CERT-In Advisory
CIAD-2003-0009
Buffer Overrun In RPC Interface Could Allow Code Execution and Denial of Service
Original Issue Date: August 01, 2003
Severity Rating: High
Systems Affected
- Microsoft Windows NT® 4.0
- Microsoft Windows NT 4.0 Terminal Services Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server™ 2003
Overview
Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message.
Impact
Run code of attacker's choice
Description
There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results from incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. This interface handles DCOM object activation requests, such as Universal Naming Convention (UNC) paths, that are sent by client machines to the server.
There are numerous reports that intruders are exploiting a vulnerability in Microsoft's DCOM RPC interface, as described in www.cert.org/advisories/CA-2003-19.html and CERT-In Advisory CIAD-2003-06. A number of exploits for this vulnerability have been released on the Internet, and there is active development of automated exploit tools targeting it. Known exploits target TCP port 135 and create a privileged backdoor command shell on compromised hosts. Some versions of the exploit use TCP port 4444 for the backdoor, and other versions use a TCP port number chosen by the intruder at run time. In some cases, because the RPC service terminates, a compromised system may reboot after the backdoor is accessed by an intruder. There appears to be a separate denial-of-service vulnerability in Microsoft's RPC interface that is also being targeted. According to www.cert.org, this vulnerability is separate and independent from the RPC vulnerability addressed in MS03-026. Exploit code for this vulnerability has been publicly released and also targets TCP port 135. In both of the attacks described above, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies.
Solution
- Essential:
Apply patches. All users are encouraged to apply the patches referred to in Microsoft Security Bulletin MS03-026. These patches are also available via Microsoft's Windows Update service. Systems running Windows 2000 may still be vulnerable to at least a denial-of-service attack via VU#326746 if their DCOM RPC service is available via the network.
- Optional:
The System Administrator may wish to block access from outside his/her network perimeter, specifically by blocking access to TCP and UDP ports 135, 139, 445 and 4444, preferably permitting only essential TCP and UDP ports and barring all other unnecessary ports at network border machines. This will limit exposure to attacks. However, blocking at the network perimeter would still allow attackers inside the network perimeter to exploit the vulnerability. It is important to understand the network's configuration and service requirements before deciding what changes are appropriate. Sites are therefore encouraged to use the packet filtering facility at Start / Networks and Dial-up Connections / Local Area Connection / Properties / Internet Protocol (TCP/IP) Properties / Advanced... / Options / TCP/IP filtering / Properties. In addition to applying the patches supplied in MS03-026, the System Administrator may recheck which TCP and UDP ports are currently open, as described below.
The System Administrator can check which TCP and UDP ports are open by running the netstat -a -n command from a command prompt.
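The following is an added example, not part of the CERT-In advisory: it parses the text that netstat -a -n prints on Windows and reports every socket reachable from the network on the ports the advisory recommends filtering (135, 139, 445, 4444). The sample netstat output is constructed for illustration.

```python
"""Check `netstat -a -n` output for the ports named in CIAD-2003-0009 (added example)."""
import re

# Ports listed in the advisory's Optional solution.
ADVISORY_PORTS = {135, 139, 445, 4444}

# Matches lines such as "  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING"
# and "  UDP    0.0.0.0:135    *:*" (UDP lines carry no state column).
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def exposed_ports(netstat_output):
    """Return sorted (proto, local_addr, port) tuples for reachable advisory ports.

    A TCP socket counts only when its state is LISTENING; every bound UDP
    socket counts. Sockets bound to the loopback address are skipped, since
    they cannot be reached from the network.
    """
    found = set()
    for line in netstat_output.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header, blank line or unrelated text
        proto, addr, port, _remote, state = m.groups()
        port = int(port)
        if port not in ADVISORY_PORTS or addr.startswith("127."):
            continue
        if proto == "TCP" and state != "LISTENING":
            continue  # an outbound connection, not a listener
        found.add((proto, addr, port))
    return sorted(found)


# Constructed sample in the format of `netstat -a -n` on Windows 2000/XP.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      192.168.1.20:135       ESTABLISHED
  TCP    127.0.0.1:4444         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""

if __name__ == "__main__":
    for proto, addr, port in exposed_ports(SAMPLE):
        print(f"{proto} {addr}:{port} reachable; filter it or apply MS03-026")
```

On a real host, pipe the command's output into the function (for example `exposed_ports(subprocess.check_output(["netstat", "-a", "-n"], text=True))`) instead of using the constructed sample.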
Workaround
No workaround is suggested by Microsoft.
Vendor Information
Microsoft: Please see Microsoft Security Bulletin MS03-026.
References
CERT® Advisory no: CA-2003-19
http://www.cert.org/advisories/CA-2003-19.html
CERT/CC Vulnerability Note VU#561284
http://www.kb.cert.org/vuls/id/561284
CERT/CC Vulnerability Note VU#326746
http://www.kb.cert.org/vuls/id/326746
Microsoft Security Bulletin MS03-026
http://microsoft.com/technet/security/bulletin/MS03-026.asp
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-2436857
Postal address
Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, Government of India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi - 110 003, India