<<< Date Index >>>     <<< Thread Index >>>

Re: Bad news on RPC DCOM vulnerability



I have also seen a significant rise in smb login failures with the snort signature:

alert tcp any 445 -> any any (sid:10000216; msg:"SMB Login Failure";
flow:from_server,established; content:"|FF|SMB|73 6d 00 00 c0|"; offset:4
; depth:9;)

The login failures are from systems running XP and would logically fire in the face of this exploit. Running nmap with -A gives us a good look at the service on port 445, even though the OS details are identified as Microsoft Windows Millennium Edition (Me), Windows 2000 Professional or Advanced Server, or Windows XP


nmap -sS -O -A x.x.x.x

Starting nmap 3.45 ( http://www.insecure.org/nmap ) at 2003-10-11 14:54
Pacific Daylight Time
Interesting ports on DEMENTIA (x.x.x.x):
(The 1652 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
707/tcp  open  unknown
1030/tcp open  iad1?
1 service unrecognized despite returning data. If you know the
service/version, please submit the following fingerprint at http
g/cgi-bin/servicefp-submit.cgi :
SF-Port1030-TCP:V=3.45%D=10/11%Time=3F887C52%r(SMBProgNeg,18,"\x05\0\r\x03
SF:\x10\0\0\0\x18\0\0\0\0\x08\x01@\x04\0\x01\x05\0\xfa\x9f\x06");
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows Millennium Edition (Me), Windows 2000
Professional or Advanced Server, or Windows XP

Nmap run completed -- 1 IP address (1 host up) scanned in 87.703 seconds

So, in the face of this exploit, and without a vendor provided patch, would it be safe to say that any system returning the nmap scan value

445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds

is potentially vulnerable?
-----Original Message-----
From: VigilantMinds Security Operations Center
[mailto:soc.rpc@xxxxxxxxxxxxxxxxx]
Sent: Friday, October 10, 2003 11:08 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: RE: Bad news on RPC DCOM vulnerability


Security Community,

The following information references a serious security threat to you or
your organization if the proper measures have not been taken to prevent
its destructive intent.
Description of Issue
--------------------
VigilantMinds has successfully validated the claims regarding the latest
Microsoft Remote Procedure Call (RPC) vulnerability.  Specifically,
VigilantMinds has validated that hosts running fully patched versions of
the following Microsoft operating systems REMAIN subject to denial of
service attacks and possible remote exploitation:
* Microsoft Windows XP Professional
  * Microsoft Windows XP Home
  * Microsoft Windows 2000 Workstation

Although it has not been verified at this time, other versions of
Microsoft Windows are also suspected to be subject to this
vulnerability.

As with the prior RPC vulnerability (MS03-039), these attacks can occur
on TCP ports 135, 139, 445 and 593; and UDP ports 135, 137, 138 and 445.


Remediation Actions
-------------------
VigilantMinds has notified CERT/CC and informed the vendor of this
issue.  As of this posting, no vendor patch is yet available.

As a temporary solution, VigilantMinds suggests that firewall rules be
placed on all affected ports for any exposed systems.  All external
connectivity (including VPN) should be firewalled actively for
unnecessary incoming RPC activity.

A Snort signature that will detect traffic patterns associated with this
attack is below.  Note that current Snort signatures may also identify
this attack.


Further References
------------------

A Snort signature for this and other versions of the Microsoft RPC
vulnerability:

alert TCP any any -> any 135 (msg:"RPC Vulnerability - bind
initiation";sid:1; rev:1; content:"|05 00 0B 03 10 00 00 00 48 00 00 00
7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 a0 01 00 00
00 00 00 00 C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11
9F E8 08 00 2B10 48 60 02 00 00 00|";
flow:to_server,established;classtype:attempted-admin;)



********************************************
Security Operations Center
VigilantMinds Inc.

email: soc.rpc@xxxxxxxxxxxxxxxxx
Office 412-661-5700
Fax 412-661-5684
********************************************

This e-mail and any files transmitted with it may contain confidential
and/or proprietary information. Any use, distribution, copying or
disclosure by another person is strictly prohibited. It is intended
solely for the use of the individual or entity who is the intended
recipient. Unauthorized use of this information is prohibited.

********************************************


-----Original Message-----
From: 3APA3A [mailto:3APA3A@xxxxxxxxxxxxxxxx]
Posted At: Friday, October 10, 2003 10:49 AM
Posted To: Full Disclosure
Conversation: [Full-Disclosure] Bad news on RPC DCOM vulnerability
Subject: [Full-Disclosure] Bad news on RPC DCOM vulnerability


Dear bugtraq@xxxxxxxxxxxxxxxxx,

There are few bad news on RPC DCOM vulnerability:

1.  Universal  exploit  for  MS03-039  exists in-the-wild, PINK FLOYD is
again actual. 2.  It  was  reported  by exploit author (and confirmed),
Windows XP SP1 with  all  security  fixes  installed still vulnerable to
variant of the same bug. Windows 2000/2003 was not tested. For a while
only DoS exploit exists,  but  code execution is probably possible.
Technical details are sent to Microsoft, waiting for confirmation.

Dear  ISPs.  Please  instruct  you customers to use personal fireWALL in
Windows XP.