From: "VigilantMinds Security Operations Center" Security Community, The following information references a serious security threat to you or your organization if the proper measures have not been taken to prevent its destructive intent. Description of Issue -------------------- VigilantMinds has successfully validated the claims regarding the latest Microsoft Remote Procedure Call (RPC) vulnerability. Specifically, VigilantMinds has validated that hosts running fully patched versions of the following Microsoft operating systems REMAIN subject to denial of service attacks and possible remote exploitation: * Microsoft Windows XP Professional * Microsoft Windows XP Home * Microsoft Windows 2000 Workstation Although it has not been verified at this time, other versions of Microsoft Windows are also suspected to be subject to this vulnerability. As with the prior RPC vulnerability (MS03-039), these attacks can occur on TCP ports 135, 139, 445 and 593; and UDP ports 135, 137, 138 and 445. Remediation Actions ------------------- VigilantMinds has notified CERT/CC and informed the vendor of this issue. As of this posting, no vendor patch is yet available. As a temporary solution, VigilantMinds suggests that firewall rules be placed on all affected ports for any exposed systems. All external connectivity (including VPN) should be firewalled actively for unnecessary incoming RPC activity. A Snort signature that will detect traffic patterns associated with this attack is below. Note that current Snort signatures may also identify this attack. Further References ------------------ A Snort signature for this and other versions of the Microsoft RPC vulnerability: alert TCP any any -> any 135 (msg:"RPC Vulnerability - bind initiation";sid:1; rev:1; content:"|05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 a0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B10 48 60 02 00 00 00|"; flow:to_server,established;classtype:attempted-admin;) ******************************************** Security Operations Center VigilantMinds Inc. email: soc.rpc@vigilantminds.com Office 412-661-5700 Fax 412-661-5684 ******************************************** This e-mail and any files transmitted with it may contain confidential and/or proprietary information. Any use, distribution, copying or disclosure by another person is strictly prohibited. It is intended solely for the use of the individual or entity who is the intended recipient. Unauthorized use of this information is prohibited. ******************************************** -----Original Message----- From: 3APA3A [mailto:3APA3A@SECURITY.NNOV.RU] Posted At: Friday, October 10, 2003 10:49 AM Posted To: Full Disclosure Conversation: [Full-Disclosure] Bad news on RPC DCOM vulnerability Subject: [Full-Disclosure] Bad news on RPC DCOM vulnerability Dear bugtraq@securityfocus.com, There are few bad news on RPC DCOM vulnerability: 1. Universal exploit for MS03-039 exists in-the-wild, PINK FLOYD is again actual. 2. It was reported by exploit author (and confirmed), Windows XP SP1 with all security fixes installed still vulnerable to variant of the same bug. Windows 2000/2003 was not tested. For a while only DoS exploit exists, but code execution is probably possible. Technical details are sent to Microsoft, waiting for confirmation. Dear ISPs. Please instruct you customers to use personal fireWALL in Windows XP. -- http://www.security.nnov.ru /\_/\ { , . } |\ +--oQQo->{ ^ }<-----+ \ | ZARAZA U 3APA3A } +-------------o66o--+ / |/ You know my name - look up my number (The Beatles) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html