Re: [Full-Disclosure] Scanning the PCs for RPC Vulnerability
- To: Nadeem Rafi <nrafi@xxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] Scanning the PCs for RPC Vulnerability
- From: <rjemckay@xxxxxxxxxxx>
- Date: Wed, 3 Sep 2003 12:54:56 -0400
Mr. Rafi
We experienced the same problem, i.e., Win9x and 98SE machines showing up as
vulnerable - we later determined that they may indeed be vulnerable, contrary to
what MS might have said.
By way of background, some, but not all, Win 98 systems report "Vulnerable" on
the scan. This means that they have TCP Port 135 open and active, and data
exchange with the port has a characteristic signature. A gentleman at my
organization found the following:
It's been determined that characteristically the "Vulnerable" Win 98 systems
are running the task RPCSS.EXE. This can be determined by running System
Information (Start/Programs/Accessories/System Tools),
and looking under "Software Environment" under "Running Tasks." Win 98 systems
are vulnerable if and only if RPCSS.EXE is a running task.
However, in the absence of a patch, we have to prevent RPCSS.EXE from launching
(to keep Port 135 from being opened).
The "other" way that RPCSS.EXE is being launched is by the program WIN32SL.EXE.
This is the "Service Layer" of the DMI interface. This is a common layer
maintained by a standards organization, the Distributed Management Task Force
(http://www.dmtf.org/). DMI is meant to provide a common remote management
interface for any manufacturer that wants it.
If you prevent WIN32SL.EXE from running, RPCSS.EXE does not run, and the scan
reports "Port Closed."
I have discovered two different manufacturers that use DMI, each in a different
way. Each requires different treatment.
The first case is DELL, which installs "OpenManage." In this system, a registry
entry launches WIN32SL.EXE. Frustrate that, and you're home free.
What we did was change the Registry variable:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WIN32SL"="c:\\dmi\\win32\\bin\\win32sl.exe -i -p -r"
Change "2" to "3", resulting in:
"WIN32SL"="c:\\dmi\\win32\\bin\\win33sl.exe -i -p -r"
Of course, there is no such file as WIN33SL.EXE, so nothing happens.
The second case is Quantex, which installs Intel's LanDesk Client Manager.
Since this actually does useful things, the user didn't want to uninstall it.
It also doesn't start up WIN32SL in the same way. (There's yet another level of
indirection.) We did turn it off, but it wasn't pretty, and I don't want to
recommend it here.
Finally.
The following table lists the version information for DCOM95 and DCOM98:

Installed Version | DCOM Version or Build Number              | Release Type
------------------|-------------------------------------------|-------------------------------------------------------------------------------
4,71,0,3328       | DCOM95 1.3 and DCOM98 1.3, build 3328.1   | Released to the Web
4,71,0,2900       | Build 2900.7                              | Released to Windows 98 Second Edition, Microsoft Internet Explorer 5.0, Microsoft Office 2000
4,71,0,2618       | DCOM95 1.2                                | Released to the Web
4,71,0,2612       | DCOM98                                    | Shipped with Microsoft Visual Studio 6.0
4,71,0,1719       | Build 1719                                | Released to Windows 98 Gold, fix for build 1718.
4,71,0,1718       | DCOM95 1.1                                | Released to the Web in October, 1997; released to Internet Explorer 4.01.
4,71,0,1120       | Build 1120                                |
4,71,0,426        | DCOM95 1.0                                | Released to the Web in January 1997
http://support.microsoft.com/default.aspx?scid=kb;en-us;825750
hope this helps
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
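The checks the post describes (is RPCSS.EXE a running task, does the RunServices key still launch WIN32SL.EXE, which DCOM build is installed) can be applied offline to data collected from a Win9x machine: a REGEDIT4 export of the RunServices key, the "Running Tasks" list from System Information, and the InstalledVersion string from the KB article. The script below is an added example written for this page, not code from the original email, from the poster's organisation, or from Microsoft. The registry export and task list it parses are constructed sample data; the DCOM version table is the one quoted in the post, and the "vulnerable if and only if RPCSS.EXE is running" rule is reported under that name because it is the post's rule, not an independently verified fact.

```python
"""Offline audit of a Win9x host for the RPCSS/WIN32SL condition described in the post.

Inputs: a REGEDIT4-style export of the RunServices key, the running-task list,
and the DCOM "InstalledVersion" string. All sample data here is constructed.
"""
import re

# Table quoted in the post (KB 825750): InstalledVersion -> release description.
DCOM_VERSIONS = {
    "4,71,0,3328": "DCOM95 1.3 and DCOM98 1.3, build 3328.1 (Released to the Web)",
    "4,71,0,2900": "Build 2900.7 (Windows 98 SE, Internet Explorer 5.0, Office 2000)",
    "4,71,0,2618": "DCOM95 1.2 (Released to the Web)",
    "4,71,0,2612": "DCOM98 (shipped with Visual Studio 6.0)",
    "4,71,0,1719": "Build 1719 (Windows 98 Gold, fix for build 1718)",
    "4,71,0,1718": "DCOM95 1.1 (Released to the Web October 1997; Internet Explorer 4.01)",
    "4,71,0,1120": "Build 1120",
    "4,71,0,426": "DCOM95 1.0 (Released to the Web January 1997)",
}

# Key named in the post; the OpenManage entry lives under this key.
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"

# Constructed sample export, in the doubled-backslash form regedit writes.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WIN32SL"="c:\\dmi\\win32\\bin\\win32sl.exe -i -p -r"
"Unrelated"="c:\\tools\\agent.exe"
'''

# The same export after the post's rename trick (win32sl -> win33sl).
NEUTRALISED_REG = SAMPLE_REG.replace("win32sl.exe", "win33sl.exe")

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo regedit's escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse a REGEDIT4 / 'Windows Registry Editor' export into {key: {name: value}}.

    Only REG_SZ values are handled, which is all this audit needs.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def win32sl_launcher(reg):
    """Return the RunServices command line registered under the name WIN32SL, or None."""
    for name, cmd in reg.get(RUNSERVICES_KEY, {}).items():
        if name.upper() == "WIN32SL":
            return cmd
    return None


def assess(reg_text, running_tasks, installed_version):
    """Apply the post's checks and return a dict of findings."""
    reg = parse_reg_export(reg_text)
    tasks = {t.strip().upper() for t in running_tasks}
    cmd = win32sl_launcher(reg)
    # A value that no longer names win32sl.exe (e.g. the win33sl rename) launches nothing.
    launches = cmd is not None and "WIN32SL.EXE" in cmd.upper()
    return {
        "rpcss_running": "RPCSS.EXE" in tasks,
        "win32sl_running": "WIN32SL.EXE" in tasks,
        "runservices_win32sl": cmd,
        "runservices_launches_win32sl": launches,
        # The post's stated rule, reported as such rather than as verified fact.
        "post_rule_vulnerable": "RPCSS.EXE" in tasks,
        "dcom_release": DCOM_VERSIONS.get(installed_version, "unknown build"),
    }


if __name__ == "__main__":
    for label, reg in (("before", SAMPLE_REG), ("after rename", NEUTRALISED_REG)):
        report = assess(reg, ["KERNEL32.DLL", "EXPLORER.EXE", "WIN32SL.EXE", "RPCSS.EXE"], "4,71,0,2900")
        print(label)
        for k, v in report.items():
            print(f"  {k}: {v}")
```

On a real machine the export comes from `regedit /e` on Win9x and the task list from System Information, as the post describes; the script only interprets what was collected and does not touch the registry itself.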