SecurityTracker.com
SecurityTracker
Archives
Category:  OS (Microsoft)  >  Rpc Vendors:  Microsoft
Microsoft Windows Remote Procedure Call (RPC) DCOM Activation Buffer Overflows Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007670
CVE Reference:  CAN-2003-0528 ,  CAN-2003-0605 ,  CAN-2003-0715 ,  CAN-2003-0995   (Links to External Site)
Updated:  Dec 18 2003
Original Entry Date:  Sep 10 2003
Impact:  Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Description:  Several buffer overflow vulnerabilities were reported in several Microsoft operating systems in the RPCSS service related to Distributed Component Object Model (DCOM) messages. A remote user can execute arbitrary code with Local System privileges or cause denial of service conditions.

It is reported that the RPCSS service contains several vulnerabilities in the processing of RPC DCOM object activation requests that can be triggered by a remote user sending malformed messages.

It is reported that a remote user can establish a connection to the target system and then send a specially crafted and malformed RPC message to cause the DCOM activation infrastructure to execute arbitrary, user-supplied code. This is because user-supplied inputs are not properly checked by the software, according to the report. The flaws reportedly occur in the processing of RPC DCOM object activation requests.

Some of the vulnerabilities can be exploited to execute arbitrary code. Another vulnerability results in the RPCSS service crashing and only affects Windows 2000.

Internet Security Systems separately reported that there is a buffer overflow in the Message Queue Manager on Windows 2000 [CVE: CAN-2003-0995]. A remote user can reportedly send a specially-crafted queue registration request to trigger the overflow and execute arbitrary code on the system with Local System privileges.

Microsoft reports that the affected service may initially receive connections via UDP ports 135, 137, 138, and 445 and TCP ports 135, 139, 445, and 593. In addition, the systems can be configured to receive RPC connections via TCP on 80 and 443. Other ports may also be used.

One of these buffer overflow vulnerabilities is related to the exploit code released by XFocus on July 25, 2003 and described in Alert ID 1007302 [the exploit was also reportedly effective against CVE CAN-2003-0352].

Technical details regarding another of the buffer overflow vulnerabilities have been provided by eEye Digital Security [see the Message History for a separate Alert dedicated to the eEye advisory]. In this particular buffer overflow, a remote user can reportedly send a DCERPC "bind" packet followed by a malformed DCERPC DCOM object activation request packet. The activation packet can contain specially crafted length fields that cause heap memory to be overwritten with user-supplied data, the report said. It may require several activation packets (e.g., 4 or 5) to cause the memory to be overwritten.
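The bind-then-activation-request sequence described above is the kind of traffic a network sensor on the affected ports can inspect. The following is an added detection example, not code from SecurityTracker, eEye or Microsoft: it parses the standard 16-byte DCE/RPC connection-oriented header, tracks a bind followed by request PDUs, and flags requests whose declared length fields (alloc_hint, auth_length) do not match the data actually carried. It works only at the PDU level and does not decode the NDR-encoded activation stub itself; the sample byte streams are constructed for the demonstration.

```python
import struct
from typing import Dict, List

# DCE/RPC connection-oriented common header (16 bytes, DCE 1.1 spec):
# rpc_vers, rpc_vers_minor, ptype, pfc_flags, drep[4], frag_length, auth_length, call_id
HDR = struct.Struct("<BBBB4sHHI")
REQ_FIELDS = struct.Struct("<IHH")  # request PDU body prefix: alloc_hint, p_cont_id, opnum
PTYPE_REQUEST, PTYPE_BIND = 0, 11
PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02
SINGLE_FRAG = PFC_FIRST_FRAG | PFC_LAST_FRAG

def parse_pdus(stream: bytes) -> List[Dict]:
    """Walk a captured byte stream PDU by PDU using frag_length; stop at the first bad header."""
    pdus, off = [], 0
    while off + HDR.size <= len(stream):
        vers, _, ptype, flags, _, frag_len, auth_len, call_id = HDR.unpack_from(stream, off)
        pdu = {"offset": off, "ptype": ptype, "flags": flags, "call_id": call_id, "malformed": False}
        if vers != 5 or frag_len < HDR.size or off + frag_len > len(stream):
            pdu["malformed"] = True  # header claims more (or less) than the stream carries
            pdus.append(pdu)
            break
        if ptype == PTYPE_REQUEST and frag_len >= HDR.size + REQ_FIELDS.size:
            alloc_hint, ctx_id, opnum = REQ_FIELDS.unpack_from(stream, off + HDR.size)
            stub_len = frag_len - HDR.size - REQ_FIELDS.size - auth_len  # bytes of stub data present
            pdu.update(alloc_hint=alloc_hint, ctx_id=ctx_id, opnum=opnum, stub_len=stub_len)
        pdus.append(pdu)
        off += frag_len
    return pdus

def flag_activation_stream(stream: bytes) -> List[str]:
    """Findings for a bind followed by request PDUs whose length fields do not add up."""
    findings, bound = [], False
    for p in parse_pdus(stream):
        if p["malformed"]:
            findings.append(f"offset {p['offset']}: malformed DCERPC header")
        elif p["ptype"] == PTYPE_BIND:
            bound = True
        elif p["ptype"] == PTYPE_REQUEST and bound and "stub_len" in p:
            if p["stub_len"] < 0:
                findings.append(f"call {p['call_id']}: auth_length exceeds fragment")
            # In a single-fragment call alloc_hint is the whole stub size, so it cannot exceed the data.
            elif (p["flags"] & SINGLE_FRAG) == SINGLE_FRAG and p["alloc_hint"] > p["stub_len"]:
                findings.append(f"call {p['call_id']}: alloc_hint {p['alloc_hint']} > {p['stub_len']} stub bytes")
    return findings

def _pdu(ptype: int, flags: int, body: bytes = b"", call_id: int = 1) -> bytes:
    """Constructed PDU builder for the samples below (little-endian data representation)."""
    return HDR.pack(5, 0, ptype, flags, b"\x10\x00\x00\x00", HDR.size + len(body), 0, call_id) + body

# Constructed samples: a bind, then one request claiming 128 KiB of stub data while carrying 4 bytes,
# versus the same request whose alloc_hint matches the 4 bytes actually sent.
SUSPECT = _pdu(PTYPE_BIND, SINGLE_FRAG) + _pdu(PTYPE_REQUEST, SINGLE_FRAG, REQ_FIELDS.pack(0x20000, 0, 0) + b"\0" * 4, 2)
BENIGN = _pdu(PTYPE_BIND, SINGLE_FRAG) + _pdu(PTYPE_REQUEST, SINGLE_FRAG, REQ_FIELDS.pack(4, 0, 0) + b"\0" * 4, 2)
```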

Microsoft credits eEye Digital Security, NSFOCUS Security Team, and Xue Yong Zhi and Renaud Deraison from Tenable Network Security with reporting these flaws.

Impact:  A remote user can execute arbitrary code with Local System privileges on the target server. A remote user can cause the target server's RPCSS service to crash.
Solution:  Microsoft has released the following patches:

Windows NT Workstation 4.0

http://www.microsoft.com/downloads/details.aspx?FamilyId=7EABAD74-9CA9-48F4-8DB5-CF8C188879DA&displaylang=en


Windows NT Server 4.0

http://www.microsoft.com/downloads/details.aspx?FamilyId=71B6135C-F957-4702-B376-2DACCE773DC0&displaylang=en


Windows NT Server 4.0, Terminal Server Edition

http://www.microsoft.com/downloads/details.aspx?FamilyId=677229F8-FBBF-4FF4-A2E9-506D17BB883F&displaylang=en


Windows 2000

http://www.microsoft.com/downloads/details.aspx?FamilyId=F4F66D56-E7CE-44C3-8B94-817EA8485DD1&displaylang=en


Windows XP

http://www.microsoft.com/downloads/details.aspx?FamilyId=5FA055AE-A1BA-4D4A-B424-95D32CFC8CBA&displaylang=en


Windows XP 64 bit Edition

http://www.microsoft.com/downloads/details.aspx?FamilyId=50E4FB51-4E15-4A34-9DC3-7053EC206D65&displaylang=en


Windows XP 64 bit Edition Version 2003

http://www.microsoft.com/downloads/details.aspx?FamilyId=80AB25B3-E387-441F-9B6D-84106F66059B&displaylang=en


Windows Server 2003

http://www.microsoft.com/downloads/details.aspx?FamilyId=51184D09-4F7E-4F7B-87A4-C208E9BA4787&displaylang=en


Windows Server 2003 64 bit Edition

http://www.microsoft.com/downloads/details.aspx?FamilyId=80AB25B3-E387-441F-9B6D-84106F66059B&displaylang=en


The vendor reports that the Windows NT Workstation 4.0 and Server 4.0 patches can be installed on SP6a. The Windows NT Server 4.0, Terminal Server Edition patch can be installed on Windows NT Server 4.0, Terminal Server Edition SP6. The Windows 2000 patch can be installed on Windows 2000 SP2, SP3, or SP4. The Windows XP patch can be installed on Windows XP Gold or SP1. The Windows Server 2003 patch can be installed on Windows Server 2003 Gold.

Microsoft plans to include this fix in Windows 2000 SP5, Windows XP SP2, and Windows Server 2003 SP1.

A reboot is required after installing this patch.

This patch supersedes the patches described in Microsoft Security Bulletin MS03-026 and MS01-048.

Microsoft plans to issue Knowledge Base article 824146 regarding this issue, to be available shortly on the Microsoft Online Support web site at:

http://support.microsoft.com/?kbid=824146

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS03-039.asp (Links to External Site)
Cause:  Boundary error
Underlying OS:  Windows (NT), Windows (2000), Windows (2003), Windows (XP)
Reported By:  secnotif@microsoft.com
Message History:   None.


 Source Message Contents

Date:  Wed, 10 Sep 2003 11:21:08 -0700
From:  secnotif@microsoft.com
Subject:  Microsoft Security Bulletin MS03-039: Buffer Overrun In RPCSS Service Could Allow Code Execution(824146)

 

-----BEGIN PGP SIGNED MESSAGE-----

-----------------------------------------------------------------
Title:     Buffer Overrun In RPCSS Service Could Allow Code  
           Execution (824146)
Date:      September 10, 2003
Software:  Microsoft Windows NT Workstation 4.0
           Microsoft Windows NT Server(r) 4.0
           Microsoft Windows NT Server 4.0, Terminal Server     
           Edition 
           Microsoft Windows 2000 
           Microsoft Windows XP 
           Microsoft Windows Server 2003  
Impact:    Run code of attacker's choice
Max Risk:  Critical
Bulletin:  MS03-039

Microsoft encourages customers to review the Security Bulletins 
at:
    
http://www.microsoft.com/technet/security/bulletin/MS03-039.asp 
http://www.microsoft.com/security/security_bulletins/MS03-039.asp

-----------------------------------------------------------------

Issue:
======

The fix provided by this patch supersedes the one included in 
Microsoft Security Bulletin MS03-026.

Remote Procedure Call (RPC) is a protocol used by the Windows 
operating system. RPC provides an inter-process communication 
mechanism that allows a program running on one computer to 
seamlessly access services on another computer. The protocol 
itself is derived from the Open Software Foundation (OSF) RPC 
protocol, but with the addition of some Microsoft specific 
extensions. 

There are three identified vulnerabilities in the part of RPCSS 
Service that deals with RPC messages for DCOM activation: two 
that could allow arbitrary code execution and one that could 
result in a denial of service. The flaws result from incorrect 
handling of malformed messages. These particular vulnerabilities 
affect the Distributed Component Object Model (DCOM) interface 
within the RPCSS Service. This interface handles DCOM object 
activation requests that are sent from one machine to another.

An attacker who successfully exploited these vulnerabilities 
could be able to run code with Local System privileges on an 
affected system, or could cause the RPCSS Service to fail. The 
attacker could then be able to take any action on the system, 
including installing programs, viewing, changing or deleting 
data, or creating new accounts with full privileges.

To exploit these vulnerabilities, an attacker could create a 
program to send a malformed RPC message to a vulnerable system 
targeting the RPCSS Service.

Microsoft has released a tool that can be used to scan a network 
for the presence of systems which have not had the MS03-039 patch 
installed. More details on this tool are available in Microsoft 
Knowledge Base article 827363. This tool supersedes the one 
provided in Microsoft Knowledge Base article 826369. If the tool 
provided in Microsoft Knowledge Base Article 826369 is used 
against a system which has installed the security patch provided 
with this bulletin, the superseded tool will incorrectly report 
that the system is missing the patch provided in MS03-026. 
Microsoft encourages customers to run the latest version of the 
tool available in Microsoft Knowledge Base article 827363 to 
determine if their systems are patched.


Mitigating Factors:
====================
 - Firewall best practices and standard default firewall 
configurations can help protect networks from remote attacks 
originating outside of the enterprise perimeter. Best practices 
recommend blocking all ports that are not actually being used. 
For this reason, most systems attached to the Internet should 
have a minimal number of the affected ports exposed.

Risk Rating:
============
 - Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read 
the Security Bulletins at

http://www.microsoft.com/technet/security/bulletin/MS03-039.asp 
http://www.microsoft.com/security/security_bulletins/MS03-039.asp

for information on obtaining this patch.

Acknowledgment:
===============
 - eEye Digital Security (http://www.eeye.com/html)
 - NSFOCUS Security Team (http://www.nsfocus.com)
 - Xue Yong Zhi and Renaud Deraison from Tenable Network Security 
   (http://www.tenablesecurity.com)

for reporting the buffer overrun vulnerabilities and working with 
us to protect customers.  
-----------------------------------------------------------------





Copyright 2003, SecurityGlobal.net LLC