ITSS Information Security Services
Microsoft Patches NEW Vulnerabilities in RPC/DCOM -- 10 Sept 2003
Summary
A core component of the Windows operating system, responsible for co-ordinating communications between processes and machines on local networks, contains several vulnerabilities, the worst of which may allow an attacker to completely compromise an unpatched machine. All versions of the Windows operating system contain the flawed software.
All Windows users must install the new update as quickly as possible, even if you have applied the previous RPC patch. The easiest way to do this is to use Internet Explorer to visit http://windowsupdate.microsoft.com and install all critical updates.

However, if you have problems running Windows Update, the individual patches may be downloaded and installed from the following URLs:
Windows NT Workstation
http://www.microsoft.com/downloads/details.aspx?FamilyId=7EABAD74-9CA9-48F4-8DB5-CF8C188879DA&displaylang=en
Windows NT Server
http://www.microsoft.com/downloads/details.aspx?FamilyId=71B6135C-F957-4702-B376-2DACCE773DC0&displaylang=en
Windows NT Terminal Server
http://www.microsoft.com/downloads/details.aspx?FamilyId=677229F8-FBBF-4FF4-A2E9-506D17BB883F&displaylang=en
Windows 2000
http://www.microsoft.com/downloads/details.aspx?FamilyId=F4F66D56-E7CE-44C3-8B94-817EA8485DD1&displaylang=en
Windows XP
http://www.microsoft.com/downloads/details.aspx?FamilyId=5FA055AE-A1BA-4D4A-B424-95D32CFC8CBA&displaylang=en
Windows 2003 Server
http://www.microsoft.com/downloads/details.aspx?FamilyId=51184D09-4F7E-4F7B-87A4-C208E9BA4787&displaylang=en
Technical Details
The Remote Procedure Call (RPC) architecture allows a program running on one computer to access data and services on other machines in its local network. One of the goals of RPC is to make it easier for computer applications to communicate with other machines, without having to provide their own code for establishing and using low level network protocols.

The Distributed Component Object Model (DCOM) protocol uses RPC to enable software components to communicate over a network, providing an additional level of abstraction for interoperability in network environments.
MS03-026 addressed a remotely exploitable stack overflow vulnerability in the DCOM object activation code, in particular a problem with incorrect parameter checks in the code that instantiates DCOM objects. This vulnerability, assigned the name CAN-2003-0352 by the Common Vulnerabilities and Exposures project, led to the widespread compromise of unpatched systems experienced by Stanford and others (see http://securecomputing.stanford.edu/win-rpc.html for more information).
MS03-039 addresses three newly announced vulnerabilities in the same component of the Windows networking architecture, the RPC/DCOM interface. The first one is a failure to validate the length of a filename parameter [1, 9] within DCOM, which allows an attacker to execute arbitrary code with local SYSTEM privileges. This has been assigned the name CAN-2003-0528 and was discovered by the NSFOCUS security team.
The second vulnerability is a denial of service exposure in the RPC/DCOM interface [1, 10]. According to the CVE description, "The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function." This has been assigned the name CAN-2003-0605 and was discovered by Xfocus, a Chinese security research team. Exploit code based on the Xfocus proof of concept code has been observed in the wild.
The third vulnerability is contained in the DCOM object activation request subsystem [1, 2]. Sending 4 or 5 malformed activation request packets will trigger the heap corruption and allow an attacker to execute arbitrary code with local SYSTEM privileges. This has been assigned the name CAN-2003-0715 and was discovered by eEye Digital Security. Exploit code is not yet publicly available but should be shortly, as the vulnerability is very similar to the vulnerability at the core of MS Blaster and the other recently-experienced Windows RPC exploits.
Countermeasures
If you use a Windows computer and you have not installed the patch for MS03-026, all you need to do is clean whatever infections your system has collected because of the RPC vulnerabilities, and install the patch released today. MS03-039 includes the fixes contained in MS03-026. See http://securecomputing.stanford.edu/protect for more information.
If you use a Windows system and you have installed MS03-026, you still need to install the patch released today, which includes fixes for three new problems.
In addition to updating your operating system with these critical fixes, you can protect yourself by using the Windows XP firewall functionality, and by disabling DCOM altogether if your system does not use it. [Note: ITSS cannot predict the impact of disabling DCOM in the wide variety of computer and application environments in use at Stanford. Disable at your own risk.]
Configuring the Windows XP Internet Connection Firewall to work with Stanford Authentication and File Sharing
[Note about the XP firewall: there is a definite lag between the time that you boot your computer and the ICF becomes active. We have received several reports of Stanford users being infected by the current RPC exploits in the time between their machines coming on line and the firewall enforcing a set of rules. Remember that running the firewall doesn't mean that you can delay patching your Windows systems.]
How to Disable DCOM (provided by Med School) (use at your own risk)
For system and network administrators, several scanners are now available to identify computers that are vulnerable to the issues contained in MS03-039. The update creates problems with scanners designed to identify MS03-026; the new patches make the old scanners report systems as Vulnerable even when they're patched.
ISS Command Line Scanner for MS03-039
Microsoft's Updated Scanner
eEye's Updated Scanner
Nessus NASL Script
Remember that a system patched with MS03-039 is not vulnerable to any of the exploits experienced at Stanford thus far -- so install those patches quickly!
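To tie the countermeasures above together, here is an added audit script written for this page (it is not part of the ITSS alert, nor one of the scanners listed). It reports whether a host records the MS03-039 update, whether DCOM has been switched off, and whether the RPC endpoint mapper port (TCP 135, the service the host firewall shields) is listening. Assumptions: Get-HotFix lists the update under the ID KB824146, the NetTCPIP module's Get-NetTCPConnection is available, and DCOM is disabled via Microsoft's documented EnableDCOM registry value, which this page does not itself describe.

```powershell
# Added example (not from the ITSS alert): audit one Windows host for the three
# states discussed under Countermeasures. Assumptions: Get-HotFix reports the
# MS03-039 update under the ID KB824146, and Get-NetTCPConnection is available.

function Get-Ms03039Posture {
    [CmdletBinding()]
    param()

    # 1. Is the MS03-039 update (KB 824146) recorded as installed?
    $hotfix  = Get-HotFix -Id 'KB824146' -ErrorAction SilentlyContinue
    $patched = [bool]$hotfix

    # 2. Is DCOM disabled? HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N" turns it off
    #    (the documented switch behind "How to Disable DCOM" above).
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    $dcomEnabled = -not ($ole -and $ole.EnableDCOM -eq 'N')

    # 3. Is the RPC endpoint mapper (TCP 135) listening? This is the port the
    #    XP Internet Connection Firewall countermeasure is meant to cover.
    $epm = Get-NetTCPConnection -LocalPort 135 -State Listen -ErrorAction SilentlyContinue
    $epmListening = [bool]$epm

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        MS03_039_Patched = $patched
        DcomEnabled      = $dcomEnabled
        Tcp135Listening  = $epmListening
        # Unpatched, DCOM on, endpoint mapper reachable: the case the alert warns about.
        Exposed          = (-not $patched) -and $dcomEnabled -and $epmListening
    }
}

$posture = Get-Ms03039Posture
$posture | Format-List
if ($posture.Exposed) {
    Write-Warning 'MS03-039 not recorded as installed and RPC/DCOM reachable: patch now.'
}
```

Run it in an elevated PowerShell session; a host that shows Exposed = True should be patched before anything else, since, as the alert notes, the firewall alone does not cover the window between boot and the firewall becoming active.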
References
[1] Microsoft Security Bulletin MS03-039: Buffer Overrun in RPCSS Service Could Allow Code Execution (824146)
[2] Microsoft RPC Heap Corruption Vulnerability - Part II
[3] CERT Advisory CA-2003-23: RPCSS Vulnerabilities in Microsoft Windows
[4] Microsoft Knowledge Base Article 824146 - MS03-039: A Buffer Overrun in RPCSS May Allow Code Execution
[5] Microsoft Knowledge Base Article 827363 - How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed
[6] ISS Security Alert: Multiple Vulnerabilities in Microsoft RPC Service
[7] Tenable Alert - Microsoft Security Bulletin MS03-039
[8] Nessus Plug-In: Microsoft RPC Interface Buffer Overrun (824146)
[9] NSFOCUS Security Advisory (SA2003-06): Microsoft Windows RPC DCOM Interface Heap Overflow Vulnerability
[10] Microsoft Windows 2000 RPC DCOM Interface DoS and Privilege Escalation Vulnerability
Last modified Wednesday, 08-Feb-2006 11:46:29 PST
© 2003, Stanford University. All rights reserved.