Removing IPC$ Share (Remote Netbios Attack Vulnerability) and MS08-067

[Virus Guy]

Here's a really technical question.

A change can be made to remove or disable the default IPC$ share as
follows:

---------
Remove IPC$ Share Remote Netbios Attack Vulnerability

1. Open Regedit
2. HKEY_LOCAL_MACHINE -> System -> CurrentControlSet -> Control ->
Lsa -> restrictanonymous
3. Change "Value Data" from 0 to 1
4. This will disable remote logon to a null IPC$ share

 

[FromTheRafters]

Here's a really technical question.

A change can be made to remove or disable the default IPC$ share as
follows:

---------
Remove IPC$ Share Remote Netbios Attack Vulnerability

1. Open Regedit
2. HKEY_LOCAL_MACHINE -> System -> CurrentControlSet -> Control ->
Lsa -> restrictanonymous
3. Change "Value Data" from 0 to 1
4. This will disable remote logon to a null IPC$ share
---------

My question is: On an XP system that had the above setting performed
on
it, would that prevent the system from being vulnerable to the exploit
that is described in MS08-067 ?

I didn't see an exploit described in there. Could you point it out?

 

[Virus Guy]

I didn't see an exploit described in there. Could you point it
out?

Perhaps I used slightly incorrect terminology. MS08-067 describes a
vulnerability which can be leveraged by an appropriately-crafted
exploit. For ease of conversation, such an exploit could simply be
refered to as an "MS08-067 exploit".

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

----------------
The vulnerability could allow remote code execution if an affected
system received a specially crafted RPC request. On Microsoft Windows
2000, Windows XP, and Windows Server 2003 systems, an attacker could
exploit this vulnerability without authentication to run arbitrary code.
It is possible that this vulnerability could be used in the crafting of
a wormable exploit.
----------------

http://www.sophos.com/blogs/gc/g/2008/11/27/confick-worm-exploits-microsoft-ms08-067-vulnerability/

----------------
Nov 27, 2008

Known as as MS08-067, Sophos published information about this serious
vulnerability and warned of the potential for worms to be written which
would exploit the security hole.

Yesterday, we began to receive reports of a new piece of malware
(W32/Confick-A, also known as Conficker) that attempts to spread by
exploiting this vulnerability.

 

[FromTheRafters]

Perhaps I used slightly incorrect terminology. MS08-067 describes a
vulnerability which can be leveraged by an appropriately-crafted
exploit. For ease of conversation, such an exploit could simply be
refered to as an "MS08-067 exploit".

Calling a vulnerability an exploit may ease conversation, but it makes
for misunderstanding of the topic of said conversation.

A description of a vulnerability by itself may not indicate which of
many vectors are available to get the exploit code to the vulnerable
software. A work-around that addresses a certain ingress vector used by
an exploit can thwart that exploit, but does not address the
vulnerability. Other ingress vectors may be possible.

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

----------------
The vulnerability could allow remote code execution if an affected
system received a specially crafted RPC request. On Microsoft Windows
2000, Windows XP, and Windows Server 2003 systems, an attacker could
exploit this vulnerability without authentication to run arbitrary
code.
It is possible that this vulnerability could be used in the crafting
of
a wormable exploit.
----------------

http://www.sophos.com/blogs/gc/g/2008/11/27/confick-worm-exploits-microsoft-ms08-067-vulnerability/

----------------
Nov 27, 2008

Known as as MS08-067, Sophos published information about this serious
vulnerability and warned of the potential for worms to be written
which
would exploit the security hole.

Yesterday, we began to receive reports of a new piece of malware
(W32/Confick-A, also known as Conficker) that attempts to spread by
exploiting this vulnerability.

No, not the vulnerability, but it might remove one ingress vector that
this blended threat uses to infest a system.

 

[Virus Guy]

Calling a vulnerability an exploit may ease conversation, but it
makes for misunderstanding of the topic of said conversation.

I see no conceptual problem with calling an exploit for the MS08-067
vulnerability as an "MS08-067 exploit".

A work-around that addresses a certain ingress vector used by
an exploit can thwart that exploit, but does not address the
vulnerability. Other ingress vectors may be possible.

If the front door to my house is discovered to have a vulnerability, one
proposed solution is to replace it with a better door. Why wouldn't
another solution be to remove the door (and brick it in) if I don't
really use it? Then it doesn't matter if other vulnerabilities are
found in better doors in the future, because I no longer have a door.

No, not the vulnerability, but it might remove one ingress
vector

What you just said is contradictory.

Mitigation means I have prevented the vulnerability from being exposed.

I am asking if disabling the IPC$ share would have mitigated the
MS08-067 vulnerability.

 

[FromTheRafters]

I see no conceptual problem with calling an exploit for the MS08-067
vulnerability as an "MS08-067 exploit".

Neither do I, except that the article doesn't describe an exploit.
Having an exploit implies a vector to get to the vulnerability. Once a
vector is determined, the attack can be thwarted by closing off that
vector. The vulnerability still exists. If you have a particular exploit
for the vulnerability in mind that has anything at all to do with shares
feel free to post a link or copy and paste it here.

If the front door to my house is discovered to have a vulnerability,
one
proposed solution is to replace it with a better door. Why wouldn't
another solution be to remove the door (and brick it in) if I don't
really use it? Then it doesn't matter if other vulnerabilities are
found in better doors in the future, because I no longer have a door.

It seems more analogous to your wall safe having a vulnerability and
your front door is one ingress vector that allows outsider access to the
safe. A safecracker is the exploit and the front door is your way to
block his ingress for *that* front door attack. The walled up front door
does nothing to thwart the side window safecracker (different exploit of
the same vulnerability).

What you just said is contradictory.

No, it isn't.

Mitigation means I have prevented the vulnerability from being
exposed.

Mitigation can mean to lessen the effects as well. If you mean "prevent"
say "prevent".

....and no, it wouldn't "prevent" the vulnerability from being exposed
either.

I am asking if disabling the IPC$ share would have mitigated the
MS08-067 vulnerability.

Maybe you should publish your personal glossary here so that
communication would at least be possible.