
CERT-In Advisory CIAD-2003-09
Buffer Overrun In RPC Interface Could Allow Code Execution and Denial of Service

Original issue date: August 01, 2003

Severity: High

Systems Affected

. Microsoft Windows NT® 4.0
. Microsoft Windows NT 4.0 Terminal Services Edition
. Microsoft Windows 2000
. Microsoft Windows XP
. Microsoft Windows Server™ 2003


Overview

Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message.

Description

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. This interface handles DCOM object activation requests that are sent by client machines (such as Universal Naming Convention (UNC) paths) to the server.

There are quite a number of reports that intruders are exploiting a vulnerability in Microsoft's DCOM RPC interface, as described in www.cert.org/advisories/CA-2003-19.html and CERT-In Advisory CIAD-2003-06. Quite a number of exploits for this vulnerability have been released on the Internet, and there is active development of automated exploit tools targeting this vulnerability. Known exploits target TCP port 135 and create a privileged backdoor command shell on compromised hosts. Some versions of the exploit use TCP port 4444 for the backdoor, and other versions use a TCP port number chosen by the intruder at run-time. In some cases, because the RPC service terminates, a compromised system may reboot after the backdoor is accessed by an intruder.

There appears to be a separate denial-of-service vulnerability in Microsoft's RPC interface that is also being targeted. As per www.cert.org, this vulnerability is separate and independent from the RPC vulnerability addressed in MS03-026. Exploit code for this vulnerability has been publicly released and also targets TCP port 135.

In both of the attacks described above, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies.

Impact

A remote attacker could run code of his/her choice on the affected system, or cause a denial of service by making the RPC service terminate.

Workarounds

No workaround is suggested by Microsoft.

Solution

Essential:
Apply patches
All users are encouraged to apply the patches referred to in Microsoft Security Bulletin MS03-026. These patches are also available via Microsoft's Windows Update service.
Systems running Windows 2000 may still be vulnerable to at least a denial of service attack via VU#326746 if their DCOM RPC service is available via the network.

Optional:

The system administrator may wish to block access from outside his/her network perimeter, specifically by blocking access to TCP and UDP ports 135, 139, 445 and 4444, preferably permitting only essential TCP and UDP ports and barring all other unnecessary ports at network border machines. This will limit exposure to attacks. However, blocking at the network perimeter would still allow attackers within the network perimeter to exploit the vulnerability. It is important to understand the network's configuration and service requirements before deciding what changes are appropriate. Therefore, in addition to applying the patches supplied in MS03-026, sites are encouraged to use the TCP/IP filtering settings (Start / Network and Dial-up Connections / Local Area Connection / Properties / Internet Protocol (TCP/IP) / Properties / Advanced... / Options / TCP/IP filtering / Properties), after which the system administrator may recheck which TCP and UDP ports are now open.

The system administrator can check which TCP and UDP ports are open by running the netstat -a -n command from a command prompt.
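As an added check (example code written for this page, not part of the advisory or of Microsoft's tooling), the script below scans the text of netstat -a -n for the ports this advisory names, reporting TCP listeners on 135, 139, 445 and 4444 and UDP bindings on the same ports; the netstat output embedded in it is constructed, not a real capture.

```python
import re

# Ports the advisory recommends filtering at the perimeter (135, 139, 445)
# plus the port some known exploits use for their backdoor shell (4444).
ADVISORY_PORTS = {
    135: "RPC endpoint mapper / DCOM activation",
    139: "NetBIOS session service (alternate RPC vector)",
    445: "SMB over TCP (alternate RPC vector)",
    4444: "backdoor port used by some MS03-026 exploits",
}

# One data row of Windows "netstat -a -n": proto, local, foreign, [state].
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def exposed_ports(netstat_output: str) -> dict:
    """Return advisory-relevant ports that are listening (TCP) or bound (UDP),
    keyed by protocol, parsed from the text of `netstat -a -n`."""
    found = {"TCP": set(), "UDP": set()}
    for line in netstat_output.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # banner, column headers, blank lines
        proto, local, _foreign, state = m.groups()
        try:
            # local is host:port; host may be a bracketed IPv6 literal
            port = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if port not in ADVISORY_PORTS:
            continue
        # Established or TIME_WAIT TCP rows are not exposed listeners
        if proto == "TCP" and state != "LISTENING":
            continue
        found[proto].add(port)
    return {p: sorted(s) for p, s in found.items()}

# Constructed sample (not a real capture): RPC/SMB ports open plus a
# listener on 4444 that should be investigated as a possible backdoor.
SAMPLE_NETSTAT = """
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:4444      0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      10.0.0.5:51234         ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    192.168.1.10:137       *:*
"""
```

A listener on 4444 is not proof of compromise, but on an unpatched host it is reason to investigate the owning process before anything else.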

Vendor Information

Microsoft
Please see Microsoft Security Bulletin MS03-026.

References

CERT® Advisory no: CA-2003-19
http://www.cert.org/advisories/CA-2003-19.html

CERT/CC Vulnerability Note VU#561284
http://www.kb.cert.org/vuls/id/561284

CERT/CC Vulnerability Note VU#326746
http://www.kb.cert.org/vuls/id/326746

Microsoft Security Bulletin MS03-026
http://microsoft.com/technet/security/bulletin/MS03-026.asp

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91 11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003