Vulnerability Note VU#254236

Microsoft Windows RPCSS Service contains heap overflow in DCOM request filename handling

Original Release date: 10 Sep 2003 | Last revised: 11 Dec 2003

Overview

There is a remote buffer overflow in many versions of Microsoft Windows that allows attackers to execute arbitrary code with system privileges.

Description

The Microsoft RPCSS Service is responsible for managing Remote Procedure Call (RPC) messages and is enabled by default on many versions of Microsoft Windows. Researchers at NSFOCUS Security have discovered a heap-based buffer overflow in this service that allows attackers to execute arbitrary code on affected hosts. According to NSFOCUS, this vulnerability is triggered when an affected host recieves a DCOM request with a filename parameter in excess of "several hundred bytes". For further details, please read NSFOCUS Security Advisory (SA2003-06).

This buffer overflow is one of two reported in Microsoft Security Bulletin MS03-039 and is different than those discussed in previous advisories.

Important Notice Regarding Scanning Tools

There is an important side effect to applying the patch provided by MS03-039. Specifically, application of this patch will cause many scanning tools to incorrectly report that a system patched by MS03-039 is missing the patch provided in MS03-026.

Microsoft has provided a new scanning tool that correctly detects hosts that require either the MS03-026 or MS03-039 patch. To obtain this tool, please read Microsoft Knowledge Base Article 827363.

It is important that all users discontinue the use of scanning tools intended for MS03-026 and obtain an updated tool that detects both MS03-026 and MS03-039. This also applies to sites that use a third-party scanning tool.

Impact

This vulnerability allows remote attackers to execute arbitrary code with Local System privileges.

Solution

Apply a patch from Microsoft

Microsoft has published Microsoft Security Bulletin MS03-039 to address this vulnerability. For more information, please see


Please note that this bulletin supersedes both MS03-026 and MS01-048.

Block traffic to and from common Microsoft RPC ports


As an interim measure, users can reduce the chance of successful exploitation by blocking traffic to and from well-known Microsoft RPC ports, including

    Port 135 (tcp/udp)
    Port 137 (udp)
    Port 138 (udp)
    Port 139 (tcp)
    Port 445 (tcp/udp)
    Port 593 (tcp)

To prevent compromised hosts from contacting other vulnerable hosts, the CERT/CC recommends that system administrators filter the ports listed above for both incoming and outgoing traffic.

Disable COM Internet Services and RPC over HTTP

COM Internet Services (CIS) is an optional component that allows RPC messages to be tunneled over HTTP ports 80 and 443. As an interim measure, sites that use CIS may wish to disable it as an alternative to blocking traffic to and from ports 80 and 443.

Disable DCOM

Disable DCOM as described in MS03-039 and Microsoft Knowledge Base Article 825750.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected10 Sep 200312 Sep 2003
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was discovered by Yuan Renguang of the NSFOCUS Security Team.

This document was written by Jeffrey P. Lanza.

Other Information

  • CVE IDs: CAN-2003-0528
  • CERT Advisory: CA-2003-23
  • Date Public: 10 Sep 2003
  • Date First Published: 10 Sep 2003
  • Date Last Updated: 11 Dec 2003
  • Severity Metric: 94.50
  • Document Revision: 38

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.