Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability

Risk

High

Date Discovered

July 16, 2003

Description

A buffer overrun vulnerability has been reported in Microsoft Windows that can be exploited remotely via a DCOM RPC interface that listens on TCP/UDP port 135. The issue is due to insufficient bounds checking of client DCOM object activation requests. Exploitation of this issue could result in execution of malicious instructions with Local System privileges on an affected system.

This issue may be exposed on other ports that the RPC Endpoint Mapper listens on, such as TCP ports 139, 135, 445 and 593. This has not been confirmed. Under some configurations the Endpoint Mapper may receive traffic via port 80.

There have been unconfirmed reports that Windows 9x systems with certain software installed may also be vulnerable to this issue. Reportedly, Windows 98 systems with .NET software installed may be vulnerable according to scans using various DCOM RPC vulnerability scanning tools. Symantec has not confirmed this behaviour and it may in fact be due to false positives generated by the scanners.

Technologies Affected

  • Cisco Broadband Troubleshooter
  • Cisco Building BroadBand Services Manager Hotspot 1.0.0
  • Cisco Building Broadband Service Manager 5.1.0
  • Cisco Building Broadband Service Manager 5.2.0
  • Cisco Call Manager
  • Cisco Call Manager 1.0.0
  • Cisco Call Manager 2.0.0
  • Cisco Call Manager 3.0.0
  • Cisco Call Manager 3.1.0
  • Cisco Call Manager 3.1.0 (2)
  • Cisco Call Manager 3.1.0 (3a)
  • Cisco Call Manager 3.2.0
  • Cisco Call Manager 3.3.0
  • Cisco Call Manager 3.3.0 (3)
  • Cisco CiscoWorks VPN/Security Management Solution
  • Cisco Collaboration Server
  • Cisco Conference Connection
  • Cisco Customer Response Application Server
  • Cisco DOCSIS CPE Configurator
  • Cisco Dynamic Content Adapter
  • Cisco E-Mail Manager
  • Cisco Emergency Responder
  • Cisco IP Contact Center Express
  • Cisco IP Telephony Environment Monitor
  • Cisco IP/VC 3540 Application Server
  • Cisco IP/VC 3540 Video Rate Matching Module
  • Cisco Intelligent Contact Manager
  • Cisco Internet Service Node
  • Cisco Lan Management Solution
  • Cisco Media Blender
  • Cisco Network Registrar
  • Cisco Networking Services for Active Directory
  • Cisco Personal Assistant
  • Cisco QoS Policy Manager
  • Cisco Routed Wan Management
  • Cisco SN 5420 Storage Router 1.1.0 (2)
  • Cisco SN 5420 Storage Router 1.1.0 (3)
  • Cisco SN 5420 Storage Router 1.1.0 (4)
  • Cisco SN 5420 Storage Router 1.1.0 (5)
  • Cisco SN 5420 Storage Router 1.1.0 (7)
  • Cisco SN 5420 Storage Router 1.1.3
  • Cisco Secure ACS for Windows NT 2.1.0
  • Cisco Secure ACS for Windows NT 2.3.0
  • Cisco Secure ACS for Windows NT 2.4.0
  • Cisco Secure ACS for Windows NT 2.5.0
  • Cisco Secure ACS for Windows NT 2.6.0
  • Cisco Secure ACS for Windows NT 2.6.2
  • Cisco Secure ACS for Windows NT 2.6.3
  • Cisco Secure ACS for Windows NT 2.6.4
  • Cisco Secure ACS for Windows NT 3.0.0
  • Cisco Secure ACS for Windows NT 3.0.0 .1
  • Cisco Secure ACS for Windows NT 3.0.3
  • Cisco Secure ACS for Windows NT 3.1.1
  • Cisco Secure ACS for Windows Server 3.2.0
  • Cisco Secure Access Control Server 3.2.1
  • Cisco Secure Policy Manager 3.0.1
  • Cisco Secure Scanner
  • Cisco Service Management
  • Cisco Small Network Management Solution
  • Cisco Trailhead
  • Cisco Transport Manager
  • Cisco Unity Server
  • Cisco Unity Server 2.0.0
  • Cisco Unity Server 2.1.0
  • Cisco Unity Server 2.2.0
  • Cisco Unity Server 2.3.0
  • Cisco Unity Server 2.4.0
  • Cisco Unity Server 2.46.0
  • Cisco Unity Server 3.0.0
  • Cisco Unity Server 3.1.0
  • Cisco Unity Server 3.2.0
  • Cisco Unity Server 3.3.0
  • Cisco Unity Server 4.0.0
  • Cisco User Registration Tool
  • Cisco VPN/Security Management Solution
  • Cisco Voice Manager
  • Cisco Wireless Lan Solution Engine
  • Cisco uOne 1.0.0
  • Cisco uOne 2.0.0
  • Cisco uOne 3.0.0
  • Cisco uOne 4.0.0
  • Cisco uOne Enterprise Edition
  • Compaq OpenVMS 6.2.0 -1H1 Alpha
  • Compaq OpenVMS 6.2.0 -1H2 Alpha
  • Compaq OpenVMS 6.2.0 -1H3 Alpha
  • Compaq OpenVMS 6.2.0 VAX
  • Compaq OpenVMS 6.2.0 alpha
  • Compaq OpenVMS 7.1.0 -2 Alpha
  • Compaq OpenVMS 7.1.0 VAX
  • Compaq OpenVMS 7.1.0 alpha
  • Compaq OpenVMS 7.2.0 -1H1 Alpha
  • Compaq OpenVMS 7.2.0 -1H2 Alpha
  • Compaq OpenVMS 7.2.0 -2 Alpha
  • Compaq OpenVMS 7.2.0 VAX
  • Compaq OpenVMS 7.2.0 alpha
  • Compaq OpenVMS 7.2.1 Alpha
  • Compaq OpenVMS 7.3.0 -1 Alpha
  • Compaq OpenVMS 7.3.0 Alpha
  • Compaq OpenVMS 7.3.0 VAX
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Advanced Server SP4
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Datacenter Server SP1
  • Microsoft Windows 2000 Datacenter Server SP2
  • Microsoft Windows 2000 Datacenter Server SP3
  • Microsoft Windows 2000 Datacenter Server SP4
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows 2000 Professional SP2
  • Microsoft Windows 2000 Professional SP3
  • Microsoft Windows 2000 Professional SP4
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Server SP3
  • Microsoft Windows 2000 Server SP4
  • Microsoft Windows NT Enterprise Server 4.0
  • Microsoft Windows NT Enterprise Server 4.0 SP1
  • Microsoft Windows NT Enterprise Server 4.0 SP2
  • Microsoft Windows NT Enterprise Server 4.0 SP3
  • Microsoft Windows NT Enterprise Server 4.0 SP4
  • Microsoft Windows NT Enterprise Server 4.0 SP5
  • Microsoft Windows NT Enterprise Server 4.0 SP6
  • Microsoft Windows NT Enterprise Server 4.0 SP6a
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Server 4.0 SP1
  • Microsoft Windows NT Server 4.0 SP2
  • Microsoft Windows NT Server 4.0 SP3
  • Microsoft Windows NT Server 4.0 SP4
  • Microsoft Windows NT Server 4.0 SP5
  • Microsoft Windows NT Server 4.0 SP6
  • Microsoft Windows NT Server 4.0 SP6a
  • Microsoft Windows NT Terminal Server 4.0
  • Microsoft Windows NT Terminal Server 4.0 SP1
  • Microsoft Windows NT Terminal Server 4.0 SP2
  • Microsoft Windows NT Terminal Server 4.0 SP3
  • Microsoft Windows NT Terminal Server 4.0 SP4
  • Microsoft Windows NT Terminal Server 4.0 SP5
  • Microsoft Windows NT Terminal Server 4.0 SP6
  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows NT Workstation 4.0 SP1
  • Microsoft Windows NT Workstation 4.0 SP2
  • Microsoft Windows NT Workstation 4.0 SP3
  • Microsoft Windows NT Workstation 4.0 SP4
  • Microsoft Windows NT Workstation 4.0 SP5
  • Microsoft Windows NT Workstation 4.0 SP6
  • Microsoft Windows NT Workstation 4.0 SP6a
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Datacenter Edition Itanium
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Enterprise Edition Itanium
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows XP 64-bit Edition
  • Microsoft Windows XP 64-bit Edition SP1
  • Microsoft Windows XP Home
  • Microsoft Windows XP Home SP1
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Professional SP1

Recommendations

Block external access at the network boundary, unless external parties require service.

Hosts that can send malicious traffic to TCP/UDP port 135 can exploit this issue. External access to this port should be filtered at network perimeters. Permit access for trusted or internal hosts and networks only. Other RPC Endpoint Mapper ports such as TCP 139, 445 and 593 should also be blocked to reduce exposure to this issue.

Implement multiple redundant layers of security.

Multiple layers of network access control and intrusion detection should be deployed to limit exposure to potentially vulnerable systems and monitor network traffic for malicious or anomalous activity.
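
The filtering and monitoring recommendations above can be checked against perimeter firewall logs. The Python below is an added example, not part of the Symantec advisory; the log format, the trusted networks and all addresses are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Ports named in the advisory: Endpoint Mapper on TCP/UDP 135, plus TCP 139, 445, 593.
RPC_PORTS = {("tcp", 135), ("udp", 135), ("tcp", 139), ("tcp", 445), ("tcp", 593)}

# Assumption: networks this site treats as trusted or internal.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample records: "<action> <proto> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
ALLOW tcp 10.1.2.3 10.1.9.20 135
ALLOW tcp 203.0.113.7 10.1.9.20 135
DENY tcp 198.51.100.4 10.1.9.21 445
ALLOW udp 203.0.113.7 10.1.9.22 135
ALLOW tcp 203.0.113.7 10.1.9.20 80
ALLOW tcp 198.51.100.9 10.1.9.23 593
"""

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return any(ip in net for net in TRUSTED)

def audit(log_text):
    """Return (exposed, probes): untrusted sources ALLOWed to an RPC port
    (a filtering gap) and a per-source count of untrusted attempts not allowed."""
    exposed, probes = [], Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip records that do not match the assumed format
        action, proto, src, dst, port = fields
        try:
            key = (proto.lower(), int(port))
            if key not in RPC_PORTS or is_trusted(src):
                continue
        except ValueError:
            continue  # malformed port or source address
        if action.upper() == "ALLOW":
            exposed.append((src, dst, key[0], key[1]))
        else:
            probes[src] += 1  # any action other than ALLOW counts as blocked
    return exposed, probes

if __name__ == "__main__":
    exposed, probes = audit(SAMPLE_LOG)
    for src, dst, proto, port in exposed:
        print(f"EXPOSED {proto}/{port} on {dst} reachable from {src}")
    print("blocked probes by source:", dict(probes))
```
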
eEye has released a free scanning tool for administrators to detect systems vulnerable to this issue. Please check the references section for a link to download this utility.

Several reports state that the RPC/DCOM service may still be vulnerable to a denial of service attack even if the Microsoft-supplied patch has been applied.

Microsoft has released patches to address this issue. Note that Windows NT 4.0 Workstation reached its end of life on June 30th, 2003. Because of this, Microsoft has not released a supported NT 4.0 Workstation patch. The Windows NT 4.0 Server patch may work on NT 4.0 Workstation; however, this has not been tested, nor is it supported by Microsoft.

CERT/CC reported an unrelated vulnerability in DCE implementations provided by various vendors that may be triggered by exploits or scanning tools associated with this issue. Please see BID 8371 for further details on the availability of fixes for affected implementations. It should be noted that this is a side-effect that may cause problems with DCE implementations, but does not affect Microsoft Windows itself.

Microsoft has released an update to their advisory stating that while the provided Windows 2000 patch will install on Windows 2000 SP2, it is unsupported. Microsoft recommends that users upgrade to a supported Service Pack. Further information can be found in MS03-026.

Cisco has released an advisory detailing products affected by this vulnerability, as well as making fix information available. Additional details are available in the referenced advisory.

Microsoft has released new fixes that supersede the original fixes for this issue. Administrators are advised to apply the new patches as they also address BID 8458, 8459, and 8460 in addition to this BID.

HP has made fixes available for OpenVMS.

Credits

Discovery of this vulnerability has been credited to The Last Stage of Delirium Research Group.
Copyright © Symantec Corporation.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
