Vulnerability Note VU#254236

Microsoft Windows RPCSS Service contains heap overflow in DCOM request filename handling

Overview

There is a remote buffer overflow in many versions of Microsoft Windows that allows attackers to execute arbitrary code with system privileges.

I. Description

The Microsoft RPCSS Service is responsible for managing Remote Procedure Call (RPC) messages and is enabled by default on many versions of Microsoft Windows. Researchers at NSFOCUS Security have discovered a heap-based buffer overflow in this service that allows attackers to execute arbitrary code on affected hosts. According to NSFOCUS, this vulnerability is triggered when an affected host recieves a DCOM request with a filename parameter in excess of "several hundred bytes". For further details, please read NSFOCUS Security Advisory (SA2003-06).

This buffer overflow is one of two reported in Microsoft Security Bulletin MS03-039 and is different than those discussed in previous advisories.

Important Notice Regarding Scanning Tools

There is an important side effect to applying the patch provided by MS03-039. Specifically, application of this patch will cause many scanning tools to incorrectly report that a system patched by MS03-039 is missing the patch provided in MS03-026.

Microsoft has provided a new scanning tool that correctly detects hosts that require either the MS03-026 or MS03-039 patch. To obtain this tool, please read Microsoft Knowledge Base Article 827363.

It is important that all users discontinue the use of scanning tools intended for MS03-026 and obtain an updated tool that detects both MS03-026 and MS03-039. This also applies to sites that use a third-party scanning tool.

II. Impact

This vulnerability allows remote attackers to execute arbitrary code with Local System privileges.

III. Solution

Apply a patch from Microsoft

Microsoft has published Microsoft Security Bulletin MS03-039 to address this vulnerability. For more information, please see

http://www.microsoft.com/technet/security/bulletin/MS03-039.asp

Please note that this bulletin supersedes both MS03-026 and MS01-048.

Block traffic to and from common Microsoft RPC ports

As an interim measure, users can reduce the chance of successful exploitation by blocking traffic to and from well-known Microsoft RPC ports, including

To prevent compromised hosts from contacting other vulnerable hosts, the CERT/CC recommends that system administrators filter the ports listed above for both incoming and outgoing traffic.

Disable COM Internet Services and RPC over HTTP

COM Internet Services (CIS) is an optional component that allows RPC messages to be tunneled over HTTP ports 80 and 443. As an interim measure, sites that use CIS may wish to disable it as an alternative to blocking traffic to and from ports 80 and 443.

Disable DCOM

Disable DCOM as described in MS03-039 and Microsoft Knowledge Base Article 825750.

Systems Affected

Vendor	Status	Date Updated
Microsoft Corporation	Vulnerable	12-Sep-2003

References

http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
http://support.microsoft.com/?kbid=825750
http://support.microsoft.com/?kbid=827363
http://www.nsfocus.com/english/homepage/research/0306.htm
http://www.cert.org/advisories/CA-2003-19.html
http://www.kb.cert.org/vuls/id/483492
http://www.kb.cert.org/vuls/id/326746
http://cgi.nessus.org/plugins/dump.php3?id=11835
http://www.iss.net/support/product_utilities/Xfrpcss.php
http://www.ntbugtraq.com/dcomrpc.asp
http://securecomputing.stanford.edu/alerts/win-rpc-10sept2003.html
http://www.coresecurity.com/common/showdoc.php?idx=393&idxseccion=10

Credit

This vulnerability was discovered by Yuan Renguang of the NSFOCUS Security Team.

This document was written by Jeffrey P. Lanza.

Other Information

Date Public	09/10/2003
Date First Published	09/10/2003 05:20:20 PM
Date Last Updated	12/11/2003
CERT Advisory	CA-2003-23
CVE Name	CAN-2003-0528
Metric	94.50
Document Revision	38

If you have feedback, comments, or additional information about this vulnerability, please send us email.