Apparently frustrated by the gradual hardening of IIS over the years, hackers turned their attention to more fertile ground: Microsoft Remote Procedure Call (MSRPC) and the many programmatic interfaces it provides. MSRPC is derived from the Open Software Foundation RPC protocol, which has been implemented on other platforms for years. For those of you who are wondering why we include MSRPC under our discussion of proprietary Microsoft protocol attacks, MSRPC implements Microsoft-specific extensions that have historically separated it from other RPC implementations.
Many of these interfaces have been in Windows since its inception, providing plenty of attack surface for buffer-overflow exploits and the like. The MSRPC port mapper is advertised on TCP and UDP 135 by Windows systems, and cannot be disabled without drastically affecting the core functionality of the operating system. MSRPC interfaces are also available via other ports, including TCP/UDP 139, 445 or 593, and can also be configured to listen over a custom HTTP port via IIS or COM Internet Services.
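To check a host's own exposure on the ports listed above, the following added example (not from the book) parses `netstat -ano` output and reports MSRPC-related listeners bound to a non-loopback address. The sample output is constructed, and the function names, port labels and the treatment of only 127.0.0.1 and ::1 as loopback are assumptions of this example.

```python
# Ports the text associates with MSRPC: the port mapper (135) plus the
# other transports it lists (139, 445, 593). Labels are this example's own.
MSRPC_PORTS = {135: "RPC port mapper", 139: "NetBIOS session",
               445: "SMB", 593: "RPC over HTTP"}
LOOPBACK = {"127.0.0.1", "::1"}  # assumption: only these count as local-only

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:593          0.0.0.0:0              LISTENING       1500
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:49731         10.0.0.9:445           ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:135            *:*                                    912
  UDP    0.0.0.0:5353           *:*                                    1288
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)

def exposed_msrpc_listeners(netstat_text):
    """Return sorted (proto, addr, port, pid) tuples for MSRPC-related
    listeners bound to a non-loopback address."""
    findings = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a State column; UDP rows do not.
        if proto == "TCP" and fields[3] != "LISTENING":
            continue  # outbound or established connection, not a listener
        addr, port = split_endpoint(local)
        if port in MSRPC_PORTS and addr not in LOOPBACK:
            findings.add((proto, addr, port, int(fields[-1])))
    return sorted(findings)

if __name__ == "__main__":
    for proto, addr, port, pid in exposed_msrpc_listeners(SAMPLE):
        print(f"{proto} {addr}:{port} ({MSRPC_PORTS[port]}) pid={pid}")
```

Each reported listener is a candidate for a host or perimeter firewall rule, since the text notes the port mapper itself cannot be disabled.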
In July of 2003, The Last Stage of Delirium Research Group published one of the first serious salvos signaling renewed interest in Windows proprietary networking protocols. LSD identified a stack buffer overflow in the RPC interface implementing Distributed Component Object Model services (DCOM). Even Windows Server 2003's buffer overflow protection countermeasures (the /GS flag) failed to protect it from this vulnerability.
Hacking Exposed, Fifth Edition: Network Security Secrets & Solutions
In this excerpt of Hacking Exposed, Fifth Edition: Network Security Secrets & Solutions, authors Stuart McClure, Joel Scambray and George Kurtz introduce MSRPC vulnerabilities.
By Stuart McClure, Joel Scambray, George Kurtz 692 pages; $49.99 McGraw-Hill/Osborne
A number of exploits, viruses and worms were published to take advantage of this vulnerability. One easy-to-use scanner is the Kaht II tool, which can be downloaded from Security Focus. Kaht II can scan a range of IP addresses, remotely exploit each system vulnerable to the RPC vulnerability and send back a shell running as SYSTEM. Talk about fire-and-forget exploitation!
Read the rest of this excerpt for MSRPC countermeasures and more.