[VulnWatch] CERT Advisory CA-2003-03 Buffer Overflow in Windows Locator Service (fwd)

From: Rain Forest Puppy (rfp@vulnwatch.org)
Date: 01/23/03

  • Next message: xss-is-lame@hushmail.com: "[VulnWatch] Re: New Web Vulnerability - Cross-Site Tracing"
    Date: Thu, 23 Jan 2003 22:03:10 +0000 (GMT)
    From: Rain Forest Puppy <rfp@vulnwatch.org>
    To: vulnwatch@vulnwatch.org

    ---------- Forwarded message ----------
    Date: Thu, 23 Jan 2003 16:20:31 -0500
    From: CERT Advisory <cert-advisory@cert.org>
    To: cert-advisory@cert.org
    Subject: CERT Advisory CA-2003-03 Buffer Overflow in Windows Locator Service


    CERT Advisory CA-2003-03 Buffer Overflow in Windows Locator Service

       Original issue date: January 23, 2003
       Last revised: --
       Source: CERT/CC

       A complete revision history is at the end of this file.

    Systems Affected

         * Microsoft Windows NT 4.0
         * Microsoft Windows NT 4.0, Terminal Server Edition
         * Microsoft Windows 2000
         * Microsoft Windows XP


       A buffer overflow vulnerability in the Microsoft Windows Locator
       service could allow a remote attacker to execute arbitrary code or
       cause the Windows Locator service to fail. This service is enabled and
       running by default on Windows 2000 domain controllers and Windows NT
       4.0 domain controllers.

    I. Description

       A buffer overflow in the Windows Locator service may make it possible
       for a remote attacker to execute arbitrary code on a vulnerable system
       by sending an overly large request to the Windows Locator service.
       Microsoft describes the Windows Locator service as "a name service
       that maps logical names to network-specific names." From MS03-001:

         A client that is going to make a Remote Procedure Call (RPC) can
         call the Locator service to resolve a logical name for a network
         object to a network-specific name for use in the RPC. For example,
         if a print server has the logical name "laserprinter", an RPC
         client could call the Locator service to find out the
         network-specific name that mapped to "laserprinter". The RPC client
         uses the network-specific name when it makes the RPC call to the

       Further information about this vulnerability can be found in Microsoft
       Security Bulletin MS03-001 and in CERT/CC Vulnerability Note VU#610986,
       which correspond to CVE candidate CAN-2003-0003.

    II. Impact

       A remote attacker may be able to execute arbitrary code on a
       vulnerable system, or cause the Windows Locator service to fail. An
       attacker who is able to compromise a domain controller might be able
       to cause the compromised domain controller to trust the attacker's

    III. Solution

    Apply a patch

    Disable vulnerable service

       Until a patch can be applied, you may wish to disable the Windows
       Locator service. To determine if the Windows Locator service is
       running, Microsoft recommends the following:

         * The status of the "Remote Procedure Call (RPC) Locator" service
           and how it is started (automatically or manually) can be viewed in
           the Control Panel. For Windows 2000 and Windows XP, use Control
           Panel | Administrative Tools | Services, and on Windows NT 4.0,
           use Control Panel | Services.

         * It is also possible to determine the status of the Locator service
           from the command line by entering: net start

         * A list of services will be displayed. If "Remote Procedure Call
           (RPC) Locator" appears in the list, then the locator service is

       To disable the Windows Locator service, Microsoft recommends the

         * An administrator can disable the Locator service by setting the
           RpcLocator service status to "disabled" in the services control

         * The service can also be stopped via the command line using the
           sc.exe program, which ships with Windows XP and is included as
           part of the Windows 2000 Resource Kit. The following command will
           stop the service: sc stop RpcLocator

         * To disable the service using the command line tool, use the
           following: sc config RpcLocator start= disabled

    Restrict access to NetBIOS

       You may wish to block access to NetBIOS from outside your network
       perimeter. This will limit your exposure to attacks. However, blocking
       at the network perimeter would still allow attackers within the
       perimeter of your network to exploit the vulnerability. It is
       important to understand your network's configuration and service
       requirements before deciding what changes are appropriate.

       As a best practice, the CERT/CC recommends disabling all services that
       are not explicitly required. Before deciding to disable the Windows
       Locator service, carefully consider your service requirements. Please
       also note that Microsoft is actively deploying the patches for this
       vulnerability via Windows Update.

    Appendix A. Vendor Information

       This appendix contains information provided by vendors. When vendors
       report new information, this section is updated and the changes are
       noted in the revision history. If a vendor is not listed below, we
       have not received their comments.

    Microsoft Corporation

         Please see Microsoft Security Bulletin MS03-001.

    Appendix B. References

         * Microsoft Security Bulletin MS03-001 -

         * CERT/CC Vulnerability Note VU#10986 -

       This vulnerability was discovered by David Litchfield of Next
       Generation Security Software Ltd and was first described in MS03-001.

       Author: Ian A. Finlay.

       This document is available from:

    CERT/CC Contact Information

       Email: cert@cert.org
              Phone: +1 412-268-7090 (24-hour hotline)
              Fax: +1 412-268-6989
              Postal address:
              CERT Coordination Center
              Software Engineering Institute
              Carnegie Mellon University
              Pittsburgh PA 15213-3890

       CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
       EDT(GMT-4) Monday through Friday; they are on call for emergencies
       during other hours, on U.S. holidays, and on weekends.

    Using encryption

       We strongly urge you to encrypt sensitive information sent by email.
       Our public PGP key is available from

       If you prefer to use DES, please call the CERT hotline for more

    Getting security information

       CERT publications and other security information are available from
       our web site

       To subscribe to the CERT mailing list for advisories and bulletins,
       send email to majordomo@cert.org. Please include in the body of your

       subscribe cert-advisory

       * "CERT" and "CERT Coordination Center" are registered in the U.S.
       Patent and Trademark Office.

       Any material furnished by Carnegie Mellon University and the Software
       Engineering Institute is furnished on an "as is" basis. Carnegie
       Mellon University makes no warranties of any kind, either expressed or
       implied as to any matter including, but not limited to, warranty of
       fitness for a particular purpose or merchantability, exclusivity or
       results obtained from use of the material. Carnegie Mellon University
       does not make any warranty of any kind with respect to freedom from
       patent, trademark, or copyright infringement.

       Conditions for use, disclaimers, and sponsorship information

       Copyright 2003 Carnegie Mellon University.

       Revision History

       January 23, 2003: Initial release

    Version: PGP 6.5.8

    -----END PGP SIGNATURE-----

    Relevant Pages