
Thread: Serious Windows bug. All NT versions affected (2k, 2k3)

  1. #1
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779

    Serious Windows bug. All NT versions affected (2k, 2k3)

    This was initially mentioned by r8devil here
    http://www.antionline.com/showthread...hreadid=246183
    but I felt his title didn't convey the seriousness of this issue.

    Ok it looks like RPC is broken badly, I have had reports this week that we have had a spike of scans on port 135 and this is why.

    Basically a remote exploit of RPC will allow an attacker to execute any code with systems access. Now this is mitigated a little by safe computing (turn off RPC if not needed) or proper firewall setup (block port 135) unless like my office you use RPC in some of your remote administration...we haven't been exploited yet as the attacks have hit our web system with RPC turned off.

    Here is a Reg article that explains the exploit.
    http://www.theregister.com/content/55/31797.html

    and here is a link to the fix
    http://www.microsoft.com/technet/tre...n/MS03-026.asp
    Who is more trustworthy than all of the gurus or Buddha’s?

  2. #2
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    bugtraq ->

    Hello,

    We have discovered a critical security vulnerability in all recent versions of
    Microsoft operating systems. The vulnerability affects default installations
    of Windows NT 4.0, Windows 2000, Windows XP as well as Windows 2003 Server.

    This is a buffer overflow vulnerability that exists in an integral component of
    any Windows operating system, the RPC interface implementing Distributed Component
    Object Model services (DCOM). In a result of implementation error in a function
    responsible for instantiation of DCOM objects, remote attackers can obtain
    unauthorized access to vulnerable systems.

    The existence of the vulnerability has been confirmed by Microsoft Corporation.
    The appropriate security bulletin as well as fixes for all affected platforms
    are available for download from http://www.microsoft.com/security/ (MS03-026).

    It should be emphasized that this vulnerability poses an enormous threat and
    appropriate patches provided by Microsoft should be immediately applied.

    We have decided not to publish codes or any technical details with regard to
    this vulnerability at the moment.

    With best regards,
    Members of
    The Last Stage of Delirium
    Research Group

    http://lsd-pl.net
    yeah, I'm gonna need that by friday...

  3. #3
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830
    They announced in MS03-010 that RPC was fundamentally flawed in NT and that all they could really recommend is that you block the port from external access.

    Here is a quote from MS03-010:

    Although Windows NT 4.0 is affected by this vulnerability, Microsoft is unable to provide a patch for this vulnerability for Windows NT 4.0. The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability.
    They in effect signed the death certificate for NT. It is only a matter of time before they simply admit they won't support it anymore. For more on the MS03-010 thing you can see my About.com article- Windows NT R.I.P. and the links next to it for further information.

    As for this new flaw- if admins and users had blocked external access on the RPC port as directed by MS03-010 wouldn't this one be a moot point?

  4. #4
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    hey, here is what the kiddies are up to...

    RpcScan enumerates the RPC endpoint-map elements for port 135. You may differentiate between, for example, Windows NT 4.0 SP3 or before and Windows NT 4.0 SP4 or later, Windows 2000 SP2 or before and Windows 2000 SP3, default Windows XP and Windows XP SP1, Windows XP Home Edition and Windows XP Professional.
    Taken from the packetstorm archives, top 20 recent tools section...
    http://packetstorm.linuxsecurity.com...RpcScan101.zip
    yeah, I'm gonna need that by friday...

  5. #5
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Tony,
    MS already admitted they won't support NT as of DEC 2003, NT server will follow after their contracts expire.

    http://www.computerweekly.com/Article123115.htm

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  6. #6
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Originally posted here by Maestr0
    Tony,
    MS already admitted they won't support NT as of DEC 2003, NT server will follow after their contracts expire.

    http://www.computerweekly.com/Article123115.htm

    -Maestr0
    I've said it before. They should just release the source for it and let hackers on the net fix this damn OS. A lot of companies still use NT. So I know when they stop supporting this they are pretty much going to force companies to upgrade the computers they use. How nice for Microsoft, forcing people to spend more.

    Also I read about this on Yahoo news last night. I didn't post because I figured by the time I hit "create new thread" there would already be like 20. But anyway. It was fun how Microsoft just signed a 90 (million or billion?) dollar deal with the people for homeland security. To me this reminds me of another thread. People asking if UNIX would ever go away. Well when **** like this happens I think it just shows, NO it won't.

  7. #7
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    Don't worry about their new homeland security deal, my source at Dell tells me that they and MS are losing money on it. Everything in the deal the government used to buy individually, now they are finally taking advantage of volume licensing.
    Who is more trustworthy than all of the gurus or Buddha’s?

  8. #8
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    It would be difficult to overestimate the potential dangers of the Remote Procedure Call (RPC) vulnerability. First, it's found in most versions of Windows, including the new Windows Server 2003. Second, when exploited, the flaw could allow attackers to gain control of systems. Finally, a common misconfiguration could leave many systems susceptible without users being aware of it.
    continued...http://searchsecurity.techtarget.com...Exclusive=True
    yeah, I'm gonna need that by friday...

  9. #9
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Release NT source code? That would be fantastic. But that would mean releasing the core of 2000 as well, "Built on NT". A lot of companies still use NT because it works! Why upgrade? I only did it out of forcefulness from MS. They did stipulate many years ago that NT will no longer be supported. They have placed their feet in their mouths several times by releasing fixes when they said they would not. Looks like this time they are sticking to their guns. I can't afford to have a core networking OS that cannot be supported so I dug into my budget and upgraded to 2000 and XP. I must say though, from an admin point of view Active Directory is sweet. I did do this though; thanks to MS pissing me off with the entire deal. ALL my file servers that just deliver data shares are NOW Linux versus NT.

    On another note, Dell is a great company but they were trying to ram MS Licensing v6 down my corporate throat.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  10. #10
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    It should also be noted that simply blocking RPC ports at your firewall will not prevent a worm from spreading. Here is how worms normally get into my corporate network.

    A home user, using dialup, does not have a personal firewall and their system is not patched. The worm infects them.

    They then VPN into the corporate network behind the firewall. The worm is now running rampant inside of your firewall. Blocking RPC is not a good way to prevent this by itself. Security in layers, security in layers.
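
The scenario in post #10, as an added example that is not part of the thread: a perimeter block on port 135 does nothing once an infected VPN client is inside, so the check below looks for internal sources fanning out to many hosts on TCP/135. The log format, the address ranges (including the VPN pool) and the threshold are all assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log (key=value format is an assumption, not from the thread).
SAMPLE_LOG = """\
2003-07-18T09:00:01 src=10.8.0.23 dst=10.1.1.10 proto=tcp dport=135 action=allow
2003-07-18T09:00:01 src=10.8.0.23 dst=10.1.1.11 proto=tcp dport=135 action=allow
2003-07-18T09:00:02 src=10.8.0.23 dst=10.1.1.12 proto=tcp dport=135 action=allow
2003-07-18T09:00:02 src=10.8.0.23 dst=10.1.1.13 proto=tcp dport=135 action=allow
2003-07-18T09:00:03 src=10.8.0.23 dst=10.1.1.14 proto=tcp dport=135 action=allow
2003-07-18T09:00:04 src=10.8.0.23 dst=10.1.1.10 proto=tcp dport=80 action=allow
2003-07-18T09:01:10 src=10.1.2.5 dst=10.1.1.10 proto=tcp dport=135 action=allow
2003-07-18T09:01:40 src=10.1.2.5 dst=10.1.1.10 proto=tcp dport=135 action=allow
2003-07-18T09:02:15 src=10.1.2.5 dst=10.1.1.11 proto=tcp dport=135 action=allow
2003-07-18T09:03:00 src=203.0.113.7 dst=10.1.1.10 proto=tcp dport=135 action=deny
"""

# Hypothetical address plan: corporate LAN plus the pool handed to VPN clients.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.1.0.0/16", "10.8.0.0/24")]
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")
FANOUT_THRESHOLD = 4  # distinct TCP/135 targets before a source is flagged

def rpc_fanout(log_text):
    """Map each source IP to the set of distinct hosts it contacted on TCP/135."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        if rec.get("proto") != "tcp" or rec.get("dport") != "135":
            continue
        targets[rec["src"]].add(rec["dst"])
    return targets

def suspicious_internal_sources(log_text, threshold=FANOUT_THRESHOLD):
    """Return (src, origin, target_count) for inside hosts sweeping TCP/135."""
    findings = []
    for src, dsts in rpc_fanout(log_text).items():
        addr = ipaddress.ip_address(src)
        if len(dsts) >= threshold and any(addr in net for net in INTERNAL_NETS):
            origin = "vpn" if addr in VPN_POOL else "lan"
            findings.append((src, origin, len(dsts)))
    return sorted(findings)

if __name__ == "__main__":
    print(suspicious_internal_sources(SAMPLE_LOG))
```

The admin workstation that legitimately uses RPC against two servers stays under the threshold, while the VPN client touching five hosts in a few seconds is reported.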
