Microsoft Windows RPCSS DCOM buffer overflows (MSRPC_RemoteActivate_Path_BO)

About this signature or vulnerability

RealSecure Desktop, RealSecure Network, RealSecure Server Sensor, Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection, BlackICE PC Protection, BlackICE Agent for Server, RealSecure Desktop Protector 3.6, Proventia Server IPS for Linux technology, Proventia Network IPS, Proventia Desktop, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS:

This signature looks for a specially crafted MSRPC Remote Activation Request or System Activation Request that is used to conduct a buffer overflow.

Default risk level

High

Sensors that have this signature

RealSecure Desktop: baseline, RealSecure Network: XPU 5.18, RealSecure Network: XPU 21.2, RealSecure Server Sensor: XPU 21.1, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, BlackICE Server Protection: 3.6.cpa, BlackICE PC Protection: 3.6cpa, BlackICE Agent for Server: 3.6eof, RealSecure Desktop Protector 3.6: baseline, Proventia Server IPS for Linux technology: 1.0, Proventia Network IPS: 2.0, Proventia Desktop: 8.0.614.1, Proventia Network IDS: XPU 21.2, Proventia-G 1.1 and earlier: G Series, Proventia Network MFS: 1.0

Systems affected

Microsoft Windows NT 4.0 Terminal Server, Microsoft Windows NT 4.0 Server, Microsoft Windows NT 4.0 Workstation, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows 2003 Server

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Windows is vulnerable to two buffer overflows, caused by improper handling of Remote Procedure Call (RPC) messages for Distributed Component Object Model (DCOM) activation by the RPCSS service. By default, the RPCSS service is enabled. A remote attacker could establish a connection and send a malformed RPC message to overflow a buffer and execute arbitrary code on the system with Local System privileges.

How to remove this vulnerability

For vulnerability detection:

Enable the following checks in the ISS Protection Platform:
WinRpcssDcomBo
WinMs03039Patch
win-ms03039-patch

For Virtual Patch:

Enable the following checks in the ISS Protection Platform:
MSRPC_RemoteActivate_Path_BO

Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 135

For Manual Protection:

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-051 or MS04-029. See References.

For Microsoft Windows 2000:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS06-018. See References.

Note: Microsoft originally provided a patch for this vulnerability in MS03-026, but it was superseded by the patches released with MS03-039, MS04-012, and MS05-051, which were in turn superseded by the patch released with MS06-018.

For Windows XP and Windows Server 2003:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-051. See References.

Note: Microsoft originally provided a patch for this vulnerability in MS03-026, but it was superseded by the patches released with MS03-039, MS04-012, and MS05-012, which were in turn superseded by the patch released with MS05-051.

For Windows NT 4.0:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS04-029. See References.

Note: Microsoft originally provided a patch for this vulnerability in MS03-039, but it was superseded by the patch released with MS04-012, which was in turn superseded by the patch released with MS04-029.

References

Microsoft Security Bulletin MS03-039
Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx

NSFOCUS Security Advisory SA2003-06
Microsoft Windows RPC DCOM Interface Heap Overflow Vulnerability
http://www.nsfocus.com/english/homepage/research/0306.htm

CERT Advisory CA-2003-23
Vulnerabilities in Microsoft Windows
http://www.cert.org/advisories/CA-2003-23.html

BugTraq Mailing List, Wed Sep 10 2003 - 12:32:40 CDT
EEYE: Microsoft RPC Heap Corruption Vulnerability - Part II
http://archives.neohapsis.com/archives/bugtraq/2003-09/0183.html

CERT Vulnerability Note VU#254236
Microsoft Windows contains buffer overflow in RPCSS Service DCOM activation routines
http://www.kb.cert.org/vuls/id/254236

CERT Vulnerability Note VU#483492
Microsoft Windows contains buffer overflow in RPCSS Service DCOM activation routines
http://www.kb.cert.org/vuls/id/483492

Packet Storm Web site
rpcHeap.txt
http://packetstormsecurity.nl/0309-exploits/rpcHeap.txt

Packet Storm Web site
09.16.ms03-039-exp.c
http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=09.16.ms03-039-exp.c&type=archives&%5Bsearch%5D.x=4&%5Bsearch%5D.y=4

Packet Storm Web site
ms03-039-linux
http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=ms03-039-linux&type=archives&%5Bsearch%5D.x=14&%5Bsearch%5D.y=4

Microsoft Security Bulletin MS05-012
Vulnerability in OLE and COM Could Allow Remote Code Execution (873333)
http://www.microsoft.com/technet/security/bulletin/MS05-012.mspx

Microsoft Security Bulletin MS04-012
Cumulative Update for Microsoft RPC/DCOM (828741)
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

Microsoft Security Bulletin MS05-051
Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400)
http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx

Microsoft Security Bulletin MS04-029
Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service (873350)
http://www.microsoft.com/technet/security/bulletin/ms04-029.mspx

Microsoft Security Bulletin MS06-018
Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580)
http://www.microsoft.com/technet/security/Bulletin/MS06-018.mspx

ISS X-Force
Microsoft Windows RPCSS DCOM buffer overflows
http://www.iss.net/security_center/static/13129.php

CVE
CVE-2003-0528
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0528