RE: Command Line RPC vulnerability scanner?

  • To: <[EMAIL PROTECTED]>
  • Subject: RE: Command Line RPC vulnerability scanner?
  • From: "Jay Woody" <[EMAIL PROTECTED]>
  • Date: Mon, 04 Aug 2003 11:08:42 -0500
Just as an interesting FYI, we are blocking these at the perimeter
(obviously as well as patching all boxes we find also) and a HUGE
majority (maybe 80-90%) of the attempts are hitting on port 445, not
135.  So if you are one of the lucky few that can block at the
perimeter, be sure you are blocking them ALL.

I have seen 135, 137, 139, 445, 80/443 (any IIS box with COM Internet
Services installed is what [EMAIL PROTECTED] reported) and also according
to [EMAIL PROTECTED] any machine that has RPC over HTTP is exploitable on
593 tcp/udp as well.  I could swear that I even remember seeing 4444 in
one person's e-mail now, but I can't find it to attribute it.  Sorry.

That is a lot of ports.  Obviously the best answer is to get patched,
but if blocking can buy you a little time, try it.  Just be sure you
block all of them that you can.  If what I am seeing on scans is any
indication, the first big worm will hit using 445, assuming that
everyone has been focusing on 135.  My 2 cents.

JayW

>>> "Bojan Zdrnja" <[EMAIL PROTECTED]> 08/01/03 07:30PM >>>


> -----Original Message-----
> From: Stong, Ian C. (Contractor) [mailto:[EMAIL PROTECTED] 
> Sent: Friday, 1 August 2003 11:33 p.m.
> To: 'Russell Fulton'; Schmehl, Paul L
> Cc: [EMAIL PROTECTED] 
> Subject: RE: Command Line RPC vulnerability scanner?
> 
> 
> Hi Russell,
> 
> A possible workaround (depending on your WAN requirements for port 135) for
> the systems that can't be patched is to simply block port 135 into your
> network.  If you need port 135 to be accessible from certain remote sites
> then allow those specific source/destination address and port pairs through
> your router or firewall.

This will work well to stop attacks originating from the Internet, but as it
was discussed on another mailing list (Full-disclosure), this is definitely
not sufficient.

I'd like to warn people that port blocking on their perimeter firewalls is
*not* enough (and only a small number of companies can afford *good*
firewalling in internal networks). It is probably just a question of time
when one of the following two will happen:

1) An employee inside your network or with VPN access runs an exploit on your
internal network.
2) A worm is written which exploits this vulnerability and enters your network
via an employee's computer and VPN.
3) The same worm spreads with mass e-mail.

Therefore, I'd consider patching as the only solution against this (nasty)
vulnerability.
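
Added example (not part of the archived thread or written by its participants): a check that a perimeter ACL denies every RPC-related port named in the message above, not just 135. The Cisco-style ACL text is a constructed sample, the function names are hypothetical, and the parser is an assumption-laden subset that understands only `any any` rules with numeric `eq` or `range` destination ports.

```python
import re

# Ports named in the message above. It gives tcp/udp only for 593;
# checking both protocols for every port is an assumption of this example.
WATCH_PORTS = (135, 137, 139, 445, 593)
PROTOCOLS = ("tcp", "udp")

# Constructed sample inbound ACL: 135 is covered, 445 was forgotten.
SAMPLE_ACL = """\
access-list 101 deny tcp any any eq 135
access-list 101 deny udp any any eq 135
access-list 101 deny tcp any any range 137 139
access-list 101 deny tcp any any eq 593
access-list 101 permit ip any any
"""

RULE = re.compile(
    r"access-list\s+\d+\s+(permit|deny)\s+(ip|tcp|udp)\s+any\s+any"
    r"(?:\s+eq\s+(\d+)|\s+range\s+(\d+)\s+(\d+))?\s*$"
)

def parse_acl(text):
    """Return (action, proto, low, high) tuples in rule order."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unsupported rule: {line}")
        action, proto, eq, lo, hi = m.groups()
        low = int(eq or lo or 0)          # no port qualifier = all ports
        high = int(eq or hi or 65535)
        rules.append((action, proto, low, high))
    return rules

def verdict(rules, proto, port):
    """First matching rule wins; no match falls through to the implicit deny."""
    for action, rule_proto, low, high in rules:
        if rule_proto in ("ip", proto) and low <= port <= high:
            return action
    return "deny"

def unblocked(acl_text):
    """List (proto, port) pairs from the watch list that the ACL still permits."""
    rules = parse_acl(acl_text)
    return [(proto, port) for port in WATCH_PORTS for proto in PROTOCOLS
            if verdict(rules, proto, port) == "permit"]
```

For the sample ACL, `unblocked(SAMPLE_ACL)` reports 445/tcp and 445/udp, along with the UDP side of 137, 139 and 593, as still permitted from outside.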
