More info on the Windows DNS RPC interface vulnerability

Published: 2007-04-13
Last Updated: 2007-04-14 14:30:08 UTC
by Kyle Haugsness (Version: 2)
0 comment(s)
Some more information for the community regarding the Windows DNS RPC vulnerability that we have been reporting on http://isc.sans.org/diary.html?storyid=2627. We have knowledge of a successful attack that occurred on April 4, 2007. This appears to be an opportunistic attack (instead of a targeted attack).

So it's likely that others have been compromised as well. If you have a vulnerable MS DNS server (Wik2K SP4 or Win2003 SP1 or SP2) accessible to the Internet and don't have ports above 1024 blocked, then you may have already been targeted in an attack.

At this point, there seems to be a very small number of known compromises. We are interested if other sites have seen it? Has your IDS been alerting on shellcode for DCOM signatures and the port is above 1024? Have you seen portscans above 1024? Has your DNS.exe service died recently? (Apparently the service does not restart by itself.) If so, then let us know. And as always, if you have any packet captures of this activity please send them in.

Update: If you have a large number of domain controllers and want to automate the disabling of RPC, check out this blog entry: http://msinfluentials.com/blogs/jesper/archive/2007/04/13/turn-off-rpc-management-of-dns-on-all-dcs.aspx

Update 2:  We have two confirmed sources that were attacked on April 4th and 5th. Both were universities in the US. The initial report was from the Information Security Office at Carnegie Mellon University. Nice catch guys! The attacking source IP was the same in both cases: 61.63.227.125

Here is the attack details from the Carnegie Mellon folks. First, a TCP port scan to ports 1024-2048. Then a TCP connection to the right TCP port running the vulnerable RPC service. Shellcode binds to TCP port 1100. Attacker uploads a VBscript on this port and then runs it. VBscript downloads an executable DUP.EXE (MD5: a5ae220fec052a1f2cd22b4eb89a442e) from 203.66.151.92/images/. Executable is self-extracting and contains PWDUMP v5 and an associated DLL.

Update 3: There is now a publicly available exploit for this
vulnerability in Metasploit 3
Keywords:
0 comment(s)

Comments


Diary Archives