lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4305D1F0.9080107@gmail.com>
Date: Fri Aug 19 13:34:54 2005
From: jftucker at gmail.com (James Tucker)
Subject: It's not that simple... [Was: Re: Disney Down?]



fd@...nsci.us wrote:
> On Wed, 17 Aug 2005, Ron DuFresne wrote:
> 
>>Perhaps it does realte considering the above and considering that the unix
>>world learned many of the evils of RCP services over ten years ago that
>>seem to hit the M$ realm every few months, repeatedly...
>>
> 
> 
> We used to call them rsploits when it was common in unix.  Friends and I
> had a good chuckle when MS started repeating history, having rsploits of
> its own.  I would love to deny all port 445 with layer-3 switches but this
> would be like blocking portmap and expecting NFS to still mount.

Have you considered utilising the IPSec filters, this is a common 
suggestion from the beast themselves.

> What have we learned from the past that we can apply to our MS networks,
> since they have become a (un)necessary evil?  How neutered does an MS
> workstation become if the RPC port is completely blocked from the outside?  
> Perhaps "mostly harmless" ? 

Well it looses most of it's active directory integration if that's what 
you mean. Users can still log in though, and in fact can still access 
remote shares. Admins have trouble with remote administration however, 
but often a well configured Kerberos telnet session can be more useful 
that MMC plugins anyway. Just ensure the service is _properly_ configured.

> What would it take to write an RPC filter to only accept RPCs which we
> actually care about?  In addition, why is PnP even an RPC accessible from
> the outside (no, upnp is not a good reason)!?  Most importantly, we need
> to eliminate the entire RPC attack vector in the future for Microsoft
> systems -- this is not the first MS rsploit and we will certainly see
> more.

Er, you're gunna be trawling ALOT of RPC. You can do most anything 
through that port, it's very functional indeed. As above, I'd start with 
IPSec. Er, this is the system through which we provide most application 
and desktop management, to get to pnp is not a strange thing to have 
access to at all, moreover it get's used quite alot in big installations 
where driver deployment by audit is important.

> Your thoughts?

The RPC functionality provided has been the biggest flaw in secuirty for 
MS in recent years.
The RPC functionality provided has been the biggest contributor to 
reducing TCO in the enterprise where it's functionality is properly 
utilised.

> 
> -Eric
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ