search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Windows RPCSS Service contains heap overflow in DCOM activation routines

Vulnerability Note VU#483492

Original Release Date: 2003-09-10 | Last Revised: 2003-12-11

Overview

There is a remote buffer overflow in many versions of Microsoft Windows that allows attackers to execute arbitrary code with system privileges.

Description

The Microsoft RPCSS Service is responsible for managing Remote Procedure Call (RPC) messages and is enabled by default on many versions of Microsoft Windows. Researchers at eEye Digital Security have discovered a heap-based buffer overflow in this service that allows remote attackers to execute arbitrary code on affected hosts. According to eEye, the vulnerability is triggered with a two-packet sequence consisting of a DCERPC bind packet followed by a crafted DCERPC DCOM object activation request. For more detailed information, please read the eEye advisory entitled "Microsoft RPC Heap Corruption Vulnerability - Part II".

This buffer overflow is one of two reported in Microsoft Security Bulletin MS03-039 and is different than those discussed in previous advisories.

Important Notice Regarding Scanning Tools

There is an important side effect to applying the patch provided by MS03-039. Specifically, application of this patch will cause many scanning tools to incorrectly report that a system patched by MS03-039 is missing the patch provided in MS03-026.

Microsoft has provided a new scanning tool that correctly detects hosts that require either the MS03-026 or MS03-039 patch. To obtain this tool, please read Microsoft Knowledge Base Article 827363.

It is important that all users discontinue the use of scanning tools intended for MS03-026 and obtain an updated tool that detects both MS03-026 and MS03-039. This also applies to sites that use a third-party scanning tool.

Impact

This vulnerability allows remote attackers to execute arbitrary code with Local System privileges.

Solution

Apply a patch from Microsoft

Microsoft has published Microsoft Security Bulletin MS03-039 to address this vulnerability. For more information, please see

http://www.microsoft.com/technet/security/bulletin/MS03-039.asp

Please note that this bulletin supersedes both MS03-026 and MS01-048.

Block traffic to and from common Microsoft RPC ports


As an interim measure, users can reduce the chance of successful exploitation by blocking traffic to and from well-known Microsoft RPC ports, including

Port 135 (tcp/udp)
Port 137 (udp)
Port 138 (udp)
Port 139 (tcp)
Port 445 (tcp/udp)
Port 593 (tcp)

To prevent compromised hosts from contacting other vulnerable hosts, the CERT/CC recommends that system administrators filter the ports listed above for both incoming and outgoing traffic.

Disable COM Internet Services and RPC over HTTP

COM Internet Services (CIS) is an optional component that allows RPC messages to be tunneled over HTTP ports 80 and 443. As an interim measure, sites that use CIS may wish to disable it as an alternative to blocking traffic to and from ports 80 and 443.

Disable DCOM

Disable DCOM as described in MS03-039 and Microsoft Knowledge Base Article 825750.

Vendor Information

483492
 

Microsoft Corporation Affected

Notified:  September 10, 2003 Updated: September 12, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----

- - -----------------------------------------------------------------
Title:     Buffer Overrun In RPCSS Service Could Allow Code

Execution (824146)
Date:      September 10, 2003
Software:  Microsoft Windows NT Workstation 4.0

Microsoft Windows NT Server(r) 4.0
Microsoft Windows NT Server 4.0, Terminal Server
Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003

Impact:    Run code of attacker's choice
Max Risk:  Critical
Bulletin:  MS03-039

Microsoft encourages customers to review the Security Bulletins
at:

http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
http://www.microsoft.com/security/security_bulletins/MS03-039.asp

- - -----------------------------------------------------------------

Issue:
======

The fix provided by this patch supersedes the one included in
Microsoft Security Bulletin MS03-026.

Remote Procedure Call (RPC) is a protocol used by the Windows
operating system. RPC provides an inter-process communication
mechanism that allows a program running on one computer to
seamlessly access services on another computer. The protocol
itself is derived from the Open Software Foundation (OSF) RPC
protocol, but with the addition of some Microsoft specific
extensions.

There are three identified vulnerabilities in the part of RPCSS
Service that deals with RPC messages for DCOM activation- two
that could allow arbitrary code execution and one that could
result in a denial of service. The flaws result from incorrect
handling of malformed messages. These particular vulnerabilities
affect the Distributed Component Object Model (DCOM) interface
within the RPCSS Service. This interface handles DCOM object
activation requests that are sent from one machine to another.

An attacker who successfully exploited these vulnerabilities
could be able to run code with Local System privileges on an
affected system, or could cause the RPCSS Service to fail. The
attacker could then be able to take any action on the system,
including installing programs, viewing, changing or deleting
data, or creating new accounts with full privileges.

To exploit these vulnerabilities, an attacker could create a
program to send a malformed RPC message to a vulnerable system
targeting the RPCSS Service.

Microsoft has released a tool that can be used to scan a network
for the presence of systems which have not had the MS03-039 patch
installed. More details on this tool are available in Microsoft
Knowledge Base article 827363. This tool supersedes the one
provided in Microsoft Knowledge Base article 826369. If the tool
provided in Microsoft Knowledge Base Article 826369 is used
against a system which has installed the security patch provided
with this bulletin, the superseded tool will incorrectly report
that the system is missing the patch provided in MS03-026.
Microsoft encourages customers to run the latest version of the
tool available in Microsoft Knowledge Base article 827363 to
determine if their systems are patched.


Mitigating Factors:
====================

- Firewall best practices and standard default firewall
configurations can help protect networks from remote attacks
originating outside of the enterprise perimeter. Best practices
recommend blocking all ports that are not actually being used.
For this reason, most systems attached to the Internet should
have a minimal number of the affected ports exposed.

Risk Rating:
============

- Critical

Patch Availability:
===================

- A patch is available to fix this vulnerability. Please read
the Security Bulletins at

http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
http://www.microsoft.com/security/security_bulletins/MS03-039.asp

for information on obtaining this patch.

Acknowledgment:
===============

- eEye Digital Security (http://www.eeye.com/html)
- NSFOCUS Security Team (http://www.nsfocus.com)
- Xue Yong Zhi and Renaud Deraison from Tenable Network Security

(http://www.tenablesecurity.com)

for reporting the buffer overrun vulnerabilities and working with
us to protect customers.
- - -----------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQEVAwUBP19PE40ZSRQxA/UrAQFL2ggAk84V2SkEsj8r0xW6JoxE9ojVFp8kQLWS
SMYMXP6iEONzJzUGcoX8OLDWG5ncSoJVOSM+84PUCOAFnIZs8eZV8MiOdjm/j2yO
Fv+0bw6foQbsyvFT9Kcckrj/DJAIEnu5EMwVcU1jlkP1rIj6JXaZdC78jpHson2y
AdxBM8altRg1aKplWYVe5vOV0Ya92KUkbKy0khv9xKgNO/PPbno4AdBzkk5s7hqy
NNnhi+lbdZBubzhQkvG+Wj3bAA/onj7SdTAKXuaLEB61c5gDsznwV+d+tHYbZjdm
3BAhoL+b34yteRa3wJrMxgz6+KJLDpUvEUW9DYU9Mlscl3+d1StbNw==
=2u0i
-----END PGP SIGNATURE-----

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was discovered by Barnaby Jack of eEye Digital Security.

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs: CVE-2003-0715
CERT Advisory: CA-2003-23
Severity Metric: 94.50
Date Public: 2003-09-10
Date First Published: 2003-09-10
Date Last Updated: 2003-12-11 21:41 UTC
Document Revision: 47

Sponsored by CISA.