N-117: Microsoft RPC Interface Buffer Overrun Vulnerability

N-117: Microsoft RPC Interface Buffer Overrun Vulnerability Privacy and Legal Notice INFORMATION BULLETIN N-117: Microsoft RPC Interface Buffer Overrun Vulnerability [Microsoft Security Bulletin MS03-026, MS03-039] July 16, 2003 21:00 GMT
[REVISED 1 Aug 2003]
[REVISED 13 Aug 2003]
[REVISED 15 Aug 2003]
[REVISED 22 Aug 2003]
[REVISED 10 SEPT 2003]


PROBLEM:	A buffer overrun vulnerability exists in the part of the Windows Remote Procedure Call(RPC) that deals with message exchange over TCP/IP (Port 135).
PLATFORM:	Windows NT 4.0 Windows NT 4.0 Server Windows NT 4.0 Terminal Services Edition Windows 2000 Windows XP Windows Server 2003 NOTE--If you have patched your system with MS03-026 you will need to patch your system with MS03-039. The patch provided in MS03-039 supersedes the one included in MS03-026. If MS03-026 patches have been installed prior to the discover of the Blaster worm, your system is secure from the vulnerability that W32.Blaster is using.
DAMAGE:	A successful attacker would be able to run code with Local System privileges, including installing programs, changing or deleting data, or creating new accounts with full privileges.
SOLUTION:	Apply the respective Microsoft patches.

VULNERABILITY ASSESSMENT:	The risk is HIGH. A successful attacker needs only to be able to send an especially crafted packet to port 135 on the target machine. Sites that block port 135 at their incoming firewall are only vulnerable to attack by machines inside of the firewall.

LINKS:
CIAC BULLETIN:	http://www.ciac.org/ciac/bulletins/n-117.shtml
ORIGINAL BULLETINS:	Released on 9/10/03 - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-039.asp
	Released on 7/16/03 - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
ADDITIONAL INFORMATION:	9/10/03 - For MS03-039, see CERT's Advisory: http://www.cert.org/advisories/CA-2003-23.html 7/31/03 - For MS03-026, see CERT's Advisory: http://www.cert.org/advisories/CA-2003-19.html

REVISION HISTORY:
8/01/2003: Added link to CERT Advisory CA-2003-19. Contains additional
information on other vulnerabilities and backdoor port activity.
8/13/2003: re-posted contents of MS bulletin to reflect revisions-to-date
in the technical description workaround information, mitigating
factors, and Service Pack 2 support information.
8/15/2003: Added additional information to PLATFORM section. Added
Microsoft's scanner tool update information. Updated download
links, removed the word "Server" from the NT4 link.
8/22/2003: Updated supercedence information in the Additional Information
section.
9/10/2003: Added new bulletin from Microsoft MS03-039 which supersedes
MS03-026 and updated PLATFORM section.

[***** Start Microsoft Security Bulletin MS03-039 *****]

Microsoft Security Bulletin MS03-039

Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)
Originally posted: September 10, 2003

Summary

Who should read this bulletin: Users running Microsoft ® Windows ®

Impact of vulnerability: Run code of attacker’s choice

Maximum Severity Rating: Critical

Recommendation: System administrators should apply the security patch immediately

End User Bulletin:
An end user version of this bulletin is available at:
http://www.microsoft.com/security/security_bulletins/ms03-039.asp

Protect your PC:
Additional information on how you can help protect your PC is available at the following locations:

End Users can visit http://www.microsoft.com/security/protect/default.asp
IT Professionals can visit http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tips/pcprotec.asp

Affected Software:

Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Server® 4.0
Microsoft Windows NT Server 4.0, Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003

Not Affected Software:

Microsoft Windows Millennium Edition

Technical details

Technical description:

The fix provided by this patch supersedes the one included in Microsoft Security Bulletin MS03-026.

Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an
inter-process communication mechanism that allows a program running on one computer to seamlessly
access services on another computer. The protocol itself is derived from the Open Software Foundation
(OSF) RPC protocol, but with the addition of some Microsoft specific extensions.

There are three identified vulnerabilities in the part of RPCSS Service that deals with RPC messages
for DCOM activation— two that could allow arbitrary code execution and one that could result in a
denial of service. The flaws result from incorrect handling of malformed messages. These particular
vulnerabilities affect the Distributed Component Object Model (DCOM) interface within the RPCSS
Service. This interface handles DCOM object activation requests that are sent from one machine to
another.

An attacker who successfully exploited these vulnerabilities could be able to run code with Local
System privileges on an affected system, or could cause the RPCSS Service to fail. The attacker
could then be able to take any action on the system, including installing programs, viewing, changing
or deleting data, or creating new accounts with full privileges.

To exploit these vulnerabilities, an attacker could create a program to send a malformed RPC message
to a vulnerable system targeting the RPCSS Service.

Microsoft has released a tool that can be used to scan a network for the presence of systems which
have not had the MS03-039 patch installed. More details on this tool are available in Microsoft
Knowledge Base article 827363. This tool supersedes the one provided in Microsoft Knowledge Base
article 826369. If the tool provided in Microsoft Knowledge Base Article 826369 is used against a
system which has installed the security patch provided with this bulletin, the superseded tool will
incorrectly report that the system is missing the patch provided in MS03-026. Microsoft encourages
customers to run the latest version of the tool available in Microsoft Knowledge Base article 827363
to determine if their systems are patched.

Mitigating factors:

Firewall best practices and standard default firewall configurations can help protect networks
from remote attacks originating outside of the enterprise perimeter. Best practices recommend
blocking all ports that are not actually being used. For this reason, most systems attached to the
Internet should have a minimal number of the affected ports exposed.

For more information about the ports used by RPC, visit the following Microsoft Web site:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/reskit/tcpip/part4/tcpappc.asp

Severity Rating: Windows NT 4.0 Server Windows NT 4.0, Terminal Server Edition Windows 2000 Windows XP Windows Server 2003
Buffer Overrun Vulnerabilities Critical Critical Critical Critical Critical
Denial of Service Vulnerability None None Important None None
Aggregate Severity of all Vulnerabilities Critical Critical Critical Critical Critical
The above assessment is based on the types of systems affected by the vulnerability, their typical
deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier:
Buffer Overrun: CAN-2003-0715

Buffer Overrun: CAN-2003-0528

Denial of Service: CAN-2003-0605

Tested Versions:
Microsoft tested Windows Millennium Edition, Windows NT 4.0 Server, Windows NT 4.0 Terminal Services
Edition, Windows 2000, Windows XP and Windows Server 2003 to assess whether they are affected by this
vulnerability. Previous versions are no longer supported, and may or may not be affected by these
vulnerabilities.

Patch availability

Download locations for this patch
Windows NT Workstation
Windows NT Server 4.0
Windows NT Server 4.0, Terminal Server Edition
Windows 2000
Windows XP
Windows XP 64 bit Edition
Windows XP 64 bit Edition Version 2003
Windows Server 2003
Windows Server 2003 64 bit Edition

Additional information about this patch
Installation platforms:

The Windows NT 4.0 patch can be installed on systems running Service Pack 6a.
The Windows NT 4.0, Terminal Server Edition patch can be installed on systems running Windows
NT 4.0, Terminal Server Edition Service Pack 6.
The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 2, Service
Pack 3, or Service Pack 4.
The patch for Windows XP can be installed on systems running Windows XP Gold or Service Pack 1.
The patch for Windows Server 2003 can be installed on systems running Windows Server 2003 Gold.

Inclusion in future service packs:
The fix for this issue will be included in Windows 2000 Service Pack 5, Windows XP Service Pack 2, and Windows Server 2003 Service Pack 1.

Reboot needed: Yes

Patch can be uninstalled: Yes

Superseded patches:
The fix provided by this patch supersedes the one included in Microsoft Security Bulletin MS03-026
as well as MS01-048

Verifying patch installation:

Windows NT 4.0:
To verify that the patch has been installed on the machine, confirm that all files listed in the file
manifest in Knowledge Base article 824146 are present on the system.
Windows NT 4.0 Terminal Server Edition:
To verify that the patch has been installed on the machine, confirm that all files listed in the file
manifest in Knowledge Base article 824146 are present on the system.
Windows 2000:
To verify that the patch has been installed on the machine, confirm that the following registry key
has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\
KB824146.
To verify the individual files, use the date/time and version information provided in the file
manifest in Knowledge Base article 824146 are present on the system.

Windows XP:

If installed on Windows XP Gold: To verify that the patch has been installed on the machine,
confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\
Microsoft\Updates\Windows XP\SP1\KB824146
To verify the individual files, use the date/time and version information provided in the file
manifest in Knowledge Base article 824146 are present on the system.

If installed on Windows XP Service Pack 1:
To verify that the patch has been installed on the machine, confirm that the following registry key
has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB824146.
To verify the individual files, use the date/time and version information provided in the file
manifest in Knowledge Base article 824146 are present on the system.

Windows Server 2003:
To verify that the patch has been installed on the machine, confirm that the following registry key
has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Window Server 2003\SP1\
KB824146.
To verify the individual files, use the date/time and version information provided in the file
manifest in Knowledge Base article 824146 are present on the system.

Caveats:
None

Localization:
Localized versions of this patch are available at the locations discussed in “Patch Availability”.

Obtaining other security patches:
Patches for other security issues are available from the following locations:

Security patches are available from the Microsoft Download Center, and can be most easily found
by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the Windows Update web site

Other information:
Acknowledgments
Microsoft thanks eEye Digital Security, NSFOCUS Security Team, and Xue Yong Zhi and Renaud Deraison
from Tenable Network Security for reporting the buffer overrun vulnerabilities and working with us to
protect customers.

Support:

Microsoft Knowledge Base article 824146 discusses this issue and will be available approximately
24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft
Online Support web site.
Technical support is available from Microsoft Product Support Services. There is no charge for
support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information
about security in Microsoft products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any
kind. Microsoft disclaims all warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been
advised of the possibility of such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

V1.0 September 10, 2003: Bulletin Created.

[***** End Microsoft Security Bulletin MS03-039 *****]

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the information contained in this bulletin.

DOE-CIRC can be contacted at:

    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/