Re: Bad news on RPC DCOM vulnerability

[Terence Runge <terencerunge@sbcglobal.net>]

Looks like it is not limited to XP, as was suspected all along. My 
sensors have detected events from an exploited Win2K box. The detect was 
from the vigilantminds sig.


alert TCP any any -> any 135 (msg:"RPC Vulnerability - bind
initiation";sid:1; rev:1; content:"|05 00 0B 03 10 00 00 00 48 00 00 00
7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 a0 01 00 00
00 00 00 00 C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11
9F E8 08 00 2B10 48 60 02 00 00 00|";
flow:to_server,established;classtype:attempted-admin;)

From the logs, the attack looks sequential starting at the current subnet.

Oct 11 17:55:35 snt01 snort: [1:1210110301:1] RPC Vulnerability - bind 
initiation [Classification: Attempted Administrator Privilege Gain]
[Priority: 1]: {TCP} x.x.x.x:3367 -> x.x.x.x1:135
Oct 11 17:55:35 snt01 snort: [1:1210110301:1] RPC Vulnerability - bind
initiation [Classification: Attempted Administrator Privilege Gain]
[Priority: 1]: {TCP} x.x.x.x:3368 -> x.x.x.x2:135
Oct 11 17:55:35 snt01 snort: [1:1210110301:1] RPC Vulnerability - bind
initiation [Classification: Attempted Administrator Privilege Gain]
[Priority: 1]: {TCP} x.x.x.x:3369 -> x.x.x.x3:135
Oct 11 17:55:35 snt01 snort: [1:1210110301:1] RPC Vulnerability - bind
initiation [Classification: Attempted Administrator Privilege Gain]
[Priority: 1]: {TCP} x.x.x.x:3370 -> x.x.x.x4:135
Oct 11 17:55:36 snt01 snort: [1:1210110301:1] RPC Vulnerability - bind
initiation [Classification: Attempted Administrator Privilege Gain]
[Priority: 1]: {TCP} x.x.x.x:3371 -> x.x.x.x5:135
Oct 11 17:55:36 snt01 snort: [1:1210110301:1] RPC Vulnerability - bind
initiation [Classification: Attempted Administrator Privilege Gain]
[Priority: 1]: {TCP} x.x.x.x:3373 -> x.x.x.x6:135

Taking a closer look at this host reveals a version other than XP, which lends some credibility to the thought that hosts other than XP are exploitable.

nmap -sS -O -A x.x.x.x

Starting nmap 3.45 ( http://www.insecure.org/nmap ) at 2003-10-11 16:16
Pacific Daylight Time
Interesting ports on SleepySmurf (x.x.x.x):
(The 1644 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE           VERSION
135/tcp   open  msrpc             Microsoft Windows msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds      Microsoft Windows 2000 microsoft-ds
707/tcp   open  unknown
1025/tcp  open  msrpc             Microsoft Windows msrpc
1027/tcp  open  msrpc             Microsoft Windows msrpc
3372/tcp  open  msdtc?
3389/tcp  open  microsoft-rdp     Microsoft Terminal Service (Windows 2000
Server)
1 service unrecognized despite returning data. If you know the
service/version, please submit the following fingerprints at
org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port3372-TCP:V=3.45%D=10/11%Time=3F888F46%r(GetRequest,6,"\xa0L\n\0x\x0
SF:1")%r(HTTPOptions,6,"\xa0L\n\0x\x01")%r(RTSPRequest,6,"\xa0L\n\0x\x01")
SF:%r(Help,6,"\xa0L\n\0x\x01")%r(SSLSessionReq,6,"\xa0L\n\0x\x01")%r(LPDSt
SF:ring,6,"\xa0L\n\0x\x01");
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows Millennium Edition (Me), Windows 2000
Professional or Advanced Server, or Windows XP

Nmap run completed -- 1 IP address (1 host up) scanned in 99.906 seconds


> I have also seen a significant rise in smb login failures with the 
> snort signature:
>
> alert tcp any 445 -> any any (sid:10000216; msg:"SMB Login Failure";
> flow:from_server,established; content:"|FF|SMB|73 6d 00 00 c0|"; offset:4
> ; depth:9;)
>
> The login failures are from systems running XP and would logically 
> fire in the face of this exploit. Running nmap with -A gives us a good 
> look at the service on port 445, even though the OS details are 
> identified as Microsoft Windows Millennium Edition (Me), Windows 2000 
> Professional or Advanced Server, or Windows XP
>
>
> nmap -sS -O -A x.x.x.x
>
> Starting nmap 3.45 ( http://www.insecure.org/nmap ) at 2003-10-11 14:54
> Pacific Daylight Time
> Interesting ports on DEMENTIA (x.x.x.x):
> (The 1652 ports scanned but not shown below are in state: closed)
> PORT STATE SERVICE VERSION
> 135/tcp open msrpc Microsoft Windows msrpc
> 139/tcp open netbios-ssn
> 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
> 707/tcp open unknown
> 1030/tcp open iad1?
> 1 service unrecognized despite returning data. If you know the
> service/version, please submit the following fingerprint at http
> g/cgi-bin/servicefp-submit.cgi :
> SF-Port1030-TCP:V=3.45%D=10/11%Time=3F887C52%r(SMBProgNeg,18,"\x05\0\r\x03
> SF:\x10\0\0\0\x18\0\0\0\0\x08\x01@\x04\0\x01\x05\0\xfa\x9f\x06");
> Device type: general purpose
> Running: Microsoft Windows 95/98/ME|NT/2K/XP
> OS details: Microsoft Windows Millennium Edition (Me), Windows 2000
> Professional or Advanced Server, or Windows XP
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 87.703 seconds
>
> So, in the face of this exploit, and without a vendor provided patch, 
> would it be safe to say that any system returning the nmap scan value
>
> 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
>
> is potentially vulnerable?
>
> > -----Original Message-----
> > From: VigilantMinds Security Operations Center
> > [mailto:soc.rpc@vigilantminds.com]
> > Sent: Friday, October 10, 2003 11:08 PM
> > To: bugtraq@securityfocus.com
> > Subject: RE: Bad news on RPC DCOM vulnerability
> >
> >
> > Security Community,
> >
> > The following information references a serious security threat to you or
> > your organization if the proper measures have not been taken to prevent
> > its destructive intent.
> >
> > Description of Issue
> > --------------------
> > VigilantMinds has successfully validated the claims regarding the latest
> > Microsoft Remote Procedure Call (RPC) vulnerability. Specifically,
> > VigilantMinds has validated that hosts running fully patched versions of
> > the following Microsoft operating systems REMAIN subject to denial of
> > service attacks and possible remote exploitation:
> >
> > * Microsoft Windows XP Professional
> > * Microsoft Windows XP Home
> > * Microsoft Windows 2000 Workstation
> >
> > Although it has not been verified at this time, other versions of
> > Microsoft Windows are also suspected to be subject to this
> > vulnerability.
> >
> > As with the prior RPC vulnerability (MS03-039), these attacks can occur
> > on TCP ports 135, 139, 445 and 593; and UDP ports 135, 137, 138 and 445.
> >
> >
> > Remediation Actions
> > -------------------
> > VigilantMinds has notified CERT/CC and informed the vendor of this
> > issue. As of this posting, no vendor patch is yet available.
> >
> > As a temporary solution, VigilantMinds suggests that firewall rules be
> > placed on all affected ports for any exposed systems. All external
> > connectivity (including VPN) should be firewalled actively for
> > unnecessary incoming RPC activity.
> >
> > A Snort signature that will detect traffic patterns associated with this
> > attack is below. Note that current Snort signatures may also identify
> > this attack.
> >
> >
> > Further References
> > ------------------
> >
> > A Snort signature for this and other versions of the Microsoft RPC
> > vulnerability:
> >
> > alert TCP any any -> any 135 (msg:"RPC Vulnerability - bind
> > initiation";sid:1; rev:1; content:"|05 00 0B 03 10 00 00 00 48 00 00 00
> > 7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 a0 01 00 00
> > 00 00 00 00 C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11
> > 9F E8 08 00 2B10 48 60 02 00 00 00|";
> > flow:to_server,established;classtype:attempted-admin;)
> >
> >
> >
> > ********************************************
> > Security Operations Center
> > VigilantMinds Inc.
> >
> > email: soc.rpc@vigilantminds.com
> > Office 412-661-5700
> > Fax 412-661-5684
> > ********************************************
> >
> > This e-mail and any files transmitted with it may contain confidential
> > and/or proprietary information. Any use, distribution, copying or
> > disclosure by another person is strictly prohibited. It is intended
> > solely for the use of the individual or entity who is the intended
> > recipient. Unauthorized use of this information is prohibited.
> >
> > ********************************************
> >
> >
> > -----Original Message-----
> > From: 3APA3A [mailto:3APA3A@SECURITY.NNOV.RU]
> > Posted At: Friday, October 10, 2003 10:49 AM
> > Posted To: Full Disclosure
> > Conversation: [Full-Disclosure] Bad news on RPC DCOM vulnerability
> > Subject: [Full-Disclosure] Bad news on RPC DCOM vulnerability
> >
> >
> > Dear bugtraq@securityfocus.com,
> >
> > There are few bad news on RPC DCOM vulnerability:
> >
> > 1. Universal exploit for MS03-039 exists in-the-wild, PINK FLOYD is
> > again actual. 2. It was reported by exploit author (and confirmed),
> > Windows XP SP1 with all security fixes installed still vulnerable to
> > variant of the same bug. Windows 2000/2003 was not tested. For a while
> > only DoS exploit exists, but code execution is probably possible.
> > Technical details are sent to Microsoft, waiting for confirmation.
> >
> > Dear ISPs. Please instruct you customers to use personal fireWALL in
> > Windows XP.