Fixing The MS RPC Vulnerability

[peace_on_earth]

With all of the "new" RPC exploits surfacing, I thought I would share a few simple tips on how to protect yourself.

I will be pointing out how to prevent RPC port 135 from listening, by applying a few simple registry tweaks. I will also explain how to disable SMB port 445 from listening by disabling NetBT.

All of these tweaks are geared towards the average home user running WinXP Home. If you are unsure whether you need these services/ports to be running, then please just download the patch below. Also make sure that you make a backup of your registry before attempting these tweaks!

If you feel more comfortable, you may visit: http://www.microsoft.com/technet/tre...n/MS03-026.asp to download the patch to correct this RPC Buffer Overflow Exploit. Also make sure that all other security patches have been downloaded. You can check which MS patches have been installed by navigating to the Control Panel>Add/Remove Programs and look for any HotFixes along with their HotFix Reference IDs that were installed. You may then do a search on Microsoft's site or on Google, to see which patches these HotFix codes correspond to.

Above all, the first step (if you haven't already) is to install a reliable firewall. Also, make sure that this firewall is properly configured. You can find numerous tutorials explaining how to do this here on AO, just conduct a search.

A properly configured firewall will protect you from a majority of attacks, but if all else fails (and I'm hoping it doesn't) these tweaks will insure that some of the more vulnerable ports are closed.

With all of this in mind, let's continue...

First open up regedit by going to Start>Run>and typing in regedit and clicking OK.

Next, backup your registry by going to File>Export>then type in an appropriate name and make sure the export range option is set to All. Then click on Save.

This first tweak will disable DCOM. Port 135 listens for remote activation requests
of COM objects. A lot of programs have support for Distributed Communication (DCOM), but scarcely ever use it.

Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole

Look on the right-hand panel for a value named EnableDCOM. By default it should be set at Y, change this to N. This will disable DCOM.

WinXP Pro users may configure DCOM by simply going to Start>Run>and typing in C:\WinNT\System32\Dcomcnfg.exe and clicking OK.

This next tweak will prevent DCOM from using IP based RPC protocol sequences.

Next, navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc

Look on the right-hand panel for a value named DCOM Protocols. Do not modify the entire value, but instead only remove ncacn_ip_tcp from the DCOM Protocols value, and leave everything else untouched.

The next tweak will close port 445 by disabling NetBT.

Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

Look on the right-hand panel for a value named TransportBindName. By default it should be set at \Device\. Delete the value named \Device\, so that TransportBindName remains empty.

Restart your computer after you have applied these tweaks. If something doesn't function properly, simply open up regedit and go to File>Import and import the backed-up registry file that you made earlier, and your registry will be returned to it's earlier state.

[Algaen]

You can check which MS patches have been installed by navigating to the Control Panel>Add/Remove Programs and look for any HotFixes along with their HotFix Reference IDs that were installed. You may then do a search on Microsoft's site or on Google, to see which patches these HotFix codes correspond to.

I just wanted to add that if you go to Windows Update, under the Other Options menu on the left, you can click on View Installation History to get a list of installed fixes and what they fixed. This is easier than looking in Add/Remove Programs, then checking the MS web-site for fix info.

Good job peace_on_earth!!

[Pecosian]

Yeah, nice and informative.

Just to add for those of you who want to disable RFC a word of warning, I disabled it to see if I could get by without it and PGP could no longer work, as well as ICQLite, and I had to restore the services via editing the registry as the Win2k Services under control panel would not show me any properties.

If you have a microsoft OS that is still supported then you simply need to open windows update and anything not installed should appear when you scan for updates. If you happen to be using Win9x and I think both 98 and 98SE have been discontinued, then you have to manually check which hotfixes you have installed and download them. I've recently done work on a few WinME systems at my work and windows update is still supported for that so anything newer should still work. I forget where I read the actual time frames but they have the amount of time that windows update will continue to work, along with when they stop selling and I'm not sure but I believe they will stop giving customer service as well after a certain number of years.

[Summer]

Thanks peace_on_earth - very informative indeed.

[infosecguru2]

easy fix: Linux.

[warl0ck7]

Hi everyone,

There is also a very simple solution for systems not running as Servers. Disable the server service in controlpanel---->Administrative Tools---->Services.msc.
Note:You won't be able to monitor shares etc,if the server service is disabled.

also see CERT advisory CA-2003-20 and www.cert.org/tech_tips/w32_blaster.html

[mark_boyle2002]

Opinions.

I think fire should be fought with sand. "its irritating to start with but solves the problem."

What about another worm that reaches its detination then seals the exploit by downloading and running the patch/update ??

[warl0ck7]

Heh Heh! mark

I don't think sand is a good option for fire. The fire should not be there in the first place as
it would minimise the damages. Also your proposed worm will not do anything useful than choking bandwidth and hence performing DoS attack, hope you get it

[mark_boyle2002]

Since I'm being scanned every few seconds here by varying IP addresses I take it this is now beyond a joke.

Since most of the people infected will presume that nothing is wrong and keep logging into the internet this will go on for ages.

If Someone who were to remain nameless were to write a non replicating script which checked IPs for the exploit then sealed the whole using another technique which shall remain nameless would this person be a hero or a criminal ?

Opinions please

[warl0ck7]

Mark the point and opinion is that your are just being non practical and trying to push your thougths with sentiments and not reason.