[VulnWatch] Re: [LSD] Critical security vulnerability in Microsoft Operating Systems

From: Todd Sabin (tsabin_at_razor.bindview.com)
Date: 07/17/03

  • Next message: Cisco Systems Product Security Incident Response Team: "[VulnWatch] Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet"
    To: Last Stage of Delirium <contact@lsd-pl.net>
    Date: Thu, 17 Jul 2003 17:04:40 -0400
    
    

    Last Stage of Delirium <contact@lsd-pl.net> writes:

    > Hello,
    >
    > We have discovered a critical security vulnerability in all recent versions of
    > Microsoft operating systems. The vulnerability affects default installations
    > of Windows NT 4.0, Windows 2000, Windows XP as well as Windows 2003 Server.
    >
    > This is a buffer overflow vulnerability that exists in an integral component of
    > any Windows operating system, the RPC interface implementing Distributed Component
    > Object Model services (DCOM). In a result of implementation error in a function
    > responsible for instantiation of DCOM objects, remote attackers can obtain
    > unauthorized access to vulnerable systems.
    > [...]

    I think it's worth mentioning that Microsoft's advisory on this issue
    is incorrect in stating that the only attack vector is port 135. The
    vulnerability lies in one of the RPC interfaces that the endpoint
    mapper/RPCSS services. As such, it is accessible over any RPC
    protocol sequence that the endpoint mapper listens on. That includes:

    o ncacn_ip_tcp : TCP port 135
    o ncadg_ip_udp : UDP port 135
    o ncacn_np : \pipe\epmapper, normally accessible via SMB null
                      session on TCP ports 139 and 445
    o ncacn_http : if active, listening on TCP port 593.

    Finally, if ncacn_http is active, and COM Internet Services is
    installed and enabled, which is NOT the default in any configuration
    I'm aware of, then you can also talk to the endpoint mapper over port
    80. Just to be clear, I think this is a very uncommon scenario, but
    the possibility does exist.

    So if you want to be completely safe, block UDP 135, TCP 135, 139, 445,
    and 593. And make sure you don't have COM Internet Services running.

    -- 
    Todd Sabin                                          <tsabin@optonline.net>
    BindView RAZOR Team                            <tsabin@razor.bindview.com>
    

  • Next message: Cisco Systems Product Security Incident Response Team: "[VulnWatch] Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet"

    Relevant Pages