The Scream! > COMPUTER RELATED > PC Security
#1  silver (Join Date: Apr 2001; Location: Bournemouth, UK; Posts: 12,177), 18-July-2003, 10:06
Dcom critical exploit NT/XP/w2k/w2k3

http://www.microsoft.com/technet/tre...n/MS03-026.asp

Technical description:

Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. This interface handles DCOM object activation requests that are sent by client machines (such as Universal Naming Convention (UNC) paths) to the server. An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system. The attacker would be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.

To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on port 135.
m$ suggest firewalling it but really you may as well turn it off?!

Edit - the manual method works but in the time since I made this post an easier and perhaps safer method is now available, go to http://grc.com/dcom/

from the thread 'harden win2k' (works for XP and should work for w2k3 as well):

run C:\WinNT\System32\Dcomcnfg.exe

To disable DCOM, go to the Default Properties tab and uncheck the box.

If you do not have to re-enable DCOM again, then on the Default Protocols tab remove all protocols. You won't need them and that should stop the OS from listening on port 135 (unless you have other programs that are forcing it open), then reboot.

I have had no problems with dcom disabled / not listening on port 135.

To check what ports are listening on your PC (and shouldn't be), see the thread 'Advice please - netstat'.

Sil

Last edited by silver; 01-February-2004 at 18:56.
#2  silver, 11-August-2003, 23:58

someone has sent some kind of worm out that exploits the problem that is spreading quite quickly

Now my comp reboots every 2 minutes and I get this warning:
"windows must now restart because the remote procedure call service terminated unexpectedly."
more details in the thread '$%$% I've got a hacker (DCOM RPC exploit worm)'

Sil

Last edited by silver; 13-August-2003 at 15:52.
#3  silver, 12-August-2003, 01:10

just to expand a little on the glib instructions for running

Code:
C:\WinNT\System32\Dcomcnfg.exe

you can probably run this just by typing

Code:
Dcomcnfg

into the 'Run...' box on the start menu.

you might get a load of messages come up first - like [screenshot]

just click 'No' to those, they can be ignored really I think.

then press the 'Default Properties' tab and unselect the first box - like [screenshot]

then go to the last tab ('Default Protocols') and remove all the entries [screenshot]

then reboot and you should see you aren't running DCOM any more (see the thread 'Advice please - netstat' for how to check)

of course I think this is reasonably safe to do but if it screws up then you can always add it back in... right? :)

Sil
#4  silver, 12-August-2003, 01:33

another way to do the same thing (it's more or less the same window - but here's another way to get there) both methods work on XP and win2k for disabling DCOM

On Windows XP to turn off DCOM it is:

Control panel
Administrative tools
Component services
Expand component services until you get to my computer
Right click on it, select properties
Default properties, uncheck “enable distributed COM on this computer”
Default protocols, remove what’s there
Reboot
right click on 'My Computer', the following windows are pretty much the same as in the previous post. [screenshot]

thanks to john for the info + screenshot

Sil
#5  gadgett (Guest), 19-August-2003, 19:55

sil what are the last two lines before reboot:

Right click on it, select properties
Default properties, uncheck “enable distributed COM on this computer”
Default protocols, remove what’s there
Reboot

gadgeeeeeeee
#6  gadgett (Guest), 19-August-2003, 19:58

oh yes remove all entries

gadgeeeeeeee
#7  silver, 19-August-2003, 20:08

yep

Sil

PS: to totally stop port 135 listening you should turn off the 'messenger' service and also the 'task scheduler' service; right click on 'my computer' and pick 'manage', then look at the services list, find those 2 entries, set to manual and 'stop'
#8  Worldlife, "Safe Sane Consensual" (Join Date: Apr 2001; Location: West Sussex, UK; Posts: 14,835), 21-August-2003, 18:43

Found these instructions rather difficult to follow on an OEM version of XP Home on the new laptop. The options before me didn't seem to correspond to what was given in previous posts here....

Tried various searches to locate the files mentioned and was able to proceed after finding "Component Services"

The route to this for me was:

C:\Documents and Settings\All users\Start Menu\Programs\Administrative Tools\Component Services\My Computer\Default com security

Maybe until this storm blows over I'll keep my internet activity concentrated on the desktop with W98SE installed!!!!!

Good advice though....now I can understand and implement it!
#9  silver, 06-September-2003, 19:57

ok - this makes things easier - check your dcom settings and turn them off - even easier,. there is no excuse now!

see http://grc.com/dcom/

Sil
#10  Worldlife, 07-September-2003, 06:19

Thanks Silv.... a neat program

Maybe worth a warning to only download and install programs of this type from a company you know and trust or on the personal recommendation of a person you can trust
#11  silver, 07-September-2003, 09:18

yes beware of people offering gifts, in a lot of cases

utils on grc site are generally to be trusted (IMO!)

Sil
#12  gem (Join Date: May 2001; Location: Currently in Brittany, France; Posts: 5,597), 07-September-2003, 12:36

Thanks for that Sil, confirms I'm now ok.
__________________
GEM
#13  crankykick, "Screamager" (Join Date: Mar 2003; Location: here; Posts: 824), 02-October-2003, 15:13

updated version of dcom now available http://grc.com/dcom/
#14  silver, 04-November-2003, 02:20

Thanks crankykick,

I think the link you give above is a more straight-forward way of turning the dam dcom thing off!

Sil
#15  DirtyRed (Guest), 02-April-2004, 18:01

Ah! That was my problem, Port 135 was still listening on my PC even though I had run the Dcom program from GRC, but now that I've turned off Task Scheduler (Messenger was already off) it's disappeared!

Any advice on my updated netstat readings, does Port 445 need turning off?

Code:
Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3004 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3006 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3015 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3017 0.0.0.0:0 LISTENING
TCP 0.0.0.0:19997 0.0.0.0:0 LISTENING
TCP 0.0.0.0:19998 0.0.0.0:0 LISTENING
TCP 81.100.242.145:139 0.0.0.0:0 LISTENING
TCP 81.100.242.145:3015 66.193.112.84:8500 ESTABLISHED
TCP 127.0.0.1:3001 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3002 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3003 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3004 127.0.0.1:3006 ESTABLISHED
TCP 127.0.0.1:3006 127.0.0.1:3004 ESTABLISHED
TCP 127.0.0.1:3016 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3016 127.0.0.1:3017 ESTABLISHED
TCP 127.0.0.1:3017 127.0.0.1:3016 ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1025 *:*
UDP 81.100.242.145:123 *:*
UDP 81.100.242.145:137 *:*
UDP 81.100.242.145:138 *:*
UDP 81.100.242.145:2234 *:*
UDP 81.100.242.145:5353 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:2234 *:*

Cheers

P.S. The established connections are Firefox and Correct Connect, I'm on NTL!
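The check this thread keeps pointing at (look at netstat and see what is still listening) is easy to get wrong by eye, because a socket bound to 127.0.0.1 is only reachable from the machine itself while one bound to 0.0.0.0 or the public address is reachable from the network. The following is an added example, not code from the thread or from GRC: it parses a Windows `netstat -an` listing, separates loopback-only binds from network-reachable ones, and flags the ports discussed in this thread (135 for the RPC endpoint mapper, 139 and the NetBIOS UDP ports, and 445, which a later post notes Sasser uses). The sample listing is constructed after the one in this post, with the public address replaced by the documentation address 192.0.2.45 and the loopback entries trimmed; the port labels are standard service names that the thread itself does not spell out.

```python
"""Classify a Windows `netstat -an` listing by network exposure.

Added example, not code from the forum thread. SAMPLE is constructed after
the listing in post #15, with the public address replaced by 192.0.2.45
(documentation range) and the loopback entries trimmed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ports the thread discusses. Labels are standard service names
# (assumption: the thread itself does not spell them out).
WATCHED_PORTS: Dict[int, str] = {
    135: "RPC endpoint mapper / DCOM activation (MS03-026)",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB over TCP (Sasser propagation port, per post #19)",
}

# One Windows netstat -an row: proto, local ip:port, foreign ip:port, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    foreign: str
    state: str  # "LISTENING", "ESTABLISHED", ...; "" for UDP rows

    @property
    def network_reachable(self) -> bool:
        """A loopback bind can only be reached from the machine itself."""
        return not self.local_ip.startswith("127.")


def parse_netstat(text: str) -> List[Socket]:
    """Parse netstat rows; the 'Active Connections' and column header lines are skipped."""
    socks = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, ip, port, foreign, state = m.groups()
            socks.append(Socket(proto, ip, int(port), foreign, state or ""))
    return socks


def listening(socks: List[Socket]) -> List[Socket]:
    """UDP rows carry no state; every bound UDP port accepts datagrams."""
    return [s for s in socks if s.proto == "UDP" or s.state == "LISTENING"]


def network_exposed(socks: List[Socket]) -> List[Socket]:
    """Listening sockets a remote host could reach (not loopback-only)."""
    return [s for s in listening(socks) if s.network_reachable]


def watched_exposures(socks: List[Socket]) -> List[Tuple[str, int]]:
    """(proto, port) pairs from WATCHED_PORTS that are exposed to the network."""
    return sorted({(s.proto, s.local_port) for s in network_exposed(socks)
                   if s.local_port in WATCHED_PORTS})


def report(text: str) -> str:
    """Human-readable summary, ending with whether port 135 (DCOM/RPC) is open."""
    socks = parse_netstat(text)
    lines = []
    for s in sorted(network_exposed(socks), key=lambda s: (s.proto, s.local_port)):
        label = WATCHED_PORTS.get(s.local_port, "")
        flag = "  <-- " + label if label else ""
        lines.append(f"{s.proto} {s.local_ip}:{s.local_port} exposed{flag}")
    open_ports = {s.local_port for s in listening(socks)}
    lines.append("port 135 listening: " + ("yes" if 135 in open_ports else "no"))
    return "\n".join(lines)


# Constructed sample (after post #15; public address replaced, loopback trimmed).
SAMPLE = """Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3004 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3006 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3015 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3017 0.0.0.0:0 LISTENING
TCP 0.0.0.0:19997 0.0.0.0:0 LISTENING
TCP 0.0.0.0:19998 0.0.0.0:0 LISTENING
TCP 192.0.2.45:139 0.0.0.0:0 LISTENING
TCP 192.0.2.45:3015 198.51.100.84:8500 ESTABLISHED
TCP 127.0.0.1:3001 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3004 127.0.0.1:3006 ESTABLISHED
TCP 127.0.0.1:3006 127.0.0.1:3004 ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1025 *:*
UDP 192.0.2.45:123 *:*
UDP 192.0.2.45:137 *:*
UDP 192.0.2.45:138 *:*
UDP 192.0.2.45:2234 *:*
UDP 192.0.2.45:5353 *:*
UDP 127.0.0.1:123 *:*
"""

if __name__ == "__main__":
    print(report(SAMPLE))
```

On the sample, port 135 is absent from the listening set, which is what disabling DCOM and stopping the two services should produce, while 139 and 445 (TCP) and 137, 138 and 445 (UDP) are still reachable from the network; the ESTABLISHED rows are outbound sessions and are not counted as exposure. To run it against a real machine, paste the output of `netstat -an` in place of SAMPLE.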
#16  silver, 05-May-2004, 22:36

I bet you wouldn't guess but there's yet another dcom exploit !

go on - you know you want to turn it off!

Vulnerabilities in Windows RPC/DCOM
eEye Digital Security, Qualsys, and Todd Sabin discovered several
new vulnerabilities in Microsoft remote procedure call/Distributed COM
(RPC/DCOM), the most serious of which could cause execution of
arbitrary code on the vulnerable system. Microsoft has released
Microsoft Security Bulletin MS04-012, "Cumulative Update for Microsoft
RPC/DCOM (828741)," to address these vulnerabilities and recommends
that affected users immediately apply the appropriate patch listed in
the bulletin.
http://secadministrator.com/articles...rticleid=42423

Sil
#17  The-Geek (Guest), 06-May-2004, 09:20

Originally posted by Worldlife
Maybe until this storm blows over I'll keep my internet activity concentrated on the desktop with W98SE installed!!!!!

Hmm, you would think this was a good idea but I've read that even though Windows 9x / ME aren't affected by these viruses (as they don't run the required services) they can still act as a host service allowing the virus to infect other machines from yours!!

Regarding disabling the RPC services, in a networked environment I have a feeling that this might not be a good thing. How do workstations communicate with servers without RPC?

IMHO I think a modem or modem router with a hardware firewall between your PC / Network and the internet is the best idea. How many ports do you need to open on the firewall? That's easy NONE!! Use stateful packet inspection (SPI).

Another thing to consider, all of the security hacks are patched by Microsoft within days (sometimes hours) of their discovery. These patches are freely available on the Windows Update site, so if you keep your machine(s) up to date these worms and viruses won't affect you. They're not called "Critical Updates" for nothing.

Using the methods above (firewall + critical updates) is far better than disabling services which Windows may rely upon to function correctly - particularly if you don't know what you're doing!!

Regarding my firewalls - I can't even run the Symantec Security Checker because it can't find a way into our networks!!

Symantec Security Checker:

http://security2.norton.com/sscv6/de...d=ie&venid=sym

Regards
#18  silver, 06-May-2004, 10:48

Originally posted by The-Geek
Using the methods above (firewall + critical updates) is far better than disabling services which Windows may rely upon to function correctly - particularly if you don't know what you're doing!

disagree

the reason win98 is safer to connect to the i'net directly is 'cos it doesn't run services,. if you go to the trouble of turning them off in win2k / XP then you can be as safe,.

I guess I start from a different perspective as I have a *nix background,. a non-running service that isn't installed can't be exploited,. unfortunately uninstalling most of the m$ stuff isn't possible but it is possible to turn it off (with difficulty), which is a step in the right direction,.. in fact m$ are slowly going down this route,. they used to ship some OS's with IIS turned on - now it's turned off by default.,.,(can't remember where I saw that)

I agree people would be safer using a NAT type firewall on the edge of their networks and they are becoming more common but still I would turn off services which aren't required.

I'm not sure how useful RPC is to the average user,. I've not had anything not work because of it so I figure I don't need it

Sil
#19  The-Geek (Guest), 06-May-2004, 21:31

Originally posted by silver
the reason win98 is safer to connect to the i'net directly is 'cos it doesn't run services,. if you go to the trouble of turning them off in win2k / XP then you can be as safe,.

Silver,

Whilst I agree with your statement above regarding Windows 98 not being affected because it doesn't run the necessary services this is not a completely true statement.

Windows 98 does not exhibit the symptoms of Windows 2000 / XP if it becomes infected (i.e. Error reported in lsass.exe - Shutting down in 59s) HOWEVER it can become a host for the virus which, when connected to the internet, will scan IP Address ranges in the Class A, Class B and Class C address ranges to find other unpatched machines which it can infect!!

So, Window 98 might not be as "safe" as it first seems - in fact, it might just be contributing to the problem!!

I agree with you that turning off unused services is a good idea - this is something I do regularly on my Linux Web Server (yes, I use a *nix product as well). Microsoft also recommend this (telnet for example) however, when this affects the functionality of your machine then other methods of securing it should be used (such as a firewall or Demilitarized Zone (DMZ)).

Regarding firewalls, I'm glad you agree with me. Any IT Pro worth his weight in gold will tell you that you need a firewall to keep out "unwanted visitors" whether they are viruses, hackers or crackers.

Originally posted by silver
I'm not sure how useful RPC is to the average user,. I've not had anything not work because of it so I figure I don't need it

That depends on your definition of "average user".

Going back 5 or 10 years my definition of an average user would be someone who had one PC connected to the internet through a dial-up who surfed the web a little and sent/received the odd email.

Today I'm more of the opinion that the average user has evolved somewhat and would be more likely to have 1 or 2 PC's, probably sharing files, printers and an internet connection over a network and not too aware of all the nasty's that can happen to their PC when they dial-up (let alone are permanently connected).

I think the main problem today is that people are unaware of what's out there on the internet and how it could affect them.

Like I always say to my clients:

"My job is to protect you from yourself"

Regards


PS - Sasser.d uses Port 445 to propagate across the internet

Last edited by The-Geek; 06-May-2004 at 21:38.
#20  silver, 06-May-2004, 21:53

well, I still am not even slightly convinced I need RPC / DCOM running,. an so to me it's safer off (as is lsass.exe not listening in the case of the sasser worm)

both the DCOM-RPC and sasser things work against services that are running by default on win2k/XP boxes,. I agree people should have a firewall and keep upto date on patches but even with those in place why not just turn them off if you don't need them?

I think the problem is one of m$'s creation, in an effort to make the OS simple for 'anyone to use' they decide to turn everything on - an what's worse make it non-simple to turn stuff off..

I see in the new service pack for XP they've added a default firewall thingy - ok it's better than nothing but surely it's better to not have the services running then you don't need to protect them from the i'net?!?

Sil
#21  The-Geek (Guest), 06-May-2004, 22:13

Silver,

OK... we have a difference of opinion

I'd go for a firewall over turning services off everytime

You'd go for turning things off over a firewall everytime

Each to their own

One question?

How do you turn off DCOM in Windows 98 to prevent it becoming a host and propagating sasser around the World Wide Web?



Regards
#22  silver, 06-May-2004, 22:54

I didn't say I don't use a firewall, I do, I am saying sure have a firewall but turn stuff off as well!

I'm not sure what you mean, since win98 doesn't have dcom (well not as a service anyway) so I guess you are saying it can be used to launch attacks - but so can any OS if it's running something it shouldn't be - including *nix boxes..

the question is how not to be vulnerable.. and running m$'s services seems to be a potential point of ingress for many worms - so don't run them

Sil
#23  Zer02004 (Guest), 06-May-2004, 23:03

Surely a firewall should be used and these unnecessary services stopped. I just don't see it as an either/or situation.

The problem with the firewall approach as far as shall we say less technical users - The vast majority of computer users I would think, is that they wouldn't know what to block or allow anyway.

I blame the whole situation on the Microsoft/Intel advertising campaign of a few years ago where the home computer was projected as this wonderful device that only had to be switched on and it would carry out your every wish.

I believe that a "driving test" should have to be passed before people are allowed to connect to a public network.
#24  shred (Guest), 06-May-2004, 23:04

Been following the thread with great interest and think both points of views are equally valid.

silver's, because he is looking more at the home/inexperienced user (most of the-scream's visitors/members) and The Geek because he is looking at the business/professional user.

Great thread.

BTW Windows 95/98 ME DCOM off @ http://www.montana.edu/cgi-bin/texis...com&pr=default
#25  silver, 07-May-2004, 13:05

I have forgotten a lot abt win98 since I don't use it - I think this also outlines a way to turn off DCOM on 98 boxes > http://accs-net.com/smallfish/dcom.htm

Just to go on abt this a bit more,..,

many large companies have decent firewalls on the edges of their networks,. but some want to allow people to bring laptops in and out of the office (so they can work from home etc)..

we know everything should be updated with the latest patches,. and in theory every computer on the work network could have a 'personal firewall' but turning off stuff adds another useful layer of security ?

I think probably the only area where The-Geek and I disagree is what services should be turned off,. since we both accept that telnet and IIS shouldn't run unless you need them?

my view is anything which isn't needed should be turned off, this is especially the case for 'listening' services which sit listening on TCP/UDP ports

Sil