DCOM/RPC revisited

Discussion in 'other security issues & news' started by Pretender, Oct 14, 2003.

Thread Status:
Not open for further replies.
  1. Pretender

    Vulnerability Note VU#547820
    Microsoft Windows DCOM/RPC vulnerability
    There is a vulnerability in Microsoft Windows DCOM/RPC that can be exploited to cause a denial of service. It may be possible for an attacker to execute arbitrary code on a vulnerable system.
    I. Description
    Microsoft Windows Remote Procedure Call (RPC) "... is a powerful, robust, efficient, and secure interprocess communication (IPC) mechanism that enables data exchange and invocation of functionality residing in a different process. That different process can be on the same machine, on the local area network, or across the Internet." The Distributed COM (DCOM) "...extends the Component Object Model (COM) to support communication among objects on different computers -- on a LAN, a WAN, or even the Internet."
    Based on publicly available exploit code, there is a vulnerability in DCOM/RPC. This vulnerability is different than those described in CA-2003-16 (VU#568148/MS03-026) and CA-2003-23 (VU#254236/VU#483492/MS03-039). As in the previous vulnerabilities, this flaw appears to be a buffer overflow that occurs in the DCOM interface to RPC. A remote attacker could attempt to exploit this vulnerability using crafted RPC packets.

    II. Impact
    An unauthenticated, remote attacker could cause a denial of service or possibly execute arbitrary code with SYSTEM privileges.
    III. Solution
    The CERT/CC is currently unaware of a practical solution to this problem.
    Until patches are available, the following workarounds can be used to reduce possible attack vectors. These workarounds are not complete solutions and may affect network and application operation. Research and test before making changes to production systems.

    Using a network or host-based firewall, block RPC network traffic (ports 135/tcp, 139/tcp, 445/tcp, 593/tcp and 135/udp, 137/udp, 138/udp, 445/udp).
    Disable COM Internet Services (CIS) and RPC over HTTP as described in Microsoft Knowledge Base Article 825819.
    Disable DCOM as described in Microsoft Knowledge Base Article 825750.
    Systems Affected
    Vendor | Status | Date Updated
    Microsoft Corporation | Vulnerable | 13-Oct-2003
