Title:     Buffer Overrun In RPCSS Service Could Allow Code
           Execution (824146)
Date:      September 10, 2003
Software:  Microsoft Windows NT Workstation 4.0
           Microsoft Windows NT Server(r) 4.0
           Microsoft Windows NT Server 4.0, Terminal Server Edition
           Microsoft Windows 2000
           Microsoft Windows XP
           Microsoft Windows Server 2003
Impact:    Run code of attacker's choice
Max Risk:  Critical
Bulletin:  MS03-039

Microsoft encourages customers to review the Security Bulletins
at:

http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
http://www.microsoft.com/security/security_bulletins/MS03-039.asp

-----------------------------------------------------------------

Issue:
======

The fix provided by this patch supersedes the one included in Microsoft
Security Bulletin MS03-026.

Remote Procedure Call (RPC) is a protocol used by the Windows operating
system. RPC provides an inter-process communication mechanism that allows
a program running on one computer to seamlessly access services on another
computer. The protocol itself is derived from the Open Software Foundation
(OSF) RPC protocol, but with the addition of some Microsoft specific
extensions.

There are three identified vulnerabilities in the part of the RPCSS Service
that deals with RPC messages for DCOM activation: two that could allow
arbitrary code execution and one that could result in a denial of service.
The flaws result from incorrect handling of malformed messages. These
particular vulnerabilities affect the Distributed Component Object Model
(DCOM) interface within the RPCSS Service. This interface handles DCOM
object activation requests that are sent from one machine to another.
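The bulletin does not publish the faulty code, so the following is an added
illustration, not Microsoft's RPCSS implementation: a toy parser for an
invented length-prefixed request field, written once with the unchecked copy
that produces a buffer overrun of the kind described above, and once with the
bounds checks that reject a malformed message before anything is copied. The
wire layout, NAME_MAX, the sample messages and all function names are
assumptions made for the example.

```c
/*
 * Added example, not Microsoft's code. Invented message layout:
 *   [u16 declared_len, big-endian][declared_len bytes of name]
 * Shows an unchecked copy next to a checked one.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_MAX 32   /* fixed-size destination, chosen for the example */

struct request {
    char name[NAME_MAX];
    size_t name_len;
};

/* Reads a big-endian 16-bit length from the first two bytes. */
static uint16_t read_u16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* VULNERABLE (hypothetical): trusts the declared length. A message that
 * declares more bytes than NAME_MAX makes memcpy write past req->name; one
 * that declares more than was received makes it read past msg. The length
 * field is never validated against the receiver's own buffers, which is the
 * shape of flaw the bulletin describes. Deliberately not called below. */
int parse_request_unchecked(const uint8_t *msg, size_t msg_len, struct request *req) {
    if (msg_len < 2) return -1;
    uint16_t declared = read_u16(msg);
    memcpy(req->name, msg + 2, declared);   /* no check against NAME_MAX or msg_len */
    req->name_len = declared;
    return 0;
}

/* HARDENED: every length taken from the message is checked against both the
 * bytes actually received and the destination size before any copy. A
 * malformed message is rejected (return -1) rather than silently truncated,
 * so the caller can log and drop it. */
int parse_request_checked(const uint8_t *msg, size_t msg_len, struct request *req) {
    if (msg == NULL || req == NULL) return -1;
    if (msg_len < 2) return -1;              /* header incomplete */
    uint16_t declared = read_u16(msg);
    if (declared > msg_len - 2) return -1;   /* claims more bytes than were sent */
    if (declared >= NAME_MAX) return -1;     /* would not fit (room kept for NUL) */
    memcpy(req->name, msg + 2, declared);
    req->name[declared] = '\0';
    req->name_len = declared;
    return 0;
}

/* Returns 1 when the checked parser accepts a message, 0 when it rejects it. */
int accepts(const uint8_t *msg, size_t msg_len) {
    struct request req;
    return parse_request_checked(msg, msg_len, &req) == 0;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t sample_good[]      = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t sample_oversized[] = {0x10, 0x00, 'x'};  /* declares 4096, sends 1 */
static const uint8_t sample_short[]     = {0x00};             /* header incomplete */

/* A message whose declared length matches what was sent but exceeds NAME_MAX;
 * returns 1 when the checked parser rejects it. */
int oversized_but_complete_rejected(void) {
    uint8_t buf[2 + 64];
    buf[0] = 0x00;
    buf[1] = 64;
    memset(buf + 2, 'A', 64);
    return !accepts(buf, sizeof buf);
}

/* Returns 1 when the well-formed sample parses to the expected name. */
int parsed_name_matches(void) {
    struct request req;
    if (parse_request_checked(sample_good, sizeof sample_good, &req) != 0) return 0;
    return req.name_len == 5 && strcmp(req.name, "hello") == 0;
}

int main(void) {
    printf("good message accepted:        %d\n", accepts(sample_good, sizeof sample_good));
    printf("oversized declared length:    %d\n", accepts(sample_oversized, sizeof sample_oversized));
    printf("truncated header:             %d\n", accepts(sample_short, sizeof sample_short));
    printf("64-byte name rejected:        %d\n", oversized_but_complete_rejected());
    printf("parsed name matches:          %d\n", parsed_name_matches());
    return 0;
}
```

The checked parser illustrates the defensive rule that applies to any
network-facing message handler: a length field supplied by the peer is
untrusted input and must be compared against both the bytes actually received
and the size of the local destination before it drives a copy.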

An attacker who successfully exploited these vulnerabilities could run code
with Local System privileges on an affected system, or could cause the RPCSS
Service to fail. The attacker could then take any action on the system,
including installing programs; viewing, changing or deleting data; or
creating new accounts with full privileges.

To exploit these vulnerabilities, an attacker could create a program to
send a malformed RPC message to a vulnerable system targeting the RPCSS
Service.

Microsoft has released a tool that can be used to scan a network for systems
that do not have the MS03-039 patch installed. More details on this tool are
available in Microsoft Knowledge Base article 827363. This tool supersedes the
one provided in Microsoft Knowledge Base article 826369. If the tool provided
in Microsoft Knowledge Base Article 826369 is used against a system which has
installed the security patch provided with this bulletin, the superseded tool
will incorrectly report that the system is missing the patch provided in
MS03-026. Microsoft encourages customers to run the latest version of the
tool available in Microsoft Knowledge Base article 827363 to determine if
their systems are patched.

Mitigating Factors:
===================
 - Firewall best practices and standard default firewall configurations
can help protect networks from remote attacks originating outside of the
enterprise perimeter. Best practices recommend blocking all ports that are
not actually being used. For this reason, most systems attached to the
Internet should have a minimal number of the affected ports exposed.

Risk Rating:
============
 - Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the
Security Bulletins at

http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
http://www.microsoft.com/security/security_bulletins/MS03-039.asp

for information on obtaining this patch.

Acknowledgment:
===============
 - eEye Digital Security (http://www.eeye.com/html)
 - NSFOCUS Security Team (http://www.nsfocus.com)
 - Xue Yong Zhi and Renaud Deraison from Tenable Network Security
   (http://www.tenablesecurity.com)

for reporting the buffer overrun vulnerabilities and working with us to
protect customers.
