one about MIDI files and DirectX and QUARTZ.DLL)...
Re:Pretty Bad (Score:3, Informative)
Personally, I use a linux system with two NICs as my router/gateway. netfilter/iptables provides possibly the most powerful and configurable IP filtering suite available, and even though I use only a small portion of its features, I know that if I want to make it do all kinds of weird things, I just have to pore through volumes of crappy documentation.
Of course with linux you must be careful to stay updated. This is true of any OS but less true with, say, openbsd which is what I used to use. I ended up using linux because it has advantages in terms of using it for other things than just a firewall box, and it's an athlon 700 so I can still get some decent use out of it.
Re:How big a threat is this? (Score:2, Informative)
Windows 2000 requires a minimum of 32Mb to run. it won't install on a machine with less than 32Mb RAM.
Re:Port/Process utility for Windows? (Score:4, Informative)
But you can get an idea about what ports are sitting out there either listening or actively transferring.
Re:How to distribute patch to hundreds of machines (Score:2, Informative)
If your desktop clients aren't Win2k and higher (therefore not vulnerable to the RPC hit) and don't have publicly exposed IP address (i.e. - inside a Internet firewall or proxy) then you are just talking about servers.
In that case don't have you any remote control software (e.g. - VNC, SMS, PC Anywhere, etc.)? If so just put the patches on a common network share and remote into the boxes to install. If you aren't talking about more than 10-20 boxes it shouldn't take too long. If you are talking about more than that perhaps script out AT jobs to the boxes to execute KixTart scripts or something.
Re:Don't know. (Score:2, Informative)