2118006 : RPC DCOM interface buffer overflow
Event Description
Microsoft Windows is vulnerable to a buffer overflow in the Distributed Component Object Model (DCOM) interface of the RPC (Remote Procedure Call) service. By sending a malformed message to the RPC service, a remote attacker can overflow a buffer and execute arbitrary code on the system with Local System privileges.
Products that have this security check
- BlackICE Agent for Server
- BlackICE PC Protection
- BlackICE Server Protection
- Proventia Desktop
- Proventia Network IDS
- Proventia Network IPS
- Proventia Network MFS
- Proventia Server IPS for Linux technology
- Proventia Server IPS for Microsoft Windows technology
- RealSecure Desktop
- RealSecure Desktop Protector 3.6
- RealSecure Network
- RealSecure Server Sensor
MSRPC_RemoteActivate_Bo
This signature looks for a specially crafted MSRPC Remote Activation Request or System Activation Request that is used to conduct a buffer overflow.
Affected platforms
- HP OpenVMS Alpha 7.3
- HP OpenVMS Alpha 7.3-1
- HP OpenVMS Alpha 7.3-2
- Microsoft Windows 2000
- Microsoft Windows 2003 Server
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 Terminal Server
- Microsoft Windows XP
How to remove this vulnerability
For vulnerability detection:
Enable the following checks in the ISS Protection Platform:
WinRpcDCOMBo
win-rpc-dcom-bo
WinMs03039Patch
win-ms03039-patch
Enable the following checks in the ISS Protection Platform:
MSRPC_RemoteActivate_Bo
For Manual Protection:
For Microsoft Windows 2000:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS06-018. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS03-026, but it was superseded by the patches released with MS03-039, MS04-012, and MS05-012, and then superseded by the patch in MS06-018.
For Windows XP and Windows Server 2003:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-051. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS03-026, but it was superseded by the patches released with MS03-039, MS04-012, and MS05-012, and then superseded by the patch in MS05-051.
For Microsoft Windows NT 4.0:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS04-029. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS03-026, but it was superseded by the patches released with MS03-039 and MS04-012, and then superseded by the patch released with MS04-029.
For HP OpenVMS V7.3, V7.3-1, and V7.3-2:
Apply the appropriate patch for this vulnerability, as listed in Hewlett-Packard Security Bulletin HPSBOV01056. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References
Internet Security Systems Security Alert #147
Flaw in Microsoft Windows RPC Implementation
http://xforce.iss.net/xforce/alerts/id/147
Microsoft Security Bulletin MS03-026
Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
http://www.microsoft.com/technet/security/bulletin/ms03-026.mspx
Microsoft Security Bulletin MS06-018
Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580)
http://www.microsoft.com/technet/security/Bulletin/MS06-018.mspx
Microsoft Security Bulletin MS04-029
Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service (873350)
http://www.microsoft.com/technet/security/bulletin/ms04-029.mspx
Microsoft Security Bulletin MS03-039
Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
Microsoft Security Bulletin MS05-051
Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400)
http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx
Microsoft Security Bulletin MS04-012
Cumulative Update for Microsoft RPC/DCOM (828741)
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
Microsoft Security Bulletin MS05-012
Vulnerability in OLE and COM Could Allow Remote Code Execution (873333)
http://www.microsoft.com/technet/security/bulletin/MS05-012.mspx
Core Security Technologies Advisory CORE-2003-12-05
DCE RPC Vulnerabilities New Attack Vectors Analysis
http://archives.neohapsis.com/archives/bugtraq/2003-12/0166.html
CIAC Information Bulletin N-117
Microsoft RPC Interface Buffer Overrun Vulnerability
http://www.ciac.org/ciac/bulletins/n-117.shtml
BugTraq Mailing List, Sun Jul 20 2003 - 14:01:13 CDT
Microsoft Windows 2000 RPC DCOM Interface DOS AND Privilege Escalation Vulnerability
http://archives.neohapsis.com/archives/bugtraq/2003-07/0255.html
VulnWatch Mailing List, Thu Jul 17 2003 - 16:04:40 CDT
Re: [LSD] Critical security vulnerability in Microsoft Operating Systems
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0036.html
CERT Advisory CA-2003-16
Buffer Overflow in Microsoft RPC
http://www.cert.org/advisories/CA-2003-16.html
BugTraq Mailing List, Wed Jul 16 2003 - 23:27:27 CDT
[LSD] Critical security vulnerability in Microsoft Operating Systems
http://archives.neohapsis.com/archives/bugtraq/2003-07/0194.html
Common Vulnerabilities and Exposures
Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0352
BugTraq
Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability
http://www.securityfocus.com/bid/8205
Information about this document
Copyright © 1997 – 2009 IBM Internet Security Systems. All rights reserved.
This page was created on Thu Jun 11 09:07:19 2009
