Security Update for Windows

Title: Buffer Overrun In RPCSS Service Could Allow Code
Execution (824146)
Date: September 10, 2003
Software: Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Server(r) 4.0
Microsoft Windows NT Server 4.0, Terminal Server
Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS03-039

Microsoft encourages customers to review the Security Bulletins
at:

http://www.microsoft.com/technet/security/bulletin/MS03-039.asp http://www.microsoft.com/security/security_bulletins/MS03-039.asp

- - -----------------------------------------------------------------

Issue:


The fix provided by this patch supersedes the one included in
Microsoft Security Bulletin MS03-026.

Remote Procedure Call (RPC) is a protocol used by the Windows
operating system. RPC provides an inter-process communication
mechanism that allows a program running on one computer to
seamlessly access services on another computer. The protocol
itself is derived from the Open Software Foundation (OSF) RPC
protocol, but with the addition of some Microsoft specific
extensions.

There are three identified vulnerabilities in the part of RPCSS
Service that deals with RPC messages for DCOM activation- two
that could allow arbitrary code execution and one that could
result in a denial of service. The flaws result from incorrect
handling of malformed messages. These particular vulnerabilities
affect the Distributed Component Object Model (DCOM) interface
within the RPCSS Service. This interface handles DCOM object
activation requests that are sent from one machine to another.

An attacker who successfully exploited these vulnerabilities
could be able to run code with Local System privileges on an
affected system, or could cause the RPCSS Service to fail. The
attacker could then be able to take any action on the system,
including installing programs, viewing, changing or deleting
data, or creating new accounts with full privileges.

To exploit these vulnerabilities, an attacker could create a
program to send a malformed RPC message to a vulnerable system
targeting the RPCSS Service.

Microsoft has released a tool that can be used to scan a network
for the presence of systems which have not had the MS03-039 patch
installed. More details on this tool are available in Microsoft
Knowledge Base article 827363. This tool supersedes the one
provided in Microsoft Knowledge Base article 826369. If the tool
provided in Microsoft Knowledge Base Article 826369 is used
against a system which has installed the security patch provided
with this bulletin, the superseded tool will incorrectly report
that the system is missing the patch provided in MS03-026.
Microsoft encourages customers to run the latest version of the
tool available in Microsoft Knowledge Base article 827363 to
determine if their systems are patched.


Mitigating Factors:

- Firewall best practices and standard default firewall
configurations can help protect networks from remote attacks
originating outside of the enterprise perimeter. Best practices
recommend blocking all ports that are not actually being used.
For this reason, most systems attached to the Internet should
have a minimal number of the affected ports exposed.

Risk Rating:

- Critical

Patch Availability:
- A patch is available to fix this vulnerability. Please read
the Security Bulletins at

http://www.microsoft.com/technet/security/bulletin/MS03-039.asp http://www.microsoft.com/security/security_bulletins/MS03-039.asp
for information on obtaining this patch.

Acknowledgment:

- eEye Digital Security (http://www.eeye.com/html)
- NSFOCUS Security Team (http://www.nsfocus.com)
- Xue Yong Zhi and Renaud Deraison from Tenable Network Security
(http://www.tenablesecurity.com)

for reporting the buffer overrun vulnerabilities and working with
us to protect customers.

 

Here we go again...from the Internet Storm Center:

Microsoft RPCSS Vulnerability
http://isc.sans.org/diary.html?date=2003-09-10
September 10th 2003 15:48 EDT
"In response to todays announcement of a new Microsoft Windows RPC vulnerability, we raised the 'Infocon' to 'yellow' in order to alert users of the urgency to patch, and to point out that this is a new issue not covered by any of the prior RPC patches.
- Microsoft released a new RPC related advisory (MS003-039). This advisory discloses a buffer overrun condition in the RPCSS service. This issue is not fixed by any patch applied to remedy the RPC DCOM vulnerability..."

- Can download patch (approx. 916k for W2K) from here:
http://support.microsoft.com/?kbid=824146

 

Seems that Steve Gibson was right again
http://www.wilderssecurity.com/showthread.php?t=13292

 

FYI...from the Internet Storm Center:

Windows RPCSS Vulnerability Update
http://isc.sans.org/diary.html?date=2003-09-11
"Several groups are working on an exploit for this vulnerability. Expect a working exploit to be published and used within the next few days...
- This vulnerability is NOT PATCHED by the RPC DCOM patch (MS03-026)
The RPCSS patch (MS03-039) has been made available on Sept. 10th (Wednesday). No patch prior to this date fixed this issue. While this is an RPC issue, it is a new and different issue as the one released in July.
- You must patch as soon as possible
We expect an exploit in widespread use shortly. At this point, you should be able to patch while assuming that the machine has not yet been compromised. However, within a few days this may no longer be the case and you will have to validate the system's integrity...
- The patch for MS03-039 (RPCSS) does include the July patch for MS03-026 (RPC DCOM).
- Workarounds
>There are two workarounds. You can avoid exploitation by this vulnerability by applying firewall rules. In particular if you are using a host based ("Personal") firewall. For network firewalls, make sure no hosts are moved into the same zone with unpatched machines. We recommend setting up a "laptop quarantine" to avoid the introduction of malware from the outside of the network.
>In order to protect unpatched systems, you should close the following ports:
UDP 135, 137, 138, 445
TCP 135, 139, 445, 593
Other ports may be used as well depending on additional components you may have installed. In particular if you are using COM Internet Services (CIS) and RPC over HTTP, you need to close port 80 and 443 inbound.
- To disable RPC, see this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;825750
- Update Vulnerability Scanners
Scanners for the old RPC vulnerability will not recognize this new vulnerability, and may detect false positives for patched systems. Update to the most recent versions of your scanner..."

(For complete detail, use the above link in this post).

 

FYI...Buffer Overrun in RPCSS May Allow Code Execution
-(reiteration for clarification)-
http://support.microsoft.com/?kbid=824146
(O/S systems affected
"The information in this article applies to:
Microsoft Windows Server 2003, 64-Bit Enterprise Edition
Microsoft Windows Server 2003, 64-Bit Datacenter Edition
Microsoft Windows Server 2003, Enterprise Edition
Microsoft Windows Server 2003, Standard Edition
Microsoft Windows Server 2003, Web Edition
Microsoft Windows XP Professional
Microsoft Windows XP Home Edition
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Tablet PC Edition

Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows NT Server 4.0
Microsoft Windows NT Server 4.0 Terminal Server Edition
Microsoft Windows NT Workstation 4.0...

- NOTE: The features that are associated with these vulnerabilities are also not included with Microsoft Windows 95, Microsoft Windows 98, and Microsoft Windows 98 Second Edition, even if DCOM is installed..."

(For complete information including -Patch Information- and -Updated Scanning Tool- information, use the above link in this post).

 

- GRC has version -2- now available:
http://grc.com/dcom/

- MS updated scanner:
http://support.microsoft.com/default.aspx?kbid=827363

 

FYI...per: https://www.wilderssecurity.com/securitynews.html

Hackers Pass Out New Software for Attacks
http://www.620ktar.com/news/article.aspx?article_id=217828&cc=012345

"Security researchers on Tuesday detected hackers distributing software to break into computers using flaws announced last week in some versions of Microsoft Corp.'s Windows operating system...
- The discovery gives fresh impetus for tens of millions of Windows users, inside corporations and in their homes, to immediately apply a free repairing patch from Microsoft. Homeland Security officials have warned that attacks could result in a "significant impact" on the operation of the Internet.
- Researchers from iDefense Inc. of Reston, Va., who found the new attack software being distributed from a Chinese Web site, said it was already being used to break into vulnerable computers and implant eavesdropping programs. They said they expect widespread attacks similar to the Blaster infection within days...The latest hacker tool was relatively polished. It gives hackers access to victims' computers by creating a new account with the name "e" with a preset password. iDefense said the tool includes options to attack two Windows 2000 versions that are commonly used inside corporations..."

 

No MSBlaster II...Worm Writers Lying Low
http://www.techweb.com/wire/story/TWB20030926S0011

 

FYI...

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci931798,00.html
- The UK's National Infrastructure Security Co-ordination Centre (NISCC) has warned that exploit code has been published on the Internet to take advantage of a buffer overrun flaw in the RPCSS Service affecting "a range of versions, levels and language versions of Microsoft Windows 2000 and XP."...
14 October 2003
http://www.uniras.gov.uk/l1/l2/l3/alerts2003/alert-2903.txt

- NOTE: This appears to be inline with the RPCSS Service vuln and is a separate issue from the CERT advisory issued today - see CERT advisory topic here.