[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS ALERT - 19/03 - Microsoft - Buffer Overrun In RPC Interface Could Allow Code Execution (UPDATE 28 July 2003)


- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) ALERT - 19/03 dated 28.07.03  Time: 16:40
 UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Microsoft Security Bulletin - MS03-026:
Buffer Overrun In RPC Interface Could Allow Code Execution.

Previous UNIRAS Alerts & Briefings

Threat Update
An exploit of the RPC buffer overflow vulnerability was published on
http://www.metasploit.com, following an exploit on http://www.xfocus.org targeted at
Chinese versions of Microsoft Windows. NISCC can confirm that the Metasploit RPC
exploit does send its exploit code to port 135 and does provide access to a remote
shell bound by default to TCP port 4444 on the victim?s computer. The exploit does
however cause the RPC service on the victim?s computer to crash, which in turn
causes the computer to reboot. Although the exploit does enable a remote SYSTEM level
compromise, it will in general be detectable. The existing exploit is also restricted
to Windows 2000 up to Service Pack 4 and Windows XP up Service Pack 1 (with possible
language and hot fix dependencies), although the Metasploit claim that exploit can be
made to work independently of the service pack by using a different return address.

Note: These exploits focus on only a subset of Windows. Other variants from NT to 2000
are also likely to be vulnerable to the underlying issue.

UNIRAS Incident Response
The Help Desk in conjunction with other world-wide agencies and CERTs is monitoring
the situation for any changes to the threat in relation to this problem. Recipients of
this Alert who observe any anomalous behaviour that may be relevant are requested to
forward the details by Email to uniras@xxxxxxxxxxxx or in an emergency call the Help
Desk using the contact details below.

Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC
provides an inter-process communication mechanism that allows a program running on
one computer to seamlessly execute code on a remote system. The protocol itself is
derived from the OSF (Open Software Foundation) RPC protocol, but with the addition
of some Microsoft specific extensions.

There is a vulnerability in the part of RPC that deals with message exchange over
TCP/IP. The failure results because of incorrect handling of malformed messages.
This particular vulnerability affects a Distributed Component Object Model (DCOM)
interface with RPC, which listens on RPC enabled ports. These interfaces handle DCOM
object activation requests sent by client machines (such as Universal Naming
Convention (UNC) paths) to the server. To exploit this vulnerability, an attacker
would need to send a specially formed request to the remote computer on port 135, 139,
445 or any other specially configured RPC port on the remote machine.

Departmental and company security officers are strongly recommended to apply a patch
for the vulnerability discussed in Microsoft security bulletin MS03-026. This
vulnerability, a stack based buffer overflow in Windows RPC services, could enable
an attack to compromise a remote computer with access as the local SYSTEM user. This
vulnerability affects all Microsoft Windows systems. Patches should be applied, as
soon as they have been tested on a non-operational system, to all Microsoft Windows

The patch is available at:


This Microsoft bulletin also contains a number of workthrough suggestions for sites
unable to deploy the patch immediately. As is best practice, organisational firewalls
should be configured to deny all services that are not explicitly allowed. In this
case, block TCP/UDP ports 135, and TCP ports 139, 445 and 593 on your organisational
perimeter firewalls if they are open.

Options for teleworkers
In the scenario that a worm is released to exploit this vulnerability, teleworkers
may experience particular problems.  Machines used by teleworkers are often less
stringently maintained than those under the direct physical control of corporate
IT departments, and arranging for such systems to be updated can be difficult.

Teleworkers may wish to consider any of the following options to protect their
machines.  Note, however, that administrative rights are normally needed to
change software configurations, so it is best to check in advance with your
system administrators to see what the preferred course of action is to ensure
that your system is adequately protected.

* Apply the patch by hand

The patch may be downloaded and installed following the instructions in the
Microsoft security bulletin, or by visiting the Microsoft windowsupdate site
(http://windowsupdate.microsoft.com) and following the prompts.  In either case
the process is straightforward and speedy.  A reboot is normally required following
patch installation to activate the changes.

* Install personal firewall software

Personal firewall software can protect networked systems against a variety of
threats.  Windows XP has a built-in software firewall ("Internet Connection
Firewall") which can be configured to block incoming connections to TCP and
UDP ports 135, 139 and 445 in order to protect against exploitation of this

For other Windows platforms, free or shareware third party software may be
installed. Try searching for "personal firewall" on the Internet.  More
advanced Windows 2000 users may be able to use the ipsecpol tool from Microsoft
to filter the affected ports.

* Disable DCOM

The Microsoft security bulletin contains step-by-step instructions for disabling
the DCOM protocol.  Make sure you don't accidentally re-activate it at a later
time until you have protected your machine.

* Configure a hardware firewall to block RPC interface ports

If you do not have administrative rights to your computer, it may still be
possible to protect it if you have, or are prepared to buy, a hardware firewall to
filter traffic from the Internet to your computer.  Note that many broadband routers
and wireless access points have firewalling functionality built in. Blocking the
ports and protocols listed above will protect all machines connected through the

A combined approach - of keeping up-to-date with security patches, using firewalling
technology to block any traffic not specifically required, and disabling un-needed
services - is recommended best practice.

Caution is required in making any changes to systems, but in the event of a rapidly
spreading worm the risk of NOT protecting machines may outweigh the risk of adverse
consequences arising from a failed patch installation.
- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

Version: PGP 8.0