From: Aron Roberts (aron_at_socrates.berkeley.edu)
Date: Fri Aug 01 2003 - 14:22:56 PDT
Greg Small wrote:
>It has been my understanding that most if not all of the SMB attacks are
>based on the old 135/137/139 ports not on the newer microsoft-ds port 445.
>Perhaps someone can update me on this.
I don't know about SMB attacks historically, but regarding the latest
Windows vulnerability du jour :-(, this one in the DCOM RPC interface,
Microsoft states -- in its current revision to the relevant TechNet document,
below -- that port 445 can also be used to exploit this vulnerability.
In addition, Microsoft explicitly recommends that, if blocking
of network traffic by port via firewalls (or possibly in our case,
at least temporarily via the campus border router) is used as a partial
response to this vulnerability, port 445 should also be blocked:
Microsoft Security Bulletin MS03-026
"Buffer Overrun In RPC Interface Could Allow Code Execution (823980)"
Originally posted: July 16, 2003 Revised: July 21, 2003
<http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp>
>This particular failure affects an underlying DCOM interface, which
>listens on TCP/IP port 135, and can be reached via ports 139 and 445.
>...
>
>Port 135 is used to initiate an RPC connection with a remote computer.
>In addition, there are other RPC interface ports that could be used by
>an attacker to remotely exploit this vulnerability. Blocking the
>following ports at the firewall will help prevent systems behind that
>firewall from being attacked by attempts to exploit this
>vulnerability:
>
>TCP/UDP Port 135
>TCP/UDP Port 139
>TCP/UDP Port 445
I don't know specifically whether any of the exploit code to date
uses port 445, but that may not be highly relevant ...
Aron Roberts
Workstation Software Support Group
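The port-blocking mitigation quoted above, as an added example that is not part of Aron's message or of the Microsoft bulletin: the first function emits iptables rules that drop inbound TCP and UDP to 135, 139 and 445 on a Linux filtering box (interface name eth0 and the FORWARD chain are assumptions; substitute your own), and the second parses netfilter LOG-target lines so you can see which outside sources are hitting those ports once the rules are in place. The log lines are constructed for the example, not captured traffic. As the message says, this is a partial response: it only stops sources on the far side of the filter, so hosts behind it still need the patch.

```python
import re
from collections import Counter

# Ports that MS03-026 names as paths to the vulnerable DCOM RPC interface.
MS03_026_PORTS = (135, 139, 445)


def border_block_rules(ports=MS03_026_PORTS, iface="eth0", chain="FORWARD"):
    """Return iptables commands dropping inbound TCP and UDP to each port.

    iface and chain are assumed values; adjust for the real border filter.
    """
    rules = []
    for port in ports:
        for proto in ("tcp", "udp"):
            rules.append(
                f"iptables -A {chain} -i {iface} -p {proto} "
                f"--dport {port} -j DROP"
            )
    return rules


# Netfilter LOG-target lines carry KEY=VALUE fields (SRC=, DST=, PROTO=, DPT= ...).
_KV = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Parse one netfilter LOG line; return None if it is not a packet log."""
    fields = dict(_KV.findall(line))
    if "DPT" not in fields or "PROTO" not in fields:
        return None
    return {
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields["PROTO"],
        "dport": int(fields["DPT"]),
    }


def rpc_probe_summary(lines, ports=MS03_026_PORTS):
    """Count dropped packets per (source, destination port) for the RPC/SMB ports."""
    hits = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["dport"] in ports:
            hits[(rec["src"], rec["dport"])] += 1
    return hits


# Constructed sample lines in netfilter LOG format (not real captured traffic).
SAMPLE_LOG = [
    "Aug  1 14:22:56 fw kernel: RPC-DROP IN=eth0 OUT= SRC=203.0.113.7 "
    "DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3421 DPT=135 WINDOW=16384",
    "Aug  1 14:22:57 fw kernel: RPC-DROP IN=eth0 OUT= SRC=203.0.113.7 "
    "DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3422 DPT=445 WINDOW=16384",
    "Aug  1 14:22:58 fw kernel: RPC-DROP IN=eth0 OUT= SRC=198.51.100.9 "
    "DST=192.0.2.11 LEN=78 PROTO=UDP SPT=1029 DPT=445 LEN=58",
    "Aug  1 14:22:59 fw kernel: WEB-OK IN=eth0 OUT= SRC=203.0.113.7 "
    "DST=192.0.2.10 LEN=60 PROTO=TCP SPT=3423 DPT=80 WINDOW=16384",
    "Aug  1 14:23:01 fw sshd[1234]: Accepted publickey for aron from 10.0.0.5",
]


if __name__ == "__main__":
    for rule in border_block_rules():
        print(rule)
    for (src, dport), n in sorted(rpc_probe_summary(SAMPLE_LOG).items()):
        print(f"{src} -> dport {dport}: {n} dropped")
```

Run the block to print the six DROP rules and a per-source tally of dropped packets to 135/139/445; the port-80 line and the sshd line are ignored because they either target another port or carry no packet fields.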