Slashdot Mirror
HomeSec Warns Again About Microsoft's Insecurity
cbrandtbuffalo writes "The Department of Homeland Security has posted this advisory about an impending attack on MS systems. This RPC attack has already been seen in some localized systems, but may spread as unpatched computers are exploited. Some of the national news like CNN are running stories too."
Port 135.
they just suck. Windows 98/98SE doesn't enter non support phase until Jan 16 next year.
The primary vehicle for spreading this type of exploit, are all the MS clients of broadband users, many untechy PC owners will be to blame if this things hits hard. And yes, I think it could be worst then slammer/code red because its RPC. Pretty much all the MS client out there are going to have it running (versus an IIS exploit).
Check out CERT, a good site for this stuff. Here's their warning (more info than DHS). A list of what they have to block:C P
135/TCP
135/UDP
139/TCP
139/UDP
445/T
445/UDP
Also, it appears 4444 is being used,
Security Focus's incidentmailing list is also enlightening. And for good measure, a posting on the ineffectiveness one of MS's patch (as of 29 Jul).
installed and enabled.
it's in my head
maybe you were going for +1 phunny, but i'll swing anyway.
Windows XP isn't really a upgrade for Win98 machines. Win 98 was delivered on PII 266mhz, 32/64MB RAM, 2-4MB PCI Video systems. I would hate to try anything on a system like that with XP. Sure the CPU could handle it, but the memory would need to be seriously upgraded. There's also the issue regarding device drivers. There's a LOT of hardware out from that time period that doesn't have XP drivers.
The newest RPC vulnerability does NOT have a patch from MS and is still exploitable with all windows patches applied if RPC ports are open. The patch that is available from MS is for a previous RPC vulnerability(yes two RPC vulnerabilities in one month).
Dont believe me? Then try the dcom.c exploit that was spread in the past few days on bugtraq after updating your system. Guess what... its still vulnerable!
I believe this only effects the NT based computers, since it is a RPC hack and 98 and below aren't NT based computers, thus don't run an RPC server!
"Time is long and life is short, so begin to live while you still can." -EV
Actually, 135, 139, and 445.
NetBEUI = Port 135 netBEUI is only required when you have non-Windows 2000 clients to support. However, NetBIOS over TCP/IP prevents any need for NetBEUI. These days NetBEUI is the usual answer for connection problems that turn out to be name resolution or NetBIOS configuration problems. The other ports listed, 139 and 445, are used for Server Message Block (which with Win2000 can run directly over TCP/IP rather than needing to run on top of NetBIOS) respectively. SMB is a file sharing protocol used in Windows. The attempt hits 445, and if it's succesful, it sends an RST to 139 (if NetBIOS is installed, otherwise 139 is never used). If there's no response from 445, it continues the SMB session over 139.
Saying Android is a family of phones is akin to saying Linux is a family of PCs.
Someone did their reporting wrong. The huge gaping flaw that was announced recently pertained only to computers with the NT kernel (WinNT, Win2000, WinServ2003, WinXP). This vulnerability does NOT affect 98/98SE/ME/95/3.1/whathaveyou.
I'm a tech on a Windows network for the local government here and we immediately disable Automatic updates on machines now. Lord knows it's not because we're Linux users (I'm the only one) but because the updates all too often BREAK things that were already working.
Maxim: People cannot follow directions.
Increases in truth directly with the length of time spent explaining them
>ncadg_ip_udp : UDP port 135
>ncacn_np : \pipe\epmapper, normally accessible via SMB null session on TCP ports 139 and 445
Etc. Etc. Etc.
The ironic part is that a Win9x box doesn't run these services. Or any other services - to use a technical term, in comparison to XP and 2K, an out-of-the-box 9x install doesn't listen to jack shit. If you do the 30-second tweak to disable/unbind the NetBIOS crap, you can safely (!) run 9x without a firewall because such a box doesn't listen to 80, 135, 137, 139, 445 etc. Unpatched. (Well, as long as you don't use Outleak Excess or Internet Exploiter, but that's just plain sanity :)
XP? 2K? Nuh-uh. You can disable UPnP hole (SSDP/1900) from the Services panel, but I have yet to find a way (well, short of a firewall :) of stopping an XP box from listening to 135 and 445. After all, Joe Sixpack who owns just one computer obviously, always wants to be able to network it with NT 4.0 boxen over a LAN. But there's just no way of saying "Look, XP, I don't do that kind of kink. Ever. So stop listening to those ports".
Thanks, Bill. No, really. Thanks a bunch. Other than a noble desire to take one for the team by jumping on the proverbial grenade, why the hell did HomeSec chose these twits as their vendor of choice?
Am I correct in saying that a router can be used at home to prevent these kinds of attacks in the first place?
Actually that is not correct. A "router" in a nutshell is just used to "route" traffic from point A to point B.
What what people need is a hardware based NAT switch with firewall firmware. It places that nice "buffer" zone between your machines and the web.
If if the NAT switch/firewall is compromised somehow, it will not get the hacker very far without the presence of an OS. Your boxes behind should still be safe (but left without networking).
-- Knowing too much can get you killed, but knowing who knows too much can make you rich.
Pretty sure they don't. I believe this is something only on the NT side of the house.
If I understand right, 4444 is the port the exploit for the DCOM bug connects to.
/* port 4444 bindshell */
I updated all my systems,and firewalled 135/139/445(UDP and TCP) and 4444(TCP).
I know I am gonna get modded down for this,but if you dont have already, I suggest you fix this ASAP.
You can get the fix from here for windows 2000, and here for windows xp.
The exploit has it in the code:
target_ip.sin_port = htons(4444);
Also, notice the comment about the shell code:
Dan
Security consultant
ClickNews
Is there a utility/app/shareware thing that will tell you what process on WinNT/2K/XP is associated with whatever ports are active? Thanks. Really, I mean that.
"Would it kill you to put down the toilet seat?" -- Maya Angelou
windows 98/windows 98se is vulnerable but Microsoft has not released a patch because they no longer support the product.
No, 98 isn't in the list for this vulnerability (MS03-026). But it is in the list for a different one: MS03-030 (the one about MIDI files and DirectX and QUARTZ.DLL)...
Personally, I use a linux system with two NICs as my router/gateway. netfilter/iptables provides possibly the most powerful and configurable IP filtering suite available, and even though I use only a small portion of its features, I know that if I want to make it do all kinds of weird things, I just have to pore through volumes of crappy documentation.
Of course with linux you must be careful to stay updated. This is true of any OS but less true with, say, openbsd which is what I used to use. I ended up using linux because it has advantages in terms of using it for other things than just a firewall box, and it's an athlon 700 so I can still get some decent use out of it.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Windows 2000 requires a minimum of 32Mb to run. it won't install on a machine with less than 32Mb RAM.
-- Fuck Beta
If your desktop clients aren't Win2k and higher (therefore not vulnerable to the RPC hit) and don't have publicly exposed IP address (i.e. - inside a Internet firewall or proxy) then you are just talking about servers.
In that case don't have you any remote control software (e.g. - VNC, SMS, PC Anywhere, etc.)? If so just put the patches on a common network share and remote into the boxes to install. If you aren't talking about more than 10-20 boxes it shouldn't take too long. If you are talking about more than that perhaps script out AT jobs to the boxes to execute KixTart scripts or something.
http://www.eeye.com/html/Research/Tools/Download.a sp?file=RetinaRPCDCOM