> Excuse my ignorance if this has already been covered.
>
> I just read a message from another user on the mailing list in regards to
> attacks on NT servers via port 135. What are the vulnerabilities of Port
> 135, and how can I minimize the threats? Where can I obtain more
> information on this vulnerability?
Summary of recent attacks that have become more widely known.
These attacks have been discussed on NT Security mailing list but the
knowledge about them has not spread widely outside of the security
mailing list circle.
NT CPU Port Attacks
NT DNS Denial Attack
NT Trojan Password DLL
NT CPU Port Attacks
On NT 3.51 and NT 4.0, there are open TCP ports such that, when an
attacker connects to one of them, types in some random characters, and drops
the connection, the CPU on the machine goes to 100% usage.
For example, connect to TCP port 135 (RPC server), type in
"thiswilldoacpuattack" and disconnect. Then check the CPU usage. The
CPU will be at 100% usage and the machine will be noticeably slower. It
is possible to kill and restart the rpcss process to stop the CPU usage.
DNS (TCP port 53 & 65589) is susceptible to this attack as well. In
16 bits, port 65589 is port 53 (65589 = 0x10035; 53 = 0x35).
Solution:
On NT 4.0, there is filter capability to block all TCP ports except
needed critical ones. You may want to enable that.
There is a hotfix available on
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP2/RPC-fix
There is a DNS beta that fixes the random-characters-on-the-port attack.
It is available via ftp from rhino.microsoft.com, log on as DNSBeta with
a password of DNSBeta. In the /service_pack3/x86 directory there is a
file called DNS.EXE dated 1/26/97.
NT DNS Denial Attack
If an attacker spoofs a response that the DNS never requested, DNS will terminate.
There is an advisory on this available at http://www.iss.net/lists/general/0118.html
Solution:
Currently, Microsoft is working on a solution.
NT Trojan Password DLL
On NT 4.0 and 3.51, there are some entries in the registry that point to
a DLL that does not exist, which lets an attacker put their own DLL in
place. There is one DLL that will capture all password changes into a
file, so an attacker can obtain any passwords that get changed for
accounts residing on that machine. Ideally for an attacker, placing the DLL
on a domain controller machine, where most password changes take place, may
produce the greatest amount of password information.
More information is available with source code for the password changer
DLL at: ftp://ftp.iss.net/pub/lists/ntsecurity-digest.archive/v02.n114
or Knowledge Base article http://www.microsoft.com/kb/articles/q151/0/82.htm
Solution:
The defense against this type of Trojan attack is to protect
access to your registry fiercely. A routine part of your security
maintenance checks should be to take a close look at this registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Lsa\Notification Packages
Make sure that it does not contain any strange entries. NT 4.0 ships
with a single entry to this registry key:
FPNWCLN
If there is anything else in this registry entry, find out what it is and whether
or not it's needed. If you are not sure, remove the errant entry immediately.
Netware requires the DLL, so if you have already installed the Netware
DLL, then it should have been installed admin-writable only. If you do
not have the Netware DLL installed, make sure the registry entry is
blank.
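An added example, not from the original post, of the routine check described above on a current Windows host: it reads the Notification Packages value, flags entries outside your approved baseline, and checks that each registered DLL exists and is writable only by administrative principals. It assumes the value is a REG_MULTI_SZ named "Notification Packages" under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (the \Control\ segment is where the key lives on current Windows) and that LSA loads the named DLLs from System32; the default baseline of "scecli" reflects current Windows rather than the NT 4.0 value FPNWCLN given in the post.

```powershell
# Added example (not from the original post): audit the LSA Notification Packages value.
# Assumptions: REG_MULTI_SZ "Notification Packages" under HKLM\SYSTEM\CurrentControlSet\Control\Lsa,
# each entry naming a DLL loaded from %SystemRoot%\System32.
param(
    # Entries you consider legitimate. NT 4.0 shipped with FPNWCLN (per the post);
    # current Windows ships "scecli" by default. Adjust to your own baseline.
    [string[]]$Expected = @('scecli')
)

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'
$findings = @()

foreach ($pkg in $packages) {
    if ([string]::IsNullOrWhiteSpace($pkg)) { continue }

    # Anything outside the approved baseline is the "strange entry" the post warns about.
    if ($Expected -notcontains $pkg) {
        $findings += "Unexpected notification package: '$pkg'"
    }

    # Resolve the DLL LSA would load. A registered-but-missing DLL is the dangerous
    # condition: whoever can later write that file gets code loaded into LSA.
    $name = if ($pkg -like '*.dll') { $pkg } else { "$pkg.dll" }
    $dll  = Join-Path $env:SystemRoot "System32\$name"
    if (-not (Test-Path $dll)) {
        $findings += "Registered DLL does not exist on disk: $dll"
        continue
    }

    # The post's advice: the DLL must be admin-writable only. Flag any Allow ACE that
    # grants Write to a principal other than the usual administrative identities.
    $acl = Get-Acl -Path $dll
    foreach ($ace in $acl.Access) {
        $grantsWrite = ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write) -ne 0
        $isAllow     = $ace.AccessControlType -eq 'Allow'
        $isAdmin     = $ace.IdentityReference.Value -match 'Administrators|SYSTEM|TrustedInstaller'
        if ($grantsWrite -and $isAllow -and -not $isAdmin) {
            $findings += "$dll is writable by non-admin principal $($ace.IdentityReference)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: Notification Packages = $($packages -join ', ')"
} else {
    $findings | ForEach-Object { Write-Output "WARN: $_" }
}
```

Run it from an elevated PowerShell session, since reading the DLL ACLs under System32 and the Lsa key may require administrative rights.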
Acknowledgments
Thanks to the posters of the NT Security Mailing list where almost all
of this information was derived. To subscribe, send email to
majordomo@iss.net and within the body of the message, type: "subscribe
ntsecurity".
--
Christopher William Klaus
Internet Security Systems, Inc.
Ste. 660, 41 Perimeter Center East, Atlanta, GA 30346
Voice: (770)395-0150. Fax: (770)395-1972
Web: http://www.iss.net/ Email: cklaus@iss.net
"Internet Scanner SAFEsuite finds your network security holes before the hackers do."