Multiple Vulnerabilities in Microsoft RPC Service

	Internet Security Systems Security Alert
September 10, 2003

Synopsis:

Microsoft has released a security bulletin (MS03-039) detailing three
distinct vulnerabilities in the Windows RPC (Remote Procedure Call)
functionality. One of the vulnerabilities disclosed is a denial of
service condition, or DoS. The additional two vulnerabilities are buffer
overflow vulnerabilities, and are significantly more serious in nature.

Impact:

The flaws described in this advisory are similar in nature and scope to
the flaw described in Microsoft Security Bulletin MS03-026 and in the ISS
Security Alert titled "Flaw in Microsoft Windows RPC Implementation".
The new DoS vulnerability was disclosed by a hacking group in China on
July 25, 2003, and functional exploit code is already in use on the
Internet. The additional two new issues may allow remote attackers to
compromise and gain complete control of vulnerable systems. 

The MS Blast and Nachi worms propagated via the vulnerabilities disclosed
in MS03-026, and X-Force believes that there is significant potential for
the creation and propagation of a serious Internet worm that exploits one
or both of the newly disclosed RPC vulnerabilities.

Affected Versions:

Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Server 4.0
Microsoft Windows NT Server 4.0, Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003

Description:

Microsoft has identified three serious vulnerabilities in the RPC DCOM
(Distributed Component Object Model) activation functionality. These
routines are designed to enable DCOM messages to traverse the network
using RPC. Many Microsoft applications and services rely on communicating
in a distributed fashion using DCOM and RPC. It is important to note that
the issues described in this advisory are not the same as the issues
described in MS03-026 that related to the RPC Endpoint Mapper.

The RPC DCOM service may be accessible via several different ports over
TCP or UDP. The most logical attack vector to exploit is TCP port 135.
However, Microsoft has reported that the vulnerabilities may be exploited
via UDP ports 135, 137, 138, 445 and TCP ports 135, 139, 445, 593.
Microsoft has also reported that COM Internet Service (CIS) may be
vulnerable over port 80 and port 443 if CIS is enabled. More information
about CIS is available in the corresponding Microsoft Security Bulletin
MS03-039.

Recommendations:

For identification of potentially vulnerable systems, Internet Security Systems
has provided the following assessment checks: 

Internet Scanner XPU 7.7/6.36 WinRpcssDcomBo - 
 (http://xforce.iss.net/xforce/xfdb/13129) 

Internet Scanner XPU 7.7/6.36 WinMs03039Patch - 
(http://xforce.iss.net/xforce/xfdb/13134) 

System Scanner SR 3.20 win-ms03039-patch - 
(http://xforce.iss.net/xforce/xfdb/13134) 

For Dynamic Threat Protection, Internet Security Systems recommends applying a
Virtual Patch for the Microsoft RPC vulnerability. Employ the following protection
techniques through ISS' Dynamic Threat Protection platform. The following updates
have already been made available.

RealSecure Network 5.16 MSRPC_RemoteActivate_Bo - 
(http://xforce.iss.net/xforce/xfdb/12629) - released 8/12/03

RealSecure Network/Proventia A Series XPU 21.2 MSRPC_RemoteActivate_Bo - 
(http://xforce.iss.net/xforce/xfdb/12629) 

RealSecure Network/Proventia A Series XPU 21.2 and RealSecure Network 5.18 
MSRPC_RemoteActivate_Path_BO - (http://xforce.iss.net/xforce/xfdb/13129) 

RealSecure Network/Proventia A Series XPU 20.19 DCOM_RemoteGetClassObject_DoS -
(http://xforce.iss.net/xforce/xfdb/12679) - released 08/12/03

RealSecure Server XPU 20.16 MSRPC_RemoteActivate_Bo - 
(http://xforce.iss.net/xforce/xfdb/12629) - released 07/18/03

RealSecure Server XPU 21.1 MSRPC_RemoteActivate_Path_BO - 
(http://xforce.iss.net/xforce/xfdb/13129) 

RealSecure Server XPU 20.19 DCOM_RemoteGetClassObject_DoS -
(http://xforce.iss.net/xforce/xfdb/12679) - released 08/22/03

RealSecure Server XPU 21.3 contains an updated blocking driver
to provide additional protection.

RealSecure Guard, Sentry and Desktop 3.6 ebu
MSRPC_RemoteActivate_Bo - (http://xforce.iss.net/xforce/xfdb/12629)
MSRPC_RemoteActivate_Path_BO - (http://xforce.iss.net/xforce/xfdb/13129) 
DCOM_RemoteGetClassObject_DoS
- (http://xforce.iss.net/xforce/xfdb/12679) 

RealSecure Desktop 7.0 ebc
MSRPC_RemoteActivate_Bo - (http://xforce.iss.net/xforce/xfdb/12629)
MSRPC_RemoteActivate_Path_BO - (http://xforce.iss.net/xforce/xfdb/13129) 
DCOM_RemoteGetClassObject_DoS
- (http://xforce.iss.net/xforce/xfdb/12679) 


All updates listed above are available from the ISS Download center
(http://www.iss.net/download) 

For Manual Protection, ISS and Microsoft have offered the following recommendations: 

Microsoft has released patches to address the vulnerabilities described
in this bulletin. The new patches supersede the patches associated with
Microsoft Security Bulletin MS03-026. Please refer to Microsoft Security
Bulletin MS03-039 for more information.

X-Force recommends that network administrators assess external exposure
to vulnerabilities associated with Microsoft services running on ports
135, 137, 138, 139, 445, 593 on both the network perimeter and VPN
connections. Modern Internet worms have demonstrated that strong filtering
policies at the perimeter have not stopped worms if weaker policies were
employed to protect VPN networks.
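The exposure assessment recommended above can be automated against a firewall policy. The following is an added example (not ISS code and not part of the original alert) that audits a simplified, first-match-wins ruleset for the RPC/DCOM ports named in this alert on both the Internet-facing and VPN ingress zones, and optionally flags TCP 80/443 when CIS is enabled. The rule format, the zone names and the sample policy are constructed for illustration.

```python
"""Audit a simplified firewall policy for exposure of the Windows RPC/DCOM
ports listed in the MS03-039 alert, on perimeter and VPN ingress alike.

Rule format (constructed for this example, one rule per line, first match wins):
    <zone> <proto|any> <dport|any> <allow|deny>
"""
from dataclasses import dataclass

# Ports named in the alert. TCP 80/443 (COM Internet Services) are checked
# only when the caller says CIS is enabled, since those ports are normally open.
RPC_PORTS = {
    "tcp": {135, 139, 445, 593},
    "udp": {135, 137, 138, 445},
}
CIS_PORTS = {80, 443}

@dataclass
class Rule:
    zone: str    # ingress zone, e.g. "internet", "vpn", "lan"
    proto: str   # "tcp", "udp" or "any"
    dport: object  # int or "any"
    action: str  # "allow" or "deny"

def parse_rules(text):
    """Parse the constructed rule format; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        zone, proto, port, action = line.split()
        dport = "any" if port == "any" else int(port)
        rules.append(Rule(zone, proto.lower(), dport, action.lower()))
    return rules

def first_match(rules, zone, proto, port):
    """Return the action of the first matching rule; default deny if none matches."""
    for r in rules:
        if r.zone == zone and r.proto in (proto, "any") and r.dport in (port, "any"):
            return r.action
    return "deny"

def find_exposures(rules, untrusted_zones=("internet", "vpn"), cis_enabled=False):
    """List (zone, proto, port) tuples where an RPC/DCOM port is reachable
    from an untrusted ingress zone."""
    findings = []
    for zone in untrusted_zones:
        for proto, ports in RPC_PORTS.items():
            for port in sorted(ports):
                if first_match(rules, zone, proto, port) == "allow":
                    findings.append((zone, proto, port))
        if cis_enabled:
            for port in sorted(CIS_PORTS):
                if first_match(rules, zone, "tcp", port) == "allow":
                    findings.append((zone, "tcp", port))
    return findings

# Constructed sample policy: the perimeter blocks the RPC ports, but the VPN
# zone allows everything, which is exactly the gap the alert warns about.
SAMPLE_POLICY = """
# zone     proto dport action
internet   tcp   135   deny
internet   tcp   139   deny
internet   tcp   445   deny
internet   tcp   593   deny
internet   udp   any   deny
internet   tcp   any   allow
vpn        any   any   allow
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_POLICY)
    for zone, proto, port in find_exposures(rules):
        print(f"EXPOSED: {proto}/{port} reachable from zone '{zone}'")
```

Running the sample reports no perimeter exposure but eight VPN findings (TCP 135, 139, 445, 593 and UDP 135, 137, 138, 445), the perimeter-strong/VPN-weak pattern the alert describes. Real policies will need a parser for the vendor's own rule syntax; the point of the check is that the same port list is evaluated for every ingress zone, not only the Internet edge.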

Additional Information:

ISS has produced a command-line tool that scans for systems that 
might be vulnerable to the MS03-039 RPC DCOM Vulnerability.  That tool 
is available on our website at: 


The Common Vulnerabilities and Exposures (CVE) project has assigned the 
following names to these issues. These are candidates for inclusion in the 
CVE list (http://cve.mitre.org), which standardizes names for security problems.

CAN-2003-0528 RPCSS DCOM long filename buffer overflow 
CAN-2003-0605 RPC DCOM Endpoint Mapper denial of service
CAN-2003-0715 DCERPC DCOM buffer overflow

Microsoft Security Bulletin MS03-039
http://www.microsoft.com/technet/security/bulletin/MS03-039.asp

ISS Security Advisory, Flaw in Microsoft Windows RPC Implementation
http://xforce.iss.net/xforce/alerts/id/147

Microsoft Security Bulletin MS03-026
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

ISS X-Force Database
http://xforce.iss.net/xforce/xfdb/12629
http://xforce.iss.net/xforce/xfdb/12679
http://xforce.iss.net/xforce/xfdb/13129
http://xforce.iss.net/xforce/xfdb/13134
______

About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved
worldwide.

This document is not to be edited or altered in any way without the
express written consent of Internet Security Systems, Inc. If you wish
to reprint the whole or any part of this document, please email
xforce@iss.net for permission. You may provide links to this document
from your web site, and you may make copies of this document in
accordance with the fair use doctrine of the U.S. copyright laws. 

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at http://www.iss.net/security_center/sensitive.php
Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.