-------------------------------------------------- rfp.labs -----------

                          Antidote for RFPoison
                          (Followup to RFP9906)

------------------------------ rain forest puppy / rfp@wiretrip.net ---

Table of contents:
        - 1. Problem
        - 2. Solutions
  - 3. Conclusion

-----------------------------------------------------------------------
 Archives of all advisories available at http://www.wiretrip.net/rfp/
-----------------------------------------------------------------------

----[ 1. Problem

  Recently I released RFP9906: NT denial of service in services.exe
(RFPoison).  I included a limited sample exploit that would demonstrate
the problem.  Since then, I've worked with a few individuals and confirmed
some configurations what will protect your system.

----[ 2. Solutions

  Solutions vary in grade...from quick fix to ultimate security.

- #1 Enable 'RestrictAnonymous'

  Suggested by David LeBlanc, you can enable 'RestrictAnonymous'
support in Lsa.  To do this, go to (in the registry):

  \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Current\Lsa

If you don't have it, you need to create a DWORD key named
'RestrictAnonymous', with a value of '1'.  This will restrict anonymous
SMB connections (which RFPoison uses).  This still leaves your box usuable
by normal means.

- #2 Unbind NetBIOS from TCP/IP

  Suggested by Scott G. Danahy, you can unbind TCP/IP from NetBIOS,
which means that you can no longer use routed File Sharing (everything
must be local, using NetBEUI).  To do this, go to:

  - Start
  - Settings
  - Control Panel
  - Open the Network applet
  - Click the 'Bindings' tab
  - Expand 'NetBIOS Interface'
  - Highlight 'WINS Client (TCP/IP)'
  - Click 'Disable'
  - Click 'OK'
  - Do you want to restart?  Sure, why not.

Now NetBIOS will not be available for use by TCP/IP.  Note that this may
affect your system, if you remotely use TCP/IP to access file sharing and
remote administration of that system.

- #3 Stop the Server service

  Suggested by Glitch.  Best solution for the ultimately paranoid.
Stopping the Server service *will* prevent remote administration and file
sharing, but will also prevent RFPoison, along with a whole barrage of
other abuses in general.  If you have a standalone web server that uses
HTTP and FTP, with local console administration, you can stop these
services.  To do this, go to:

  - Start
  - Settings
  - Control Panel
  - Open the Services applet
  - Select 'Server' service
  - Click 'Stop' (Note: it may warn you that it needs to 
    also stop the Computer Browser service.  Click 'OK')
  - While 'Server' is still highlighted, click 'Startup'
  - Change to 'Manual' startup type.
  - Click 'OK'
  - Highlight the 'Computer Browser' service
  - Click 'Startup'
  - Change to 'Manual' startup type.
  - Click 'OK'
  

----[ 3. Conclusion

  Doing any of the above should protect you from RFPoison.  In the
event that you are not vulnerable, and your system has *not* undergone any
of the above fixes, please email me with full system information and patch
history, so that I may add you to the list of solutions.

- rfp@wiretrip.net

--- rain forest puppy / rfp@wiretrip.net ----------- ADM / wiretrip ---

           The battle may be lost, but the war is not over....

-------------------------------------------------- rfp.labs -----------