Date: 11 September 2003
References: AU-2003.010 AU-2003.011 ESB-2003.0636
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
A U S C E R T   A L E R T
AL-2003.15 -- AUSCERT ALERT
Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)
Microsoft Security Bulletin MS03-039
11 September 2003
===========================================================================
AusCERT Alert Summary
---------------------

Product:           Remote Procedure Call (RPC) Service
Publisher:         Microsoft
Operating System:  Windows Server 2003
                   Windows XP
                   Windows 2000
                   Windows NT Server 4.0, Terminal Server Edition
                   Windows NT Server 4.0
                   Windows NT Workstation 4.0
Platform:          x86
                   IA-64
Impact:            Administrator Compromise
                   Denial of Service
Access Required:   Remote
CVE Names:         CAN-2003-0715, CAN-2003-0528, CAN-2003-0605

Ref:               AL-2003.11
                   AU-2003.011
                   AU-2003.010

AusCERT is issuing this external security bulletin as an AusCERT ALERT
to emphasize the significance of three newly discovered vulnerabilities
in the Windows RPC service. The patch referenced in this bulletin
supersedes the patch from the Microsoft bulletin MS03-026.

The potential impact resulting from exploitation of this vulnerability
is considered to be critical. A successful compromise would result in
the attacker executing arbitrary code with full Local System privileges
or causing the RPC service to fail.

AusCERT advises users and sites running Windows NT, 2000, XP, and 2003
to evaluate their exposure to these vulnerabilities and to apply the
vendor patches and/or network filters as deemed necessary.

- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
- - - -----------------------------------------------------------------
Title:      Buffer Overrun In RPCSS Service Could Allow Code
            Execution (824146)
Date:       September 10, 2003
Software:   Microsoft Windows NT Workstation 4.0
            Microsoft Windows NT Server(r) 4.0
            Microsoft Windows NT Server 4.0, Terminal Server
            Edition
            Microsoft Windows 2000
            Microsoft Windows XP
            Microsoft Windows Server 2003
Impact:     Run code of attacker's choice
Max Risk:   Critical
Bulletin:   MS03-039

Microsoft encourages customers to review the Security Bulletins
at:
http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
http://www.microsoft.com/security/security_bulletins/MS03-039.asp
- - - -----------------------------------------------------------------

Issue:
======
The fix provided by this patch supersedes the one included in
Microsoft Security Bulletin MS03-026.

Remote Procedure Call (RPC) is a protocol used by the Windows
operating system. RPC provides an inter-process communication
mechanism that allows a program running on one computer to
seamlessly access services on another computer. The protocol
itself is derived from the Open Software Foundation (OSF) RPC
protocol, but with the addition of some Microsoft specific
extensions.

There are three identified vulnerabilities in the part of RPCSS
Service that deals with RPC messages for DCOM activation - two
that could allow arbitrary code execution and one that could
result in a denial of service. The flaws result from incorrect
handling of malformed messages. These particular vulnerabilities
affect the Distributed Component Object Model (DCOM) interface
within the RPCSS Service. This interface handles DCOM object
activation requests that are sent from one machine to another.

An attacker who successfully exploited these vulnerabilities
could be able to run code with Local System privileges on an
affected system, or could cause the RPCSS Service to fail. The
attacker could then be able to take any action on the system,
including installing programs, viewing, changing or deleting
data, or creating new accounts with full privileges.

To exploit these vulnerabilities, an attacker could create a
program to send a malformed RPC message to a vulnerable system
targeting the RPCSS Service.

Microsoft has released a tool that can be used to scan a network
for the presence of systems which have not had the MS03-039 patch
installed. More details on this tool are available in Microsoft
Knowledge Base article 827363. This tool supersedes the one
provided in Microsoft Knowledge Base article 826369. If the tool
provided in Microsoft Knowledge Base Article 826369 is used
against a system which has installed the security patch provided
with this bulletin, the superseded tool will incorrectly report
that the system is missing the patch provided in MS03-026.
Microsoft encourages customers to run the latest version of the
tool available in Microsoft Knowledge Base article 827363 to
determine if their systems are patched.

Mitigating Factors:
====================
 - Firewall best practices and standard default firewall
   configurations can help protect networks from remote attacks
   originating outside of the enterprise perimeter. Best practices
   recommend blocking all ports that are not actually being used.
   For this reason, most systems attached to the Internet should
   have a minimal number of the affected ports exposed.

Risk Rating:
============
 - Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read
   the Security Bulletins at
   http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
   http://www.microsoft.com/security/security_bulletins/MS03-039.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - eEye Digital Security (http://www.eeye.com/html)
 - NSFOCUS Security Team (http://www.nsfocus.com)
 - Xue Yong Zhi and Renaud Deraison from Tenable Network Security
   (http://www.tenablesecurity.com)

for reporting the buffer overrun vulnerabilities and working with
us to protect customers.

- - - -----------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------

This alert is provided as a service to AusCERT's members. As AusCERT did
not write the document quoted above, AusCERT has had no control over its
content. The decision to follow or act on information or advice contained in
this security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the alert. It may not be
updated when updates to the original are made. If downloading at a later
date, it is recommended that the alert is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the alert above. If you have any questions or need further information,
please contact them directly.

Previous advisories, alerts and external security bulletins can be
retrieved from:

        http://www.auscert.org.au/render.html?cid=1977

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST). On call after hours
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----