ITSS Information Security Services
RPC Vulnerability Actively Exploited Throughout Stanford
- 5 August 2003
Original Bulletin, 16 July 2003: Windows RPC Buffer Overflow Permits Remote Code Execution
Update, 7 August 2003: Detection, Recovery and Prevention of the Auto-Propagating Windows RPC Exploit
Summary
A significant number of Windows machines throughout the Stanford campus have been exploited via the recently announced critical vulnerability in the Microsoft RPC service, described in http://securecomputing.stanford.edu/alerts/windows-rpc-16jul2003.html. At least two exploits are known to be circulating on the Internet, and they leave different malicious software installed on victim machines. Information Security Services has not yet been able to isolate the infection vectors for the machines that have been compromised, but we continue to work with campus system administrators, other university incident response teams, Microsoft, and others to reduce the impact of these attacks on campus.

If you run any Windows desktop or server machine, or are responsible for machines belonging to other people, install the patches included in the advisory above immediately.
Technical Details
On July 16, 2003, Microsoft and the security research organization Last Stage of Delirium (LSD) announced a critical vulnerability in the Windows RPC/DCOM interface. This vulnerability affects Windows NT Workstation and Server, Windows 2000, Windows XP and Windows 2003 Server. Although the LSD report included no proof-of-concept code, exploits began hitting the Internet within a couple of days.
Microsoft, CERT and others have documented the existence of at least two exploits, which create different signatures on compromised machines. These exploits may attack a system through any port that the RPC endpoint mapper uses. These include:

  Protocol sequence used by endpoint mapper           TCP or UDP port
  ---------------------------------------------------  -------------------
  ncacn_ip_tcp                                         TCP/135
  ncadg_ip_udp                                         UDP/135
  ncacn_np \pipe\emapper (uses SMB null sessions)      TCP/139 and TCP/445
  ncacn_http                                           TCP/593
  ncacn_http with COM Internet Services enabled        TCP/80
Here is a list of the public exploits known to take advantage of the RPC vulnerability described in MS03-026:

RPC Win32 AutoRooter, described by F-Secure, Network Associates, Symantec and others
- creates the files rpc.exe, rpctest.exe, tftpd.exe, dcomx.exe, lolx.exe and worm.exe on the local hard drive
- spawns a rootshell that accepts connections on TCP/57005
- rpc.exe contains the text "rpc autorooter by ERIC"

dcom.c exploit
- spawns a rootshell that accepts connections on TCP/4444 or an arbitrary port selected by the attacker

xfocus DCOM exploit

As yet unidentified rootkit
- installs a backdoor and then patches the vulnerability
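The indicators above (the rootshell ports, the files the AutoRooter drops, its marker string, and the endpoint-mapper ports that must be reachable for an attack) can be checked mechanically on a suspect host. The following triage helper is an added example, not part of the original alert or of any Stanford or Microsoft tool: it parses the output of `netstat -an` (a constructed sample is embedded), compares it with the port list from this page, checks a directory listing for the dropped file names, and looks for the AutoRooter marker in file contents. The sample addresses and file names are constructed; the indicator values are those stated in the alert.

```python
"""Triage helper for the indicators listed in the RPC/DCOM alert (added example)."""
import re

# Indicators taken from the alert text
BACKDOOR_PORTS = {
    57005: "RPC Win32 AutoRooter rootshell",
    4444: "dcom.c rootshell (default port; the attacker may choose another)",
}
AUTOROOTER_FILES = {"rpc.exe", "rpctest.exe", "tftpd.exe", "dcomx.exe", "lolx.exe", "worm.exe"}
AUTOROOTER_MARKER = b"rpc autorooter by ERIC"
# Ports the RPC endpoint mapper uses, from the table above (TCP/80 only with COM Internet Services)
ENDPOINT_MAPPER_PORTS = {("TCP", 135), ("UDP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 593)}

# Matches Windows "netstat -an" lines: proto, local addr:port, foreign addr, optional state
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)")


def parse_netstat(text):
    """Return a list of (proto, local_port, state) tuples; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, _local_addr, port, _remote, state = m.groups()
        entries.append((proto, int(port), state or ""))
    return entries


def find_backdoor_listeners(entries):
    """TCP listeners on the rootshell ports named in the alert."""
    return [(port, BACKDOOR_PORTS[port]) for proto, port, state in entries
            if proto == "TCP" and port in BACKDOOR_PORTS and state == "LISTENING"]


def find_exposed_rpc_ports(entries):
    """Endpoint-mapper ports that are open on this host.

    Listening on these is normal for Windows; the value of the list is knowing
    which of them are reachable from outside and therefore need filtering or
    the MS03-026 patch before the host is put back on the network.
    """
    exposed = set()
    for proto, port, state in entries:
        if (proto, port) in ENDPOINT_MAPPER_PORTS and (proto == "UDP" or state == "LISTENING"):
            exposed.add((proto, port))
    return sorted(exposed)


def find_dropped_files(filenames):
    """File names (case-insensitive) matching what the AutoRooter writes to disk."""
    return sorted(f for f in filenames if f.lower() in AUTOROOTER_FILES)


def has_autorooter_marker(data):
    """True if a file's bytes carry the text the alert reports inside rpc.exe."""
    return AUTOROOTER_MARKER in data


def triage(netstat_text, filenames):
    """Combine the checks into one report dictionary."""
    entries = parse_netstat(netstat_text)
    return {
        "backdoors": find_backdoor_listeners(entries),
        "exposed_rpc": find_exposed_rpc_ports(entries),
        "dropped_files": find_dropped_files(filenames),
    }


# Constructed sample data (not captured from a real host); 192.0.2.0/24 is a documentation range
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:57005          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         192.0.2.20:1043        ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""
SAMPLE_FILES = ["notepad.exe", "RPC.EXE", "tftpd.exe", "readme.txt"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_NETSTAT, SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

On a real host, feed `parse_netstat` the saved output of `netstat -an` and `find_dropped_files` the names from the directories you are examining; a hit on a rootshell port or a dropped file means the machine should be treated as compromised and rebuilt, since the unidentified rootkit patches the vulnerability after installing its backdoor and a patched host is not evidence of a clean one.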
Countermeasures
We do not yet know what ports the exploit software is using. All of the ports listed in the Technical Details section except TCP/80 are blocked at the perimeter of Stanford's network.

The most important thing that all personal computer users and administrators can do is to be sure that the patch for MS03-026 is installed on their machines. Although there have been some reports that the patch has not prevented some computers from being compromised, those reports have not been confirmed, and are now believed to be a result of confusion between this RPC buffer overflow and another (as yet unconfirmed) denial-of-service vulnerability in the Windows 2000 RPC implementation. Details on patches are available at http://securecomputing.stanford.edu/alerts/windows-rpc-16jul2003.html.

ITSS Information Security Services expects an update from Microsoft on these issues tomorrow, and will provide more information as it becomes available.
Last modified Wednesday, 08-Feb-2006 11:46:35 PST
© 2003, Stanford University. All rights reserved.