[windows2000] Bad news on RPC DCOM vulnerability

  • From: "Dennis Appelboom" <dennis.appelboom@xxxxxxxxxx>
  • To: <windows2000@xxxxxxxxxxxxx>
  • Date: Mon, 13 Oct 2003 16:18:55 +0200

Today, I received this message from a colleague. I decided to find more
info about it on the internet, but couldn't find anything on
VigilantMinds site and on the securityfocus.com site about this
vulnerability. Also not when searching on Google. Does anyone have more
information? Maybe it's a HOAX.....


Dennis Appelboom

-----Original Message-----
From:   VigilantMinds Security Operations Center
Sent:   Sat 11-10-2003 8:08
To:     bugtraq@xxxxxxxxxxxxxxxxx
Subject:        RE: Bad news on RPC DCOM vulnerability

Security Community,

The following information references a serious security threat to you or
your organization if the proper measures have not been taken to prevent
its destructive intent.

Description of Issue
VigilantMinds has successfully validated the claims regarding the latest
Microsoft Remote Procedure Call (RPC) vulnerability.  Specifically,
VigilantMinds has validated that hosts running fully patched versions of
the following Microsoft operating systems REMAIN subject to denial of
service attacks and possible remote exploitation:
   * Microsoft Windows XP Professional
   * Microsoft Windows XP Home
   * Microsoft Windows 2000 Workstation

Although it has not been verified at this time, other versions of
Microsoft Windows are also suspected to be subject to this

As with the prior RPC vulnerability (MS03-039), these attacks can occur
on TCP ports 135, 139, 445 and 593; and UDP ports 135, 137, 138 and 445.

Remediation Actions
VigilantMinds has notified CERT/CC and informed the vendor of this
issue.  As of this posting, no vendor patch is yet available.

As a temporary solution, VigilantMinds suggests that firewall rules be
placed on all affected ports for any exposed systems.  All external
connectivity (including VPN) should be firewalled actively for
unnecessary incoming RPC activity.

A Snort signature that will detect traffic patterns associated with this
attack is below.  Note that current Snort signatures may also identify
this attack.

Further References

A Snort signature for this and other versions of the Microsoft RPC

alert TCP any any -> any 135 (msg:"RPC Vulnerability - bind initiation"; sid:1; rev:1; content:"|05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 a0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00|";)

Security Operations Center
VigilantMinds Inc.

email: soc.rpc@xxxxxxxxxxxxxxxxx
Office 412-661-5700
Fax 412-661-5684
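
The following is an added example, not part of the original post or of VigilantMinds' advisory: it decodes the 72 content bytes of the Snort signature above as a connection-oriented DCE/RPC bind PDU, so a reader can see which protocol fields the rule matches. The function names are hypothetical and the "2B10" in the post is read as "2B 10".

```python
import struct
import uuid

# Signature content from the post, with the run-together "2B10" read as "2B 10".
SIG_HEX = (
    "05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 D0 16 D0 16 "
    "00 00 00 00 01 00 00 00 01 00 01 00 a0 01 00 00 00 00 00 00 "
    "C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11 "
    "9F E8 08 00 2B 10 48 60 02 00 00 00"
)

def read_syntax(pdu, off, e):
    """Return (uuid string, version) for one 20-byte presentation syntax."""
    if off + 20 > len(pdu):
        raise ValueError("truncated syntax id")
    raw = pdu[off:off + 16]
    u = uuid.UUID(bytes_le=raw) if e == "<" else uuid.UUID(bytes=raw)
    return str(u), struct.unpack_from(e + "I", pdu, off + 16)[0]

def parse_bind(pdu):
    """Decode a connection-oriented DCE/RPC bind PDU into its fields."""
    if len(pdu) < 28:
        raise ValueError("too short for a bind PDU")
    if pdu[0:2] != b"\x05\x00" or pdu[2] != 0x0B:
        raise ValueError("not an RPC v5.0 bind")
    e = "<" if pdu[4] & 0xF0 == 0x10 else ">"   # drep: integer byte order
    frag_len, auth_len, call_id = struct.unpack_from(e + "HHI", pdu, 8)
    if frag_len > len(pdu):
        raise ValueError("fragment longer than captured data")
    pdu = pdu[:frag_len]
    max_xmit, max_recv, assoc = struct.unpack_from(e + "HHI", pdu, 16)
    contexts, off = [], 28
    for _ in range(pdu[24]):                    # n_context_elem
        if off + 4 > len(pdu):
            raise ValueError("truncated context element")
        ctx_id, n_ts = struct.unpack_from(e + "HBx", pdu, off)
        abstract = read_syntax(pdu, off + 4, e)  # interface being bound
        off += 24
        transfer = []
        for _ in range(n_ts):                   # offered encodings
            transfer.append(read_syntax(pdu, off, e))
            off += 20
        contexts.append({"id": ctx_id, "abstract": abstract, "transfer": transfer})
    return {"flags": pdu[3], "frag_len": frag_len, "auth_len": auth_len,
            "call_id": call_id, "max_xmit": max_xmit, "max_recv": max_recv,
            "assoc_group": assoc, "contexts": contexts}

if __name__ == "__main__":
    print(parse_bind(bytes.fromhex(SIG_HEX)))
```

The decoded fields show that the rule matches one complete bind request to interface 000001a0-0000-0000-c000-000000000046 with NDR transfer syntax, including a fixed call_id of 127 and 5840-byte fragment sizes, so it is narrower than a match on the interface UUID alone.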
