Date Discovered July 16, 2003
Description A buffer overrun vulnerability has been reported in Microsoft Windows that can be exploited remotely via a DCOM RPC interface that listens on TCP/UDP port 135. The issue is due to insufficient bounds checking of client DCOM object activation requests. Exploitation of this issue could result in execution of malicious instructions with Local System privileges on an affected system.
This issue may be exposed on other ports that the RPC Endpoint Mapper listens on, such as TCP ports 139, 135, 445 and 593. This has not been confirmed. Under some configurations the Endpoint Mapper may receive traffic via port 80.
** There have been unconfirmed reports that Windows 9x systems with certain software installed may also be vulnerable to this issue. Reportedly, Windows 98 systems with .NET software installed may be vulnerable according to scans using various DCOM RPC vulnerability scanning tools. Symantec has not confirmed this behaviour and it may in fact be due to false positives generated by the scanners.
Block external access at the network boundary, unless external parties require service. Hosts that can send malicious traffic to TCP/UDP port 135 can exploit this issue. External access to this port should be filtered at network perimeters. Permit access for trusted or internal hosts and networks only. Other RPC Endpoint Mapper ports such as TCP 139, 445 and 593 should also be blocked to reduce exposure to this issue.
Implement multiple redundant layers of security.
Multiple layers of network access control and intrusion detection should be deployed to limit exposure to potentially vulnerable systems and monitor network traffic for malicious or anomalous activity.
eEye has released a free scanning tool for administrators to detect systems vulnerable to this issue. Please check the references section for a link to download this utility.
** Several reports state that the RPC/DCOM service may still be vulnerable to a denial of service attack even if the Microsoft-supplied patch has been applied.
Microsoft has released patches to address this issue. Note that Windows
NT 4.0 Workstation reached its end of life on June 30th, 2003. Because of
this, Microsoft has not released a supported NT 4.0 Workstation patch.
The Windows NT 4.0 Server patch may work on NT 4.0 Workstation, however,
this has not been tested nor is it supported by Microsoft.
** CERT/CC reported an unrelated vulnerability in DCE implementations provided by various vendors that may be triggered by exploits or scanning tools associated with this issue. Please see BID 8371 for further details on the availability of fixes for affected implementations. It should be noted that this is a side-effect that may cause problems with DCE implementations, but does not affect Microsoft Windows itself.
Microsoft has released an update to their advisory stated that while the provided Windows 2000 patch will install on Windows 2000 SP2, it is unsupported. Microsoft recommends users to upgrade to a supported Service Pack. Further information can be found in MS03-026.
Cisco has released an advisory detailing products affected by this vulnerability, as well as making fix information available. Additional details available in referenced advisory.
Microsoft has released new fixes that supersede the original fixes for this issue. Administrators are advised to apply the new patches as they also address BID 8458, 8459, and 8460 in addition to this BID.
HP has made fixes available for OpenVMS.
Credits Discovery of this vulnerability has been credited to The Last Stage of Delirium Research Group.
Copyright © Symantec Corporation.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from firstname.lastname@example.org
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and email@example.com
are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.