CERT Advisory CA-2003-16 Buffer Overflow in Microsoft RPC

From: CERT Advisory (cert-advisory_at_cert.org)
Date: 07/17/03

  • Next message: CERT Advisory: "New information regarding CERT Advisory CA-2003-15"
    Date: Thu, 17 Jul 2003 01:14:07 -0400
    To: cert-advisory@cert.org


    CERT Advisory CA-2003-16 Buffer Overflow in Microsoft RPC

       Original release date: July 17, 2003
       Last revised: --
       Source: CERT/CC

       A complete revision history is at the end of this file.

    Systems Affected

         * Microsoft Windows NT 4.0
         * Microsoft Windows NT 4.0 Terminal Services Edition
         * Microsoft Windows 2000
         * Microsoft Windows XP
         * Microsoft Windows Server 2003


       A buffer overflow vulnerability exists in Microsoft's Remote Procedure
       Call (RPC) implementation. A remote attacker could exploit this
       vulnerability to execute arbitrary code or cause a denial of service.

    I. Description

       There is a buffer overflow in Microsoft's RPC implementation.
       According to Microsoft Security Bulletin MS03-026, "There is a
       vulnerability in the part of RPC that deals with message exchange over
       TCP/IP. The failure results because of incorrect handling of malformed
       messages. This particular vulnerability affects a Distributed
       Component Object Model (DCOM) interface with RPC, which listens on
       TCP/IP port 135. This interface handles DCOM object activation
       requests that are sent by client machines (such as Universal Naming
       Convention (UNC) paths) to the server."

       The CERT/CC is tracking this issue as VU#568148. This reference number
       corresponds to CVE candidate CAN-2003-0352.

    II. Impact

       A remote attacker could exploit this vulnerability to execute
       arbitrary code with Local System privileges or to cause a denial of

    III. Solution

    Apply a patch

       Apply the appropriate patch as specified by Microsoft Security
       Bulletin MS03-026.

    Restrict access

       You may wish to block access from outside your network perimeter,
       specifically by blocking access to port 135/TCP. This will limit your
       exposure to attacks. However, blocking at the network perimeter would
       still allow attackers within the perimeter of your network to exploit
       the vulnerability. It is important to understand your network's
       configuration and service requirements before deciding what changes
       are appropriate.

       This vulnerability was discovered by The Last Stage of Delirium
       Research Group. Microsoft has published Microsoft Security Bulletin
       MS03-026, upon which this document is largely based.

       Author: Ian A. Finlay

       This document is available from:

    CERT/CC Contact Information

       Email: cert@cert.org
              Phone: +1 412-268-7090 (24-hour hotline)
              Fax: +1 412-268-6989
              Postal address:
              CERT Coordination Center
              Software Engineering Institute
              Carnegie Mellon University
              Pittsburgh PA 15213-3890

       CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
       EDT(GMT-4) Monday through Friday; they are on call for emergencies
       during other hours, on U.S. holidays, and on weekends.

    Using encryption

       We strongly urge you to encrypt sensitive information sent by email.
       Our public PGP key is available from

       If you prefer to use DES, please call the CERT hotline for more

    Getting security information

       CERT publications and other security information are available from
       our web site

       To subscribe to the CERT mailing list for advisories and bulletins,
       send email to majordomo@cert.org. Please include in the body of your

       subscribe cert-advisory

       * "CERT" and "CERT Coordination Center" are registered in the U.S.
       Patent and Trademark Office.

       Any material furnished by Carnegie Mellon University and the Software
       Engineering Institute is furnished on an "as is" basis. Carnegie
       Mellon University makes no warranties of any kind, either expressed or
       implied as to any matter including, but not limited to, warranty of
       fitness for a particular purpose or merchantability, exclusivity or
       results obtained from use of the material. Carnegie Mellon University
       does not make any warranty of any kind with respect to freedom from
       patent, trademark, or copyright infringement.

       Conditions for use, disclaimers, and sponsorship information

       Copyright 2003 Carnegie Mellon University.

       Revision History
    July 17, 2003: Initial release

    Version: PGP 6.5.8

    -----END PGP SIGNATURE-----

  • Next message: CERT Advisory: "New information regarding CERT Advisory CA-2003-15"

    Relevant Pages