Microsoft Buffer Overrun in RPC - SANS Internet Storm Center

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Handler on Duty: Didier Stevens

Threat Level: green

Microsoft Buffer Overrun in RPC
In July 17th, CERT and Microsoft released an Security Bulletin regarding a newly discovered buffer overrun in Microsoft Windows Products. Vulnerable Systems ================== -Microsoft Windows NT 4.0 -Microsoft Windows NT 4.0 Terminal Services Edition -Microsoft Windows 2000 -Microsoft Windows XP -Microsoft Windows Server 2003 Summary ================== A buffer overrun was discovered in Microsoft�s RPC Impelemntation. RPC is one of the protocols used by Windows Systems. RPC (Remote Procedure Call) protocol is used to execute code on a remote system. Microsoft RPC implementation added specific extensions to the original Open Source RPC protocol. According Microsoft "The vulnerability is present in the part of RPC that deals with message exchange over TCP/IP.The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. This interface handles DCOM object activation requests that are sent by client machines (such as Universal Naming Convention (UNC) paths) to the server." Impact ================== This vulnerability can be explored by sending specially formed request to the remote computer on port 135. A remote attacker could exploit this vulnerability to execute arbitrary code with Local System privileges or to cause a denial of service Solution ================== If the machine is connected to the Internet, block the access to port 135. This will prevent access to this port and any attempt to explore this vulnerability. Also is highly recommended to apply the patch release by Microsoft, according the Microsoft Bulleting MS03-026. Microsoft Patches ================== * Windows NT 4.0 Server http://microsoft.com/downloads/details.aspx?FamilyId=2CC66F4E-217E-4FA7-BDBF- DF77A0B9303F&;;;;;;displaylang=en * Windows NT 4.0 Terminal Server Edition http://microsoft.com/downloads/details.aspx?FamilyId=6C0F0160-64FA-424C-A3C1- C9FAD2DC65CA&;;;;;;displaylang=en * Windows 2000 http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F- 220354449117&;;;;;;displaylang=en * Windows XP 32 bit Edition http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532- 3DE40F69C074&;;;;;;displaylang=en * Windows XP 64 bit Edition http://microsoft.com/downloads/details.aspx?FamilyId=1B00F5DF-4A85-488F-80E3- C347ADCC4DF1&;;;;;;displaylang=en * Windows Server 2003 32 bit Edition http://microsoft.com/downloads/details.aspx?FamilyId=F8E0FF3A-9F4C-4061-9009- 3A212458E92E&;;;;;;displaylang=en * Windows Server 2003 64 bit Edition http://microsoft.com/downloads/details.aspx?FamilyId=2B566973-C3F0-4EC1-995F- 017E35692BC7&;;;;;;displaylang=en References ================== CERT� Advisory CA-2003-16 Buffer Overflow in Microsoft RPC http://www.cert.org/advisories/CA-2003-16.html Microsoft Security Bulletin MS03-026 http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS0 3-026.asp ------------------------------------------------------------ Pedro Bueno - SANS Incident Handler	Handlers 76 Posts Jul 17th 2003
Thread locked Subscribe	Jul 17th 2003 1 decade ago