Vulnerability Note VU#254236
Microsoft Windows RPCSS Service contains heap overflow in DCOM request filename handling
There is a remote buffer overflow in many versions of Microsoft Windows that allows attackers to execute arbitrary code with system privileges.
The Microsoft RPCSS Service is responsible for managing Remote Procedure Call (RPC) messages and is enabled by default on many versions of Microsoft Windows. Researchers at NSFOCUS Security have discovered a heap-based buffer overflow in this service that allows attackers to execute arbitrary code on affected hosts. According to NSFOCUS, this vulnerability is triggered when an affected host recieves a DCOM request with a filename parameter in excess of "several hundred bytes". For further details, please read NSFOCUS Security Advisory (SA2003-06).
This buffer overflow is one of two reported in Microsoft Security Bulletin MS03-039 and is different than those discussed in previous advisories.
This vulnerability allows remote attackers to execute arbitrary code with Local System privileges.
Apply a patch from Microsoft
Please note that this bulletin supersedes both MS03-026 and MS01-048.
Block traffic to and from common Microsoft RPC ports
Port 137 (udp)
Port 138 (udp)
Port 139 (tcp)
Port 445 (tcp/udp)
Port 593 (tcp)
To prevent compromised hosts from contacting other vulnerable hosts, the CERT/CC recommends that system administrators filter the ports listed above for both incoming and outgoing traffic.
Disable COM Internet Services and RPC over HTTP
COM Internet Services (CIS) is an optional component that allows RPC messages to be tunneled over HTTP ports 80 and 443. As an interim measure, sites that use CIS may wish to disable it as an alternative to blocking traffic to and from ports 80 and 443.
Disable DCOM as described in MS03-039 and Microsoft Knowledge Base Article 825750.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Microsoft Corporation||Affected||10 Sep 2003||12 Sep 2003|
CVSS Metrics (Learn More)
This vulnerability was discovered by Yuan Renguang of the NSFOCUS Security Team.
This document was written by Jeffrey P. Lanza.
- CVE IDs: CAN-2003-0528
- CERT Advisory: CA-2003-23
- Date Public: 10 Sep 2003
- Date First Published: 10 Sep 2003
- Date Last Updated: 11 Dec 2003
- Severity Metric: 94.50
- Document Revision: 38
If you have feedback, comments, or additional information about this vulnerability, please send us email.