search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Microsoft Windows RPC vulnerable to buffer overflow

Vulnerability Note VU#568148

Original Release Date: 2003-07-17 | Last Revised: 2007-12-19

Overview

A buffer overflow vulnerability exists in Microsoft's Remote Procedure Call (RPC) implementation. A remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service. An exploit for this vulnerability is publicly available.

Description

Microsoft describes their implementation of the RPC protocol as, "a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions."

A buffer overflow has been discovered in Microsoft's RPC implementation. Quoting from Microsoft Security Bulletin MS03-026:
There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. This interface handles DCOM object activation requests that are sent by client machines (such as Universal Naming Convention (UNC) paths) to the server.
For further technical information about this vulnerability, please see Microsoft Security Bulletin MS03-026.

Impact

A remote attacker could exploit this vulnerability to execute arbitrary code with System Privileges or cause a denial of service.

Solution

Apply Patch
Apply a patch as described in Microsoft Security Bulletin MS03-026. Please also note that Microsoft is actively deploying the patches for this vulnerability via Windows Update.


Restrict Access

You may wish to block access to from outside your network perimeter, specifically by blocking access to TCP ports 135, 139, 445, 593 and UDP ports 135, 137, 138, and 445. You maye also wish to disable Com Internet Services and RPC over HTTP. This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.

Disable DCOM

Depending on site requirements, you may wish to disable DCOM as described in MS03-026. Disabling DCOM will help protect against this vulnerability, but may also cause undesirable side effects. Additional details on disabling DCOM and possible side effects are available in Microsoft Knowledge Base Article 825750.

Vendor Information

568148
Expand all

Microsoft Corporation

Updated:  July 16, 2003

Status

  Vulnerable

Vendor Statement

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nortel Networks, Inc.

Notified:  July 17, 2003 Updated:  August 02, 2003

Status

  Vulnerable

Vendor Statement

Nortel Networks Response to CERT AdvisoryCA-2003-16 - Buffer Overflow in Microsoft RPC

Nortel Networks supplies and supports both integrated andnon-integrated solutions to its customers. We are taking thisopportunity to complement CERT and Microsoft information withinformation specific to the potential impact of this vulnerability onNortel Networks products and solutions. As well we indicate howNortel Networks products can be used to help effect the mitigationprocedures recommended both by CERT and Microsoft.

A limited number of Nortel Networks products and solutions arepotentially affected by this issue, and the nature of these productsand solutions tends to place them within a private network.Accordingly, if network perimeter protection is employed asrecommended by both CERT and Microsoft (i.e. blocking access to TCP &UDP ports 135, 139, and 445) these products and solutions should notbe vulnerable to attacks from the public Internet.

Nortel Networks would like to inform its customers and partners ofefforts currently under way to respond to this issue:

  1. Embedded Operating Systems
  2. Some Nortel Networks products employ embedded Windows OperatingSystems identified by Microsoft as vulnerable; Product TechnicalBulletins and patches are being developed.

  3. Applications on Windows Operating Systems
  4. Some Nortel Networks applications reside on Windows Operating Systemsidentified by Microsoft as vulnerable; the corresponding Microsoftpatches are being tested against the Nortel Networks applications toconfirm that their functionality will not be impacted.

  5. Clients on Windows Operating Systems
  6. Some Nortel Networks clients reside on workstations supplied byothers, with Windows Operating Systems identified by Microsoft asvulnerable; Nortel Networks recommends that customers follow therecommendations of CERT and Microsoft and apply the appropriatepatches.

  7. Nortel Networks Routing Products to be used for Port Blocking
  8. Nortel Networks routing products are not vulnerable to this issue,but may be configured to protect customer networks by blocking accessto TCP & UDP ports 135, 139, and 445 at the network edge, asrecommended by CERT and Microsoft. Product-specific instructions forport blocking configuration are available for the following Nortelproducts:

  • Passport 6000
  • Shasta
  • Contivity
  • Alteon Switched Firewall
  • Passport 8600
  • BayRS

Nortel Networks Product Status

The following products, which in some way rely on a Microsoftoperating system, have been reviewed or are under review. Otherproducts may be added.

Not Vulnerable
  • Succession Multi-service Gateway 4000
  • Interactive Multimedia Server
  • Communication Server for Enterprise -- Multimedia Exchange
  • Multimedia PC Client
  • Optivity Telephony Manager
  • Optivity NetID
  • Optivity Policy Services
  • Optivity Switch Manager
  • Contivity Configuration Manager
Vulnerable
  • Symposium including TAPI ICM
  • CallPilot
  • Business Communications Manager
  • International Centrex-IP
  • Periphonics with OSCAR Speech Server
Under Review
  • Alteon Security Manager
  • Network Configuration Manager for BCM
  • Preside Site Manager
  • Preside System Manager Interface

If you have a Nortel Networks product which is not noted on the listabove, we are currently reviewing our extended product families toidentify if they use components of the Microsoft Operating System andwill issue an updated list as soon as new information is available.

For more information please contact

North America: 1-800-4NORTEL or 1-800-466-7835Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 9079009

Contacts for other regions are available at

<http://www.nortelnetworks.com/help/contact/global/>

Or visit the eService portal at <

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This vulnerability was discovered by The Last Stage of Delirium Research Group. Microsoft has published Microsoft Security Bulletin MS03-026 to address this vulnerability.

This document was written by Ian A Finlay and Damon G. Morda.

Other Information

CVE IDs: CVE-2003-0352
CERT Advisory: CA-2003-16
Severity Metric: 78.75
Date Public: 2003-07-16
Date First Published: 2003-07-17
Date Last Updated: 2007-12-19 15:59 UTC
Document Revision: 27

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.