Bugtraq mailing list archives

Antidote to RFPoison--followup to RFP9906


From: rfp () WIRETRIP NET (.rain.forest.puppy.)
Date: Fri, 5 Nov 1999 17:16:41 -0600


-------------------------------------------------- rfp.labs -----------

                         Antidote for RFPoison
                         (Followup to RFP9906)

------------------------------ rain forest puppy / rfp () wiretrip net ---

Table of contents:
        - 1. Problem
        - 2. Solutions
        - 3. Conclusion

-----------------------------------------------------------------------
 Archives of all advisories available at http://www.wiretrip.net/rfp/
-----------------------------------------------------------------------

----[ 1. Problem

        Recently I released RFP9906: NT denial of service in services.exe
(RFPoison).  I included a limited sample exploit that would demonstrate
the problem.  Since then, I've worked with a few individuals and confirmed
some configurations that will protect your system.

----[ 2. Solutions

        Solutions vary in grade...from quick fix to ultimate security.

- #1 Enable 'RestrictAnonymous'

        Suggested by David LeBlanc, you can enable 'RestrictAnonymous'
support in Lsa.  To do this, go to (in the registry):

        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

If you don't have it, you need to create a DWORD value named
'RestrictAnonymous' and set it to '1'.  This will restrict anonymous
(null-session) SMB connections, which RFPoison relies on.  This still
leaves your box usable by normal means.

- #2 Unbind NetBIOS from TCP/IP

        Suggested by Scott G. Danahy, you can unbind NetBIOS from TCP/IP,
which means that you can no longer use routed File Sharing (everything
must be local, using NetBEUI).  To do this, go to:

        - Start
        - Settings
        - Control Panel
        - Open the Network applet
        - Click the 'Bindings' tab
        - Expand 'NetBIOS Interface'
        - Highlight 'WINS Client (TCP/IP)'
        - Click 'Disable'
        - Click 'OK'
        - Do you want to restart?  Sure, why not.

Now NetBIOS will not be available over TCP/IP.  Note that this will break
remote file sharing and remote administration of that system if you reach
it over TCP/IP.

- #3 Stop the Server service

        Suggested by Glitch.  Best solution for the ultimately paranoid.
Stopping the Server service *will* prevent remote administration and file
sharing, but will also prevent RFPoison, along with a whole barrage of
other abuses in general.  If you have a standalone web server that uses
HTTP and FTP, with local console administration, you can stop these
services.  To do this, go to:

        - Start
        - Settings
        - Control Panel
        - Open the Services applet
        - Select 'Server' service
        - Click 'Stop' (Note: it may warn you that it needs to
                also stop the Computer Browser service.  Click 'OK')
        - While 'Server' is still highlighted, click 'Startup'
        - Change to 'Manual' startup type.
        - Click 'OK'
        - Highlight the 'Computer Browser' service
        - Click 'Startup'
        - Change to 'Manual' startup type.
        - Click 'OK'
        
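The following audit script is an added example, not part of rfp's advisory, that reads back the three settings above on a Windows host with PowerShell; it assumes the 'Server' and 'Computer Browser' applet entries correspond to the LanmanServer and Browser services, and that NetBIOS over TCP/IP is reported by the TcpipNetbiosOptions adapter property. It only reports, it changes nothing.

```powershell
# Added audit script (not from the original advisory).  Read-only.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# #1 RestrictAnonymous: 1 (or higher) restricts anonymous (null-session) SMB
$ra = (Get-ItemProperty -Path $lsa -Name RestrictAnonymous -ErrorAction SilentlyContinue).RestrictAnonymous
if ($null -eq $ra) { $ra = 0 }   # an absent value means the default, 0
[pscustomobject]@{
    Check  = 'RestrictAnonymous'
    Value  = $ra
    Status = if ($ra -ge 1) { 'mitigated' } else { 'NOT set' }
}

# #2 NetBIOS over TCP/IP per adapter: TcpipNetbiosOptions 2 = disabled
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        [pscustomobject]@{
            Check  = "NetBIOS over TCP/IP ($($_.Description))"
            Value  = $_.TcpipNetbiosOptions
            Status = if ($_.TcpipNetbiosOptions -eq 2) { 'mitigated' } else { 'enabled' }
        }
    }

# #3 Server (LanmanServer) and Computer Browser services: stopped and not automatic
foreach ($name in 'LanmanServer', 'Browser') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { continue }   # Browser service is absent on newer Windows
    [pscustomobject]@{
        Check  = "Service $name"
        Value  = "$($svc.Status) / $($svc.StartType)"
        Status = if ($svc.Status -eq 'Stopped' -and $svc.StartType -ne 'Automatic') { 'mitigated' } else { 'running' }
    }
}
```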

----[ 3. Conclusion

        Doing any of the above should protect you from RFPoison.  In the
event that you are not vulnerable, and your system has *not* undergone any
of the above fixes, please email me with full system information and patch
history, so that I may add you to the list of solutions.

- rfp () wiretrip net

--- rain forest puppy / rfp () wiretrip net ----------- ADM / wiretrip ---

           The battle may be lost, but the war is not over....

-------------------------------------------------- rfp.labs -----------
