Vulnerability Note VU#555920
Microsoft Windows DNS RPC buffer overflow
The Microsoft DNS service Remote Procedure Call (RPC) implementation contains a stack buffer overflow. This vulnerability may allow a remote attacker to execute arbitrary code with SYSTEM privileges.
The Microsoft Windows DNS service uses RPC to facilitate remote management. The Microsoft Windows DNS service RPC management interface contains a stack-based buffer overflow. This vulnerability can be triggered by sending a specially crafted RPC packet to the RPC management interface. The management interface typically operates on a dynamically assigned port between 1024/tcp and 5000/tcp.
This vulnerability can also be exploited via the ports used by SMB services (139/tcp, 139/udp, 445/tcp, and 445/udp). However, this attack vector requires valid authentication credentials.
A remote attacker may be able to execute arbitrary code with SYSTEM privileges.
Apply an update
Additional information regarding how to disable remote administration of the DNS Server service in Windows Server 2003 and in Windows 2000 Server can be found in Microsoft Knowledge Base Article 936263.
Block or restrict access to RPC at the network perimeter
This workaround restricts TCP/IP access to all RPC interfaces, including the vulnerable DNS management RPC interface. It does not prevent exploitation of the vulnerability, but it limits the possible sources of attacks, while still allowing remote management over the RPC interface (MMC DNS snap-in) from selected networks.
Access to the RPC Endpoint Mapper service (135/tcp), the ports assigned by the RPC Endpoint Mapper (by default 1024/tcp to 5000/tcp), and SMB services (139/tcp, 139/udp, 445/tcp, and 445/udp) should be blocked at your network perimeter. This will limit your exposure to attacks. Note that blocking RPC and SMB at the network perimeter will still allow attackers within the perimeter of your network to exploit this vulnerability.
All unsolicited traffic on the ports listed above should be blocked.
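The perimeter workaround above can be expressed as a small policy and checked against firewall logs. The following is an added example, not part of the CERT note or of any Microsoft guidance: it encodes the port set the note names (135/tcp, the default 1024-5000/tcp dynamic range, and 139/445 over tcp and udp), allows those ports only from approved management networks, flags log lines that violate the policy, and renders the same policy as illustrative iptables rules for a Linux perimeter filter. The management network, the log line format and the log lines themselves are constructed assumptions.

```python
"""Policy model for the VU#555920 perimeter workaround (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Ports named in the note. 1024-5000/tcp is the default range the RPC Endpoint
# Mapper assigns to interfaces such as the DNS management interface.
RPC_ENDPOINT_MAPPER_TCP = {135}
RPC_DYNAMIC_TCP = range(1024, 5001)
SMB_PORTS = {139, 445}  # blocked on both tcp and udp


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def classify_port(proto: str, port: int) -> Optional[str]:
    """Return the service class a (proto, port) pair belongs to, or None."""
    if proto == "tcp" and port in RPC_ENDPOINT_MAPPER_TCP:
        return "rpc-epm"
    if proto == "tcp" and port in RPC_DYNAMIC_TCP:
        return "rpc-dynamic"
    if proto in ("tcp", "udp") and port in SMB_PORTS:
        return "smb"
    return None


def evaluate(src_ip: str, proto: str, dport: int, mgmt_nets: Sequence[str]) -> Verdict:
    """Apply the workaround to one unsolicited inbound connection attempt."""
    svc = classify_port(proto.lower(), dport)
    if svc is None:
        return Verdict(True, "port not covered by workaround")
    src = ipaddress.ip_address(src_ip)
    if any(src in ipaddress.ip_network(net) for net in mgmt_nets):
        return Verdict(True, f"{svc} from approved management network")
    return Verdict(False, f"{svc} from unapproved source {src_ip}")


# Assumed key=value log format; adapt the pattern to the real firewall.
LOG_RE = re.compile(r"src=(?P<src>\S+) .*?proto=(?P<proto>\w+) dport=(?P<dport>\d+)")


def find_violations(lines: Sequence[str], mgmt_nets: Sequence[str]) -> List[Tuple[str, int, str]]:
    """Return (src, dport, reason) for each log line the policy would block."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        verdict = evaluate(m["src"], m["proto"], int(m["dport"]), mgmt_nets)
        if not verdict.allowed:
            hits.append((m["src"], int(m["dport"]), verdict.reason))
    return hits


def iptables_rules(mgmt_nets: Sequence[str]) -> List[str]:
    """Render the policy as iptables rules (illustrative Linux perimeter filter)."""
    tcp_ports = "135,139,445,1024:5000"
    udp_ports = "139,445"
    # Replies to connections the server initiated are not "unsolicited".
    rules = ["iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for net in mgmt_nets:
        rules.append(f"iptables -A INPUT -s {net} -p tcp -m multiport --dports {tcp_ports} -j ACCEPT")
        rules.append(f"iptables -A INPUT -s {net} -p udp -m multiport --dports {udp_ports} -j ACCEPT")
    rules.append(f"iptables -A INPUT -p tcp -m multiport --dports {tcp_ports} -j DROP")
    rules.append(f"iptables -A INPUT -p udp -m multiport --dports {udp_ports} -j DROP")
    return rules


# Constructed sample data: one approved management subnet and five log lines.
MGMT_NETS = ["10.0.0.0/24"]
SAMPLE_LOG = [
    "2007-04-13T10:00:01 src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=1041",
    "2007-04-13T10:00:02 src=10.0.0.7 dst=192.0.2.10 proto=tcp dport=135",
    "2007-04-13T10:00:03 src=198.51.100.9 dst=192.0.2.10 proto=udp dport=445",
    "2007-04-13T10:00:04 src=198.51.100.9 dst=192.0.2.10 proto=udp dport=53",
    "2007-04-13T10:00:05 src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=445",
]

if __name__ == "__main__":
    for hit in find_violations(SAMPLE_LOG, MGMT_NETS):
        print("would block:", hit)
    print("\n".join(iptables_rules(MGMT_NETS)))
```

DNS itself (53/tcp and 53/udp) is deliberately outside the policy, since the note only covers the RPC and SMB paths; the filter therefore leaves name resolution working while cutting off the management interface from untrusted sources. As the note says, hosts inside the perimeter can still reach the interface, so this is a containment measure, not a fix.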
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Microsoft Corporation | Affected | - | 08 May 2007 |
CVSS Metrics
This vulnerability was reported in Microsoft Security Advisory (935964).
This document was written by Jeff Gennari.
- CVE IDs: CVE-2007-1748
- Date Public: 13 Apr 2007
- Date First Published: 13 Apr 2007
- Date Last Updated: 08 May 2007
- Severity Metric: 49.14
- Document Revision: 141