|
|
|
View Notes By
|
|
|
|
Other Documents
|
|
|
|
|
Vulnerability Note VU#568148
Microsoft Windows RPC vulnerable to buffer overflow
OverviewA buffer overflow vulnerability exists in Microsoft's Remote Procedure Call (RPC) implementation. A remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service. An exploit for this vulnerability is publicly available.
I. DescriptionMicrosoft describes their implementation of the RPC protocol as, "a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions."
A buffer overflow has been discovered in Microsoft's RPC implementation. Quoting from Microsoft Security Bulletin MS03-026:
There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. This interface handles DCOM object activation requests that are sent by client machines (such as Universal Naming Convention (UNC) paths) to the server.
For further technical information about this vulnerability, please see Microsoft Security Bulletin MS03-026.
II. ImpactA remote attacker could exploit this vulnerability to execute arbitrary code with System Privileges or cause a denial of service.
III. SolutionApply Patch
Apply a patch as described in Microsoft Security Bulletin MS03-026. Please also note that Microsoft is actively deploying the patches for this vulnerability via Windows Update.
Restrict Access
You may wish to block access to from outside your network perimeter, specifically by blocking access to TCP ports 135, 139, 445, 593 and UDP ports 135, 137, 138, and 445. You maye also wish to disable Com Internet Services and RPC over HTTP. This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.
Disable DCOM
Depending on site requirements, you may wish to disable DCOM as described in MS03-026. Disabling DCOM will help protect against this vulnerability, but may also cause undesirable side effects. Additional details on disabling DCOM and possible side effects are available in Microsoft Knowledge Base Article 825750.
Systems Affected
References
http://www.cert.org/advisories/CA-2003-19.html
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/how_rpc_works.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/htm/comext_3aw3.asp
http://marc.theaimsgroup.com/?l=bugtraq&m=105838687731618&w=2
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
https://www.securecoding.cert.org/confluence/x/aoCM
Credit
This vulnerability was discovered by The Last Stage of Delirium Research Group. Microsoft has published Microsoft Security Bulletin MS03-026 to address this vulnerability.
This document was written by Ian A Finlay and Damon G. Morda.
Other Information
| Date Public | 07/16/2003 |
| Date First Published | 07/16/2003 10:44:31 PM |
| Date Last Updated | 12/19/2007 |
| CERT Advisory | CA-2003-16 |
| CVE Name | CVE-2003-0352 |
| US-CERT Technical Alerts | |
| Metric | 78.75 |
| Document Revision | 27 |
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
|
Get Adobe Reader