MSRPC error in one sep client pc!
Created: 30 Nov 2010 | 6 comments
Hi
I am getting the MSRPC error on one of the Symantec Endpoint Protection client PCs, mentioning some IP address. But before noting down the IP address I closed the warning message. How do I get the log of that warning?
Thanks & Regards
S.Swaminathan
Comments
It is coming from IPS or the firewall. Check the logs on the client:
- open the SEP window,
- on the left select View Logs,
- check the NTP package logs and the Client Management - Security log.
Any questions, paste the logs here and we will have a look :)
--
Cheers,
Symantec Technical Specialist
Symantec Certified Specialist
MCP & MCITP
Cisco Certified Network Associate
Citrix Certified Administrator
It will be in the client logs. On the client side, open the client GUI and click on View Logs.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Vulnerability.
Please upload the logs and a screenshot of the MSRPC message.
---------------------------------
Vikas
--
Don't forget to mark your thread as 'solved' with the answer that best helped you!
No logs
Hi
I found no logs on the client but found them in the SEPM console; I have attached those and the screenshot as well.
Thanks & Regards
S.Swaminathan
Is the address the attack is coming from one of your internal machines? If not, block the address on your external firewall.
--
Cheers,
Symantec Technical Specialist
Symantec Certified Specialist
MCP & MCITP
Cisco Certified Network Associate
Citrix Certified Administrator
Severity: High
This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
Description
This signature detects an attack that is being conducted against the Microsoft RPC DCOM service.
Additional Information
There are numerous vulnerabilities associated with Microsoft's RPC DCOM service. This signature represents patterns associated with various publicly available RPC DCOM attacks. Events associated with this attack warrant immediate attention, and users are encouraged to audit the status of all machines with the RPC service enabled.
Microsoft Windows supports a Remote Procedure Call (RPC) application programmer's interface (API) that allows applications to share publicly available objects in a distributed computing environment (DCE). RPCSS is the service that carries out the communication that takes place through the specified API.
One of the more notable vulnerabilities associated with this service is a denial-of-service condition that exists in the RPCSS service. This issue is due to a failure of the application to properly handle malformed network messages.
The problem presents itself when the malformed messages are handled by the affected service. Exceptional conditions triggered by the malformed messages cause a failure of the application to free previously acquired heap memory. After processing a number of offending messages, the process will be unable to allocate more memory for incoming network data and a denial-of-service condition will be triggered.
The issue specifically deals with the processing of packets reporting extremely large length. After DCOM processes the request, it is passed to the Activation class of functions residing in 'rpcss.dll'. Here memory is allocated to store the information; the size of memory allocated is derived from the 'length' field of the message. If the specified length is larger than the memory pool of the source buffer, an exception will be triggered. In this case the memory that was allocated will not be freed, causing a memory leak that will trigger a denial-of-service condition.
Successful exploitation of this issue may allow a remote attacker to cause the affected server to crash or stop responding. On Microsoft Windows 2000, XP, and Server 2003 this will cause the affected system to reboot; on all other Windows platforms the system will have to be manually rebooted. It is currently not known whether this issue could be leveraged to execute arbitrary code on the affected system.
It has been observed that W32.Gaobot and W32.RXBot worms exploit this issue to propagate.
--
Cheers,
Symantec Technical Specialist
Symantec Certified Specialist
MCP & MCITP
Cisco Certified Network Associate
Citrix Certified Administrator
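To make the failure mode in the signature description above concrete, here is an added illustration (constructed example code, not Symantec's text and not the rpcss.dll code): a handler that allocates from an untrusted length field and bails out of the "exception" path without freeing, beside a hardened handler that validates the length against the bytes that actually arrived. The toy wire format, the function names and the 1000-byte claimed length are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Live heap blocks, counted so the leak is observable in a test. */
static size_t g_live_allocs = 0;
static void *tracked_alloc(size_t n) { void *p = malloc(n); if (p) g_live_allocs++; return p; }
static void tracked_free(void *p) { if (p) { free(p); g_live_allocs--; } }

/* Toy wire format (constructed; not the real DCOM activation layout):
   4-byte little-endian length, then that many payload bytes. */
enum { HDR_LEN = 4, MAX_PAYLOAD = 64 * 1024 };

static uint32_t read_len(const uint8_t *b) {
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Leaky pattern: allocate from the untrusted length first, then hit the
   "exception" (length exceeds what arrived) and bail out without freeing. */
int process_leaky(const uint8_t *msg, size_t msg_len) {
    if (msg_len < HDR_LEN) return -1;
    uint32_t len = read_len(msg);
    uint8_t *copy = tracked_alloc(len ? len : 1);
    if (!copy) return -1;
    if ((size_t)len > msg_len - HDR_LEN) return -1;  /* copy is never freed */
    memcpy(copy, msg + HDR_LEN, len);
    tracked_free(copy);
    return 0;
}

/* Hardened pattern: check the length against the bytes that actually arrived
   (and a sane upper bound) before allocating, and free on every exit path. */
int process_fixed(const uint8_t *msg, size_t msg_len) {
    if (msg_len < HDR_LEN) return -1;
    uint32_t len = read_len(msg);
    if (len > MAX_PAYLOAD || (size_t)len > msg_len - HDR_LEN) return -1;
    uint8_t *copy = tracked_alloc(len ? len : 1);
    if (!copy) return -1;
    memcpy(copy, msg + HDR_LEN, len);
    tracked_free(copy);
    return 0;
}

/* Feed one constructed malformed message (claims 1000 bytes, carries 4) n times
   and return how many heap blocks are still live afterwards. */
size_t leak_after(int (*handler)(const uint8_t *, size_t), int n) {
    const uint8_t bad[] = { 0xE8, 0x03, 0x00, 0x00, 'a', 'b', 'c', 'd' };
    size_t before = g_live_allocs;
    for (int i = 0; i < n; i++) handler(bad, sizeof bad);
    return g_live_allocs - before;
}
```

With the leaky handler every malformed message leaves one block live, which is the "unable to allocate more memory" condition the description ends in; the hardened handler rejects the message before it allocates anything.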