US-CERT Vulnerability Notes Database
Vulnerability Note VU#483492

Microsoft Windows RPCSS Service contains heap overflow in DCOM activation routines

Overview

A remotely exploitable heap-based buffer overflow exists in the RPCSS service on many versions of Microsoft Windows. An unauthenticated attacker who can reach the RPC service over the network can execute arbitrary code with Local System privileges.

I. Description

The Microsoft RPCSS Service manages Remote Procedure Call (RPC) messages and DCOM activation requests, and is enabled by default on many versions of Microsoft Windows. Researchers at eEye Digital Security have discovered a heap-based buffer overflow in this service that allows remote attackers to execute arbitrary code on affected hosts. According to eEye, the vulnerability is triggered by a two-packet sequence: a DCERPC bind packet followed by a crafted DCERPC DCOM object activation request. For more detailed information, please read the eEye advisory entitled "Microsoft RPC Heap Corruption Vulnerability - Part II".
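To make the two-packet sequence concrete, the following Python parses DCERPC connection-oriented PDUs and reports a bind (or alter_context) that negotiates a presentation context for a DCOM activation interface, followed by a request on that context. This is an illustration added to this note; it is not code from US-CERT, eEye or Microsoft. It assumes raw DCERPC on TCP port 135 (not the SMB named-pipe transport on ports 139/445), little-endian data representation, and that the activation interface of interest is ISystemActivator (UUID 000001a0-0000-0000-c000-000000000046), which the note itself does not name. Both sample streams are constructed for the example, and the request stub is zero filler, not a reproduction of the crafted activation request.

```python
import struct
import uuid

PTYPE_REQUEST = 0
PTYPE_BIND = 11
PTYPE_ALTER_CONTEXT = 14

# Interface UUIDs. Watching ISystemActivator is an assumption for this example;
# the endpoint mapper UUID is used only to build a benign comparison stream.
ISYSTEMACTIVATOR = uuid.UUID("000001a0-0000-0000-c000-000000000046")
EPMAPPER = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")
NDR_TRANSFER = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

# ver, minor, ptype, pfc_flags, drep, frag_length, auth_length, call_id
HDR = struct.Struct("<BBBB4sHHI")


def parse_pdu(data):
    """Split one DCERPC v5 PDU off the front of data.
    Returns (ptype, pfc_flags, call_id, frag_len, body)."""
    if len(data) < HDR.size:
        raise ValueError("short DCERPC header")
    ver, _minor, ptype, flags, _drep, frag_len, _auth, call_id = HDR.unpack_from(data, 0)
    if ver != 5:
        raise ValueError("not a DCERPC v5 PDU")
    if frag_len < HDR.size or frag_len > len(data):
        raise ValueError("bad frag_length")
    return ptype, flags, call_id, frag_len, data[HDR.size:frag_len]


def bind_contexts(body):
    """Yield (context_id, interface_uuid) for each presentation context in a
    bind or alter_context body: 12 fixed bytes, then 4 + 20 + 20*n per item."""
    if len(body) < 12:
        raise ValueError("short bind body")
    num_ctx = body[8]
    off = 12
    for _ in range(num_ctx):
        if off + 24 > len(body):
            raise ValueError("truncated context list")
        ctx_id, num_trans = struct.unpack_from("<HB", body, off)
        yield ctx_id, uuid.UUID(bytes_le=body[off + 4:off + 20])
        off += 24 + 20 * num_trans


def request_fields(body):
    """Return (context_id, opnum) from a request body (alloc_hint, ctx_id, opnum).
    An object UUID, if PFC_OBJECT_UUID is set, follows these 8 bytes and is not needed here."""
    if len(body) < 8:
        raise ValueError("short request body")
    _alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", body, 0)
    return ctx_id, opnum


def find_activation_requests(stream, watched=(ISYSTEMACTIVATOR,)):
    """Walk the client-to-server bytes of one connection and return
    (bind_call_id, request_call_id, interface, opnum) for every request sent
    on a context that was bound to a watched interface."""
    hits, contexts, bind_call_id, off = [], {}, None, 0
    while off < len(stream):
        ptype, _flags, call_id, frag_len, body = parse_pdu(stream[off:])
        if ptype in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
            if ptype == PTYPE_BIND:
                contexts = {}  # a new bind starts a fresh context table
                bind_call_id = call_id
            contexts.update(bind_contexts(body))
        elif ptype == PTYPE_REQUEST:
            ctx_id, opnum = request_fields(body)
            iface = contexts.get(ctx_id)
            if iface in watched:
                hits.append((bind_call_id, call_id, str(iface), opnum))
        off += frag_len
    return hits


def _pdu(ptype, call_id, body, flags=0x03):
    """Single-fragment PDU (PFC_FIRST_FRAG | PFC_LAST_FRAG), little-endian drep."""
    return HDR.pack(5, 0, ptype, flags, b"\x10\x00\x00\x00", HDR.size + len(body), 0, call_id) + body


def _bind_body(iface):
    ctx = (struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<HH", 0, 0)
           + NDR_TRANSFER.bytes_le + struct.pack("<I", 2))
    return struct.pack("<HHIB3x", 5840, 5840, 0, 1) + ctx


def sample_activation_stream():
    """Constructed sequence of the shape the note describes: bind to ISystemActivator,
    then a request on that context (opnum 4, RemoteCreateInstance). Stub is filler."""
    stub = b"\x00" * 64
    return (_pdu(PTYPE_BIND, 1, _bind_body(ISYSTEMACTIVATOR))
            + _pdu(PTYPE_REQUEST, 2, struct.pack("<IHH", len(stub), 0, 4) + stub))


def sample_benign_stream():
    """Constructed endpoint-mapper lookup, which should not be flagged."""
    stub = b"\x00" * 16
    return (_pdu(PTYPE_BIND, 1, _bind_body(EPMAPPER))
            + _pdu(PTYPE_REQUEST, 2, struct.pack("<IHH", len(stub), 0, 3) + stub))


if __name__ == "__main__":
    for hit in find_activation_requests(sample_activation_stream()):
        print("bind call %d -> request call %d on %s opnum %d" % hit)
    print("benign stream hits:", find_activation_requests(sample_benign_stream()))
```

Legitimate remote DCOM activation produces exactly this bind-then-request shape, so the check identifies traffic worth a closer look (for example on port 135 captures from segments that should never see DCOM activation from outside), not the overflow condition itself, which lives in the content of the request. Multi-fragment requests still carry the header in their first fragment, so they are still recorded, but inspecting the stub would require fragment reassembly that this example does not do.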

This buffer overflow is one of the two buffer overflows reported in Microsoft Security Bulletin MS03-039 and is different from the vulnerabilities discussed in previous advisories, including the RPCSS overflow addressed by MS03-026.

Important Notice Regarding Scanning Tools

Applying the patch provided by MS03-039 has an important side effect: many scanning tools will incorrectly report that a system patched with MS03-039 is missing the patch provided in MS03-026.

Microsoft has provided a new scanning tool that correctly detects hosts that require either the MS03-026 or MS03-039 patch. To obtain this tool, please read Microsoft Knowledge Base Article 827363.

All users should discontinue use of scanning tools intended only for MS03-026 and obtain an updated tool that detects both MS03-026 and MS03-039. This also applies to sites that use a third-party scanning tool; a scanner that has not been updated for MS03-039 will produce false "missing patch" results on fully patched hosts.

II. Impact

This vulnerability allows remote attackers to execute arbitrary code with Local System privileges.

III. Solution

Apply a patch from Microsoft


Microsoft has published Microsoft Security Bulletin MS03-039 to address this vulnerability. For more information, please see the bulletin (listed under References).

Please note that this bulletin supersedes both MS03-026 and MS01-048.

Block traffic to and from common Microsoft RPC ports

As an interim measure, users can reduce the chance of successful exploitation by blocking traffic to and from well-known Microsoft RPC ports, including:

    Port 135 (tcp/udp)
    Port 137 (udp)
    Port 138 (udp)
    Port 139 (tcp)
    Port 445 (tcp/udp)
    Port 593 (tcp)

To prevent compromised hosts from contacting other vulnerable hosts, the CERT/CC recommends that system administrators filter the ports listed above for both incoming and outgoing traffic. Filtering at a network perimeter does not protect hosts from an attacker or compromised host on the same network segment, so it is a supplement to patching, not a replacement for it.

Disable COM Internet Services and RPC over HTTP

COM Internet Services (CIS) is an optional component that allows RPC messages to be tunneled over HTTP ports 80 and 443. As an interim measure, sites that use CIS may wish to disable it as an alternative to blocking traffic to and from ports 80 and 443.

Disable DCOM

Disable DCOM as described in MS03-039 and Microsoft Knowledge Base Article 825750.

Systems Affected

Vendor                  Status       Date Notified   Date Updated
Microsoft Corporation   Vulnerable                   12-Sep-2003

References


http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
http://support.microsoft.com/?kbid=825750
http://support.microsoft.com/?kbid=827363
http://www.eeye.com/html/Research/Advisories/AD20030910.html
http://www.eeye.com/html/Research/Tools/RPCDCOM.html
http://www.cert.org/advisories/CA-2003-19.html
http://www.kb.cert.org/vuls/id/254236
http://www.kb.cert.org/vuls/id/326746
http://cgi.nessus.org/plugins/dump.php3?id=11835
http://www.iss.net/support/product_utilities/Xfrpcss.php
http://www.ntbugtraq.com/dcomrpc.asp
http://securecomputing.stanford.edu/alerts/win-rpc-10sept2003.html
http://www.coresecurity.com/common/showdoc.php?idx=393&idxseccion=10

Credit

This vulnerability was discovered by Barnaby Jack of eEye Digital Security.

This document was written by Jeffrey P. Lanza.

Other Information

Date Public: 2003-09-10
Date First Published: 2003-09-10
Date Last Updated: 2003-12-11
CERT Advisory: CA-2003-23
CVE-ID(s): CAN-2003-0715
NVD-ID(s): CAN-2003-0715
US-CERT Technical Alerts: 
Metric: 94.50
Document Revision: 47

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Copyright 2003 Carnegie Mellon University