Microsoft Security Bulletin MS03-039: Buffer Overrun In RPCSS Service Could Allow Code Execution(824146)

2003-09-11T00:00:00
ID SECURITYVULNS:DOC:5079
Type securityvulns
Reporter Securityvulns
Modified 2003-09-11T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----


Title: Buffer Overrun In RPCSS Service Could Allow Code
Execution (824146) Date: September 10, 2003 Software: Microsoft Windows NT Workstation 4.0 Microsoft Windows NT Server(r) 4.0 Microsoft Windows NT Server 4.0, Terminal Server
Edition Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003
Impact: Run code of attacker's choice Max Risk: Critical Bulletin: MS03-039

Microsoft encourages customers to review the Security Bulletins at:

http://www.microsoft.com/technet/security/bulletin/MS03-039.asp http://www.microsoft.com/security/security_bulletins/MS03-039.asp


Issue:

The fix provided by this patch supersedes the one included in Microsoft Security Bulletin MS03-026.

Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly access services on another computer. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.

There are three identified vulnerabilities in the part of RPCSS Service that deals with RPC messages for DCOM activation- two that could allow arbitrary code execution and one that could result in a denial of service. The flaws result from incorrect handling of malformed messages. These particular vulnerabilities affect the Distributed Component Object Model (DCOM) interface within the RPCSS Service. This interface handles DCOM object activation requests that are sent from one machine to another.

An attacker who successfully exploited these vulnerabilities could be able to run code with Local System privileges on an affected system, or could cause the RPCSS Service to fail. The attacker could then be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.

To exploit these vulnerabilities, an attacker could create a program to send a malformed RPC message to a vulnerable system targeting the RPCSS Service.

Microsoft has released a tool that can be used to scan a network for the presence of systems which have not had the MS03-039 patch installed. More details on this tool are available in Microsoft Knowledge Base article 827363. This tool supersedes the one provided in Microsoft Knowledge Base article 826369. If the tool provided in Microsoft Knowledge Base Article 826369 is used against a system which has installed the security patch provided with this bulletin, the superseded tool will incorrectly report that the system is missing the patch provided in MS03-026. Microsoft encourages customers to run the latest version of the tool available in Microsoft Knowledge Base article 827363 to determine if their systems are patched.

Mitigating Factors:

  • Firewall best practices and standard default firewall configurations can help protect networks from remote attacks originating outside of the enterprise perimeter. Best practices recommend blocking all ports that are not actually being used. For this reason, most systems attached to the Internet should have a minimal number of the affected ports exposed.

Risk Rating:

  • Critical

Patch Availability:

  • A patch is available to fix this vulnerability. Please read the Security Bulletins at

http://www.microsoft.com/technet/security/bulletin/MS03-039.asp http://www.microsoft.com/security/security_bulletins/MS03-039.asp

for information on obtaining this patch.

Acknowledgment:

  • eEye Digital Security (http://www.eeye.com/html)
  • NSFOCUS Security Team (http://www.nsfocus.com)
  • Xue Yong Zhi and Renaud Deraison from Tenable Network Security (http://www.tenablesecurity.com)

for reporting the buffer overrun vulnerabilities and working with us to protect customers.


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE----- Version: PGP 8.0.2

iQEVAwUBP19PE40ZSRQxA/UrAQFL2ggAk84V2SkEsj8r0xW6JoxE9ojVFp8kQLWS SMYMXP6iEONzJzUGcoX8OLDWG5ncSoJVOSM+84PUCOAFnIZs8eZV8MiOdjm/j2yO Fv+0bw6foQbsyvFT9Kcckrj/DJAIEnu5EMwVcU1jlkP1rIj6JXaZdC78jpHson2y AdxBM8altRg1aKplWYVe5vOV0Ya92KUkbKy0khv9xKgNO/PPbno4AdBzkk5s7hqy NNnhi+lbdZBubzhQkvG+Wj3bAA/onj7SdTAKXuaLEB61c5gDsznwV+d+tHYbZjdm 3BAhoL+b34yteRa3wJrMxgz6+KJLDpUvEUW9DYU9Mlscl3+d1StbNw== =2u0i -----END PGP SIGNATURE-----


You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp

If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described below: Reply to this message with the word UNSUBSCRIBE in the Subject line.

For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.