Alert: Microsoft Security Bulletin - MS03-026
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 07/16/03
- Previous message: Russ: "Re: SP4 problems with Captaris RightFax - Summary"
- Next in thread: Yaakov Yehudi: "Re: Alert: Microsoft Security Bulletin - MS03-026"
- Reply: Yaakov Yehudi: "Re: Alert: Microsoft Security Bulletin - MS03-026"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 16 Jul 2003 13:01:19 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
Originally posted: July 16, 2003
Summary
Who should read this bulletin: Users running Microsoft® Windows®
Impact of vulnerability: Run code of attacker's choice
Maximum Severity Rating: Critical
Recommendation: Systems administrators should apply the patch immediately
End User Bulletin: An end user version of this bulletin is available at:
http://www.microsoft.com/security/security_bulletins/ms03-026.asp.
Affected Software:
- Microsoft Windows NT® 4.0
- Microsoft Windows NT 4.0 Terminal Services Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server(tm) 2003
Not Affected Software:
- Microsoft Windows Millennium Edition
Technical description:
Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft-specific extensions.
There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. This interface handles DCOM object activation requests that are sent by client machines (such as Universal Naming Convention (UNC) paths) to the server. An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system. The attacker would be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.
To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on port 135.
Mitigating factors:
- To exploit this vulnerability, the attacker would require the ability to send a specially crafted request to port 135 on the remote machine. For intranet environments, this port would normally be accessible, but for Internet connected machines, the port 135 would normally be blocked by a firewall. In the case where this port is not blocked, or in an intranet configuration, the attacker would not require any additional privileges.
- Best practices recommend blocking all TCP/IP ports that are not actually being used. For this reason, most machines attached to the Internet should have port 135 blocked. RPC over TCP is not intended to be used in hostile environments such as the Internet. More robust protocols such as RPC over HTTP are provided for hostile environments.
To learn more about securing RPC for client and server please refer to http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/writing_a_secure_rpc_client_or_server.asp.
To learn more about the ports used by RPC, please refer to: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/tcpip/part4/tcpappc.asp
Vulnerability identifier: CAN-2003-0352
This email is sent to NTBugtraq automatically as a service to my subscribers. (v1.18)
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
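Added example (not part of the original bulletin or of this post): a check over firewall logs for the exposure described under "Mitigating factors", TCP port 135 reachable from outside the intranet. The log format, the sample lines and the definition of "intranet" (RFC 1918 ranges plus loopback) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample lines in a simplified, hypothetical log format:
# timestamp action protocol src-ip dst-ip src-port dst-port
SAMPLE_LOG = """\
2003-07-16T13:05:01 ALLOW TCP 10.1.4.22 10.1.0.5 1045 135
2003-07-16T13:05:09 DROP TCP 198.51.100.7 192.0.2.10 3921 135
2003-07-16T13:06:44 ALLOW TCP 203.0.113.50 192.0.2.10 4410 135
2003-07-16T13:07:02 ALLOW TCP 203.0.113.50 192.0.2.10 4411 80
2003-07-16T13:07:30 ALLOW UDP 203.0.113.9 192.0.2.10 5000 135
malformed line
"""

RPC_PORT = 135  # TCP port named in the bulletin

# Assumption: "intranet" means these ranges. An explicit list is used because
# ipaddress's is_private also covers ranges that are not internal networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(addr):
    """True if addr falls in one of the assumed intranet ranges."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    return any(ip in net for net in INTERNAL_NETS)


def audit_port_135(log_text):
    """Classify TCP/135 connections as 'exposed', 'blocked' or 'intranet'."""
    findings = {"exposed": [], "blocked": [], "intranet": []}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip malformed lines
        _, action, proto, src, dst, _, dport = fields
        if proto.upper() != "TCP" or dport != str(RPC_PORT):
            continue  # only TCP traffic to port 135 is relevant here
        try:
            if action.upper() != "ALLOW":
                kind = "blocked"
            elif is_internal(src):
                kind = "intranet"  # reachable by design; patching still applies
            else:
                kind = "exposed"   # permitted from outside: the firewall gap
        except ValueError:
            continue  # unparseable source address
        findings[kind].append((src, dst))
    return findings


if __name__ == "__main__":
    for kind, pairs in audit_port_135(SAMPLE_LOG).items():
        for src, dst in pairs:
            print(f"{kind}: {src} -> {dst}:{RPC_PORT}/tcp")
```

Hosts that appear under "exposed" are the ones where the firewall does not provide the mitigation the bulletin describes.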