ITSS Information Security Services
RPC Buffer Overflow Permits Remote Code Execution -- 16 July 2003
Update 5 Aug 2003: Microsoft RPC Vulnerability Actively Exploited Throughout Stanford
Update 7 Aug 2003: Detection, Recovery and Prevention of the Auto-Propagating Windows RPC Exploit
On this page:
Summary
Technical Details
Countermeasures
References
Summary
A core component of the Windows operating system, responsible for managing inter-process communications between machines, contains a remotely exploitable buffer overflow [1,2]. The researchers who discovered the vulnerability have written exploit code to demonstrate the problem. Although this code is purportedly not available to the public, its existence means that public exploits will be written and distributed in the near future.
All users of Windows operating systems are strongly encouraged to apply the appropriate patches immediately. The easiest way to do this is by visiting http://windowsupdate.microsoft.com. The individual patches are available at the following URLs:
Windows NT 4.0:
http://microsoft.com/downloads/details.aspx?FamilyId=2CC66F4E-217E-4FA7-BDBF-DF77A0B9303F&displaylang=en
Windows NT 4.0 Terminal Server:
http://microsoft.com/downloads/details.aspx?FamilyId=6C0F0160-64FA-424C-A3C1-C9FAD2DC65CA&displaylang=en
Windows 2000:
http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en
Windows XP:
http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en
Windows 2003:
http://microsoft.com/downloads/details.aspx?FamilyId=F8E0FF3A-9F4C-4061-9009-3A212458E92E&displaylang=en
Technical Details
The Remote Procedure Call (RPC) protocol on Windows operating systems provides a mechanism for a program running on one machine to execute code on another machine. Windows uses the Distributed Component Object Model (DCOM) to help manage communications between Windows components over a network, typically (but not always) the TCP/IP networks used in most environments. The DCOM interface to RPC accepts network connections on TCP port 135 and fails to validate message inputs during the instantiation of DCOM objects. By sending an appropriately malformed RPC message, an attacker can cause a vulnerable machine to execute arbitrary code within the security context of the RPC service, typically the SYSTEM context [1,2].
The researchers who discovered the vulnerability were able to create proof-of-concept exploits for Windows 2000 and Windows XP (running SP4 and SP1 respectively). They were also able to bypass the buffer overflow protections included as part of Windows 2003 and gain SYSTEM privileges there as well.
The vulnerable components of the Windows operating system are installed by default on all versions of Windows, and cannot be disabled without crippling a number of core Windows components.
Countermeasures
Stanford blocks access between the Internet and SUNet on TCP/135, the port used by Microsoft RPC services, so worms and exploits written to take advantage of this vulnerability from the Internet will be blocked at our perimeter. However, this should not be considered definitive protection against the exposure due to this problem. The large number of laptops on Stanford's network is capable of introducing malicious code into our environment despite our perimeter security measures.
Due to the severity of this vulnerability, and the universal presence of RPC and DCOM on Windows machines, all Windows users are strongly encouraged to patch their machines as quickly as possible.
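The following script is an added illustration of the point above and is not part of the original alert: a perimeter block on TCP/135 says nothing about hosts already inside the network, so the check worth running is for internal sources fanning out to TCP/135 on many internal destinations, alongside a sanity check that no external source is being allowed through. The log format, the 10.0.0.0/8 stand-in for the campus network, and the sample lines are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed (hypothetical) firewall log format; a real firewall's format would need its own regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
RPC_PORT = 135  # TCP port of the DCOM/RPC endpoint mapper discussed in the alert

# Constructed sample log lines, not real Stanford data. 10.0.0.0/8 stands in for the
# campus network and 203.0.113.0/24 (a documentation range) stands in for the Internet.
SAMPLE_LOG = """\
2003-08-05T10:00:01 DENY proto=tcp src=203.0.113.7:4120 dst=10.64.10.5:135
2003-08-05T10:00:02 ALLOW proto=tcp src=10.64.20.9:1050 dst=10.64.10.5:135
2003-08-05T10:00:02 ALLOW proto=tcp src=10.64.20.9:1051 dst=10.64.10.6:135
2003-08-05T10:00:03 ALLOW proto=tcp src=10.64.20.9:1052 dst=10.64.10.7:135
2003-08-05T10:00:03 ALLOW proto=tcp src=10.64.20.9:1053 dst=10.64.10.8:135
2003-08-05T10:00:04 ALLOW proto=tcp src=10.64.30.2:1200 dst=10.64.10.5:135
2003-08-05T10:00:05 ALLOW proto=tcp src=10.64.30.2:1201 dst=10.64.10.5:445
2003-08-05T10:00:06 ALLOW proto=tcp src=203.0.113.9:2200 dst=10.64.10.9:135
"""

def parse(log_text):
    """Yield parsed records for lines matching the assumed format; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def internal_rpc_sweeps(log_text, internal_net="10.0.0.0/8", min_targets=3):
    """Internal hosts that reached TCP/135 on at least min_targets distinct internal hosts.
    That fan-out is the signature of self-propagation and is invisible to the perimeter rule."""
    net = ip_network(internal_net)
    targets = defaultdict(set)
    for r in parse(log_text):
        if r["proto"] != "tcp" or int(r["dport"]) != RPC_PORT:
            continue
        if ip_address(r["src"]) in net and ip_address(r["dst"]) in net:
            targets[r["src"]].add(r["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

def perimeter_gaps(log_text, internal_net="10.0.0.0/8"):
    """External sources ALLOWed to TCP/135 on an internal host; any hit is a rule gap."""
    net = ip_network(internal_net)
    return sorted({r["src"] for r in parse(log_text)
                   if r["action"] == "ALLOW" and r["proto"] == "tcp"
                   and int(r["dport"]) == RPC_PORT
                   and ip_address(r["src"]) not in net and ip_address(r["dst"]) in net})
```

On the sample, `internal_rpc_sweeps` flags 10.64.20.9 (four distinct TCP/135 targets) but not 10.64.30.2 (one target), and `perimeter_gaps` reports 203.0.113.9, whose connection was allowed where the perimeter rule should have denied it.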
References
[1] Microsoft Security Bulletin MS03-026: Buffer Overrun in RPC Interface Could Allow Code Execution (823980)
[2] Buffer Overrun in Windows RPC Interface
Last modified Wednesday, 08-Feb-2006 11:46:35 PST
© 2003, Stanford University. All rights reserved.