11 August 2003

MICROSOFT has published a security bulletin describing a buffer overflow vulnerability in the Windows RPC (Remote Procedure Call) interface.

The RPC protocol is integral to the normal operation of many networking technologies within the Windows operating system. The buffer overflow affects the DCOM (Distributed Component Object Model) interface on port 135.

Impact: Attackers may exploit this vulnerability by sending a specially crafted RPC packet to port 135 on a vulnerable target. Successful exploitation of this vulnerability will result in complete control of the target system. Many security-conscious administrators know how to block this service at the perimeter, but open networks and personal computers used by individuals may be vulnerable to attack.

Several versions of functional “exploit” code for this vulnerability are now being actively distributed in the hacker underground.

ISS MSS (Managed Security Services) RealSecure Network installations have detected numerous attacks. Several third-party sources have also detected widespread scanning and exploitation.

Affected versions:

• Microsoft Windows NT 4.0
• Microsoft Windows NT 4.0 Terminal Services Edition
• Microsoft Windows 2000
• Microsoft Windows XP
• Microsoft Windows Server 2003

All major releases and Service Pack levels of the platforms above are vulnerable.

The vulnerability occurs in the RPC interface to DCOM. The RPC protocol is used by the Windows operating systems and their applications to communicate over the network.

RPC was originally developed by the OSF (Open Software Foundation) to build a system in which computers could request network services or resources from another computer without specific knowledge of the network or computing environment answering the request.

The DCOM interface to RPC is only accessible via port TCP/135 on default installations of Windows 2000, Windows XP, and Windows Server 2003. On Windows NT 4.0, the DCOM component is additionally accessible via port UDP/135 by default.

If the “Tunnelling TCP/IP” protocol is explicitly enabled within the DCOM Configuration Utility, the affected component may be reachable via the HTTP RPC Endpoint Mapper port (TCP/593).

This protocol is disabled by default in all configurations. DCOM may be accessible over port TCP/80 via COM Internet Services in similarly rare circumstances. DCOM is also accessible via non-IP protocols (IPX/SPX), and non-routable protocols (NETBEUI).

Microsoft has added several extensions to their implementation of the RPC protocol, including the integration of DCOM.

DCOM is built upon RPC to provide better interoperability between Microsoft applications and newer technologies such as ActiveX, HTTP, and Java. The DCE RPC and DCOM interfaces are widely used and enabled by default on Windows installations.

The DCOM object activation functionality is vulnerable to a remote stack overflow that allows arbitrary code execution when DCOM objects are instantiated.

The vulnerable code executes under the SYSTEM security context and any successful attacks will grant SYSTEM privileges. Integrated buffer overflow protection in Windows Server 2003 is reportedly ineffective at preventing this attack.

Recommendations: For identification of potentially vulnerable systems, Internet Security Systems has provided the following assessment checks:

• Internet Scanner XPU 7.3/6.32: WinRpcDCOMBo (http://xforce.iss.net/xforce/xfdb/12629)
• System Scanner SR 3.18: win-rpc-dcom-bo (http://xforce.iss.net/xforce/xfdb/12629)

For Dynamic Threat Protection, Internet Security Systems recommends applying a Virtual Patch for the Microsoft RPC vulnerability. Employ the following protection techniques through ISS’ Dynamic Threat Protection platform:

• RealSecure Network XPU 20.16 and 20.18: MSRPC_RemoteActivate_Bo (http://xforce.iss.net/xforce/xfdb/12629)
• Proventia A Series XPU 20.16 and 20.18: MSRPC_RemoteActivate_Bo (http://xforce.iss.net/xforce/xfdb/12629)
• RealSecure Server XPU 20.16 and 20.18: MSRPC_RemoteActivate_Bo (http://xforce.iss.net/xforce/xfdb/12629)
• RealSecure Guard, Sentry and Desktop 3.6 ebr: MSRPC_RemoteActivate_Bo (http://xforce.iss.net/xforce/xfdb/12629)
• RealSecure Desktop 7.0 eba: MSRPC_RemoteActivate_Bo (http://xforce.iss.net/xforce/xfdb/12629)

All updates listed above are available from the ISS Download center (

For manual protection, ISS and Microsoft have offered the following recommendations:

X-Force recommends that ports TCP/135 and UDP/135 be blocked on all perimeter networks. Individuals and network administrators should also configure personal firewalls, desktop and network protection systems to block port 135 as well.

In addition to this, it may be advisable to block TCP/593 and ensure that all systems running COM Internet Services are properly protected.
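As an added illustration of the perimeter advice above (this is not code from the ISS advisory), the following Python reads constructed firewall log lines, flags sources that touch the ports the advisory names (TCP/135, UDP/135, TCP/593) on several internal hosts, and counts the connections the perimeter actually let through. The log line format is an assumption, not any product's real format.

```python
import re
from collections import defaultdict

# Ports the advisory names as DCOM/RPC attack surface: TCP/135 and UDP/135 by
# default, TCP/593 (RPC over HTTP endpoint mapper) only when that feature is on.
DCOM_PORTS = {("tcp", 135), ("udp", 135), ("tcp", 593)}

# Constructed sample lines in an assumed generic perimeter-firewall format:
# timestamp action proto src dst dst_port
SAMPLE_LOG = """\
2003-08-11T10:00:01 DENY tcp 198.51.100.7 192.0.2.10 135
2003-08-11T10:00:01 DENY tcp 198.51.100.7 192.0.2.11 135
2003-08-11T10:00:02 DENY tcp 198.51.100.7 192.0.2.12 135
2003-08-11T10:00:02 ALLOW tcp 198.51.100.7 192.0.2.13 135
2003-08-11T10:00:03 DENY udp 198.51.100.7 192.0.2.14 135
2003-08-11T10:00:05 ALLOW tcp 203.0.113.5 192.0.2.10 80
2003-08-11T10:00:06 DENY tcp 203.0.113.5 192.0.2.10 593
2003-08-11T10:00:07 ALLOW tcp 192.0.2.50 192.0.2.10 445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>tcp|udp) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<port>\d+)$"
)


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            yield entry


def find_rpc_scanners(log_text, min_targets=3):
    """Return {src: {"targets": n, "allowed": n}} for every source that hit a
    DCOM/RPC port on at least min_targets distinct destination hosts.
    'allowed' counts hits the perimeter passed through; those destinations
    need host-level follow-up (MS03-026 patch status, local firewall)."""
    targets = defaultdict(set)
    allowed = defaultdict(int)
    for e in parse(log_text):
        if (e["proto"], e["port"]) not in DCOM_PORTS:
            continue  # unrelated traffic, e.g. TCP/80 or TCP/445
        targets[e["src"]].add(e["dst"])
        if e["action"] == "ALLOW":
            allowed[e["src"]] += 1
    return {src: {"targets": len(dsts), "allowed": allowed[src]}
            for src, dsts in targets.items() if len(dsts) >= min_targets}
```

Lowering min_targets to 1 turns the same function into a plain inventory of every external source that reached the DCOM ports, which is the list to reconcile against the perimeter block rules.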

Microsoft has released updates to address the vulnerability on all affected platforms. Refer to the Microsoft Security Bulletin MS03-026.

ISS has produced a command-line tool that scans for systems that might be vulnerable to the MS03-026 RPC DCOM Vulnerability. That tool is available at: (http://www.iss.net/support/product-utilities/ms03-026rpc.php)

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2003-0352 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

References:

• Last Stage of Delirium: http://www.lsd-pl.net
• Microsoft Security Bulletin MS03-026: http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

About Internet Security Systems (ISS):

Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse.

Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East.

© Times of Oman 2003