[SECURITY-L] Flaw in Microsoft Windows RPC Implementation

Daniela Regina Barbetti Silva daniela em ccuec.unicamp.br
Thu Jul 17 09:52:54 -03 2003


----- Forwarded message from Klaus Steding-Jessen <jessen em nic.br> -----

From: Klaus Steding-Jessen <jessen em nic.br>
Subject: [S] Flaw in Microsoft Windows RPC Implementation
To: seguranca em pangeia.com.br
Date: Wed, 16 Jul 2003 18:21:16 -0300

[http://xforce.iss.net/xforce/alerts/id/147]

Internet Security Systems Security Alert
July 16, 2003

Flaw in Microsoft Windows RPC Implementation

Synopsis:

Microsoft has published a security bulletin describing a buffer overflow
vulnerability in the Windows RPC (Remote Procedure Call) interface. The
RPC protocol is integral to the normal operation of many networking
technologies within the Windows operating system. The buffer overflow
affects the DCOM (Distributed Component Object Model) interface on port
TCP/135.

Impact:

Attackers may exploit this vulnerability by sending a specially-crafted
RPC packet to port TCP/135 on a vulnerable target. Successful exploitation
of this vulnerability will result in complete control of the target
system. Many security-conscious administrators know to block this service
at the perimeter, but open networks and personal computers used by
individuals may be vulnerable to attack.

Affected Versions:

Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003

Note: All major releases and Service Pack levels of the platforms above
are vulnerable.

Description:

The vulnerability occurs in the RPC interface to DCOM. The RPC protocol is
used by the Windows operating systems and its applications to communicate
over the network. The DCOM interface to RPC is accessible via port
TCP/135. RPC was originally developed by the OSF (Open Software
Foundation) to build a system in which computers could request network
services or resources from another computer without specific knowledge of
the network or computing environment answering the request.

Microsoft has added several extensions to their implementation of the RPC
protocol, including the integration of DCOM.  DCOM is built upon RPC to
provide better interoperability between Microsoft applications and newer
technologies such as ActiveX, HTTP, and Java. The DCE RPC and DCOM
interfaces are widely used and enabled by default on Windows
installations.

The DCOM object activation functionality is vulnerable to a remote stack
overflow attack and arbitrary code execution when dealing with
instantiation of DCOM objects. The vulnerable code executes under the
SYSTEM security context and any successful attacks will grant SYSTEM
privileges. Integrated buffer overflow protection in Windows Server 2003
is reportedly ineffective at preventing this attack.

Recommendations:

Detailed information or exploit code is not currently available to
demonstrate the flaw. X-Force is researching the vulnerability and will
provide updates to this section.

X-Force recommends that port 135 be blocked on all perimeter networks.
Individuals and network administrators should also configure personal
firewalls, desktop and network protection systems to block port 135 as
well.

Microsoft has released updates to address the vulnerability on all
affected platforms. Refer to the Microsoft Security Bulletin MS03-026.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2003-0352 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for security
problems.

Last Stage of Delirium
http://www.lsd-pl.net

Microsoft Security Bulletin MS03-026
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

______

About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved
worldwide.

This document is not to be edited or altered in any way without the
express written consent of Internet Security Systems, Inc. If you wish
to reprint the whole or any part of this document, please email
xforce em iss.net for permission. You may provide links to this document
from your web site, and you may make copies of this document in
accordance with the fair use doctrine of the U.S. copyright laws.

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key server,
as well as at http://www.iss.net/security_center/sensitive.php
Please send suggestions, updates, and comments to: X-Force
xforce em iss.net of Internet Security Systems, Inc.

----- End forwarded message -----
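As an added example (not part of the ISS alert or of the forwarded post), the following Python script turns the alert's recommendation into something an administrator can check: it probes TCP/135 on hosts you are responsible for, classifies each as open, closed or filtered (filtered is the state a correctly configured perimeter produces), and prints the iptables rules that enforce the block on a Linux perimeter box. The host list, the interface name and the iptables rule template are assumptions; nothing here sends anything other than a plain TCP connect.

```python
# Added example (not part of the ISS alert or the mailing-list post): verify
# from a host you administer that TCP/135 is not reachable on the machines
# behind your perimeter, and print the iptables rules that enforce the block.
# The host list, interface name and rule template below are assumptions.
import errno
import socket

RPC_PORT = 135  # TCP/135: the DCOM/RPC endpoint the alert says to block


def probe_tcp(host, port=RPC_PORT, timeout=2.0):
    """Classify host:port from a single TCP connect attempt.

    'open'     -> a listener accepted the connection: the RPC service is exposed
    'closed'   -> connection refused (RST): nothing listening, but no filter either
    'filtered' -> timeout or unreachable: a firewall is dropping the SYN, which is
                  the state the alert's recommendation should produce at the perimeter
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:          # must precede OSError: timeout is a subclass
        return "filtered"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "closed"
        return "filtered"           # EHOSTUNREACH, ENETUNREACH, ...
    finally:
        s.close()


def audit(hosts, port=RPC_PORT, timeout=2.0):
    """Probe each host once; return {host: state} and the list still exposed."""
    states = {h: probe_tcp(h, port, timeout) for h in hosts}
    exposed = [h for h, st in states.items() if st == "open"]
    return states, exposed


def iptables_block_rules(iface="eth0", port=RPC_PORT):
    """iptables commands (assumed Linux perimeter box) that drop inbound TCP/135
    both to the firewall itself (INPUT) and through it (FORWARD)."""
    return [
        f"iptables -A INPUT   -i {iface} -p tcp --dport {port} -j DROP",
        f"iptables -A FORWARD -i {iface} -p tcp --dport {port} -j DROP",
    ]


def loopback_listener():
    """Helper: bind a listener on 127.0.0.1 on an ephemeral port so the probe
    logic can be exercised offline. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed host list (RFC 5737 documentation range): replace with the
    # addresses you are responsible for.
    hosts = ["192.0.2.10", "192.0.2.11"]
    states, exposed = audit(hosts, timeout=1.0)
    for h, st in states.items():
        print(f"{h}:{RPC_PORT} {st}")
    if exposed:
        print("still reachable, apply at the perimeter:")
        for rule in iptables_block_rules():
            print("  " + rule)
```

Run it from outside the perimeter against your own address ranges: every host should report "filtered". A "closed" result means the packet got through and was only refused because nothing was listening; a host that reports "open" is exposed and needs both the MS03-026 update and the block rule.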