CERT warns for exploitation of RPC
Results 1 to 7 of 7

Thread: CERT warns for exploitation of RPC

  1. #1
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424

    CERT warns for exploitation of RPC

    Systems Affected
    Microsoft Windows NT 4.0
    Microsoft Windows NT 4.0 Terminal Services Edition
    Microsoft Windows 2000
    Microsoft Windows XP
    Microsoft Windows Server 2003

    Overview
    The CERT/CC is receiving reports of widespread scanning and exploitation of two recently discovered vulnerabilities in Microsoft Remote Procedure Call (RPC) Interface.

    I. Description
    Reports to the CERT/CC indicate that intruders are actively scanning for
    and exploiting a vulnerability in Microsoft's DCOM RPC interface as
    described in VU#568148 and CA-2003-16. Multiple exploits for this
    vulnerability have been publicly released, and there is active development of improved and automated exploit tools for this vulnerability. Known
    exploits target TCP port 135 and create a privileged backdoor command shell on successfully compromised hosts. Some versions of the exploit use TCP
    port 4444 for the backdoor, and other versions use a TCP port number
    specified by the intruder at run-time. We have also received reports of
    scanning activity for common backdoor ports such as 4444/TCP. In some
    cases, due to the RPC service terminating, a compromised system may reboot after the backdoor is accessed by an intruder.
    There appears to be a separate denial-of-service vulnerability in
    Microsoft's RPC interface that is also being targeted. Based on current
    information, we believe this vulnerability is separate and independent from the RPC vulnerability addressed in MS03-026. The CERT/CC is tracking this additional vulnerability as VU#326746 and is continuing to work to
    understand the issue and mitigation strategies. Exploit code for this
    vulnerability has been publicly released and also targets TCP port 135.
    In both of the attacks described above, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies.


    II. Impact

    A remote attacker could exploit these vulnerabilities to execute arbitrary code with Local System privileges or to cause a denial of service condition.

    III. Solutions
    Apply patches
    All users are encouraged to apply the patches referred to in Microsoft
    Security Bulletin MS03-026 as soon as possible in order to mitigate the
    vulnerability described in VU#568148. These patches are also available via Microsoft's Windows Update service.
    Systems running Windows 2000 may still be vulnerable to at least a denial of service attack via VU#326746 if their DCOM RPC service is available via the network. Therefore, sites are encouraged to use the packet filtering tips below in addition to applying the patches supplied in MS03-026.
    Share on Google+

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
    Share on Google+

  3. #3
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    *Yawn*
    Share on Google+

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    *Yawn*
    Why must you continue to be a piss ant? If you have nothing else to do besides waste space, do it someplace else. We have enough turds to flush from this site.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
    Share on Google+

  5. #5
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    oh Boo hoo, sum1 posted something which was discussed more than once. Maybe he had some update. Dude do u have anything better to do other than flame others?
    Share on Google+

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    oh Boo hoo, sum1 posted something which was discussed more than once. Maybe he had some update. Dude do u have anything better to do other than flame others?
    Once again your ignorance is shining through. Neg happens to be a friend of mine. Again, *before* you open your mouth and prove to the world that you have no idea what your talking about, exercise good judgement and get the facts first.

    *sigh*

    Is anyone else tired of this punk yet?
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
    Share on Google+

  7. #7
    Banned
    Join Date
    Mar 2002
    Posts
    594
    I'll take the role of a moderator for a couple of seconds....

    Ladies, ladies... take this to a personal conference room or to PMs... we have enough flame wars going on already...

    Cheers, jag291
    Share on Google+

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •