Message-ID: <20030903165456.OKKQ4763.pop015.verizon.net@localhost>
From: rjemckay at verizon.net (rjemckay@...izon.net)
Subject: Scanning the PCs for RPC Vulnerability
Mr. Rafi
We experienced the same problem, i.e., win9x, 98SE machines showing up as vulnerable - we later determined that they may indeed be vulnerable contrary to what MS might have said.
By way of background, some, but not all, Win 98 systems report "Vulnerable" on the scan. This means that they have TCP Port 135 open and active, and data exchange with the port has a characteristic signature. A gentleman at my organization found the following:
It's been determined that characteristically the "Vulnerable" Win 98 systems are running the task RPCSS.EXE. This can be determined by running System Information (Start/Programs/Accessories/System Tools), and looking under "Software Environment" under "Running Tasks." Win 98 systems are vulnerable if and only if RPCSS.EXE is a running task.
However, in the absence of a patch, we have to prevent RPCSS.EXE from launching (to keep Port 135 from being opened).
The "other" way that RPCSS.EXE is being launched is by the program WIN32SL.EXE. This is the "Service Layer" of the DMI interface. This is a common layer maintained by a standards organization, the Distributed Management Task Force (http://www.dmtf.org/). DMI is meant to provide a common remote management interface for any manufacturer that wants it.
If you prevent WIN32SL.EXE from running, RPCSS.EXE does not run, and the scan reports "Port Closed."
I have discovered two different manufacturers that use DMI, each in a different way. Each requires different treatment.
The first case is DELL, which installs "OpenManage." In this system, a registry entry launches WIN32SL.EXE. Frustrate that, and you're home free.
What we did was change the Registry variable:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WIN32SL"="c:\\dmi\\win32\\bin\\win32sl.exe -i -p -r"
Change "2" to "3", resulting in:
"WIN32SL"="c:\\dmi\\win32\\bin\\win33sl.exe -i -p -r"
Of course, there is no such file as WIN33SL.EXE, so nothing happens.
The second case is Quantex, which installs Intel's LanDesk Client Manager. Since this actually does useful things, the user didn't want to uninstall it. It also doesn't start up WIN32SL in the same way. (There's yet another level of indirection.) We did turn it off, but it wasn't pretty, and I don't want to recommend it here.
Finally.
The following table lists the version information for DCOM95 and DCOM98:
Installed Version   DCOM Version or Build Number              Release Type
-----------------   ---------------------------------------   ------------
4,71,0,3328         DCOM95 1.3 and DCOM98 1.3, build 3328.1   Released to the Web
4,71,0,2900         Build 2900.7                              Released to Windows 98 Second Edition, Microsoft Internet Explorer 5.0, Microsoft Office 2000
4,71,0,2618         DCOM95 1.2                                Released to the Web
4,71,0,2612         DCOM98                                    Shipped with Microsoft Visual Studio 6.0
4,71,0,1719         Build 1719                                Released to Windows 98 Gold, fix for build 1718.
4,71,0,1718         DCOM95 1.1                                Released to the Web in October, 1997; released to Internet Explorer 4.01.
4,71,0,1120         Build 1120
4,71,0,426          DCOM95 1.0                                Released to the Web in January 1997
http://support.microsoft.com/default.aspx?scid=kb;en-us;825750
hope this helps
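
Added example, not part of the original message: a small audit over exported .reg text that reports which RunServices entries still launch WIN32SL.EXE. It matches on the executable in the command line rather than on the value name, because the rename described above leaves the value name "WIN32SL" in place. The sample export, the "ExampleAgent" entry and all function names are constructed for illustration.

```python
import ntpath
import re

# Constructed sample export: the WIN32SL line is the one quoted in the message,
# "ExampleAgent" is a made-up entry.
SAMPLE_BEFORE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WIN32SL"="c:\\dmi\\win32\\bin\\win32sl.exe -i -p -r"
"ExampleAgent"="c:\\example\\agent.exe"
'''
# The same export after the rename described in the message.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("win32sl.exe", "win33sl.exe")

AUTOSTART_SUFFIX = r"\microsoft\windows\currentversion\runservices"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    # .reg string values escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def executable_of(command):
    # Base name of the first token of a command line, honouring a quoted path.
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        path = command.split(None, 1)[0] if command else ""
    return ntpath.basename(path).lower()

def audit_autostart(reg_text, target="win32sl.exe"):
    # Return one record per RunServices string value, flagged if it launches target.
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key is None or not m or not key.lower().endswith(AUTOSTART_SUFFIX):
            continue
        name, command = unescape(m.group(1)), unescape(m.group(2))
        findings.append({"key": key, "name": name, "command": command,
                         "launches_target": executable_of(command) == target})
    return findings

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        for f in audit_autostart(text):
            print(label, f["name"], f["command"], f["launches_target"])
```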