Windows DCom RPC Exploit

I am surprised by the amount of press this vulnerability, while EXTREMELY bad, has received. One of our company’s NT administrators called me on Saturday regarding this hole after an MSNBC news story (BTW, where was the MS in MSNBC spin control on this one?) sufficiently freaked him out. The day before, our head IT auditor sent the Homeland Security warning about this vulnerability to my team lead, as well as to the CIO and VP of information services. Just for those who have been living under a rock or at Gnomedex, posted on Friday their analysis of the vulnerability, including source code to exploit it.

The exploit (dcom.c) for this DCOM RPC vulnerability has been posted in a number of different places on the web, so it should be safe to say that port 135 will be probed about as often as port 8080 next week. Smart firewall ACLs should block all port 135 traffic, and all enterprises always follow best practices documents. Unfortunately, there are always some administrators working outside the system and best practices, and they sometimes establish unintended back doors into your network. And once an infected device exists behind the firewall, patching is the only recourse, since you can’t exactly have internal ACLs on port 135. The server build document that I helped create specifically required DCOM to be shut down 3 months ago, and had that been implemented retroactively, our exposure to this issue would have been close to 0 without Microsoft lifting a finger.

Perhaps as all the Windows server administrators go through their boxes this next week and patch them, one might hope they would take proactive steps at the same time. Disable unneeded services. Create and apply a baseline security template for your organization. Look for inactive accounts and incorrect file and account permissions. Secure needed services by following best practice documents. Finally, scan for unauthorized or rogue boxes on your network. Constantly being reactive to prevent someone from running Dcom32.exe against your machines will make you a tired and overworked network administrator.
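The two host-level checks the post keeps coming back to (is DCOM actually shut down on this box, and is anything listening on TCP 135 where the firewall can't help you) are easy to audit per server. The script below is an added example written for this page, not code from the original post or from any vendor; it assumes a modern Windows PowerShell (3.0 or later, for Get-NetTCPConnection and the -notin operator) and reads the EnableDCOM value under HKLM:\SOFTWARE\Microsoft\Ole, which is where dcomcnfg records the DCOM on/off setting.

```powershell
# Added example (not from the original post): audit one Windows host for the
# mitigations discussed above -- DCOM disabled, and no RPC endpoint mapper
# listening on a routable address on TCP 135.
# Assumes Windows PowerShell 3.0+ (Get-NetTCPConnection, -notin).

function Get-DcomExposure {
    # dcomcnfg writes EnableDCOM = "N" when DCOM is disabled; a missing key
    # or any other value is treated as "enabled" (the default).
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    $dcomEnabled = ($null -eq $ole) -or ($ole.EnableDCOM -ne 'N')

    # The RPC endpoint mapper binds TCP 135. Loopback-only listeners are not
    # reachable from the network, so only report non-loopback bindings.
    $listeners = Get-NetTCPConnection -LocalPort 135 -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') }

    [PSCustomObject]@{
        ComputerName     = $env:COMPUTERNAME
        DcomEnabled      = $dcomEnabled
        Port135Listening = [bool]$listeners
        ListenAddresses  = ($listeners | ForEach-Object LocalAddress) -join ','
    }
}

# Usage: run as an administrator on each server in the build list and
# collect the objects (Export-Csv works well) for the patch tracking sheet.
$result = Get-DcomExposure
$result | Format-List
if ($result.DcomEnabled -or $result.Port135Listening) {
    Write-Warning "Host still exposes DCOM/RPC: confirm the patch is applied and review the firewall rule for TCP 135."
}
```

Note that on current Windows the RPCSS service keeps TCP 135 open even with DCOM disabled, so the Port135Listening field tells you where the firewall rule still matters rather than whether the registry change took; the two fields together are the point.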

Updated: If you would like to see if you are vulnerable to this exploit, hand over your contact info to eEye Digital Security and download the Retina RPC DCOM Vulnerability Scanner. Click here for more details.

