Full Disclosure mailing list archives

RE: SMB overflow attacks


From: full-disclosure () lists netsys com (Jason Coombs)
Date: Mon, 26 Aug 2002 13:33:02 -1000

On a related subject, I've been struggling for weeks to turn off port 445
completely. It's not happening. The port is bound by the System process on
both TCP and UDP, and System also binds to and listens on a port above 1024
for some unknown reason.

Turning off port 139 by disabling file and printer sharing and NetBIOS over
TCP/IP (NetBT) (remove Client for Microsoft Networks, turn off Lanman server
and RPC services or bind them to the loopback adapter) gets rid of port 139
bindings or forces the binding to a harmless interface -- and it appears
possible to disable SMB-based services, but so far I've found no way to stop
port 445 binding ... System binds to port 445 on all interfaces (0.0.0.0) no
matter what.

TCP/IP port filtering can be turned on to force TCP SYN ACK RESET in
response to any TCP SYN, which should prevent any packets from reaching the
SMB service that the System process refuses to unbind from port 445.

Does anyone have any information about why System binds to a port above
1024, and what can be done, if anything, to force Windows 2000/XP/.NET
Server to stop binding to port 445 TCP and UDP?

Thanks.

Jason Coombs
jasonc () science org

-----Original Message-----
From: KF [mailto:dotslash () snosoft com]
Sent: Monday, August 26, 2002 10:03 AM
To: vuln-dev () security-focus com; incidents () security-focus com;
full-disclosure () lists netsys com
Subject: SMB overflow attacks


Does anyone have log entries from a confirmed attack based on the recent
SMB overflows?

http://online.securityfocus.com/bid/5556 and
http://online.securityfocus.com/advisories/4416

I have a client with some unusual log entries related to lanman and SMB
headers.... the log issues are similar to the following article:

http://support.microsoft.com/default.aspx?scid=kb;[LN];Q321733

After applying the fix mentioned in the security-focus bid the server
seemed to be happy... this makes me think the reason the server
was aggravated is related to a DoS attack on SMB.

I just need something solid to either trace back to an attacker or a
confirmation that I was even attacked.

-KF
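The audit Jason describes above (which process holds ports 445 and 139, on which interfaces, and what the System process is doing on a port above 1024) can be scripted against `netstat -ano` output. The following is an added example, not code from either poster or from the thread; it assumes the `netstat -ano` column layout of Windows XP and later (Windows 2000's netstat has no PID column), that the System process is PID 4 (XP and later; Windows 2000 used PID 8), and it runs offline against a constructed sample listing so the logic can be checked without a Windows host.

```python
"""Audit Windows 'netstat -ano' output for SMB/NetBIOS bindings.

Added example, not from the thread's authors. Assumptions:
  - 'netstat -ano' column layout of Windows XP and later
    (Proto, Local Address, Foreign Address, State, PID).
  - The System process is PID 4 (XP and later; Windows 2000 used PID 8).
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Tuple

SYSTEM_PID = 4                  # assumption: XP-and-later System process id
SMB_PORTS = {139, 445}          # NetBIOS session service and direct-hosted SMB
LOOPBACK_PREFIXES = ("127.", "[::1]")

# Proto, local addr:port, foreign addr, optional TCP state, PID.
# UDP rows have no State column, so that group is optional.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+([A-Z_]+))?\s+(\d+)\s*$"
)

# Constructed sample of 'netstat -ano' output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:139          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:3389        198.51.100.7:51234     ESTABLISHED     1044
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:137          *:*                                    4
"""


@dataclass(frozen=True)
class Binding:
    proto: str
    addr: str
    port: int
    pid: int

    def is_loopback(self) -> bool:
        return self.addr.startswith(LOOPBACK_PREFIXES)


def parse_netstat(text: str) -> List[Binding]:
    """Return bound sockets: TCP rows in LISTENING state plus every UDP row
    (UDP has no state; a row means the port is bound)."""
    bindings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header, blank or unrecognised row
        proto, addr, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                      # ESTABLISHED/TIME_WAIT rows are not listeners
        bindings.append(Binding(proto, addr, int(port), int(pid)))
    return bindings


def audit(bindings: List[Binding]) -> List[Tuple[Binding, str]]:
    """Flag SMB ports bound on a non-loopback interface, and any port above
    1024 held by the System process (the two situations raised in the thread).
    A binding on the loopback adapter only is treated as harmless."""
    findings = []
    for b in bindings:
        if b.port in SMB_PORTS and not b.is_loopback():
            findings.append((b, "SMB/NetBIOS port bound on a routable interface"))
        elif b.pid == SYSTEM_PID and b.port > 1024:
            findings.append((b, "System process bound to a port above 1024"))
    return findings


def capture_netstat() -> str:
    """Run netstat on the local Windows host (assumes netstat.exe is on PATH)."""
    return subprocess.run(["netstat", "-ano"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # '--live' audits this host; otherwise the constructed sample is used.
    text = capture_netstat() if "--live" in sys.argv else SAMPLE_NETSTAT
    for b, why in audit(parse_netstat(text)):
        print(f"{b.proto:<3} {b.addr}:{b.port:<5} pid={b.pid:<5} {why}")
```

On the sample the script reports TCP and UDP 445 on 0.0.0.0 and the System process on TCP 1025, and stays quiet about port 139 because it is bound to 127.0.0.1 only, which matches the "bind to the loopback adapter" workaround in the message. Running it with `--live` before and after a configuration change gives a quick check of whether a port really went away or merely moved interfaces.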



