Date: 17 July 2003
References: ESB-2003.0525 ESB-2003.0561 ESB-2003.0579 ESB-2003.0590 ESB-2003.0636 AA-2006.0095
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
A U S C E R T A L E R T
AL-2003.11 -- AUSCERT ALERT
Buffer Overrun In RPC Interface Could Allow Code Execution (Q823980)
Microsoft Security Bulletin MS03-026
17 July 2003
===========================================================================
AusCERT Alert Summary
---------------------
Product:           Remote Procedure Call (RPC) Interface
Publisher:         Microsoft
Operating System:  Windows NT 4.0
                   Windows NT 4.0 Terminal Services Edition
                   Windows 2000
                   Windows XP
                   Windows Server™ 2003
Impact:            Administrator Compromise
Access Required:   Remote
CVE Names:         CAN-2003-0352

AusCERT is issuing this external security bulletin as an AUSCERT ALERT
to emphasize the significance of these vulnerabilities.

The potential impact resulting from an attack involving successful
exploitation of this vulnerability is considered to be critical. A
successful compromise would result in the attacker having full Local
System privileges.

AusCERT advises users and sites running Windows NT 4.0, 2000, XP, 2003
to confirm, from information contained in this advisory, their exposure
to these vulnerabilities and to apply the vendor patches.

Microsoft Windows Millennium Edition is not affected.

- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
- - - ---------------------------------------------------------------
Title:      Buffer Overrun In RPC Interface Could Allow Code
            Execution (823980)
Date:       16 July 2003
Software:   Microsoft(r) Windows (r) NT 4.0
            Microsoft Windows NT 4.0 Terminal Services Edition
            Microsoft Windows 2000
            Microsoft Windows XP
            Microsoft Windows Server 2003
Impact:     Run code of attacker's choice
Max Risk:   Critical
Bulletin:   MS03-026

Microsoft encourages customers to review the Security Bulletins
at:
    http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
    http://www.microsoft.com/security/security_bulletins/MS03-026.asp
- - - ---------------------------------------------------------------
Issue:
======
Remote Procedure Call (RPC) is a protocol used by the Windows
operating system. RPC provides an inter-process communication
mechanism that allows a program running on one computer to
seamlessly execute code on a remote system. The protocol itself
is derived from the OSF (Open Software Foundation) RPC protocol,
but with the addition of some Microsoft specific extensions.

There is a vulnerability in the part of RPC that deals with
message exchange over TCP/IP. The failure results because of
incorrect handling of malformed messages. This particular
vulnerability affects a Distributed Component Object Model (DCOM)
interface with RPC, which listens on TCP/IP port 135. This
interface handles DCOM object activation requests sent by client
machines (such as Universal Naming Convention (UNC) paths) to the
server.

To exploit this vulnerability, an attacker would need to send a
specially formed request to the remote computer on port 135.

Mitigating factors:
====================
- To exploit this vulnerability, the attacker would require the
  ability to send a specially crafted request to port 135 on the
  remote machine. For intranet environments, this port would
  normally be accessible, but for Internet connected machines, the
  port 135 would normally be blocked by a firewall. In the case
  where this port is not blocked, or in an intranet configuration,
  the attacker would not require any additional privileges.

- Best practices recommend blocking all TCP/IP ports that are
  not actually being used. For this reason, most machines attached
  to the Internet should have port 135 blocked. RPC over TCP is not
  intended to be used in hostile environments such as the internet.
  More robust protocols such as RPC over HTTP are provided for
  hostile environments.

Risk Rating:
============
Critical
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read
  the Security Bulletins at
      http://www.microsoft.com/technet/security/bulletin/ms03-026.asp
      http://www.microsoft.com/security/security_bulletins/ms03-026.asp
  for information on obtaining this patch.
- - - ---------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
This alert is provided as a service to AusCERT's members. As AusCERT did
not write the document quoted above, AusCERT has had no control over its
content. The decision to follow or act on information or advice contained in
this security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.
NOTE: This is only the original release of the alert. It may not be
updated when updates to the original are made. If downloading at a later
date, it is recommended that the alert is retrieved directly from the
author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the alert above. If you have any questions or need further information,
please contact them directly.
Previous advisories, alerts and external security bulletins can be
retrieved from:
http://www.auscert.org.au/render.html?cid=1977
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
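
Added example, not part of the AusCERT alert or the Microsoft bulletin: one way to confirm the firewall mitigation described under "Mitigating factors" is to review perimeter firewall logs for TCP connections to port 135 that arrive from outside the site. The log layout (a space-separated record format described by a "#Fields:" header), the sample records, and the choice of the RFC 1918 ranges as "internal" are assumptions made for this sketch.

```python
import ipaddress

# Constructed sample log. Assumption: space-separated records described by a
# "#Fields:" header; adjust the field names to match your firewall's log.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2003-07-17 09:14:02 ALLOW TCP 203.0.113.45 192.168.10.20 4021 135 48 S
2003-07-17 09:14:05 DROP TCP 198.51.100.7 192.168.10.20 3310 135 48 S
2003-07-17 09:15:11 ALLOW TCP 192.168.10.31 192.168.10.20 1188 135 48 S
2003-07-17 09:16:40 ALLOW TCP 203.0.113.45 192.168.10.20 4022 80 48 S
2003-07-17 09:17:03 ALLOW UDP 203.0.113.45 192.168.10.20 4023 135 60 -
truncated line
"""

# Assumption: the site's internal address space is the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return any(ip in net for net in INTERNAL_NETS)


def external_rpc_traffic(log_text, port="135"):
    """Return (allowed, dropped) lists of (timestamp, src, dst) for TCP
    connections from outside INTERNAL_NETS to `port` on an internal host."""
    fields, allowed, dropped = [], [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        parts = line.split()
        if line.startswith("#") or not fields or len(parts) < len(fields):
            continue  # comment, no header seen yet, or truncated record
        rec = dict(zip(fields, parts))
        try:
            inbound = not is_internal(rec["src-ip"]) and is_internal(rec["dst-ip"])
        except (KeyError, ValueError):
            continue  # header lacks the address fields, or address is malformed
        if not (inbound and rec.get("protocol") == "TCP" and rec.get("dst-port") == port):
            continue
        hit = (f'{rec.get("date", "")} {rec.get("time", "")}', rec["src-ip"], rec["dst-ip"])
        (allowed if rec.get("action") == "ALLOW" else dropped).append(hit)
    return allowed, dropped


if __name__ == "__main__":
    allowed, dropped = external_rpc_traffic(SAMPLE_LOG)
    print("reached port 135 from outside:", allowed)
    print("blocked at the firewall:", dropped)
```

Any entry in the first list means port 135 is reachable from outside the site; that host should be patched first and the permitting firewall rule reviewed.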