Microsoft Buffer Overrun in RPC

Published: 2003-07-16
Last Updated: 2003-07-17 16:06:41 UTC
by Handlers (Version: 1)

On July 17th, CERT and Microsoft released a Security Bulletin regarding a
newly discovered buffer overrun in Microsoft Windows products.
Vulnerable Systems


-Microsoft Windows NT 4.0
-Microsoft Windows NT 4.0 Terminal Services Edition
-Microsoft Windows 2000
-Microsoft Windows XP
-Microsoft Windows Server 2003


A buffer overrun was discovered in Microsoft's RPC implementation. RPC
(Remote Procedure Call) is one of the protocols used by Windows systems; it
is used to execute code on a remote system. Microsoft's RPC
implementation added specific extensions to the original Open Source RPC

According to Microsoft, "The vulnerability is present in the part of RPC that
deals with message exchange over TCP/IP. The failure results because of
incorrect handling of malformed messages. This particular vulnerability
affects a Distributed Component Object Model (DCOM) interface with RPC, which
listens on TCP/IP port 135. This interface handles DCOM object activation
requests that are sent by client machines (such as Universal Naming
Convention (UNC) paths) to the server."


This vulnerability can be exploited by sending a specially formed request to
the remote computer on port 135.

A remote attacker could exploit this vulnerability to execute arbitrary code
with Local System privileges or to cause a denial of service.


If the machine is connected to the Internet, block access to port 135.
This will prevent access to this port and any attempt to exploit this
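
As an added example (not part of the original diary), this Python sketch checks whether the port 135 block described above is holding, by reading Windows Firewall style log records. The log column layout, the RFC 1918 internal ranges and every sample line are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: these RFC 1918 ranges are the "internal" side; adjust per site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample (documentation addresses), columns trimmed for brevity.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2003-07-17 10:01:02 DROP TCP 203.0.113.7 192.168.1.10 4021 135 48 S
2003-07-17 10:01:05 DROP TCP 203.0.113.7 192.168.1.10 4022 135 48 S
2003-07-17 10:02:11 ALLOW TCP 198.51.100.23 192.168.1.10 1190 135 48 S
2003-07-17 10:03:40 ALLOW TCP 192.168.1.20 192.168.1.10 1045 135 48 S
2003-07-17 10:04:00 DROP UDP 203.0.113.9 192.168.1.10 1030 135 78 -
2003-07-17 10:05:12 ALLOW TCP 198.51.100.23 192.168.1.10 1191 80 48 S
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def audit_port_135(log_text, port=135):
    """Count external sources whose TCP connections to `port` were allowed or dropped."""
    fields, allowed, dropped = [], Counter(), Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column names drive the parsing
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        try:
            if rec["protocol"] != "TCP" or int(rec["dst-port"]) != port:
                continue                    # other protocol or other port
            if is_internal(rec["src-ip"]):
                continue                    # internal RPC traffic is expected
        except (KeyError, ValueError):
            continue                        # malformed or truncated record
        if rec.get("action") == "ALLOW":
            allowed[rec["src-ip"]] += 1     # the block is NOT effective
        elif rec.get("action") == "DROP":
            dropped[rec["src-ip"]] += 1     # blocked attempt from outside
    return allowed, dropped

if __name__ == "__main__":
    allowed, dropped = audit_port_135(SAMPLE_LOG)
    print("allowed from outside:", dict(allowed), "dropped:", dict(dropped))
```

Any entry in the first result means an external host reached TCP port 135 and the filter needs correcting; the second result shows attempts the filter stopped.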

It is also highly recommended to apply the patch released by Microsoft,
according to Microsoft Bulletin MS03-026.
Microsoft Patches


* Windows NT 4.0 Server

* Windows NT 4.0 Terminal Server Edition

* Windows 2000

* Windows XP 32 bit Edition

* Windows XP 64 bit Edition

* Windows Server 2003 32 bit Edition

* Windows Server 2003 64 bit Edition


CERT® Advisory CA-2003-16 Buffer Overflow in Microsoft RPC

Microsoft Security Bulletin MS03-026


Pedro Bueno - SANS Incident Handler