Sounds then like it should be more specific. It would seem to make sense not to expose services such as DNS, which run as SYSTEM and have full rights, to RPC traffic on variably assigned ports higher than 1024. Maybe that makes more sense.

We're awfully lucky that stateful firewalls evolved and became generally available before worms became prolific.

Based on what SANS says, they recommend option #1 of the recommendations that says "Disable remote management over RPC for the DNS server via a registry key setting." at https://isc.sans.org/diary.html?storyid=2627. It would also seem that if one is not running Windows DNS, then you are not at risk from this particular threat. Note that this bug has the potential of becoming another Code Red/Nimda/SQL Slammer if it is worm-ified and pushed out before the eventual Windows Update is widely implemented. Seems that spammers are more interested in owning boxes rather than wreaking widespread havoc with worms these days though.

Matt


Sanford Whiteman wrote:
It is also odd and possibly grossly incompetent of Microsoft to
choose to use ports 1024+ for such purposes, but I'm thinking that
they have some weakly justifiable reason to do this as a "feature".

RPC endpoints always choose dynamic ports in the customary ephemeral
range, not the reserved range. This is by definition and common sense.

RPC is not a Microsoft invention. It was pioneered by Xerox & Sun and
was implemented using the same basic model across many OSs.

--Sandy


------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
  http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
  http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
  http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.




