NSFOCUS SA2003-06 : Microsoft Windows RPC DCOM Interface Heap Overflow Vulnerability
From: NSFOCUS Security Team (security_at_NSFOCUS.COM)
Date: 09/11/03
- Previous message: intel96: "DCOM/RPC Research Paper"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 11 Sep 2003 09:51:00 +0800 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NSFOCUS Security Advisory(SA2003-06)
Topic: Microsoft Windows RPC DCOM Interface Heap Overflow Vulnerability
Release Date: 2003-09-11
CVE CAN ID: CAN-2003-0528
http://www.nsfocus.com/english/homepage/research/0306.htm
Affected system:
===================
- - Microsoft Windows NT
- - Microsoft Windows XP
- - Microsoft Windows 2000
- - Microsoft Windows 2003
Unaffected system:
======================
- - Microsoft Windows 98
Summary:
=========
NSFOCUS Security Team has found a remote exploitable buffer overflow
vulnerability in the RPC DCOM interface of Microsoft Windows system.
By exploiting the vulnerability remote attackers could gain local
system privilege.
Description:
============
Remote Procedure Call (RPC) is a protocol used by the Windows operating
system. RPC provides an inter-process communication mechanism that allows a
program running on one computer to seamlessly execute code on a remote system.
The protocol itself is derived from the Open Software Foundation (OSF) RPC
protocol, but with the addition of some Microsoft specific extensions.
There is a buffer overflow vulnerability in Windows RPC Distributed Component
Object Model (DCOM) interface handling. Windows DCOM implementation doesn't
carry out any length check when handling a filename parameter. By passing an
over-large parameter (several hundred bytes) attackers can cause a heap
overflow and crash the RpcSS service. The carefully crafted data then can run
arbitrary code on the system with Local System privilege. Attackers could take
any action on the system, including installing programs, obtaining or deleting
data, or creating new accounts with total privilege.
This vulnerability can be exploited on 135(TCP/UDP), 139, 445, 593 and
other ports.
Note: This vulnerability is not the same one as described in MS03-026. The
patch provided by MS03-026 (Q823980) can not fix the vulnerability.
Workaround:
=============
* Block at least the following ports at firewall:
135/UDP
137/UDP
138/UDP
445/UDP
135/TCP
139/TCP
445/TCP
593/TCP
Disable COM Internet Services (CIS) and RPC over HTTP.
* If you can not block the above ports for some reasons, you can temporarily
disable DCOM:
Open "Control Panel"-->"Management Tools"-->"Component Services"
Click on the "Component Services"-->"Computers"-->"My Computer" on the
"Console Root", right click "My Computer" to choose the "Properties"
Choose the "Default Properties " tab, clear "Enable Distributed COM on
this Computer" check box.
Click OK and exit "Component Services".
Note: Disabling DCOM might cause some applications to fail and system
abnormality. Some important system services might fail to start.
Therefore NSFOCUS doesn't recommend such a method. You can block ports
at firewall as mentioned above to ensure the system security.
Vendor Status:
==============
2003.07.29 Informed the vendor
2003.07.30 Vendor confirmed the vulnerability
2003.09.10 Microsoft has issued a Security Bulletin(MS03-039) and the
related patch.
Detailed Microsoft Security Bulletin is available at:
http://www.microsoft.com/technet/security/bulletin/ms03-039.asp
Additional Information:
========================
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2003-0528 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems. Candidates may change significantly before they become official
CVE entries.
Acknowledgment
===============
Yuan Renguang of NSFOCUS Security Team found the vulnerability.
DISCLAIMS:
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.
Copyright 1999-2003 NSFOCUS. All Rights Reserved. Terms of use.
NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)
PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE/X9UE1794d8am9toRAg85AKCHlLlJeNblV1Ql5PZHDE9wMjJfWwCcC8vC
jlMuxCKpk8woaPiioqMVhLI=
=WNJM
-----END PGP SIGNATURE-----
---- Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER! With a growth rate exceeding 110%, the TICSA security practitioner certification is one of the hottest IT credentials available. And now, for a limited time, you can save 33% off of the TICSA certification exam! To learn more about the TICSA certification, and to register as a TICSA candidate online, just go to http://www.trusecure.com/offer/s0100/ ----
- Previous message: intel96: "DCOM/RPC Research Paper"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
