Vulnerability Note VU#483492
Microsoft Windows RPCSS Service contains heap overflow in DCOM activation routines
There is a remote buffer overflow in many versions of Microsoft Windows that allows attackers to execute arbitrary code with system privileges.
The Microsoft RPCSS Service is responsible for managing Remote Procedure Call (RPC) messages and is enabled by default on many versions of Microsoft Windows. Researchers at eEye Digital Security have discovered a heap-based buffer overflow in this service that allows remote attackers to execute arbitrary code on affected hosts. According to eEye, the vulnerability is triggered with a two-packet sequence consisting of a DCERPC bind packet followed by a crafted DCERPC DCOM object activation request. For more detailed information, please read the eEye advisory entitled "Microsoft RPC Heap Corruption Vulnerability - Part II".
This buffer overflow is one of two reported in Microsoft Security Bulletin MS03-039 and is different than those discussed in previous advisories.
This vulnerability allows remote attackers to execute arbitrary code with Local System privileges.
Apply a patch from Microsoft
Please note that this bulletin supersedes both MS03-026 and MS01-048.
Block traffic to and from common Microsoft RPC ports
Port 137 (udp)
Port 138 (udp)
Port 139 (tcp)
Port 445 (tcp/udp)
Port 593 (tcp)
To prevent compromised hosts from contacting other vulnerable hosts, the CERT/CC recommends that system administrators filter the ports listed above for both incoming and outgoing traffic.
Disable COM Internet Services and RPC over HTTP
COM Internet Services (CIS) is an optional component that allows RPC messages to be tunneled over HTTP ports 80 and 443. As an interim measure, sites that use CIS may wish to disable it as an alternative to blocking traffic to and from ports 80 and 443.
Disable DCOM as described in MS03-039 and Microsoft Knowledge Base Article 825750.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Microsoft Corporation||Affected||10 Sep 2003||12 Sep 2003|
CVSS Metrics (Learn More)
This vulnerability was discovered by Barnaby Jack of eEye Digital Security.
This document was written by Jeffrey P. Lanza.
- CVE IDs: CAN-2003-0715
- CERT Advisory: CA-2003-23
- Date Public: 10 Sep 2003
- Date First Published: 10 Sep 2003
- Date Last Updated: 11 Dec 2003
- Severity Metric: 94.50
- Document Revision: 47
If you have feedback, comments, or additional information about this vulnerability, please send us email.