Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-22 Thread Ron DuFresne
On Fri, 19 Aug 2005, Nick FitzGerald wrote:

> [EMAIL PROTECTED] to Ron DuFresne:
>
> > > Perhaps it does relate considering the above and considering that the unix
> > > world learned many of the evils of RPC services over ten years ago that
> > > seem to hit the M$ realm every few months, repeatedly...
> >
> > We used to call them rsploits when it was common in unix.  Friends and I
> > had a good chuckle when MS started repeating history, having rsploits of
> > its own.  I would love to deny all port 445 with layer-3 switches but this
> > would be like blocking portmap and expecting NFS to still mount.
> >
> > What have we learned from the past that we can apply to our MS networks,
> > since they have become a (un)necessary evil?  How neutered does an MS
> > workstation become if the RPC port is completely blocked from the outside?
> > Perhaps "mostly harmless" ?
> >
> > What would it take to write an RPC filter to only accept RPCs which we
> > actually care about?  In addition, why is PnP even an RPC accessible from
> > the outside (no, upnp is not a good reason)!?  Most importantly, we need
> > to eliminate the entire RPC attack vector in the future for Microsoft
> > systems -- this is not the first MS rsploit and we will certainly see
> > more.
>
> Why don't folk -- well, sys-admins anyway -- actually take the time to
> bother to learn what their systems do and how they work???
>


Ahh, but this is not an admin issue, it's the vendor's issue.  Was similar
for some time with SunOS, when trying to disable RPC for production systems
one used to have to twist around sideways while trying to bend over
backwards.  Not the same these days now that Sun has learned the lesson
that M$ is re-propagating with their "we'll do it our way, screw learning
via others' lessons or sticking to standards".  Redmond has been bitten by
these issues in the past few years a number of times and will be bitten
again till they finally learn what took other vendors a while to get the
point on as well.


[REST SNIPPED]


Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-19 Thread Barrie Dempster
On Thu, 2005-08-18 at 14:01 -0700, [EMAIL PROTECTED] wrote:
> What would it take to write an RPC filter to only accept RPCs which we
> actually care about? 

Not a lot, considering this already exists, MS's own product ISA does
this.

-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

blog: http://reboot-robot.net
site: http://www.bsrf.org.uk
ca:   https://www.cacert.org/index.php?id=3

"He who hingeth aboot, geteth hee-haw" Victor - Still Game



Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-19 Thread James Tucker



[EMAIL PROTECTED] wrote:

> On Wed, 17 Aug 2005, Ron DuFresne wrote:
>
> > Perhaps it does relate considering the above and considering that the unix
> > world learned many of the evils of RPC services over ten years ago that
> > seem to hit the M$ realm every few months, repeatedly...
>
> We used to call them rsploits when it was common in unix.  Friends and I
> had a good chuckle when MS started repeating history, having rsploits of
> its own.  I would love to deny all port 445 with layer-3 switches but this
> would be like blocking portmap and expecting NFS to still mount.

Have you considered utilising the IPSec filters? This is a common
suggestion from the beast themselves.

> What have we learned from the past that we can apply to our MS networks,
> since they have become a (un)necessary evil?  How neutered does an MS
> workstation become if the RPC port is completely blocked from the outside?
> Perhaps "mostly harmless" ?

Well it loses most of its Active Directory integration if that's what
you mean. Users can still log in though, and in fact can still access
remote shares. Admins have trouble with remote administration however,
but often a well configured Kerberos telnet session can be more useful
than MMC plugins anyway. Just ensure the service is _properly_ configured.

> What would it take to write an RPC filter to only accept RPCs which we
> actually care about?  In addition, why is PnP even an RPC accessible from
> the outside (no, upnp is not a good reason)!?  Most importantly, we need
> to eliminate the entire RPC attack vector in the future for Microsoft
> systems -- this is not the first MS rsploit and we will certainly see
> more.

Er, you're gonna be trawling a LOT of RPC. You can do most anything
through that port, it's very functional indeed. As above, I'd start with
IPSec. Er, this is the system through which we provide most application
and desktop management, to get to pnp is not a strange thing to have
access to at all, moreover it gets used quite a lot in big installations
where driver deployment by audit is important.

> Your thoughts?

The RPC functionality provided has been the biggest flaw in security for
MS in recent years.
The RPC functionality provided has been the biggest contributor to
reducing TCO in the enterprise where its functionality is properly
utilised.

> -Eric





Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-18 Thread Nick FitzGerald
[EMAIL PROTECTED] to Ron DuFresne:

> > Perhaps it does relate considering the above and considering that the unix
> > world learned many of the evils of RPC services over ten years ago that
> > seem to hit the M$ realm every few months, repeatedly...
> 
> We used to call them rsploits when it was common in unix.  Friends and I
> had a good chuckle when MS started repeating history, having rsploits of
> its own.  I would love to deny all port 445 with layer-3 switches but this
> would be like blocking portmap and expecting NFS to still mount.
> 
> What have we learned from the past that we can apply to our MS networks,
> since they have become a (un)necessary evil?  How neutered does an MS
> workstation become if the RPC port is completely blocked from the outside?  
> Perhaps "mostly harmless" ? 
> 
> What would it take to write an RPC filter to only accept RPCs which we
> actually care about?  In addition, why is PnP even an RPC accessible from
> the outside (no, upnp is not a good reason)!?  Most importantly, we need
> to eliminate the entire RPC attack vector in the future for Microsoft
> systems -- this is not the first MS rsploit and we will certainly see
> more.

Why don't folk -- well, sys-admins anyway -- actually take the time to 
bother to learn what their systems do and how they work???

OK, MS does not make this astoundingly easy in many cases, but there 
are some very good (amongst some very, very poor) "hardening guides" 
out there written by folk who do know what they are talking about AND 
that explain why you should use, or at least might consider, each 
option, and why some options are only suitable in certain scenarios.

Of course, when it comes to OSes like XP Home, the security stance has 
always been "everything that has worked before must keep working" so, 
rather than learning from their long history of mistakes and fixing 
things, MS compounded those mistakes by rolling them all together in a 
nice shiny new box with an even bigger marketing budget...

SP2 shows that, in fact, after too many, too embarrassing, too big to 
hide from the media virus and worm outbreaks due largely to the fact 
that it had been taking this entirely irresponsible approach to 
security (especially for those of its customers who needed the most 
help with such things), even the 800lb Gorilla known as Microsoft _can_ 
change.  We won't debate how much and whether it's enough, though I 
doubt few here would disagree that "there's a fair way to go yet" 
pretty much covers it...

Instead of taking an everything-on, working-out-of-the-box approach, 
even MS may be working its way to the "only enable it if it's needed 
for basic functionality" approach.

Of course, when MS gets to that position, there will then be hell to 
pay when the installation scripts for most third-party apps, drivers, 
etc start undoing all MS' good work and do the "set everything on 
because we know our cr*ppy product works if it is set that way".


Regards,

Nick FitzGerald



Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-18 Thread fd
On Wed, 17 Aug 2005, Ron DuFresne wrote:
> 
> Perhaps it does relate considering the above and considering that the unix
> world learned many of the evils of RPC services over ten years ago that
> seem to hit the M$ realm every few months, repeatedly...
> 

We used to call them rsploits when it was common in unix.  Friends and I
had a good chuckle when MS started repeating history, having rsploits of
its own.  I would love to deny all port 445 with layer-3 switches but this
would be like blocking portmap and expecting NFS to still mount.

What have we learned from the past that we can apply to our MS networks,
since they have become a (un)necessary evil?  How neutered does an MS
workstation become if the RPC port is completely blocked from the outside?  
Perhaps "mostly harmless" ? 

What would it take to write an RPC filter to only accept RPCs which we
actually care about?  In addition, why is PnP even an RPC accessible from
the outside (no, upnp is not a good reason)!?  Most importantly, we need
to eliminate the entire RPC attack vector in the future for Microsoft
systems -- this is not the first MS rsploit and we will certainly see
more.

Your thoughts?

-Eric





Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-17 Thread Ron DuFresne
On Wed, 17 Aug 2005, Micheal Espinola Jr wrote:

> >From my perspective, developing a patch and applying a patch are two
> different life cycles.  I'm no developer, but I know what it takes to
> properly test and roll-out patches within my (current and previous)
> organization(s).
>
> I don't pretend to believe that all patches are the same, but this PnP
> patch is one of the less difficult to deal with in terms of a
> roll-out.  I truly believe this recent worm could have been avoided if
> MS05-039 was taken more seriously.

Isn't this like the second or third time M$ has been bitten by pnp within
the past say two to three years?  So, is this an example of the M$
tendency to not fully patch the affected system/service, but to only
address a "current" potential which has been a thing that's bitten them in
the past many many times as well?


>
> I cannot say as to why MS hasn't addressed any other outstanding
> issues.  While it's a valid concern of mine as well, it really doesn't
> relate to the discussion regarding the MS05-039 fiasco.
>


Perhaps it does relate considering the above and considering that the unix
world learned many of the evils of RPC services over ten years ago that
seem to hit the M$ realm every few months, repeatedly...


Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-17 Thread Ron DuFresne

[SNIP]

>
> Greg Smith, the county's assessor, recorder and clerk, said "As long
> as we're up (today), we'll be fine"  Greg Smith is a thinking much too
> lightly of the situation.  Their systems just got hit with an exploit
> that allows for remote code execution and elevation of privilege.  If
> I was him, I would be very concerned about data theft, and performing
> network wide audits.
>
> "Yesterday's crash marked the third time in recent weeks that
> significant computer problems have affected county government."  Well,
> enough said about Greg Smith or whoever manages SDC's systems...
>
> Lets take a look at the ISS advisory that makes a respectful analysis
> of the phrase "code execution and elevation of privilege":
>
> "Successful exploitation of this vulnerability could be leveraged to
> gain complete control over target systems, and might lead to malware
> installation, exposure of confidential information, or further network
> compromise. Due to the widespread use of the affected operating
> systems and the critical nature of component affected, it is likely
> that servers and desktops used for a wide variety of purposes are
> vulnerable to this issue."
>
> The initial exploited fault aside, I see no excuse for this.
>
>


Of course you are correct, there is NO excuse for this in any setting,
yet, considering the past ten years of GAO audits and advisories on the
federal side of gvt systems, what makes one think that state and local
county govs would have any better standing?  Part of the problems is that
govs wish to pay nothing and get everything in return, and are extremely
poor in fetting out raises and tend to pull back immensely on the benefit
packages, if one can really label them such.  So, they tend to get "what
they pay for", which in the case of the gov site I work under, is a bunch
of certified idiots that lack the skills to do what they have been tasked
to do.  Their vested interest lies in a "proper public presentation",
meaning they don't hire folks that lack a suit and tie, and thus have
missed out in recruiting into their realm persons with the skills to
actually make a difference, if not for the following:  Not to mention
that no one wishes to take responsibility, for that might also task them
to accountability.  I can tell you for a fact that since our unskilled
sec folks where I work won't go "outside the border" to discover vuln
info that they did not get a clue about the recent trojan till far after
the fact that many sites had been hit by it.  In fact their announcement
came out this AM, from their multi-state vuln/sploit notification council...

There is no excuse for doing below minimum and little excuse for scraping
along at minimum, with taxpayers footing the bill, but that's life in gov
settings and more so perhaps in state and county govs that lack the
auditing controls like the GAO.


Thanks,


Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-17 Thread Micheal Espinola Jr
From my perspective, developing a patch and applying a patch are two
different life cycles.  I'm no developer, but I know what it takes to
properly test and roll-out patches within my (current and previous)
organization(s).

I don't pretend to believe that all patches are the same, but this PnP
patch is one of the less difficult to deal with in terms of a
roll-out.  I truly believe this recent worm could have been avoided if
MS05-039 was taken more seriously.

I cannot say as to why MS hasn't addressed any other outstanding
issues.  While it's a valid concern of mine as well, it really doesn't
relate to the discussion regarding the MS05-039 fiasco.


On 8/17/05, Geo. <[EMAIL PROTECTED]> wrote:
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Micheal
> Espinola Jr
> 
> 
> >>Regardless of "a LOT of Windows 2000 out there...", these companies
> weren't bitten the same day the initial exploit was released.  6 days
> is plenty of time to have tested compatibility and to distribute the
> patch.<<
> 
> How can you allow a vendor to take 6 months to a year to release a patch and
> then say 6 days is plenty of time to test and patch?
> 
> You know, I was sure when MS announced there would be 6 patches for august
> that one of them would be one of these
> http://www.eeye.com/html/research/upcoming/index.html but I guess not... 141
> days and counting, and it will get released when MS hears that someone has
> written and released an exploit for it, then of course all of us have 6 days
> to live..
> 
> Geo.
> 
> 


-- 
ME2  


RE: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-17 Thread Geo.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Micheal
Espinola Jr


>>Regardless of "a LOT of Windows 2000 out there...", these companies
weren't bitten the same day the initial exploit was released.  6 days
is plenty of time to have tested compatibility and to distribute the
patch.<<

How can you allow a vendor to take 6 months to a year to release a patch and
then say 6 days is plenty of time to test and patch?

You know, I was sure when MS announced there would be 6 patches for august
that one of them would be one of these
http://www.eeye.com/html/research/upcoming/index.html but I guess not... 141
days and counting, and it will get released when MS hears that someone has
written and released an exploit for it, then of course all of us have 6 days
to live..

Geo.



Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-17 Thread Peter Besenbruch

Fergie (Paul Ferguson) wrote:

> I'll tell you why -- [snip]
>
> So there you have it -- there's still a LOT of Windows 2000 out
> there...
>
> Having said that, you also have to realize that from the time the
> MS05-039 vulnerability was disclosed (and the exploit code was
> released the same day), to the time that very large enterprises had
> to deploy it was very, very short compared to threats of the past.

When reading Seltzer's article, it's easy enough to see the gaping hole
in his logic. He basically argued that XP and 2003 were not going to be
affected (he appears to be changing his mind on this), and that
corporations that used 2000 all used firewalls. Unfortunately, he failed
to see the effect an infected laptop would have, of bringing an infected
machine inside the perimeter.

> -- Micheal Espinola Jr <[EMAIL PROTECTED]> wrote:
>
> > You [Seltzer] also say, "If it had been International Paper or some
> > company like that rather than media outlets I suspect it wouldn't be
> > getting all this attention". While this is likely true, this
> > exemplifies the need to take security matters more seriously.

I question this a little. First, I haven't heard anything about
International Paper, but have heard about SBC, UPS and quite a few
others. I also suspect many more companies were severely impacted, but
won't step forward to admit it. The news agencies, to their credit, DID
admit it and reported it.

> > ...I'm not trying to badger you, but in light of the Disney, CNN, ABC,
> > and The New York Times mishaps (amongst others), I must admit that
> > I'm glad I don't follow your column or style of advice.

No kidding. Nor do I like Seltzer's lack of candor after being caught so
far off base. It's a very human reaction, but one which damages his
credibility and sullies the reputation of eWeek.

--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky


Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-17 Thread Micheal Espinola Jr
This issue affects XP and W2K3 systems as well.  I don't see the
argument of W2K being "on the back burner" as having any relation to
this thread.

Regardless of "a LOT of Windows 2000 out there...", these companies
weren't bitten the same day the initial exploit was released.  6 days
is plenty of time to have tested compatibility and to distribute the
patch.

PnP is not a show stopper when it comes to patch compatibility testing
- especially considering the fact that the exploit allows for remote
code execution and elevation of privilege.  Perhaps certain people
need to learn or take a refresher course of what that exactly implies.

And I'd say it is just that simple when you consider the fact that San
Diego County waited to install the patch *the night after* they got
hit by the worm.  *That's* why organizations like San Diego County,
with ~12,000 Win2k hosts, were bitten so badly.

Greg Smith, the county's assessor, recorder and clerk, said "As long
as we're up (today), we'll be fine."  Greg Smith is thinking much too
lightly of the situation.  Their systems just got hit with an exploit
that allows for remote code execution and elevation of privilege.  If
I was him, I would be very concerned about data theft, and performing
network wide audits.

"Yesterday's crash marked the third time in recent weeks that
significant computer problems have affected county government."  Well,
enough said about Greg Smith or whoever manages SDC's systems...

Let's take a look at the ISS advisory that makes a respectful analysis
of the phrase "code execution and elevation of privilege":

"Successful exploitation of this vulnerability could be leveraged to
gain complete control over target systems, and might lead to malware
installation, exposure of confidential information, or further network
compromise. Due to the widespread use of the affected operating
systems and the critical nature of component affected, it is likely
that servers and desktops used for a wide variety of purposes are
vulnerable to this issue."

The initial exploited fault aside, I see no excuse for this.


On 8/17/05, Fergie (Paul Ferguson) <[EMAIL PROTECTED]> wrote:
> It's not that simple.
> 
> Why such success with a worm targeted at specific
> vulnerabilities in Win2k?
> 
> I'll tell you why -- the answer is spelled out (correctly)
> in an article written by Ina Fried in a June 28th, 2005,
> C|Net News article entitled "Windows 2000 moves to the
> back burner", which discussed Microsoft's end-of-life
> support for the OS platform.
> 
> Here are a couple of key excerpts:
> 
> [snip]
> 
> Microsoft on Tuesday issued what is expected to be its last significant 
> revision of Windows 2000.
> 
> The software maker released what it calls an Update Rollup for the 5-year-old 
> operating system, which is due to shift at the end of this month from 
> receiving mainstream support to extended support. Microsoft does not 
> generally add features to a product under extended support, and the Update 
> Rollup is largely a collection of previously released patches as opposed to a 
> batch of new features.
> 
> In addition to already released fixes, the collection "may contain fixes for 
> non-public low- and moderate-level security issues that did not warrant 
> individual security bulletins," a Microsoft representative said.
> 
> [...and:]
> 
> Although Windows 2000 has been followed by several other Windows versions, 
> the software remains extremely popular in corporations and small businesses. 
> It still accounts for nearly half of all Windows-based business desktops, 
> according to a recent survey by AssetMetrix.
> 
> [snip]
> 
> http://news.com.com/Windows+2000+moves+to+the+back+burner/2100-1016_3-5766696.html
> 
> So there you have it -- there's still a LOT of Windows 2000 out there...
> 
> Having said that, you also have to realize that from the time
> the MS05-039 vulnerability was disclosed (and the exploit code was
> released the same day), to the time that very large enterprises
> had to deploy it was very, very short compared to threats of the
> past.
> 
> That's why organizations like San Diego County, with ~12,00
> Win2k hosts, were bitten so badly.
> 
> http://www.signonsandiego.com/news/metro/20050817--7m17worm1.html
> 
> It's just not that simple...
> 
> - ferg
> 
> 
> -- Micheal Espinola Jr <[EMAIL PROTECTED]> wrote:
> 
> Thanks for correcting my spelling error.
> 
> You mention that this issue "will have little or no presence on
> consumer systems", but you do realize that you are writing for the
> "Enterprise News & Reviews" magazine, eWeek - right?  You also realize
> that MS05-039 affects the current "consumer" version of Microsoft
> Windows (aka Windows XP) - right?
> 
> You also say, "If it had been International Paper or some company like
> that rather than media outlets I suspect it wouldn't be getting all
> this attention".  While this is likely true, this exemplifies the need
> to take security matters more seriously.  MS05-039 wa