
Microsoft RPC Interface Buffer Overrun Could Allow Code Execution


Description

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The flaw results from incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. This interface handles DCOM object activation requests (such as Universal Naming Convention (UNC) paths) that are sent by client machines to the server. An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system. The attacker would be able to take any action on the system, including installing programs, viewing, changing, or deleting data, or creating new accounts with full privileges.

To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on port 135.

Note: Reports indicate that intruders are actively scanning for and exploiting this vulnerability. Multiple exploits for this vulnerability have been publicly released, and there is active development of improved and automated exploit tools for it. Known exploits target TCP port 135 and create a privileged backdoor command shell on successfully compromised hosts. Some versions of the exploit use TCP port 4444 for the backdoor, and other versions use a TCP port number specified by the intruder at run time. Some reports also indicate scanning activity for common backdoor ports such as 4444/TCP. In some cases, because the RPC service terminates, a compromised system may reboot after the backdoor is accessed by an intruder. (Updated on August 1, 2003)

Impact

  • Allow an attacker to execute code of their choice

Vulnerable System

  • Microsoft Windows NT 4.0
  • Microsoft Windows NT 4.0 Terminal Services Edition
  • Microsoft Windows 2000
  • Microsoft Windows XP
  • Microsoft Windows Server 2003

Solutions

Before installing the patch, please visit the software manufacturer's web site for more details.

Download locations for this patch

Installation platforms:

  • The Windows NT 4.0 patch can be installed on systems running Windows NT 4.0 Service Pack 6a.
  • The Windows NT 4.0, Terminal Server Edition patch can be installed on systems running Windows NT 4.0, Terminal Server Edition Service Pack 6.
  • The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 3 or Service Pack 4.
  • The Windows XP patch can be installed on systems running Windows XP Gold or Service Pack 1.
  • The Windows Server 2003 patch can be installed on systems running Windows Server 2003 Gold.

In addition, if the DCOM RPC service is reachable over the network, we advise applying the packet filtering tips below to help mitigate attempts to exploit this vulnerability.

Filter network traffic

Sites are encouraged to block network access to the RPC service at network borders. This can minimize the potential of denial-of-service attacks originating from outside the perimeter. The specific services that should be blocked include:

  • 69/UDP
  • 135/TCP
  • 135/UDP
  • 139/TCP
  • 139/UDP
  • 445/TCP
  • 445/UDP
  • 4444/TCP

If access cannot be blocked for all external hosts, we recommend limiting access to only those hosts that require it for normal operation. As a general rule, we recommend filtering all types of network traffic that are not required for normal operation.

Because exploitation creates a backdoor, in some cases on 4444/TCP, blocking inbound TCP sessions to ports on which no legitimate services are provided may limit intruder access to compromised hosts. (Updated on August 1, 2003)
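The filtering advice above is easier to act on when a site can see, in its own border logs, which external hosts are reaching the ports the advisory lists. The script below is an added example and is not part of the original advisory: it applies the advisory's port list to constructed firewall-style log lines, flags inbound hits on the blocked ports, treats one external source touching several internal hosts on 135/TCP as a probable scanner, and separately reports inbound sessions to 4444/TCP as possible backdoor access. The log line format (`<timestamp> <src_ip> <dst_ip> <proto>/<dst_port>`), the internal address prefix `10.0.0.`, and the scan threshold of three targets are assumptions made for this example.

```python
"""Flag inbound traffic to the ports the advisory says to filter.

Added example, not part of the original advisory. Assumes a constructed
log format:  <timestamp> <src_ip> <dst_ip> <proto>/<dst_port>
"""
from collections import defaultdict

# Ports the advisory recommends blocking at the network border.
ADVISORY_BLOCKLIST = {
    ("udp", 69), ("tcp", 135), ("udp", 135), ("tcp", 139), ("udp", 139),
    ("tcp", 445), ("udp", 445), ("tcp", 4444),
}

# 4444/TCP is named in the advisory as a port used by the exploit's backdoor shell.
BACKDOOR_PORTS = {("tcp", 4444)}

# Assumed threshold: distinct internal targets on 135/TCP from one source
# before the source is reported as a probable scanner.
SCAN_THRESHOLD = 3


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, dst, svc = parts
    proto, _, port = svc.partition("/")
    if not port.isdigit():
        return None
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(), "port": int(port)}


def analyze(lines, internal_prefix="10.0.0."):
    """Return blocked-port hits, probable 135/TCP scanners and backdoor access.

    Only inbound traffic (external source, internal destination) is considered,
    since the advisory's filtering advice concerns the network border.
    """
    hits = []                      # (src, dst, (proto, port)) on blocked ports
    rpc_targets = defaultdict(set)  # src -> internal hosts it touched on 135/TCP
    backdoor = []                  # (src, dst) sessions to a known backdoor port
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        inbound = rec["dst"].startswith(internal_prefix) and not rec["src"].startswith(internal_prefix)
        if not inbound:
            continue
        key = (rec["proto"], rec["port"])
        if key in ADVISORY_BLOCKLIST:
            hits.append((rec["src"], rec["dst"], key))
        if key == ("tcp", 135):
            rpc_targets[rec["src"]].add(rec["dst"])
        if key in BACKDOOR_PORTS:
            backdoor.append((rec["src"], rec["dst"]))
    scanners = sorted(src for src, tgts in rpc_targets.items() if len(tgts) >= SCAN_THRESHOLD)
    return {"blocked_port_hits": hits, "probable_scanners": scanners, "backdoor_access": backdoor}


# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    "2003-08-01T10:00:01 192.0.2.10 10.0.0.5 tcp/135",
    "2003-08-01T10:00:02 192.0.2.10 10.0.0.6 tcp/135",
    "2003-08-01T10:00:03 192.0.2.10 10.0.0.7 tcp/135",
    "2003-08-01T10:00:09 192.0.2.10 10.0.0.7 tcp/4444",
    "2003-08-01T10:01:00 10.0.0.5 10.0.0.9 tcp/445",     # internal to internal, ignored
    "2003-08-01T10:02:00 198.51.100.7 10.0.0.8 tcp/80",  # permitted service, not flagged
    "garbage line",                                      # malformed, skipped
]

if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LOG).items():
        print(name, value)
```

The same structure works against real border logs once `parse_line` is adapted to the device's format; the port set is the advisory's own list, so a host listed under `probable_scanners` followed by a `backdoor_access` entry for one of its targets matches the sequence the note above describes and is worth prioritising for isolation and review.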


Written on 17 July 2003
Last updated on 1 August 2003