
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2003-07-16



Microsoft Buffer Overrun in RPC

Published: 2003-07-16
Last Updated: 2003-07-17 16:06:41 UTC
by Handlers (Version: 1)

On July 17th, CERT and Microsoft released a security bulletin regarding a
newly discovered buffer overrun in Microsoft Windows products.

Vulnerable Systems
==================

-Microsoft Windows NT 4.0
-Microsoft Windows NT 4.0 Terminal Services Edition
-Microsoft Windows 2000
-Microsoft Windows XP
-Microsoft Windows Server 2003

Summary
==================

A buffer overrun was discovered in Microsoft's RPC implementation. RPC
(Remote Procedure Call) is one of the protocols used by Windows systems; it
is used to execute code on a remote system. Microsoft's RPC implementation
adds specific extensions to the original Open Source RPC protocol.

According to Microsoft, "The vulnerability is present in the part of RPC that
deals with message exchange over TCP/IP. The failure results because of
incorrect handling of malformed messages. This particular vulnerability
affects a Distributed Component Object Model (DCOM) interface with RPC, which
listens on TCP/IP port 135. This interface handles DCOM object activation
requests that are sent by client machines (such as Universal Naming
Convention (UNC) paths) to the server."

Impact
==================

This vulnerability can be exploited by sending a specially formed request to
the remote computer on port 135.

A remote attacker could exploit this vulnerability to execute arbitrary code
with Local System privileges or to cause a denial of service.

Solution
==================

If the machine is connected to the Internet, block access to port 135.
This will prevent access to this port and any attempt to exploit this
vulnerability.
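
The block on port 135 only helps if no earlier rule already lets that traffic through. The added example below (not from the original diary) models a hypothetical first-match packet filter, with an assumed `Rule` format and constructed documentation addresses, and reports which internal hosts still accept inbound TCP/135 from an external source.

```python
import ipaddress
from dataclasses import dataclass

RPC_PORT = 135          # TCP port the advisory says to block
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:              # hypothetical, simplified ACL entry (assumption)
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp" or "any"
    src: str             # source CIDR
    dst: str             # destination CIDR
    ports: tuple         # inclusive (low, high) destination ports

def first_match(rules, proto, src, dst, port):
    """Return the first rule that matches the packet, or None (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.proto in (proto, "any")
                and s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.ports[0] <= port <= r.ports[1]):
            return r
    return None

def exposed_hosts(rules, external_src, internal_hosts):
    """Internal hosts whose TCP/135 is still reachable from external_src."""
    exposed = []
    for host in internal_hosts:
        r = first_match(rules, "tcp", external_src, host, RPC_PORT)
        if r is not None and r.action == "permit":
            exposed.append(host)
    return exposed

# Constructed sample data (documentation address ranges, not real hosts).
HOSTS = ["192.0.2.10", "192.0.2.20"]
SHADOWED = [
    Rule("permit", "tcp", ANY, "192.0.2.10/32", (1, 1023)),  # broad permit comes first
    Rule("deny", "tcp", ANY, ANY, (135, 135)),               # never reached for .10
    Rule("permit", "tcp", ANY, "192.0.2.0/24", (80, 80)),
]
FIXED = [SHADOWED[1], SHADOWED[0], SHADOWED[2]]              # deny 135 moved to the top

if __name__ == "__main__":
    for name, acl in (("shadowed", SHADOWED), ("fixed", FIXED)):
        print(name, "->", exposed_hosts(acl, "203.0.113.5", HOSTS))
```

In the shadowed rule set the deny entry exists but the server at 192.0.2.10 stays exposed, which is the ordering mistake to look for when adding the block to an existing policy.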

It is also highly recommended to apply the patch released by Microsoft,
according to Microsoft Bulletin MS03-026.

Microsoft Patches
==================

* Windows NT 4.0 Server
http://microsoft.com/downloads/details.aspx?FamilyId=2CC66F4E-217E-4FA7-BDBF-DF77A0B9303F&displaylang=en

* Windows NT 4.0 Terminal Server Edition
http://microsoft.com/downloads/details.aspx?FamilyId=6C0F0160-64FA-424C-A3C1-C9FAD2DC65CA&displaylang=en

* Windows 2000
http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en

* Windows XP 32 bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en

* Windows XP 64 bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=1B00F5DF-4A85-488F-80E3-C347ADCC4DF1&displaylang=en

* Windows Server 2003 32 bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=F8E0FF3A-9F4C-4061-9009-3A212458E92E&displaylang=en

* Windows Server 2003 64 bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=2B566973-C3F0-4EC1-995F-017E35692BC7&displaylang=en

References
==================

CERT® Advisory CA-2003-16 Buffer Overflow in Microsoft RPC
http://www.cert.org/advisories/CA-2003-16.html

Microsoft Security Bulletin MS03-026
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp

------------------------------------------------------------

Pedro Bueno - SANS Incident Handler