OS Attack: MS RPCSS Attack CVE-2004-0116 2

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects an attack that is being conducted against the Microsoft RPC DCOM service.

Additional Information

There are numerous vulnerabilities associated with Microsoft's RPC DCOM service. This signature represents patterns associated with various publicly available RPC DCOM attacks. Events associated with this attack warrant immediate attention, and users are encouraged to audit the status of all machines with the RPC service enabled.

Microsoft Windows supports a Remote Procedure Call (RPC) application programmer's interface (API) that allows applications to share publicly available objects in a distributed computing environment (DCE). RPCSS is the service that carries out the communication that takes place through the specified API.

One of the more notable vulnerabilities associated with this service is a denial-of-service condition that exists in the RPCSS service. This issue is due to a failure of the application to properly handle malformed network messages.

The problem presents itself when the malformed messages are handled by the affected service. Exceptional conditions triggered by the malformed messages cause a failure of the application to free previously acquired heap memory. After processing a number of offending messages, the process will be unable to allocate more memory for incoming network data and a denial-of-service condition will be triggered.

The issue specifically concerns the processing of packets that report an extremely large length. After DCOM processes the request, it is passed to the Activation class of functions residing in 'rpcss.dll'. There, memory is allocated to store the information; the size of the allocation is derived from the 'length' field of the message. If the specified length is larger than the memory pool of the source buffer, an exception will be triggered. In this case the memory that was allocated will not be freed, causing a memory leak that will trigger a denial-of-service condition.
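The leak-on-error-path pattern described above, shown beside a hardened form, as an added example that is not code from rpcss.dll or from Symantec. The 4-byte length prefix, the fixed-size pool standing in for the service heap, and the names handle_leaky, handle_fixed and pool_in_use are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout: 4-byte little-endian declared length, then payload.
 * Constructed for illustration; this is not the DCOM wire format. */
#define POOL_SIZE 65536u
static uint8_t pool[POOL_SIZE];   /* stand-in for the service's heap */
static size_t pool_used = 0;

static void *pool_alloc(size_t n) {
    if (n > POOL_SIZE - pool_used) return NULL;   /* heap exhausted */
    void *p = pool + pool_used;
    pool_used += n;
    return p;
}
static void pool_free(size_t n) { pool_used -= n; }  /* LIFO release */

static uint32_t declared_len(const uint8_t *m) {
    return (uint32_t)m[0] | (uint32_t)m[1] << 8 |
           (uint32_t)m[2] << 16 | (uint32_t)m[3] << 24;
}

/* Flawed: size the allocation from the declared length, find the mismatch
 * afterwards, and leave through the error path without releasing it. */
int handle_leaky(const uint8_t *msg, size_t msg_size) {
    if (msg_size < 4) return -1;
    uint32_t len = declared_len(msg);
    uint8_t *copy = pool_alloc(len);
    if (!copy) return -2;                 /* out of memory */
    if (len > msg_size - 4) return -1;    /* malformed: 'copy' is leaked */
    memcpy(copy, msg + 4, len);
    pool_free(len);
    return 0;
}

/* Hardened: check the declared length against the bytes actually received
 * before allocating, so the error path owns nothing. */
int handle_fixed(const uint8_t *msg, size_t msg_size) {
    if (msg_size < 4) return -1;
    uint32_t len = declared_len(msg);
    if (len > msg_size - 4) return -1;    /* rejected before allocation */
    uint8_t *copy = pool_alloc(len);
    if (!copy) return -2;
    memcpy(copy, msg + 4, len);
    pool_free(len);
    return 0;
}

size_t pool_in_use(void) { return pool_used; }
```

Once the leaky handler has consumed the pool, even well-formed messages are refused with the out-of-memory code, which is the denial-of-service condition the signature description refers to.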

Successful exploitation of this issue may allow a remote attacker to cause the affected server to crash or stop responding. On Microsoft Windows 2000, XP, and Server 2003 this will cause the affected system to reboot; on all other Windows platforms the system will have to be manually rebooted. It is currently not known whether this issue could be leveraged to execute arbitrary code on the affected system.

It has been observed that W32.Gaobot and W32.RXBot worms exploit this issue to propagate.

Affected

  • Avaya DefinityOne Media Servers
  • Avaya IP600 Media Servers
  • Avaya S3400 Message Application Server
  • Avaya S8100 Media Servers
  • Microsoft Windows 2000 Advanced Server SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Datacenter Server SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Professional SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Server SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Server Japanese Edition
  • Microsoft Windows 2000 Terminal Services SP1, SP2, SP3, SP4
  • Microsoft Windows NT Enterprise Server 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
  • Microsoft Windows NT Server 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
  • Microsoft Windows NT Terminal Server 4.0, 4.0 alpha, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6
  • Microsoft Windows NT Workstation 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Datacenter Edition Itanium
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Enterprise Edition Itanium
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows XP Home SP1
  • Microsoft Windows XP Media Center Edition
  • Microsoft Windows XP Professional SP1
  • Microsoft Windows XP Tablet PC Edition

Response

Workaround:

The vendor has supplied the following workaround information:
When a system is part of a network, the DCOM wire protocol enables COM objects on that system to communicate with COM objects on other systems. You can disable DCOM for a particular system to help protect against this vulnerability, but doing so will also disable all communication between objects on that system and objects on other systems. It should be noted that this workaround is only possible on Windows 2000 systems that have applied service pack 3.

Solution:

Microsoft has released security bulletin MS04-012 with fixes to address this and other issues. It should be noted that there are no fixes for Windows 95, Windows 98, or Windows ME.

Microsoft Windows 2000 Advanced Server SP2:
Microsoft Upgrade Security Update for Windows 2000 (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=FBD38C36-D1D3-47A2-A5D5-6C8F27FDCC40&displaylang=en

Microsoft Windows 2000 Advanced Server SP3:
Microsoft Upgrade Security Update for Windows 2000 (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=FBD38C36-D1D3-47A2-A5D5-6C8F27FDCC40&displaylang=en

Microsoft Windows 2000 Advanced Server SP4:
Microsoft Upgrade Security Update for Windows 2000 (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=FBD38C36-D1D3-47A2-A5D5-6C8F27FDCC40&displaylang=en

Microsoft Windows 2000 Datacenter Server SP2:
Microsoft Upgrade Security Update for Windows 2000 (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=FBD38C36-D1D3-47A2-A5D5-6C8F27FDCC40&displaylang=en

Microsoft Windows 2000 Datacenter Server SP3:
Microsoft Upgrade Security Update for Windows 2000 (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=FBD38C36-D1D3-47A2-A5D5-6C8F27FDCC40&displaylang=en

Microsoft Windows 2000 Datacenter Server SP4:
Microsoft Upgrade Security Update for Windows 2000 (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=FBD38C36-D1D3-47A2-A5D5-6C8F27FDCC40&displaylang=en

Microsoft Windows 2000 Professional SP2:
Microsoft Upgrade Security Update for Windows 2000 (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=FBD38C36-D1D3-47A2-A5D5-6C8F27FDCC40&displaylang=en

Microsoft Windows 2000 Professional SP3:
Microsoft Upgrade Security Update for Windows 2000 (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=FBD38C36-D1D3-47A2-A5D5-6C8F27FDCC40&displaylang=en

Microsoft Windows 2000 Professional SP4:
Microsoft Upgrade Security Update for Windows 2000 (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=FBD38C36-D1D3-47A2-A5D5-6C8F27FDCC40&displaylang=en

Microsoft Windows 2000 Server SP2:
Microsoft Upgrade Security Update for Windows 2000 (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=FBD38C36-D1D3-47A2-A5D5-6C8F27FDCC40&displaylang=en

Microsoft Windows 2000 Server SP3:
Microsoft Upgrade Security Update for Windows 2000 (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=FBD38C36-D1D3-47A2-A5D5-6C8F27FDCC40&displaylang=en

Microsoft Windows 2000 Server SP4:
Microsoft Upgrade Security Update for Windows 2000 (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=FBD38C36-D1D3-47A2-A5D5-6C8F27FDCC40&displaylang=en

Microsoft Windows NT Enterprise Server 4.0 SP6a:
Microsoft Upgrade Security Update for Windows NT Server 4.0 (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=D4F2AD32-FE74-4DA1-AEAE-80897AC86720&displaylang=en

Microsoft Windows NT Server 4.0 SP6a:
Microsoft Upgrade Security Update for Windows NT Server 4.0 (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=D4F2AD32-FE74-4DA1-AEAE-80897AC86720&displaylang=en

Microsoft Windows NT Terminal Server 4.0 SP6:
Microsoft Upgrade Security Update for Windows NT Server, Terminal Server Edition (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=5B29E35D-E5DA-4486-B7EB-D54C7398142C&displaylang=en

Microsoft Windows NT Workstation 4.0 SP6a:
Microsoft Upgrade Security Update for Windows NT Workstation 4.0 (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=4ACB5BD6-A0BF-40BC-8955-D833923642EF&displaylang=en

Microsoft Windows Server 2003 Datacenter Edition:
Microsoft Upgrade Security Update for Windows Server 2003 (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=07317CE9-520D-4574-B575-5FB85DA9A4D7&displaylang=en

Microsoft Windows Server 2003 Datacenter Edition 64-bit:
Microsoft Upgrade Sec Update: Windows Server 2003 64 Bit Edition and Windows XP 64 Bit Edition Version 2003 (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=75A08528-5E99-4BE0-8E97-F1C9789611EB&displaylang=en

Microsoft Windows Server 2003 Enterprise Edition:
Microsoft Upgrade Security Update for Windows Server 2003 (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=07317CE9-520D-4574-B575-5FB85DA9A4D7&displaylang=en

Microsoft Windows Server 2003 Enterprise Edition 64-bit:
Microsoft Upgrade Sec Update: Windows Server 2003 64 Bit Edition and Windows XP 64 Bit Edition Version 2003 (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=75A08528-5E99-4BE0-8E97-F1C9789611EB&displaylang=en

Microsoft Windows Server 2003 Standard Edition:
Microsoft Upgrade Security Update for Windows Server 2003 (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=07317CE9-520D-4574-B575-5FB85DA9A4D7&displaylang=en

Microsoft Windows Server 2003 Web Edition:
Microsoft Upgrade Sec Update: Windows Server 2003 64 Bit Edition and Windows XP 64 Bit Edition Version 2003 (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=75A08528-5E99-4BE0-8E97-F1C9789611EB&displaylang=en
Microsoft Upgrade Security Update for Windows Server 2003 (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=07317CE9-520D-4574-B575-5FB85DA9A4D7&displaylang=en

Microsoft Windows XP Home:
Microsoft Upgrade Security Update for Windows XP (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=D488BBBB-DA77-448D-8FF0-0A649A0D8FC3&displaylang=en

Microsoft Windows XP Home SP1:
Microsoft Upgrade Security Update for Windows XP (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=D488BBBB-DA77-448D-8FF0-0A649A0D8FC3&displaylang=en

Microsoft Windows XP Professional:
Microsoft Upgrade Security Update for Windows XP (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=D488BBBB-DA77-448D-8FF0-0A649A0D8FC3&displaylang=en

Microsoft Windows XP Professional SP1:
Microsoft Upgrade Security Update for Windows XP (KB828741)
http://www.microsoft.com/downloads/details.aspx?FamilyId=D488BBBB-DA77-448D-8FF0-0A649A0D8FC3&displaylang=en