[Dshield] New Microsoft Windows RPC vulnerability

Keith Bergen keith at keithbergen.com
Wed Sep 17 22:18:58 GMT 2003


As I read the web page in question, they suggested completely disabling RPC.
In doing so, you would cripple Task Scheduler. That is what I meant by
"killing".

I agree that blocking the port is the way to go. My NAT router doesn't
forward port 135, thus it is blocked.

I think your system should be patched regardless of your firewall. In my
case, I carry my laptop around. If I plug it into an infected network, then
I run the risk of being infected, and thus bringing it home etc. Or, if I
allow an infected friend onto my network, then they could propagate that
infection to my system.

Anyhow, sorry for the confusing email. I was simply responding to the
DCOMbob web site.

Perhaps I'm mistaken, and they are not suggesting totally disabling RPC.

Keith.

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Kenton Smith
Sent: Wednesday, September 17, 2003 3:55 PM
To: General DShield Discussion List
Subject: RE: [Dshield] New Microsoft Windows RPC vulnerability


I'm having a little trouble making sense of this, maybe it's just the
mid-afternoon slowdown of my brain.

What do you mean by killing port 135? You must be doing something in the O/S
itself, yes? 

That really isn't necessary. The idea about blocking (not killing) port 135
to prevent infection by a DCom worm (or other such nasty traffic), is to
stop incoming traffic destined for this port. If you have a firewall, you
would block this port for all incoming traffic. There is no way that this
should have any effect on services running on your local machine.

If you don't have a firewall (network based or host based) you should patch
for the vulnerability and then go get one.

Maybe you have a completely different meaning than what I have assumed.

Kenton

On Wed, 2003-09-17 at 12:43, Keith Bergen wrote:
> A friend of mine tried to make the argument that killing port
> 135 was good. The other problem that I have seen with killing 
> it is that the Task Scheduler relies on port 135. I found 
> that one out the hard way. I killed 135, and killed my 
> DShield submissions! They were scheduled. Also, many 
> antivirus software rely on Task Scheduler to get updates, or 
> to run scans. Those would stop.
> 
> In short, I disagreed with my friend. Port 135 is a necessary
> evil (in my house), and if you install your network behind a 
> NAT router, you should be more safe. Let's just hope that 
> we've seen the last vulnerability of DCOM.
> 
> Now, if you don't use Task Scheduler or Winfax, or anything
> else that relies on RPC, you should be fine, right?
> 
> Keith.
> 
> ---- Original message ----
> >Date: Wed, 17 Sep 2003 13:58:56 -0400
> >From: "Guy Barnum" <GuyBarnum at Armscole.com>
> >Subject: RE: [Dshield] New Microsoft Windows RPC vulnerability
> >To: "General DShield Discussion List" <list at dshield.org>
> >
> >I decided to follow up on one of these DCOMbobulator plugs. Has anyone
> >else tested their client server apps against DCOMbob.exe?
> >
> >The grc.com web site indicates that basically no one but hackers would
> >use DCOM to violate your computer so everyone should just shut it off.
> >
> >There is a small company by the name of Symantec which uses DCOM and the
> >RPC server for their Winfax client server connection.  Arguably
> >installing winfax software could still be considered a system
> >violation...  If I found an application used as widely as Winfax, which
> >won't work with DCOM turned off, in the first 5 minutes of testing
> >DCOMbob.exe surely there are many more out there and it might not be a
> >good practice to tell everyone in the whole web-world to start turning
> >off DCOM.
> >
> >I can picture IT support personnel trying to figure out why their client
> >server app of choice isn't working on x number of systems and how they
> >would figure out the users have read articles like this and turned off
> >their DCOM services.
> >
> >Guy
> >
> >-----Original Message-----
> >From: Rick Leske [mailto:rick at jaray.net]
> >Sent: Tuesday, September 16, 2003 11:24 PM
> >To: General DShield Discussion List
> >Subject: RE: [Dshield] New Microsoft Windows RPC vulnerability
> >
> >
> >Well here's a better explanation: http://grc.com/default.htm
> >
> >hth,
> >
> >~Rick
> >
> >_______________________________________________
> >list mailing list
> >list at dshield.org
> >To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
> 