From w.naef@iwar.org.uk Wed Sep 10 19:52:15 2003
From: "Wanja Eric Naef [IWS]" <w.naef@iwar.org.uk>
To: Infocon <infocon@iwar.org.uk>
Date: Wed, 10 Sep 2003 23:34:45 +0100
Subject: [INFOCON] CERT Advisory CA-2003-23 RPCSS Vulnerabilities in Microsoft Windows


-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-23 RPCSS Vulnerabilities in Microsoft Windows

   Original release date: September 10, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Microsoft Windows NT Workstation 4.0
     * Microsoft Windows NT Server 4.0
     * Microsoft Windows NT Server 4.0, Terminal Server Edition
     * Microsoft Windows 2000
     * Microsoft Windows XP
     * Microsoft Windows Server 2003

Overview

   Microsoft has published a bulletin describing three vulnerabilities
   that affect numerous versions of Microsoft Windows. Two of these
   vulnerabilities are remotely exploitable buffer overflows that may
   allow an attacker to execute arbitrary code with system privileges.
   The third vulnerability may allow a remote attacker to cause a denial
   of service.

I. Description

   The Microsoft RPCSS Service is responsible for managing Remote
   Procedure Call (RPC) messages. There are two buffer overflow
   vulnerabilities in the RPCSS service, which is enabled by default on
   many versions of Microsoft Windows. These buffer overflows occur in
   sections of code that handle DCOM activation messages sent to the
   RPCSS service.

   The CERT/CC is tracking these vulnerabilities as VU#483492 and
   VU#254236, which correspond to CVE candidates CAN-2003-0715 and
   CAN-2003-0528, respectively. The buffer overflows discussed in this
   advisory are different from those discussed in previous advisories.

   Microsoft has also published information regarding a denial-of-service
   vulnerability in the RPCSS service. This vulnerability only affects
   Microsoft Windows 2000 systems.

   The CERT/CC is tracking this vulnerability as VU#326746, which
   corresponds to CVE candidate CAN-2003-0605. This vulnerability was
   previously discussed in CA-2003-19.

II. Impact

   By exploiting either of the buffer overflow vulnerabilities, remote
   attackers may be able to execute arbitrary code with Local System
   privileges.

   By exploiting the denial-of-service vulnerability, remote attackers
   may be able to disrupt the RPCSS service. This may result in general
   system instability and require a reboot.

III. Solution

Apply a patch from Microsoft

   Microsoft has published Microsoft Security Bulletin MS03-039 to
   address this vulnerability. For more information, please see

     http://www.microsoft.com/technet/security/bulletin/MS03-039.asp

   This bulletin supersedes MS03-026.

Block traffic to and from common Microsoft RPC ports

   As an interim measure, users can reduce the chance of successful
   exploitation by blocking traffic to and from well-known Microsoft RPC
   ports, including
     * Port 135 (tcp/udp)
     * Port 137 (udp)
     * Port 138 (udp)
     * Port 139 (tcp)
     * Port 445 (tcp/udp)
     * Port 593 (tcp)

   To prevent compromised hosts from contacting other vulnerable hosts,
   the CERT/CC recommends that system administrators filter the ports
   listed above for both incoming and outgoing traffic.
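   The interim filter above, written out as an added example (not part of
   the CERT advisory): the port/protocol table from the list is encoded
   once, used to emit iptables DROP rules for both directions, and applied
   to constructed flow records to show which would be blocked. The chain
   names and the sample addresses are assumptions.

```python
# Added example, not from the CERT advisory. Encodes the port list from
# CA-2003-23 and uses it to emit bidirectional iptables rules and to
# flag flow records that the interim filter would block.
from dataclasses import dataclass

# Ports from the advisory, with the protocols it names for each.
RPC_PORTS = {
    135: ("tcp", "udp"),
    137: ("udp",),
    138: ("udp",),
    139: ("tcp",),
    445: ("tcp", "udp"),
    593: ("tcp",),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def is_rpc_port(proto: str, port: int) -> bool:
    """True if (proto, port) is on the advisory's filter list."""
    return proto.lower() in RPC_PORTS.get(port, ())

def iptables_rules(chain_in: str = "INPUT", chain_out: str = "OUTPUT"):
    """DROP rules for every listed port/protocol pair, inbound and
    outbound, matching the advice to filter both directions.
    Chain names are assumed defaults."""
    rules = []
    for port, protos in sorted(RPC_PORTS.items()):
        for proto in protos:
            rules.append(f"iptables -A {chain_in} -p {proto} --dport {port} -j DROP")
            rules.append(f"iptables -A {chain_out} -p {proto} --dport {port} -j DROP")
    return rules

def flag_flows(flows):
    """Return the flows the interim filter would block."""
    return [f for f in flows if is_rpc_port(f.proto, f.dport)]

# Constructed sample flows with hypothetical addresses, not real traffic.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.9", "tcp", 135),  # listed: 135/tcp
    Flow("10.0.0.5", "10.0.0.9", "tcp", 80),   # not listed: plain HTTP
    Flow("10.0.0.7", "10.0.0.9", "udp", 139),  # not listed: only 139/tcp is
    Flow("10.0.0.7", "10.0.0.9", "tcp", 593),  # listed: 593/tcp
]

if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    for f in flag_flows(SAMPLE_FLOWS):
        print("would block:", f)
```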

Disable COM Internet Services and RPC over HTTP

   COM Internet Services (CIS) is an optional component that allows RPC
   messages to be tunneled over HTTP ports 80 and 443. As an interim
   measure, sites that use CIS may wish to disable it as an alternative
   to blocking traffic to and from ports 80 and 443.

Disable DCOM

   Disable DCOM as described in MS03-039 and Microsoft Knowledge Base
   Article 825750.
     _________________________________________________________________

   This document was written by Jeffrey P. Lanza and is based upon the
   information in MS03-039.
 
______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2003-23.html
 
______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site
   http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
 
______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
 
______________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

   Revision History
Sep 10, 2003:  Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

-----END PGP SIGNATURE-----

------------------------------------------------------------------------
Information is the currency of victory on the battlefield.
GEN Gordon Sullivan, CSA (1993)
------------------------------------------------------------------------

INFOCON Mailing List @
IWS - The Information Warfare Site
http://www.iwar.org.uk
