-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NSFOCUS Security Advisory(SA2003-06) Topic: Microsoft Windows RPC DCOM Interface Heap Overflow Vulnerability Release Date: 2003-09-11 CVE CAN ID: CAN-2003-0528 http://www.nsfocus.com/english/homepage/research/0306.htm Affected system: =================== - - Microsoft Windows NT - - Microsoft Windows XP - - Microsoft Windows 2000 - - Microsoft Windows 2003 Unaffected system: ====================== - - Microsoft Windows 98 Summary: ========= NSFOCUS Security Team has found a remote exploitable buffer overflow vulnerability in the RPC DCOM interface of Microsoft Windows system. By exploiting the vulnerability remote attackers could gain local system privilege. Description: ============ Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions. There is a buffer overflow vulnerability in Windows RPC Distributed Component Object Model (DCOM) interface handling. Windows DCOM implementation doesn't carry out any length check when handling a filename parameter. By passing an over-large parameter (several hundred bytes) attackers can cause a heap overflow and crash the RpcSS service. The carefully crafted data then can run arbitrary code on the system with Local System privilege. Attackers could take any action on the system, including installing programs, obtaining or deleting data, or creating new accounts with total privilege. This vulnerability can be exploited on 135(TCP/UDP), 139, 445, 593 and other ports. Note: This vulnerability is not the same one as described in MS03-026. The patch provided by MS03-026 (Q823980) can not fix the vulnerability. Workaround: ============= * Block at least the following ports at firewall: 135/UDP 137/UDP 138/UDP 445/UDP 135/TCP 139/TCP 445/TCP 593/TCP Disable COM Internet Services (CIS) and RPC over HTTP. * If you can not block the above ports for some reasons, you can temporarily disable DCOM: Open "Control Panel"-->"Management Tools"-->"Component Services" Click on the "Component Services"-->"Computers"-->"My Computer" on the "Console Root", right click "My Computer" to choose the "Properties" Choose the "Default Properties " tab, clear "Enable Distributed COM on this Computer" check box. Click OK and exit "Component Services". Note: Disabling DCOM might cause some applications to fail and system abnormality. Some important system services might fail to start. Therefore NSFOCUS doesn't recommend such a method. You can block ports at firewall as mentioned above to ensure the system security. Vendor Status: ============== 2003.07.29 Informed the vendor 2003.07.30 Vendor confirmed the vulnerability 2003.09.10 Microsoft has issued a Security Bulletin(MS03-039) and the related patch. Detailed Microsoft Security Bulletin is available at: http://www.microsoft.com/technet/security/bulletin/ms03-039.asp Additional Information: ======================== The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2003-0528 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Candidates may change significantly before they become official CVE entries. Acknowledgment =============== Yuan Renguang of NSFOCUS Security Team found the vulnerability. DISCLAIMS: ========== THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY. Copyright 1999-2003 NSFOCUS. All Rights Reserved. Terms of use. NSFOCUS Security Team <securityat_private> NSFOCUS INFORMATION TECHNOLOGY CO.,LTD (http://www.nsfocus.com) PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE/X9UE1794d8am9toRAg85AKCHlLlJeNblV1Ql5PZHDE9wMjJfWwCcC8vC jlMuxCKpk8woaPiioqMVhLI= =WNJM -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Wed Sep 10 2003 - 20:24:15 PDT