HighRealSecure Desktop Protector 3.6, Proventia Network IPS, BlackICE PC Protection, BlackICE Server Protection, BlackICE Agent for Server, RealSecure Network, RealSecure Server Sensor, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Desktop, IBM Security Server Protection for Windows, Proventia Network MFS, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:
This signature looks for a specially crafted MSRPC Remote Activation Request or System Activation Request that is used to conduct a buffer overflow.
This signature looks for a specially-crafted MSRPC remote activation request or System activation request that is used to conduct a buffer overflow.
High
RealSecure Desktop Protector 3.6: baseline, Proventia Network IPS: 2.0, RealSecure Desktop: baseline, BlackICE PC Protection: 3.6cpa, BlackICE Server Protection: 3.6.cpa, BlackICE Agent for Server: 3.6eof, RealSecure Network: XPU 5.18, RealSecure Network: XPU 21.2, RealSecure Server Sensor: XPU 21.1, Proventia-G 1.1 and earlier: G Series, Proventia Network IDS: XPU 21.2, Proventia Desktop: 8.0.614.1, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.0, Proventia Network MFS: 1.0, Virtual Server Protection for Vmware: 1.0, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 1.0
Microsoft Windows NT: 4.0 Terminal Server, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows NT: 4.0 Server, Microsoft Windows NT: 4.0 Workstation, Microsoft Windows 2003 Server
Unauthorized Access Attempt
Microsoft Windows is vulnerable to two buffer overflows, caused by improper handling of Remote Procedure Call (RPC) messages for Distributed Component Object Model (DCOM) activation by the RPCSS service. By default, the RPCSS service is enabled. A remote attacker could establish a connection and send a malformed RPC message to overflow a buffer and execute arbitrary code on the system with Local System privileges.
For vulnerability detection:
Enable the following checks in the ISS Protection Platform:
WinRpcssDcomBo
WinMs03039Patch
win-ms03039-patch
Enable the following checks in the ISS Protection Platform:
MSRPC_RemoteActivate_Path_BO
Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 135
For Manual Protection:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-051 or MS04-029. See References.
For Microsoft Windows 2000:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS06-018. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS3-026, but it was superseded by the patch released with MS03-039, MS04-012, and MS05-051, which were superseded by the patch released with MS06-018.
For Windows XP and Windows Server 2003:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-051. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS3-026, but it was superseded by the patch released with MS03-039, MS04-012, and MS05-012, which was superseded by the patch released with MS05-051.
For Windows NT 4.0:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS04-029. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS03-039, but it was superseded by the patch released with MS04-012, and then superseded by the patch released with MS04-029.
Microsoft Security Bulletin MS03-039
Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
NSFOCUS Security Advisory SA2003-06
Microsoft Windows RPC DCOM Interface Heap Overflow Vulnerability
http://www.nsfocus.com/english/homepage/research/0306.htm
CERT Advisory CA-2003-23
Vulnerabilities in Microsoft Windows
http://www.cert.org/advisories/CA-2003-23.html
BugTraq Mailing List, Wed Sep 10 2003 - 12:32:40 CDT
EEYE: Microsoft RPC Heap Corruption Vulnerability - Part II
http://archives.neohapsis.com/archives/bugtraq/2003-09/0183.html
CERT Vulnerability Note VU#254236
Microsoft Windows contains buffer overflow in RPCSS Service DCOM activation routines
http://www.kb.cert.org/vuls/id/254236
CERT Vulnerability Note VU#483492
Microsoft Windows contains buffer overflow in RPCSS Service DCOM activation routines
http://www.kb.cert.org/vuls/id/483492
Packet Storm Web Site
rpcHeap.txt
http://packetstormsecurity.nl/0309-exploits/rpcHeap.txt
Packet Storm Web Site
09.16.ms03-039-exp.c
http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=09.16.ms03-039-exp.c&type=archives&%5Bsearch%5D.x=4&%5Bsearch%5D.y=4
Packet Storm Web Site
ms03-039-linux
http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=ms03-039-linux&type=archives&%5Bsearch%5D.x=14&%5Bsearch%5D.y=4
Microsoft Security Bulletin MS05-012
Vulnerability in OLE and COM Could Allow Remote Code Execution (873333)
http://www.microsoft.com/technet/security/bulletin/MS05-012.mspx
Microsoft Security Bulletin MS04-012
Cumulative Update for Microsoft RPC/DCOM (828741)
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
Microsoft Security Bulletin MS05-051
Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400)
http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx
Microsoft Security Bulletin MS04-029
Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service (873350)
http://www.microsoft.com/technet/security/bulletin/ms04-029.mspx
Microsoft Security Bulletin MS06-018
Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580)
http://www.microsoft.com/technet/security/Bulletin/MS06-018.mspx
ISS X-Force
Microsoft Windows RPCSS DCOM buffer overflows
http://www.iss.net/security_center/static/13129.php
CVE
CVE-2003-0715
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0715