Buffer Overrun In Rpcss Service Could Allow Code E

Full Version: Buffer Overrun In Rpcss Service Could Allow Code E

GovernmentSecurity.org > The Archives > Exploit Articles

RELiC

Sep 11 2003, 03:03 AM

Buffer Overrun In RPCSS Service Could Allow Code Execution (MS03-039)
Date: 2003-09-10

Author : eEye Digital Security, NSFOCUS Security Team, and Xue Yong Zhi and Renaud Deraison from Tenable Network Security

------------------------
Summary
------------------------

Impact of vulnerability: Run code of attacker’s choice

Maximum Severity Rating: Critical

Recommendation: System administrators should apply the security patch immediately

An end user version of this bulletin is available at:
http://www.microsoft.com/security/security...ns/ms03-039.asp

Affected Software:

Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Server® 4.0
Microsoft Windows NT Server 4.0, Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003

Not Affected Software:
Microsoft Windows Millennium Edition

------------------------
Technical description:
------------------------

The fix provided by this patch supersedes the one included in Microsoft Security Bulletin MS03-026.

Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly access services on another computer. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.

There are three identified vulnerabilities in the part of RPCSS Service that deals with RPC messages for DCOM activation— two that could allow arbitrary code execution and one that could result in a denial of service. The flaws result from incorrect handling of malformed messages. These particular vulnerabilities affect the Distributed Component Object Model (DCOM) interface within the RPCSS Service. This interface handles DCOM object activation requests that are sent from one machine to another.

An attacker who successfully exploited these vulnerabilities could be able to run code with Local System privileges on an affected system, or could cause the RPCSS Service to fail. The attacker could then be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.

To exploit these vulnerabilities, an attacker could create a program to send a malformed RPC message to a vulnerable system targeting the RPCSS Service.

Microsoft has released a tool that can be used to scan a network for the presence of systems which have not had the MS03-039 patch installed. More details on this tool are available in Microsoft Knowledge Base article 827363. This tool supersedes the one provided in Microsoft Knowledge Base article 826369. If the tool provided in Microsoft Knowledge Base Article 826369 is used against a system which has installed the security patch provided with this bulletin, the superseded tool will incorrectly report that the system is missing the patch provided in MS03-026. Microsoft encourages customers to run the latest version of the tool available in Microsoft Knowledge Base article 827363 to determine if their systems are patched.

------------------------
Vulnerability identifier:
------------------------

Buffer Overrun: CAN-2003-0715

Buffer Overrun: CAN-2003-0528

Denial of Service: CAN-2003-0605

------------------------
Tested Versions:
------------------------

Microsoft tested Windows Millennium Edition, Windows NT 4.0 Server, Windows NT 4.0 Terminal Services Edition, Windows 2000, Windows XP and Windows Server 2003 to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

------------------------
Patch availability
------------------------

Download locations for this patch :

Windows NT Workstation :
http://www.microsoft.com/downloads/details...&displaylang=en

Windows NT Server 4.0 :
http://www.microsoft.com/downloads/details...&displaylang=en

Windows NT Server 4.0, Terminal Server Edition :
http://www.microsoft.com/downloads/details...&displaylang=en

Windows 2000 :
http://www.microsoft.com/downloads/details...&displaylang=en

Windows XP:
http://www.microsoft.com/downloads/details...&displaylang=en

Windows XP 64 bit Edition:
http://www.microsoft.com/downloads/details...&displaylang=en

Windows XP 64 bit Edition Version 2003:
http://www.microsoft.com/downloads/details...&displaylang=en

Windows Server 2003:
http://www.microsoft.com/downloads/details...&displaylang=en

Windows Server 2003 64 bit Edition:
http://www.microsoft.com/downloads/details...&displaylang=en

The watcher

Sep 11 2003, 03:19 AM

yeah rpc is back ^^ need an exploit lol ^^

hope no virus will follow : /

VamPs

Sep 11 2003, 04:09 AM

it already has dude, and it fucks windows so u have to reinstall, i'll have to see if the code is still on my computer tonight so i can post..

l8rs

Hexboy

Sep 11 2003, 04:20 AM

http://cyruxnet.com.ar/rpcxploit2.htm
and
http://oc192.netfirms.com/projects/downloa...ds/oc192-dcom.c
and a gazillion others by now.

and heres patch :
http://download.microsoft.com/download/c/d...146-x86-ENU.exe

VamPs

Sep 11 2003, 04:32 AM

hEXBOY thats the old rpc dcom 1s

theres another 3 flaws out now

Hexboy

Sep 11 2003, 06:26 AM

Is it ? Oops , I need to go through my wad of rpc shit in my favorites.

thatsmej

Sep 11 2003, 07:18 AM

QUOTE (The watcher @ Sep 11 2003, 03:19 AM)

yeah rpc is back ^^ need an exploit lol ^^

hope no virus will follow : /

most ppl blocked poort 135 139 445,

the rest of them is still suffering the ms blaster worm..

sow i dont think the exploit will work on much fast lines...

but alsow i`m waiting on the exploit