MS03-026: Buffer Overrun In RPC Interface..


-----BEGIN PGP SIGNED MESSAGE-----

- - ---------------------------------------------------------------
Title:    Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
Date:     16 July 2003
Software: Microsoft® Windows® NT 4.0
          Microsoft Windows NT 4.0 Terminal Services Edition
          Microsoft Windows 2000
          Microsoft Windows XP
          Microsoft Windows Server 2003
Impact:   Run code of attacker's choice
Max Risk: Critical
Bulletin: MS03-026

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/...in/MS03-026.asp
http://www.microsoft.com/security/security...ns/MS03-026.asp
- - ---------------------------------------------------------------

Issue:
======
Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the OSF (Open Software Foundation) RPC protocol, but with the addition of some Microsoft specific extensions.

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. This interface handles DCOM object activation requests sent by client machines (such as Universal Naming Convention (UNC) paths) to the server.

To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on port 135.

Mitigating factors:
====================
- To exploit this vulnerability, the attacker would require the ability to send a specially crafted request to port 135 on the remote machine. For intranet environments, this port would normally be accessible, but for Internet connected machines, the port 135 would normally be blocked by a firewall. In the case where this port is not blocked, or in an intranet configuration, the attacker would not require any additional privileges.

- Best practices recommend blocking all TCP/IP ports that are not actually being used. For this reason, most machines attached to the Internet should have port 135 blocked. RPC over TCP is not intended to be used in hostile environments such as the internet. More robust protocols such as RPC over HTTP are provided for hostile environments.

Risk Rating:
============
Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletins at
http://www.microsoft.com/technet/security/...in/ms03-026.asp
http://www.microsoft.com/security/security...ns/ms03-026.asp
for information on obtaining this patch.

- - ---------------------------------------------------------------
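
A defender's check for the exposure described under "Mitigating factors", as an added example that is not part of the bulletin: it parses Windows netstat -an output and reports TCP port 135 listeners bound to non-loopback addresses, plus established connections to port 135 from peers outside the intranet. The sample output, the function names and the intranet address ranges are constructed assumptions.

```python
import ipaddress

RPC_PORT = 135  # TCP port the bulletin says the DCOM/RPC interface listens on
# Assumption: ranges this site treats as "intranet"; adjust to your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of `netstat -an` output, not taken from the bulletin.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:135       192.168.1.77:3312      ESTABLISHED
  TCP    192.168.1.20:135       203.0.113.9:4021       ESTABLISHED
  TCP    192.168.1.20:1135      198.51.100.4:80        ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]").split("%")[0]), int(port)


def audit_port_135(netstat_text):
    """Return (non-loopback listeners on 135, non-intranet peers connected to 135)."""
    listeners, outside_peers = [], []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue  # header, blank and UDP rows
        try:
            local_ip, local_port = split_endpoint(fields[1])
            peer_ip, _ = split_endpoint(fields[2])
        except ValueError:
            continue  # unparsable address (e.g. a resolved host name)
        if local_port != RPC_PORT:
            continue  # exact match, so 1135 is not mistaken for 135
        if fields[3] == "LISTENING" and not local_ip.is_loopback:
            listeners.append(fields[1])
        elif fields[3] == "ESTABLISHED" and not peer_ip.is_loopback \
                and not any(peer_ip in net for net in INTERNAL_NETS):
            outside_peers.append(str(peer_ip))
    return listeners, outside_peers


if __name__ == "__main__":
    print(audit_port_135(SAMPLE_NETSTAT))
```

A non-empty second list means port 135 is reachable from outside the intranet ranges, which is the condition the bulletin says a firewall should prevent.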
