[4047] in WWW Security List Archive


Status on NT4 bug, and how I found it.....

daemon@ATHENA.MIT.EDU (Jason T. Luttgens)
Thu Jan 23 10:40:55 1997

From: "Jason T. Luttgens" <luttgenj@kic.or.jp>
To: "firewalls@greatcircle.com" <firewalls@GreatCircle.COM>,
        "'BUGTRAQ@NETSPACE.ORG'" <BUGTRAQ@NETSPACE.ORG>,
        "'www-security@ns2.rutgers.edu'" <www-security@ns2.rutgers.edu>
Cc: "firewalls@greatcircle.com" <firewalls@GreatCircle.COM>,
        "'BUGTRAQ@NETSPACE.ORG'" <BUGTRAQ@NETSPACE.ORG>,
        "'www-security@ns2.rutgers.edu'" <www-security@ns2.rutgers.edu>
Date: Thu, 23 Jan 1997 22:53:44 +0900
Errors-To: owner-www-security@ns2.rutgers.edu

I submitted a bug report to MS hours ago and am waiting to hear back from them.
I have no MS contacts, so I can't expedite the process. CERT has been notified by me.
The temporary fix, as you all may or may not have seen, is to block port 135, either on the
router or in NT itself. As soon as I hear from Microsoft or CERT, I will post a more detailed
message.

I am not an NT guru; I was just starting a security eval last week on NT. I ran a port scanner
and wrote down all open ports. I then proceeded to telnet to each of them and ... experiment.
I did not notice any problem immediately after telnetting into port 135, typing the characters,
and disconnecting. I only noticed after the phone was ringing off the hook because our class B
network's DHCP server (the only NT box we have) was no longer leasing IP addresses.
Another individual in my shop proceeded to find out what was up, and upon running the perf
monitor, found the CPU pegged at 100%. Well, we saw the process rpcss.exe taking up all the
processor time, and we didn't know what it was. We tried to kill it, but couldn't. We let it sit for
an hour, thinking maybe it would clear out. Nope. Rebooting was all we could do to fix it. (I did not
know about the debug function that you can use to kill it, and someone also reports that the
unix port of kill for NT will kill it.) Now, we have no other NT machines, and nobody I know
does. That's what led me to posting it on Bugtraq and WWWsecurity....

I have gotten LOADS of responses about this. I want to thank everyone for their input
and views. Even though I really don't like NT, I still don't want the security of sites on the
Net to be jeopardized. You never know what might happen......


Jason

