More info on the Windows DNS RPC interface vulnerability
Some more information for the community regarding the Windows DNS RPC vulnerability that we have been reporting on http://isc.sans.org/diary.html?storyid=2627. We have knowledge of a successful attack that occurred on April 4, 2007. This appears to be an opportunistic attack (instead of a targeted attack).
So it's likely that others have been compromised as well. If you have a vulnerable MS DNS server (Wik2K SP4 or Win2003 SP1 or SP2) accessible to the Internet and don't have ports above 1024 blocked, then you may have already been targeted in an attack.
At this point, there seems to be a very small number of known compromises. We are interested if other sites have seen it? Has your IDS been alerting on shellcode for DCOM signatures and the port is above 1024? Have you seen portscans above 1024? Has your DNS.exe service died recently? (Apparently the service does not restart by itself.) If so, then let us know. And as always, if you have any packet captures of this activity please send them in.
Update: If you have a large number of domain controllers and want to automate the disabling of RPC, check out this blog entry: http://msinfluentials.com/blogs/jesper/archive/2007/04/13/turn-off-rpc-management-of-dns-on-all-dcs.aspx
Update 2: We have two confirmed sources that were attacked on April 4th and 5th. Both were universities in the US. The initial report was from the Information Security Office at Carnegie Mellon University. Nice catch guys! The attacking source IP was the same in both cases: 61.63.227.125
Here is the attack details from the Carnegie Mellon folks. First, a TCP port scan to ports 1024-2048. Then a TCP connection to the right TCP port running the vulnerable RPC service. Shellcode binds to TCP port 1100. Attacker uploads a VBscript on this port and then runs it. VBscript downloads an executable DUP.EXE (MD5: a5ae220fec052a1f2cd22b4eb89a442e) from 203.66.151.92/images/. Executable is self-extracting and contains PWDUMP v5 and an associated DLL.
Update 3: There is now a publicly available exploit for this
vulnerability in Metasploit 3
So it's likely that others have been compromised as well. If you have a vulnerable MS DNS server (Wik2K SP4 or Win2003 SP1 or SP2) accessible to the Internet and don't have ports above 1024 blocked, then you may have already been targeted in an attack.
At this point, there seems to be a very small number of known compromises. We are interested if other sites have seen it? Has your IDS been alerting on shellcode for DCOM signatures and the port is above 1024? Have you seen portscans above 1024? Has your DNS.exe service died recently? (Apparently the service does not restart by itself.) If so, then let us know. And as always, if you have any packet captures of this activity please send them in.
Update: If you have a large number of domain controllers and want to automate the disabling of RPC, check out this blog entry: http://msinfluentials.com/blogs/jesper/archive/2007/04/13/turn-off-rpc-management-of-dns-on-all-dcs.aspx
Update 2: We have two confirmed sources that were attacked on April 4th and 5th. Both were universities in the US. The initial report was from the Information Security Office at Carnegie Mellon University. Nice catch guys! The attacking source IP was the same in both cases: 61.63.227.125
Here is the attack details from the Carnegie Mellon folks. First, a TCP port scan to ports 1024-2048. Then a TCP connection to the right TCP port running the vulnerable RPC service. Shellcode binds to TCP port 1100. Attacker uploads a VBscript on this port and then runs it. VBscript downloads an executable DUP.EXE (MD5: a5ae220fec052a1f2cd22b4eb89a442e) from 203.66.151.92/images/. Executable is self-extracting and contains PWDUMP v5 and an associated DLL.
Update 3: There is now a publicly available exploit for this
vulnerability in Metasploit 3
Keywords:
0 comment(s)
* Microsoft Vulnerability in RPC on Windows DNS Server
As a follow up to our diary earlier this week about a potential new DNS Vulnerability, Microsoft has released an advisory in regard to the vulnerability. Microsoft has investigated and it appears a vulnerability exists that could allow an attacker to run code under the Domain Name System Server service. This service by default runs as the local SYSTEM id.
Microsoft has a few suggested actions that can mitigate the risk with the caveat that some tools may break.
---
Scott Fendley
ISC Handler
Microsoft has a few suggested actions that can mitigate the risk with the caveat that some tools may break.
- Disable remote management over RPC for the DNS server via a registry key setting.
- Block unsolicited inbound traffic on ports 1024-5000 using IPsec or other firewall.
- Enable the advanced TCP/IP Filtering options on the appropriate interfaces of the server.
---
Scott Fendley
ISC Handler
Keywords:
0 comment(s)
×
Diary Archives
Comments