Flaw in Microsoft Windows RPC Implementation

Internet Security Systems Security Alert
July 16, 2003

Synopsis:

Microsoft has published a security bulletin describing a buffer overflow
vulnerability in the Windows RPC (Remote Procedure Call) interface. The
RPC protocol is integral to the normal operation of many networking
technologies within the Windows operating system. The buffer overflow
affects the DCOM (Distributed Component Object Model) interface on port
135.

Impact:

Attackers may exploit this vulnerability by sending a specially-crafted
RPC packet to port 135 on a vulnerable target. Successful exploitation
of this vulnerability will result in complete control of the target
system. Many security-conscious administrators know to block this service
at the perimeter, but open networks and personal computers used by
individuals may be vulnerable to attack.

Several versions of functional "exploit" code for this vulnerability are
now being actively distributed in the hacker underground. ISS MSS
(Managed Security Services) RealSecure Network installations
have detected numerous attacks. Several third-party sources have also
detected widespread scanning and exploitation.

Affected Versions:

Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003 

Note: All major releases and Service Pack levels of the platforms above
are vulnerable.

Description:

The vulnerability occurs in the RPC interface to DCOM. The RPC protocol is
used by the Windows operating system and its applications to communicate
over the network. RPC was originally developed by the OSF (Open Software
Foundation) to build a system in which computers could request network
services or resources from another computer without specific knowledge of
the network or computing environment answering the request.

The DCOM interface to RPC is only accessible via port TCP/135 on default
installations of Windows 2000, Windows XP, and Windows Server 2003. On
Windows NT 4.0, the DCOM component is additionally accessible via port
UDP/135 by default.

If the "Tunneling TCP/IP" protocol is explicitly enabled within the
DCOM Configuration Utility, the affected component may be reachable via
the HTTP RPC Endpoint Mapper port (TCP/593).  This protocol is disabled by 
default in all configurations. DCOM may be accessible over port TCP/80 via 
COM Internet Services in similarly rare circumstances.  DCOM is also 
accessible via non-IP protocols (IPX/SPX), and non-routable protocols
(NETBEUI).

Microsoft has added several extensions to its implementation of the RPC
protocol, including the integration of DCOM. DCOM is built upon RPC to
provide better interoperability between Microsoft applications and newer
technologies such as ActiveX, HTTP, and Java. The DCE RPC and DCOM
interfaces are widely used and enabled by default on Windows
installations.

The DCOM object activation functionality is vulnerable to a remote stack
overflow attack and arbitrary code execution when dealing with
instantiation of DCOM objects. The vulnerable code executes under the
SYSTEM security context and any successful attacks will grant SYSTEM
privileges. Integrated buffer overflow protection in Windows Server 2003
is reportedly ineffective at preventing this attack.

Recommendations:

For identification of potentially vulnerable systems, Internet Security
Systems has provided the following assessment checks: 

Internet Scanner XPU 7.3/6.32
WinRpcDCOMBo - (http://xforce.iss.net/xforce/xfdb/12629)

System Scanner SR 3.18 
win-rpc-dcom-bo - ()

For Dynamic Threat Protection, Internet Security Systems recommends
applying a Virtual Patch for the Microsoft RPC vulnerability. Employ
the following protection techniques through ISS' Dynamic Threat
Protection platform.

RealSecure Network XPU 20.16 and 20.18 
MSRPC_RemoteActivate_Bo - (http://xforce.iss.net/xforce/xfdb/12629)

Proventia A Series XPU 20.16 and 20.18
MSRPC_RemoteActivate_Bo - ()

RealSecure Server XPU 20.16 and 20.18
MSRPC_RemoteActivate_Bo - (http://xforce.iss.net/xforce/xfdb/12629)

RealSecure Guard, Sentry and Desktop 3.6 ebr
MSRPC_RemoteActivate_Bo - (http://xforce.iss.net/xforce/xfdb/12629)

RealSecure Desktop 7.0 eba
MSRPC_RemoteActivate_Bo - (http://xforce.iss.net/xforce/xfdb/12629)

All updates listed above are available from the ISS Download center
() 

For Manual Protection, ISS and Microsoft have offered the following
recommendations:

X-Force recommends that ports TCP/135 and UDP/135 be blocked on all 
perimeter networks. Individuals and network administrators should also 
configure personal firewalls, desktop and network protection systems to 
block port 135 as well. In addition to this, it may be advisable to block
TCP/593 and ensure that all systems running COM Internet Services are
properly protected.
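Checking a firewall log against this recommendation, as an added example that is not part of the ISS alert: the script parses log lines in an assumed, constructed format, flags sources sweeping the alert's ports (TCP/135, UDP/135, TCP/593) across several internal hosts, and reports any such connection the firewall accepted, i.e. a place where the recommended block is not in effect. The log format, threshold and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Ports the alert says to block at the perimeter and on host firewalls:
# TCP/135 and UDP/135 (DCOM over RPC) and TCP/593 (RPC over HTTP endpoint mapper).
ADVISORY_PORTS = {("TCP", 135), ("UDP", 135), ("TCP", 593)}

# Constructed log format (assumed for this example, not a real product's):
# "<date> <time> <ACCEPT|DENY> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ACCEPT|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d

def analyze(lines, scan_threshold=3):
    """Return sources that hit an advisory port on >= scan_threshold distinct hosts
    (scanning) and every ACCEPTed hit on an advisory port (block not in effect)."""
    targets = defaultdict(set)   # source ip -> destination ips hit on advisory ports
    allowed = []                 # (src, dst, proto, port) the firewall let through
    for line in lines:
        rec = parse_line(line)
        if rec is None or (rec["proto"], rec["dport"]) not in ADVISORY_PORTS:
            continue
        targets[rec["src"]].add(rec["dst"])
        if rec["action"] == "ACCEPT":
            allowed.append((rec["src"], rec["dst"], rec["proto"], rec["dport"]))
    scanners = sorted(src for src, dsts in targets.items() if len(dsts) >= scan_threshold)
    return {"scanners": scanners, "allowed": allowed}

# Constructed sample log: one source sweeps TCP/135 on three hosts and one of
# those connections is accepted; the TCP/80 line is unrelated to the alert.
SAMPLE_LOG = """\
2003-07-16 10:01:02 DENY TCP 198.51.100.7:4321 -> 10.0.0.5:135
2003-07-16 10:01:02 DENY TCP 198.51.100.7:4322 -> 10.0.0.6:135
2003-07-16 10:01:03 ACCEPT TCP 198.51.100.7:4323 -> 10.0.0.7:135
2003-07-16 10:01:09 ACCEPT TCP 203.0.113.9:51000 -> 10.0.0.5:80
2003-07-16 10:02:15 DENY UDP 203.0.113.9:51001 -> 10.0.0.5:135
2003-07-16 10:02:16 DENY TCP 203.0.113.20:40000 -> 10.0.0.8:593
""".splitlines()
```

Running `analyze(SAMPLE_LOG)` reports 198.51.100.7 as a scanner and its accepted connection to 10.0.0.7:135 as a host where the block is missing.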

Microsoft has released updates to address the vulnerability on all
affected platforms. Refer to the Microsoft Security Bulletin MS03-026.

Additional Information:

ISS has produced a command-line tool that scans
for systems that might be vulnerable to the MS03-026 RPC
DCOM Vulnerability.  That tool is available on our
website at: 
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2003-0352 to this issue. This is a candidate for inclusion in 
the CVE list (http://cve.mitre.org), which standardizes names for security
problems.

Last Stage of Delirium
http://www.lsd-pl.net

Microsoft Security Bulletin MS03-026
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

______

About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved
worldwide.

This document is not to be edited or altered in any way without the
express written consent of Internet Security Systems, Inc. If you wish
to reprint the whole or any part of this document, please email
xforce@iss.net for permission. You may provide links to this document
from your web site, and you may make copies of this document in
accordance with the fair use doctrine of the U.S. copyright laws. 

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key server,
as well as at http://www.iss.net/security_center/sensitive.php
Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.