Full Disclosure mailing list archives

Re: Scanning the PCs for RPC Vulnerability


From: <rjemckay () verizon net>
Date: Wed, 3 Sep 2003 12:54:56 -0400

Mr. Rafi
We experienced the same problem, i.e., Win9x and 98SE machines showing up as vulnerable - we later determined that they 
may indeed be vulnerable, contrary to what MS might have said. 

By way of background, some, but not all, Win 98 systems report  "Vulnerable" on the scan.  This means that they have 
TCP Port 135 open and active, and data exchange with the port has a characteristic  signature. A gentleman at my 
organization found the following:

It's been determined that characteristically the "Vulnerable" Win 98 systems are running the task RPCSS.EXE.  This can 
be determined by running System Information (Start/Programs/Accessories/System Tools), 
and looking under "Software Environment" under "Running Tasks."  Win 98 systems are vulnerable if and only if RPCSS.EXE 
is a running task.

However, in the absence of a patch, we have to prevent RPCSS.EXE from launching (to keep Port 135 from being opened).
The "other" way that RPCSS.EXE is being launched is by the program WIN32SL.EXE. This is the "Service Layer" of the DMI 
interface. This is a common layer maintained by a standards organization, the Distributed Management Task Force 
(http://www.dmtf.org/). DMI is meant to provide a common remote management interface for any manufacturer that wants it.

If you prevent WIN32SL.EXE from running, RPCSS.EXE does not run, and the scan reports "Port Closed."

I have discovered two different manufacturers that use DMI, each in a different way. Each requires different treatment.
The first case is DELL, which installs "OpenManage." In this system, a registry entry launches WIN32SL.EXE. Frustrate 
that, and you're home free.

What we did was change the Registry variable:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WIN32SL"="c:\\dmi\\win32\\bin\\win32sl.exe -i -p -r"

Change "2" to "3", resulting in:

"WIN32SL"="c:\\dmi\\win32\\bin\\win33sl.exe -i -p -r"

Of course, there is no such file as WIN33SL.EXE, so nothing happens.

The second case is Quantex, which installs Intel's LanDesk Client Manager. Since this actually does useful things, the 
user didn't want to uninstall it. It also doesn't start up WIN32SL in the same way. (There's yet another level of 
indirection.) We did turn it off, but it wasn't pretty, and I don't want to recommend it here. 

Finally.
The following table lists the version information for DCOM95 and DCOM98:

Installed Version   DCOM Version or Build Number                Release Type
-----------------   ----------------------------------------    ------------------------------------------------------------
4,71,0,3328         DCOM95 1.3 and DCOM98 1.3, build 3328.1     Released to the Web
4,71,0,2900         Build 2900.7                                Released to Windows 98 Second Edition, Microsoft Internet
                                                                Explorer 5.0, Microsoft Office 2000
4,71,0,2618         DCOM95 1.2                                  Released to the Web
4,71,0,2612         DCOM98                                      Shipped with Microsoft Visual Studio 6.0
4,71,0,1719         Build 1719                                  Released to Windows 98 Gold, fix for build 1718.
4,71,0,1718         DCOM95 1.1                                  Released to the Web in October, 1997; released to
                                                                Internet Explorer 4.01.
4,71,0,1120         Build 1120
4,71,0,426          DCOM95 1.0                                  Released to the Web in January 1997


http://support.microsoft.com/default.aspx?scid=kb;en-us;825750


hope this helps



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
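The registry change described in the post above is a one-off edit on each machine. An added example (not from the poster, and not a Microsoft or DMTF tool) of how one might audit exported registries across a fleet for the same condition: it parses a REGEDIT4-style .reg export, looks at the RunServices key the post names, and reports whether the WIN32SL autostart entry is absent, still pointing at win32sl.exe, or redirected to a nonexistent target as the post suggests. The sample export, the function names and the three status labels are all constructed for this example.

```python
"""Audit a Windows 9x registry export for the DMI service layer (WIN32SL) autostart.

Added example; the .reg text below is constructed, not captured from a real machine.
"""
import re

# Key named in the post; registry key names are case-insensitive, so compare lower-cased.
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"

# Constructed REGEDIT4 export resembling what `regedit /e` produces on Win98.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WIN32SL"="c:\\dmi\\win32\\bin\\win32sl.exe -i -p -r"
"SchedulingAgent"="mstask.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
'''

# Matches a REG_SZ line: "name"="value", allowing backslash escapes inside either string.
_SZ_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape_reg_string(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path_lowercase: {value_name: string_value}} for REG_SZ values."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("REGEDIT") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _SZ_LINE.match(line)
        if m and current is not None:
            keys[current][unescape_reg_string(m.group(1))] = unescape_reg_string(m.group(2))
    return keys


def win32sl_autostart(keys):
    """Return the WIN32SL RunServices command line, or None if no such entry exists."""
    values = keys.get(RUNSERVICES_KEY.lower(), {})
    for name, cmd in values.items():
        if name.upper() == "WIN32SL":
            return cmd
    return None


def dmi_layer_status(keys):
    """Classify the entry: 'absent', 'enabled' (targets win32sl.exe) or 'redirected'."""
    cmd = win32sl_autostart(keys)
    if cmd is None:
        return "absent"
    exe = cmd.split()[0].lower()
    return "enabled" if exe.endswith("win32sl.exe") else "redirected"


def audit_export(text):
    """Convenience wrapper: parse one export and return its status label."""
    return dmi_layer_status(parse_reg_export(text))


if __name__ == "__main__":
    print("as installed :", audit_export(SAMPLE_REG))
    print("after rename :", audit_export(SAMPLE_REG.replace("win32sl.exe", "win33sl.exe")))
```

A "redirected" result means the post's workaround is in place but the entry itself survives, which is worth knowing if a later OpenManage reinstall or repair rewrites the value; "enabled" machines are the ones to expect to answer on TCP 135 when scanned.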