[NEWS] Buffer Overrun In RPCSS Service Could Allow Code Execution

From: SecuriTeam (support_at_securiteam.com)
Date: 09/11/03

    To: list@securiteam.com
    Date: 11 Sep 2003 17:03:26 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Buffer Overrun In RPCSS Service Could Allow Code Execution
    ------------------------------------------------------------------------

    SUMMARY

    Remote Procedure Call (RPC) is a protocol used by the Windows operating
    system.
    RPC provides an inter-process communication mechanism that allows a
    program running on one computer to seamlessly access services on another
    computer.
    The protocol itself is derived from the Open Software Foundation (OSF) RPC
    protocol, but with the addition of some Microsoft specific extensions.

    There are three newly identified vulnerabilities in the part of the RPCSS
    Service that deals with RPC messages for DCOM activation: two that could
    allow arbitrary code execution and one that could result in a denial of
    service.
    The flaws result from incorrect handling of malformed messages. These
    particular vulnerabilities affect the Distributed Component Object Model
    (DCOM) interface within the RPCSS Service.
    This interface handles DCOM object activation requests that are sent from
    one machine to another.

    DETAILS

    Vulnerable Systems:
     * Microsoft Windows NT Workstation 4.0
     * Microsoft Windows NT Server® 4.0
     * Microsoft Windows NT Server 4.0, Terminal Server Edition
     * Microsoft Windows 2000
     * Microsoft Windows XP
     * Microsoft Windows Server 2003

    Immune Systems:
     * Microsoft Windows Millennium Edition

    An attacker who successfully exploited these vulnerabilities could be able
    to run code with Local System privileges on an affected system, or could
    cause the RPCSS Service to fail. The attacker could then be able to take
    any action on the system, including installing programs, viewing, changing
    or deleting data, or creating new accounts with full privileges.

    To exploit these vulnerabilities, an attacker could create a program to
    send a malformed RPC message to a vulnerable system targeting the RPCSS
    Service.

    Mitigating factors:
    Firewall best practices and standard default firewall configurations can
    help protect networks from remote attacks originating outside of the
    enterprise perimeter.
    Best practices recommend blocking all ports that are not actually being
    used. For this reason, most systems attached to the Internet should have a
    minimal number of the affected ports exposed.
    For more information about the ports used by RPC, visit the following
    Microsoft Web site:
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/tcpip/part4/tcpappc.asp

    CVE Information:
    Buffer Overrun: CAN-2003-0715
    Buffer Overrun: CAN-2003-0528
    Denial of Service: CAN-2003-0605

    Frequently asked questions
    Security Bulletin MS03-026 also involved RPC. Does this patch supersede
    the one provided with that bulletin?
    Yes. The security patch provided with this bulletin fully supersedes the
    patch provided in MS03-026, as well as the one provided in MS01-048.

    What's the scope of the vulnerability?
    There are three different vulnerabilities discussed in this bulletin. The
    first two are buffer overrun vulnerabilities, while the third is a denial
    of service vulnerability. An attacker who successfully exploited either of
    the buffer overrun vulnerabilities could gain complete control over a
    remote computer. This would give the attacker the ability to take any
    action that they wanted on the system, including changing Web pages,
    reformatting the hard disk or adding new users to the local administrators
    group.
    An attacker who successfully exploited the denial of service vulnerability
    could cause the RPC Service to hang and become unresponsive.
    To carry out such an attack, an attacker would need to be able to send a
    malformed message to the RPCSS service and thereby cause the target system
    to fail in such a way that arbitrary code could be executed.

    What causes these vulnerabilities?
    The vulnerabilities result because the Windows RPCSS service does not
    properly check message inputs under certain circumstances.
    After establishing a connection, an attacker could send a specially
    crafted malformed RPC message to cause the underlying Distributed
    Component Object Model (DCOM) activation infrastructure in the RPCSS
    Service on the remote system to fail in such a way that arbitrary code
    could be executed.

    What is DCOM?
    The Distributed Component Object Model (DCOM) is a protocol that enables
    software components to communicate directly over a network.
    Previously called "Network OLE," DCOM is designed for use across multiple
    network transports, including Internet protocols such as HTTP.
    For more information about DCOM visit the following Web site:
    http://www.microsoft.com/com/tech/dcom.asp

    What is Remote Procedure Call (RPC)?
    Remote Procedure Call (RPC) is a protocol that a program can use to
    request a service from a program located on another computer in a network.
    RPC helps with interoperability because the program using RPC does not
    have to understand the network protocols that are supporting
    communication. In RPC, the requesting program is the client and the
    service-providing program is the server.

    What is COM Internet Services (CIS) and RPC over HTTP?
    RPC over HTTP - v1 (Windows NT 4.0, Windows 2000) and v2 (Windows XP,
    Windows Server 2003) introduce support for a new RPC transport protocol
    that allows RPC to operate over TCP ports 80 and 443 (v2 only).
    This allows a client and a server to communicate in the presence of most
    proxy servers and firewalls.
    COM Internet Services (CIS) allows DCOM to use RPC over HTTP to
    communicate between DCOM clients and DCOM servers.
    More information on "RPC over HTTP" for Windows Server 2003 can be found
    at the following URL:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/remote_procedure_calls_using_rpc_over_http.asp
    More information on COM Internet Services (sometimes referred to as CIS)
    can be found at the following URL:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/cis.asp

    How do I know if I have COM Internet Services (CIS) or RPC over HTTP
    installed?
    To determine whether a server has COM Internet Services or RPC over HTTP
    installed follow the steps below:

     * On Windows NT 4.0 systems with the Windows NT Option Pack installed:
       search all partitions for "rpcproxy.dll". If "rpcproxy.dll" is found on
       the server, COM Internet Services is installed.
     * On Windows 2000 and Windows Server 2003 servers: in Control Panel,
       double-click Add/Remove Programs, and then double-click Add/Remove
       Windows Components. The Windows Components Wizard starts. Click
       Networking Services, and then click Details. If the COM Internet
       Services Proxy (for Windows 2000 Server) or the RPC over HTTP Proxy
       (for Windows Server 2003) check box is selected, CIS or RPC over HTTP
       support is enabled on the server.

    Note: You can also search for "rpcproxy.dll" on Windows 2000 and Windows
    Server 2003 installations if you want to remotely or programmatically
    determine if CIS or RPC over HTTP is installed.

    To search for a specific file on your computer: click Start, click Search,
    click For Files or Folders, and then type the name of the file that you
    want to search for.
    The search may take several minutes, depending on the size of your hard
    disk.

    What's wrong with the RPCSS Service?
    There is a flaw in the RPCSS Service that deals with DCOM activation. A
    failure results because of incorrect handling of malformed messages. This
    particular failure affects the underlying RPCSS Service used for DCOM
    activation, which listens on UDP ports 135, 137, 138, 445 and TCP ports
    135, 139, 445, 593. Additionally, it can listen on ports 80 and 443 if CIS
    or RPC over HTTP is enabled.
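    As an added example (not part of the Microsoft bulletin or the SecuriTeam post), the following Python script maps a host's `netstat -an` output onto the port list above, so an administrator can see which RPCSS/DCOM endpoints are actually reachable on a machine that has not yet been patched. The netstat text is a constructed sample, and the CIS/RPC over HTTP flag is an assumption the caller must supply, because netstat alone cannot distinguish a plain web server on port 80 from an RPC proxy on that port.

```python
import re

# Ports the advisory lists for the RPCSS service's DCOM activation listener.
RPCSS_TCP_PORTS = {135, 139, 445, 593}
RPCSS_UDP_PORTS = {135, 137, 138, 445}
# Ports RPCSS additionally uses when CIS / RPC over HTTP is enabled.
RPC_OVER_HTTP_PORTS = {80, 443}

# Matches socket lines of Windows "netstat -an" output, e.g.
#   TCP    0.0.0.0:135     0.0.0.0:0     LISTENING
#   UDP    0.0.0.0:135     *:*
_SOCKET_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Constructed sample output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3389          10.0.0.9:1042          ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:445            *:*
  UDP    10.0.0.5:137           *:*
  UDP    10.0.0.5:138           *:*
"""


def parse_listening(netstat_text):
    """Return the set of (proto, port) sockets that accept unsolicited input.

    Only TCP sockets in LISTENING state count; every bound UDP socket counts,
    because UDP has no connection state to filter on.
    """
    listening = set()
    for line in netstat_text.splitlines():
        m = _SOCKET_LINE.match(line)
        if not m:
            continue
        proto, _local, port, _remote, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listening.add((proto, int(port)))
    return listening


def exposed_rpcss_ports(listening, cis_or_rpc_over_http_enabled=False):
    """Intersect the listening set with the advisory's affected ports.

    Ports 80/443 are counted only when the caller states that CIS or
    RPC over HTTP is enabled (assumption supplied by the caller): a plain
    web server on those ports does not route requests to RPCSS.
    Returns a sorted list of (proto, port).
    """
    affected = {("TCP", p) for p in RPCSS_TCP_PORTS}
    affected |= {("UDP", p) for p in RPCSS_UDP_PORTS}
    if cis_or_rpc_over_http_enabled:
        affected |= {("TCP", p) for p in RPC_OVER_HTTP_PORTS}
    return sorted(listening & affected)


if __name__ == "__main__":
    exposed = exposed_rpcss_ports(parse_listening(SAMPLE_NETSTAT))
    for proto, port in exposed:
        print(f"{proto}/{port} is listening and is an MS03-039 affected port")
```

    Run it against the saved output of `netstat -an` from each machine being inventoried; every pair it prints is a port that the firewall or IPSec workarounds below must cover until the patch is installed. Sockets bound to 0.0.0.0 accept connections on every interface, which is why the sample treats them the same as those bound to a specific address.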

    By sending a malformed RPC message, an attacker could cause the RPCSS
    Service on a system to fail in such a way that arbitrary code could be
    executed.

    Is this a flaw in the RPC Endpoint Mapper?
    No. Although the RPC endpoint mapper shares the RPCSS service with the
    DCOM infrastructure, the flaw actually occurs in the DCOM Activation
    infrastructure. The RPC endpoint mapper allows RPC clients to determine
    the port number currently assigned to a particular RPC service. An
    endpoint is a protocol-specific identifier of a service on a host machine.
    For protocols like TCP or UDP, this is a port. For named pipes, it is a
    named pipe name. Other protocols use other protocol specific endpoints.

    What could these vulnerabilities enable an attacker to do?
    An attacker who successfully exploited the buffer overrun vulnerabilities
    could be able to run code with Local System privileges on an affected
    system. The attacker could be able to take any action on the system,
    including installing programs, viewing, changing or deleting data, or
    creating new accounts with full privileges.

    An attacker who successfully exploited the denial of service vulnerability
    could cause the RPCSS Service to hang and become unresponsive.

    How could an attacker exploit these vulnerabilities?
    An attacker could seek to exploit these vulnerabilities by creating a
    program that could communicate with a vulnerable server over an affected
    TCP/UDP port to send a specific kind of malformed RPC message. Receipt of
    such a message could cause the RPCSS service on the vulnerable system to
    fail in such a way that it could execute arbitrary code.

    It could also be possible to access the affected component through another
    vector, such as one that would involve logging onto the system
    interactively or by using another application that passed parameters to
    the vulnerable component, locally or remotely.

    Who could exploit these vulnerabilities?
    Any user who could deliver a malformed RPC message to the RPCSS Service on
    an affected system could attempt to exploit these vulnerabilities. Because
    the RPCSS Service is on by default in all versions of Windows, this in
    essence means that any user who could establish a connection with an
    affected system could attempt to exploit these vulnerabilities.

    I'm still using Microsoft Windows NT 4.0 Workstation, but it is no longer
    in support. However, this bulletin has a patch. Why is that?
    Windows NT 4.0 Workstation has reached its end of life as previously
    documented and Microsoft is not normally providing generally available
    patches. However, due to the nature of this vulnerability, the fact that
    the end-of-life occurred very recently, and the number of Windows NT 4.0
    Workstations currently in active use, Microsoft has decided to make an
    exception for this vulnerability.
    We do not anticipate doing this for future vulnerabilities, but reserve
    the right to produce and make available patches when necessary. It should
    be a priority for customers with existing Windows NT 4.0 Workstations to
    migrate those to supported platforms to prevent exposure to future
    vulnerabilities.

    Additional information about the Windows Desktop Product Life Cycle
    Support is available at:
    http://microsoft.com/windows/lifecycle/desktop/consumer/components.mspx

    I'm still using Microsoft Windows 2000 Service Pack 2, but it is no
    longer in support. However, this bulletin has a patch that will install on
    Service Pack 2. Why is that?
    Windows 2000 Service Pack 2 has reached its end of life as previously
    documented and Microsoft is not normally providing generally available
    patches. However, due to the nature of this vulnerability, the fact that
    the end-of-life occurred very recently, and the number of customers
    currently running Windows 2000 Service Pack 2, Microsoft has decided to
    make an exception for this vulnerability.
    We do not anticipate doing this for future vulnerabilities, but reserve
    the right to produce and make available patches when necessary. It should
    be a priority for customers with existing Windows 2000 Service Pack 2
    systems to migrate those to supported platforms to prevent exposure to
    future vulnerabilities.

    Additional information about the Windows Desktop Product Life Cycle
    Support is available at:
    http://microsoft.com/windows/lifecycle/desktop/consumer/components.mspx

    Are there any tools I can use to detect systems on my network that do not
    have the MS03-039 patch installed?

    Yes. Microsoft has released a tool that can be used to scan a network for
    the presence of systems which have not had the MS03-039 patch installed.
    More details on this tool are available in Microsoft Knowledge Base
    article 827363.

    What does the patch do?
    The patch corrects the vulnerability by altering the DCOM implementation
    to properly check the information passed to it.

    Workarounds:

    Are there any workarounds that can be used to help block exploitation of
    this vulnerability while I am testing or evaluating the patch?
    Yes. Although Microsoft urges all customers to apply the patch at the
    earliest possible opportunity, there are a number of workarounds that can
    be applied to help prevent the vector used to exploit this vulnerability
    in the interim.
    There is no guarantee that the workarounds will block all possible attack
    vectors.

    It should be noted that these workarounds should be considered temporary
    measures as they just help block paths of attack rather than correcting
    the underlying vulnerability.

     * Block UDP ports 135, 137, 138, 445 and TCP ports 135, 139, 445, 593 at
    your firewall and disable COM Internet Services (CIS) and RPC over HTTP,
    which listen on ports 80 and 443, on the affected systems.
    These ports are used to initiate an RPC connection with a remote computer.
    Blocking them at the firewall will help prevent systems behind that
    firewall from being attacked by attempts to exploit these vulnerabilities.

    You should also be sure to block any other specifically configured RPC
    port on the remote machine.
    If enabled, CIS and RPC over HTTP allow DCOM calls to operate over TCP
    ports 80 (and 443 on XP and Windows Server 2003). Make sure that CIS and
    RPC over HTTP are disabled on all the affected systems.
    More information on how to disable CIS can be found in Microsoft Knowledge
    Base Article 825819 (http://support.microsoft.com/default.aspx?scid=kb;en-us;825819).
    For information regarding RPC over HTTP, see
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/rpc_over_http_security.asp
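    The following is an added example, not from the advisory: a small log-review routine that checks whether the firewall workaround above is actually in force. It reads firewall records in a constructed "timestamp key=value ..." format (adapt `parse_record` to your product's log format), treats the RFC 1918 ranges as the enterprise interior (an assumption), and reports accepted connections from outside to any affected port as a rule gap and dropped ones as blocked probes. Ports 80 and 443 are included only when the caller states that CIS or RPC over HTTP is enabled on the protected hosts.

```python
import ipaddress

# (proto, port) pairs the advisory says must be blocked at the perimeter.
AFFECTED_PORTS = {
    ("TCP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 593),
    ("UDP", 135), ("UDP", 137), ("UDP", 138), ("UDP", 445),
}
# Only relevant when CIS / RPC over HTTP is enabled on the protected hosts.
RPC_OVER_HTTP_PORTS = {("TCP", 80), ("TCP", 443)}

# Assumption: the enterprise interior is the RFC 1918 space; adjust as needed.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

REQUIRED_FIELDS = ("action", "proto", "src", "dst", "dport")

# Constructed firewall records in a generic "timestamp key=value ..." form;
# the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    "2003-09-11T17:03:26 action=ACCEPT proto=TCP src=203.0.113.7 dst=10.0.0.5 dport=135",
    "2003-09-11T17:03:27 action=DROP proto=TCP src=203.0.113.7 dst=10.0.0.5 dport=445",
    "2003-09-11T17:03:28 action=ACCEPT proto=TCP src=10.0.0.9 dst=10.0.0.5 dport=135",
    "2003-09-11T17:04:01 action=ACCEPT proto=TCP src=198.51.100.4 dst=10.0.0.5 dport=80",
    "2003-09-11T17:04:02 action=ACCEPT proto=UDP src=198.51.100.4 dst=10.0.0.5 dport=137",
    "2003-09-11T17:04:03 action=ACCEPT proto=TCP src=198.51.100.4 dst=10.0.0.5 dport=25",
    "garbage line without fields",
]


def parse_record(line):
    """Parse one 'timestamp key=value ...' line; return None if unusable."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"ts": parts[0]}
    for field in parts[1:]:
        key, sep, value = field.partition("=")
        if sep:
            rec[key] = value
    if any(k not in rec for k in REQUIRED_FIELDS):
        return None
    try:
        rec["dport"] = int(rec["dport"])
        rec["src_ip"] = ipaddress.ip_address(rec["src"])
    except ValueError:
        return None
    return rec


def is_internal(ip, nets=INTERNAL_NETS):
    """True if the address falls inside one of the interior prefixes."""
    return any(ip in net for net in nets)


def review_rpc_traffic(lines, rpc_over_http_enabled=False, nets=INTERNAL_NETS):
    """Classify external traffic to the affected ports.

    Returns {"gaps": [...], "blocked": [...]}, each entry being
    (ts, src, proto, dport). A gap is an ACCEPTed packet from outside the
    interior to an affected port, i.e. the workaround is not in force for
    that path; anything else to those ports from outside is a blocked probe.
    """
    affected = set(AFFECTED_PORTS)
    if rpc_over_http_enabled:
        affected |= RPC_OVER_HTTP_PORTS
    result = {"gaps": [], "blocked": []}
    for line in lines:
        rec = parse_record(line)
        if rec is None or is_internal(rec["src_ip"], nets):
            continue
        key = (rec["proto"].upper(), rec["dport"])
        if key not in affected:
            continue
        entry = (rec["ts"], rec["src"], key[0], key[1])
        bucket = "gaps" if rec["action"].upper() == "ACCEPT" else "blocked"
        result[bucket].append(entry)
    return result


if __name__ == "__main__":
    report = review_rpc_traffic(SAMPLE_LOG)
    for ts, src, proto, port in report["gaps"]:
        print(f"GAP     {ts} {src} -> {proto}/{port} accepted from outside")
    for ts, src, proto, port in report["blocked"]:
        print(f"blocked {ts} {src} -> {proto}/{port}")
```

    Internal-to-internal traffic on these ports is deliberately not reported: the perimeter workaround does not claim to cover it, which is why the advisory also lists host-level options (Internet Connection Firewall, IPSec filters, disabling DCOM) for machines that can be reached from inside the network.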

     * Use a personal firewall such as Internet Connection Firewall (only
    available on XP and Windows Server 2003) and disable COM Internet Services
    (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected
    machines, especially any machines that connect to a corporate network
    remotely using a VPN or similar.
    If you are using the Internet Connection Firewall in Windows XP or Windows
    Server 2003 to protect your Internet connection, it will by default block
    inbound RPC traffic from the Internet.
    Make sure that CIS and RPC over HTTP are disabled on all affected
    machines.

    More information on how to disable CIS can be found in Microsoft Knowledge
    Base Article 825819 (http://support.microsoft.com/default.aspx?scid=kb;en-us;825819).
    For information regarding RPC over HTTP, see
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/rpc_over_http_security.asp

     * Block the affected ports using an IPSEC filter and disable COM Internet
    Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the
    affected machines.
    You can secure network communications on Windows 2000-based computers if
    you use Internet Protocol Security (IPSec). Detailed information on IPSec
    and how to apply filters can be found in Microsoft Knowledge Base Article
    313190 and 813878. Make sure that CIS and RPC over HTTP are disabled on
    all affected machines.

    More information on how to disable CIS can be found in Microsoft Knowledge
    Base Article 825819 (http://support.microsoft.com/default.aspx?scid=kb;en-us;825819).

    For information regarding RPC over HTTP, see
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/rpc_over_http_security.asp

     * Disable DCOM on all affected machines

    When a computer is part of a network, the DCOM wire protocol enables COM
    objects on that computer to communicate with COM objects on other
    computers.
    You can disable DCOM for a particular computer to help protect against
    this vulnerability, but doing so will disable all communication between
    objects on that computer and objects on other computers.

    If you disable DCOM on a remote computer, you will not be able to remotely
    access that computer afterwards to re-enable DCOM.
    To re-enable DCOM, you will need physical access to that computer.

    Information on how to disable DCOM is available in Microsoft Knowledge
    Base Article 825750 (http://support.microsoft.com/default.aspx?scid=kb;en-us;825750).

    Note: For Windows 2000, the methods described above will only work on
    systems running Service Pack 3 or later.
    Customers using Service Pack 2 or below should upgrade to a later Service
    Pack or use one of the other workarounds.

    Patch availability
    Download locations for this patch
     * Windows NT Workstation 4.0:
       http://www.microsoft.com/downloads/details.aspx?FamilyId=7EABAD74-9CA9-48F4-8DB5-CF8C188879DA&displaylang=en
     * Windows NT Server 4.0:
       http://www.microsoft.com/downloads/details.aspx?FamilyId=71B6135C-F957-4702-B376-2DACCE773DC0&displaylang=en
     * Windows NT Server 4.0, Terminal Server Edition:
       http://www.microsoft.com/downloads/details.aspx?FamilyId=677229F8-FBBF-4FF4-A2E9-506D17BB883F&displaylang=en
     * Windows 2000:
       http://www.microsoft.com/downloads/details.aspx?FamilyId=F4F66D56-E7CE-44C3-8B94-817EA8485DD1&displaylang=en
     * Windows XP:
       http://www.microsoft.com/downloads/details.aspx?FamilyId=5FA055AE-A1BA-4D4A-B424-95D32CFC8CBA&displaylang=en
     * Windows XP 64 bit Edition:
       http://www.microsoft.com/downloads/details.aspx?FamilyId=50E4FB51-4E15-4A34-9DC3-7053EC206D65&displaylang=en
     * Windows XP 64 bit Edition Version 2003:
       http://www.microsoft.com/downloads/details.aspx?FamilyId=80AB25B3-E387-441F-9B6D-84106F66059B&displaylang=en
     * Windows Server 2003:
       http://www.microsoft.com/downloads/details.aspx?FamilyId=51184D09-4F7E-4F7B-87A4-C208E9BA4787&displaylang=en
     * Windows Server 2003 64 bit Edition:
       http://www.microsoft.com/downloads/details.aspx?FamilyId=80AB25B3-E387-441F-9B6D-84106F66059B&displaylang=en

    ADDITIONAL INFORMATION

    Vulnerabilities discovered by: eEye Digital Security
    (http://www.eeye.com/html), NSFOCUS Security Team (http://www.nsfocus.com),
    and Xue Yong Zhi and Renaud Deraison from Tenable Network Security
    (http://www.tenablesecurity.com).
    The original article can be found at:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-039.asp

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

