Microsoft Bug Security

HomeSec Warns Again About Microsoft's Insecurity 497

cbrandtbuffalo writes "The Department of Homeland Security has posted this advisory about an impending attack on MS systems. This RPC attack has already been seen in some localized systems, but may spread as unpatched computers are exploited. Some of the national news like CNN are running stories too."
  • Re:Pretty Bad (Score:1, Informative)

    by Type_O_Negative ( 627577 ) on Friday August 01, 2003 @09:10AM (#6587105)
    Port 135.
  • by Anonymous Coward on Friday August 01, 2003 @09:20AM (#6587182)
    they just suck. Windows 98/98SE doesn't enter non support phase until Jan 16 next year.

  • by diersing ( 679767 ) on Friday August 01, 2003 @09:23AM (#6587220)
    It could be bad if the Windows admins out there aren't paying attention. But, most sysadmins in MS shops realize the frequency of these kind of patches and are good about applying them timely. This was released over 10 days ago (I got notified on the 19th), and have already applied it to the 350+ MS servers on our network. If the lazy admin has configured auto-update they are protected as well.

    The primary vehicle for spreading this type of exploit is all the MS clients of broadband users; many untechy PC owners will be to blame if this thing hits hard. And yes, I think it could be worse than slammer/code red because it's RPC. Pretty much all the MS clients out there are going to have it running (versus an IIS exploit).

  • Re:Pretty Bad (Score:5, Informative)

    by pascalb3 ( 514151 ) on Friday August 01, 2003 @09:39AM (#6587366)
    Check out CERT, a good site for this stuff. Here's [cert.org] their warning (more info than DHS). A list of what they have to block:
    135/TCP
    135/UDP
    139/TCP
    139/UDP
    445/TCP
    445/UDP

    Also, it appears 4444 is being used,

    Security Focus's incident mailing list [securityfocus.com] is also enlightening. And for good measure, a posting on the ineffectiveness of one of MS's patches [securityfocus.com] (as of 29 Jul).
  • Re:Pretty Bad (Score:4, Informative)

    by Troed ( 102527 ) on Friday August 01, 2003 @09:41AM (#6587380) Homepage Journal
    Mod parent down. Bugtraq posting [securityfocus.com] listing several other attack vectors:

    • ncacn_ip_tcp : TCP port 135
    • ncadg_ip_udp : UDP port 135
    • ncacn_np : \pipe\epmapper, normally accessible via SMB null session on TCP ports 139 and 445
    • ncacn_http : if active, listening on TCP port 593.

    • ... and finally, even port 80 might be used if ncacn_http is active, and COM Internet Services is
      installed and enabled.
  • by mark_lybarger ( 199098 ) on Friday August 01, 2003 @09:44AM (#6587408)
    maybe you were going for +1 phunny, but i'll swing anyway.

    Windows XP isn't really an upgrade for Win98 machines. Win 98 was delivered on PII 266MHz, 32/64MB RAM, 2-4MB PCI Video systems. I would hate to try anything on a system like that with XP. Sure the CPU could handle it, but the memory would need to be seriously upgraded. There's also the issue regarding device drivers. There's a LOT of hardware out from that time period that doesn't have XP drivers.
  • by Anonymous Coward on Friday August 01, 2003 @09:45AM (#6587417)
    The newest RPC vulnerability does NOT have a patch from MS and is still exploitable with all Windows patches applied if RPC ports are open. The patch that is available from MS is for a previous RPC vulnerability (yes, two RPC vulnerabilities in one month).

    Don't believe me? Then try the dcom.c exploit that was spread in the past few days on bugtraq after updating your system. Guess what... it's still vulnerable!
  • by akiaki007 ( 148804 ) <{aa316} {at} {nyu.edu}> on Friday August 01, 2003 @09:45AM (#6587420)
    I believe this only affects the NT based computers, since it is an RPC hack and 98 and below aren't NT based computers, thus don't run an RPC server!
  • Re:Pretty Bad (Score:3, Informative)

    by I8TheWorm ( 645702 ) on Friday August 01, 2003 @09:57AM (#6587529) Journal
    Actually, 135, 139, and 445.

    NetBEUI = Port 135. NetBEUI is only required when you have non-Windows 2000 clients to support. However, NetBIOS over TCP/IP prevents any need for NetBEUI. These days NetBEUI is the usual answer for connection problems that turn out to be name resolution or NetBIOS configuration problems. The other ports listed, 139 and 445, are used for Server Message Block (which with Win2000 can run directly over TCP/IP rather than needing to run on top of NetBIOS) respectively. SMB is a file sharing protocol used in Windows. The attempt hits 445, and if it's successful, it sends an RST to 139 (if NetBIOS is installed, otherwise 139 is never used). If there's no response from 445, it continues the SMB session over 139.
  • by saskwach ( 589702 ) on Friday August 01, 2003 @09:59AM (#6587547) Homepage Journal
    Someone did their reporting wrong. The huge gaping flaw that was announced recently pertained only to computers with the NT kernel (WinNT, Win2000, WinServ2003, WinXP). This vulnerability does NOT affect 98/98SE/ME/95/3.1/whathaveyou.
  • Linux Users? (Score:5, Informative)

    by Chibi Merrow ( 226057 ) <mrmerrow AT monkeyinfinity DOT net> on Friday August 01, 2003 @10:00AM (#6587553) Homepage Journal
    I'm a tech on a Windows network for the local government here and we immediately disable Automatic updates on machines now. Lord knows it's not because we're Linux users (I'm the only one) but because the updates all too often BREAK things that were already working.
  • Re:Pretty Bad (Score:3, Informative)

    by Tackhead ( 54550 ) on Friday August 01, 2003 @10:17AM (#6587711)
    > ncacn_ip_tcp : TCP port 135
    >ncadg_ip_udp : UDP port 135
    >ncacn_np : \pipe\epmapper, normally accessible via SMB null session on TCP ports 139 and 445

    Etc. Etc. Etc.

    The ironic part is that a Win9x box doesn't run these services. Or any other services - to use a technical term, in comparison to XP and 2K, an out-of-the-box 9x install doesn't listen to jack shit. If you do the 30-second tweak to disable/unbind the NetBIOS crap, you can safely (!) run 9x without a firewall because such a box doesn't listen to 80, 135, 137, 139, 445 etc. Unpatched. (Well, as long as you don't use Outleak Excess or Internet Exploiter, but that's just plain sanity :)

    XP? 2K? Nuh-uh. You can disable UPnP hole (SSDP/1900) from the Services panel, but I have yet to find a way (well, short of a firewall :) of stopping an XP box from listening to 135 and 445. After all, Joe Sixpack who owns just one computer obviously, always wants to be able to network it with NT 4.0 boxen over a LAN. But there's just no way of saying "Look, XP, I don't do that kind of kink. Ever. So stop listening to those ports".

    Thanks, Bill. No, really. Thanks a bunch. Other than a noble desire to take one for the team by jumping on the proverbial grenade, why the hell did HomeSec choose these twits as their vendor of choice?

  • Re:Pretty Bad (Score:3, Informative)

    by TheViffer ( 128272 ) on Friday August 01, 2003 @10:52AM (#6588029)
    Am I correct in saying that a router can be used at home to prevent these kinds of attacks in the first place?

    Actually that is not correct. A "router" in a nutshell is just used to "route" traffic from point A to point B.

    What people need is a hardware based NAT switch with firewall firmware. It places that nice "buffer" zone between your machines and the web.

    If the NAT switch/firewall is compromised somehow, it will not get the hacker very far without the presence of an OS. Your boxes behind should still be safe (but left without networking).

  • by kikta ( 200092 ) on Friday August 01, 2003 @11:04AM (#6588154)
    Pretty sure they don't. I believe this is something only on the NT side of the house.
  • Fixes (Score:3, Informative)

    by DanV ( 391300 ) on Friday August 01, 2003 @11:16AM (#6588280) Homepage
    If I understand right, 4444 is the port the exploit for the DCOM bug connects to.
    I updated all my systems, and firewalled 135/139/445 (UDP and TCP) and 4444 (TCP).
    I know I am gonna get modded down for this, but if you don't have already, I suggest you fix this ASAP.
    You can get the fix from here [microsoft.com] for windows 2000, and here [microsoft.com] for windows xp.

    The exploit [packetstormsecurity.nl] has it in the code:

    target_ip.sin_port = htons(4444);

    Also, notice the comment about the shell code:
    /* port 4444 bindshell */

    Dan
    Security consultant
    ClickNews [clicknews.ro]
  • by simetra ( 155655 ) on Friday August 01, 2003 @11:56AM (#6588740) Homepage Journal
    Is there a utility/app/shareware thing that will tell you what process on WinNT/2K/XP is associated with whatever ports are active? Thanks. Really, I mean that.

  • by timelorde ( 7880 ) on Friday August 01, 2003 @12:27PM (#6589016)
    windows 98/windows 98se is vulnerable but Microsoft has not released a patch because they no longer support the product.

    No, 98 isn't in the list for this vulnerability (MS03-026). But it is in the list for a different one: MS03-030 (the one about MIDI files and DirectX and QUARTZ.DLL)...
  • Re:Pretty Bad (Score:3, Informative)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Friday August 01, 2003 @12:33PM (#6589083) Homepage Journal
    A so-called home router (some of which are honestly routers, some are bridges, and some are firewalls and little else) will indeed solve this problem. More to the point, simply using NAT will solve this problem, as long as you don't forward the RPC port to something inside your organization. You might consider mangling the packet so that its destination is the originating host and resending, that might be kind of fun.

    Personally, I use a linux system with two NICs as my router/gateway. netfilter/iptables provides possibly the most powerful and configurable IP filtering suite available, and even though I use only a small portion of its features, I know that if I want to make it do all kinds of weird things, I just have to pore through volumes of crappy documentation.

    Of course with linux you must be careful to stay updated. This is true of any OS but less true with, say, openbsd which is what I used to use. I ended up using linux because it has advantages in terms of using it for other things than just a firewall box, and it's an athlon 700 so I can still get some decent use out of it.

  • by norite ( 552330 ) on Friday August 01, 2003 @01:01PM (#6589365) Journal
    What a complete load of tosh!!! I have a pentium 166MHz machine with 64MB RAM and it runs Windows 2000 just fine. (Admittedly, the pentium is overclocked to 200MHz though....)

    Windows 2000 requires a minimum of 32MB to run. It won't install on a machine with less than 32MB RAM.

  • by gregarican ( 694358 ) on Friday August 01, 2003 @02:12PM (#6590105) Homepage
    Search for a utility called FPort. It will map out all of the active PID's with the TCP/UDP port and associated process. Some processes can hide themselves through rundll32.exe (Win9x) or svchost.exe (WinNT/2K/XP), however.

    But you can get an idea about what ports are sitting out there either listening or actively transferring.
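
An added example (not part of any comment above, and not FPort's code): the port-to-process check asked about in this exchange, done by parsing `netstat -ano` output, which on Windows XP and later includes the owning PID. The watch list is the set of ports named earlier in the thread; the sample output is constructed, and "exposed" here only means the socket is bound to a non-loopback address, not that a firewall lets traffic reach it.

```python
import re

# Ports named in the comments above (CERT block list, RPC transports, exploit bindshell).
WATCH = {
    ("TCP", 135): "RPC endpoint mapper (ncacn_ip_tcp)",
    ("UDP", 135): "RPC endpoint mapper (ncadg_ip_udp)",
    ("TCP", 139): "NetBIOS session / SMB",
    ("UDP", 139): "on the CERT block list",
    ("TCP", 445): "SMB directly over TCP",
    ("UDP", 445): "on the CERT block list",
    ("TCP", 593): "RPC over HTTP (ncacn_http)",
    ("TCP", 4444): "bindshell port in the posted DCOM exploit",
}
LOOPBACK = ("127.", "[::1]")
# Proto, local addr:port, foreign addr, optional state (absent for UDP), PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_0-9]+)\s+)?(\d+)\s*$")

def audit(netstat_text):
    """Return watched listeners with owning PID and whether they are bound off-loopback."""
    findings = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # column headers and blank lines
        proto, addr, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # only sockets accepting new connections
        service = WATCH.get((proto, int(port)))
        if service:
            findings.append({"proto": proto, "port": int(port), "pid": int(pid),
                             "service": service,
                             "exposed": not addr.startswith(LOOPBACK)})
    return findings

# Constructed sample in `netstat -ano` layout, not captured from a real host.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:593          0.0.0.0:0              LISTENING       884
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1720
  TCP    192.168.1.20:1035      10.0.0.5:80            ESTABLISHED     1288
  UDP    0.0.0.0:135            *:*                                    884
  UDP    0.0.0.0:500            *:*                                    696
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        where = "non-loopback" if f["exposed"] else "loopback only"
        print(f'{f["proto"]}/{f["port"]:<5} pid {f["pid"]:<5} {where:<14} {f["service"]}')
```

A listener on TCP 4444 owned by an unfamiliar PID is the row to investigate first, since the other ports are normal Windows services that should be firewalled rather than expected to be absent.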

  • by gregarican ( 694358 ) on Friday August 01, 2003 @02:45PM (#6590447) Homepage
    Personally I still use logon scripting. There's a third-party addon called KixTart that allows more sophisticated scripting. Most of the time I take this route with desktop clients.

    If your desktop clients aren't Win2k and higher (therefore not vulnerable to the RPC hit) and don't have publicly exposed IP addresses (i.e. - inside an Internet firewall or proxy) then you are just talking about servers.

    In that case don't you have any remote control software (e.g. - VNC, SMS, PC Anywhere, etc.)? If so just put the patches on a common network share and remote into the boxes to install. If you aren't talking about more than 10-20 boxes it shouldn't take too long. If you are talking about more than that perhaps script out AT jobs to the boxes to execute KixTart scripts or something.

  • Re:Don't know. (Score:2, Informative)

    by colenski ( 552404 ) on Friday August 01, 2003 @05:58PM (#6592169) Homepage
    http://www.eeye.com/html/Research/Tools/Download.asp?file=RetinaRPCDCOM
