[NT] Vulnerability in RPC Runtime Library Allows Information Disclosure and DoS (MS04-029)

From: SecuriTeam (support_at_securiteam.com)
Date: 10/13/04

  • Next message: SecuriTeam: "[UNIX] Squid Web Proxy Cache Remote DoS" 
    To: list@securiteam.com
Date: 13 Oct 2004 15:25:48 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Vulnerability in RPC Runtime Library Allows Information Disclosure and DoS
    (MS04-029)
    ------------------------------------------------------------------------

    SUMMARY

    An information disclosure and denial of service vulnerability exists when
    the RPC Runtime Library processes specially crafted messages. An attacker
    who successfully exploited this vulnerability could potentially read
    portions of active memory or cause the affected system to stop responding.

    DETAILS

    Vulnerable Systems:
     * Microsoft Windows NT Server 4.0 Service Pack 6a -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=AE32474A-CB72-4044-B97F-A2BAD2CD5D97> Download the update

     * Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
    -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=80A543A6-9D5E-4954-80CD-F706F9B284BA> Download the update

    Immune Systems:
     * Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000
    Service Pack 4
     * Microsoft Windows XP and Microsoft Windows XP Service Pack 1
     * Microsoft Windows XP Service Pack 2
     * Microsoft Windows XP 64-Bit Edition Service Pack 1
     * Microsoft Windows XP 64-Bit Edition Version 2003
     * Microsoft Windows Server 2003
     * Microsoft Windows Server 2003 64-Bit Edition
     * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
    Microsoft Windows Millennium Edition (ME)

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0569>
    CAN-2004-0569

    Mitigating Factors for RPC Runtime Library Vulnerability
     * Firewall best practices and standard default firewall configurations
    can help protect networks from attacks that originate outside the
    enterprise perimeter. Best practices recommend that systems that are
    connected to the Internet have a minimal number of ports exposed.

    Workarounds for RPC Runtime Library Vulnerability
    Microsoft has tested the following workarounds. While these workarounds
    will not correct the underlying vulnerability, they help block known
    attack vectors. When a workaround reduces functionality, it is identified
    below.
     * Block the following at the firewall:
       * UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and
    593
       * All unsolicited inbound traffic on ports greater than 1024
       * Any other specifically configured RPC port
       * If installed, COM Internet Services (CIS) or RPC over HTTP, which
    listen on ports 80 and 443

    These ports are used to initiate a connection with RPC. Blocking them at
    the firewall will help prevent systems that are behind that firewall from
    attempts to exploit this vulnerability. Also, make sure that you block any
    other specifically configured RPC port on the remote system. We recommend
    that you block all unsolicited inbound communication from the Internet to
    help prevent attacks that may use other ports. For more information about
    the ports that RPC uses, visit the following Web site. For more
    information about how to disable CIS, see Microsoft Knowledge Base Article
     <http://support.microsoft.com/default.aspx?scid=kb;en-us;825819> 825819.

     * Enable advanced TCP/IP filtering on systems that support this feature.
    You can enable advanced TCP/IP filtering to block all unsolicited inbound
    traffic. For additional information about how to configure TCP/IP
    filtering, see Microsoft Knowledge Base Article
    <http://support.microsoft.com/default.aspx?scid=kb;en-us;309798> 309798.

     * Block the affected ports by using IPSec on the affected systems.
    Use Internet Protocol Security (IPSec) to help protect network
    communications. Detailed information about IPSec and how to apply filters
    is available in Microsoft Knowledge Base Articles
    <http://support.microsoft.com/default.aspx?scid=kb;en-us;313190> 313190
    and <http://support.microsoft.com/?id=813878> 813878.

    FAQ for RPC Runtime Library Vulnerability
    What is the scope of the vulnerability ?
    This is an information disclosure and denial of service vulnerability. An
    attacker who successfully exploited this vulnerability could potentially
    read portions of active memory or cause the affected system to stop
    responding.

    What causes the vulnerability ?
    An unchecked buffer in the RPC Runtime Library.

    What is Remote Procedure Call (RPC) ?
    Remote Procedure Call (RPC) is a protocol that the Windows operating
    system uses. RPC provides an interprocess communication mechanism that
    allows a program that is running on one system to access services
    seamlessly on another system. The protocol is derived from the Open
    Software Foundation (OSF) RPC protocol, with the addition of some
    Microsoft-specific extensions.

    What is the RPC Runtime Library ?
    By default, the RPC Runtime Library is installed on all affected systems.
    The RPC Runtime Library provides services such as communication services,
    directory services, and security services to application developers. For
    more information about the RPC Runtime Library, visit the following
    <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/developing_32_bit_windows_applications.asp> MSDN Library Web site.

    What might an attacker use the vulnerability to do ?
    An attacker who successfully exploited this vulnerability could cause the
    affected system to stop responding or potentially read portions of active
    memory.

    Who could exploit the vulnerability ?
    Any anonymous user who can deliver a series of specially crafted messages
    to the affected system could attempt to exploit this vulnerability. By
    default, this ability is enabled on the affected systems. Therefore, any
    user who can establish a connection to an affected system could attempt to
    exploit this vulnerability.

    How could an attacker exploit the vulnerability ?
    An attacker could exploit this vulnerability by creating a series of
    specially crafted network messages and sending the messages to an affected
    system.

    An attacker could also access the affected component through another
    vector. For example, an attacker could log on to the system interactively
    or by using another program that passes parameters to the vulnerable
    component (locally or remotely).

    Could the vulnerability be exploited over the Internet ?
    Yes. An attacker may be able to exploit this vulnerability over the
    Internet. Firewall best practices and standard default firewall
    configurations can help protect against attacks that originate from the
    Internet. Microsoft has provided information on how you can help protect
    your PC. IT Professionals can visit the
    <http://go.microsoft.com/fwlink/?LinkId=21171> Security Guidance Center
    Web site.

    What does the update do ?
    The update removes the vulnerability by modifying the way that RPC Runtime
    Library validates the length of a message before it passes the message to
    the allocated buffer.

    When this security bulletin was issued, had this vulnerability been
    publicly disclosed ?
    No. Microsoft received information about this vulnerability through
    responsible disclosure. Microsoft had not received any information
    indicating that this vulnerability had been publicly disclosed when this
    security bulletin was originally issued.

    When this security bulletin was issued, had Microsoft received any reports
    that this vulnerability was being exploited ?
    No. Microsoft had not received any information indicating that this
    vulnerability had been publicly used to attack customers and had not seen
    any examples of proof of concept code published when this security
    bulletin was originally issued.

    How does this vulnerability relate to the RPC vulnerabilities that are
    addressed by MS04-012 ?
    Both security bulletins are related to RPC components. However, this
    update addresses a new vulnerability that was not addressed as part of
    MS04-012. MS04-012 helps protect against the vulnerabilities that are
    discussed in that bulletin, but does not address this new vulnerability.
    This update does not replace MS04-012. You must install this update and
    the update provided as part of the MS04-012 security bulletin to help
    protect your system against the vulnerabilities addressed by each security
    bulletin.

    ADDITIONAL INFORMATION

    The information has been provided by Microsoft Product Security.
    The original article can be found at:
    <http://www.microsoft.com/technet/security/bulletin/MS04-029.mspx>
    http://www.microsoft.com/technet/security/bulletin/MS04-029.mspx

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] Squid Web Proxy Cache Remote DoS"

    Relevant Pages