Network & Academic Computing Services
CERT Vulnerability VU#568148 and Microsoft Security Bulletin MS03-026; and LSD email to VulnWatch/BugTraq regarding Microsoft Windows RPC buffer overflow (critical) vulnerability


Overview

A buffer overflow vulnerability in Microsoft's Remote Procedure Call (RPC) implementation may allow a remote attacker to execute arbitrary code or cause a denial of service. If you use a Microsoft Windows computer (XP, 2000, NT 4.0, Windows Server 2003) you should read this page.

The Last Stage of Delirium Research Group is the discoverer of this vulnerability, which is documented in CERT/CC (Carnegie Mellon "Computer Emergency Response Team/Coordination Center"; see www.cert.org/faq/cert_faq.html for more information) Vulnerability Note VU#568148 and Microsoft Security Bulletin MS03-026.

This looks like a serious vulnerability. In a letter to various lists, Microsoft said in part, "Although we encourage you to pay attention to all security bulletins and to deploy patches in a timely manner we wanted to call special attention to this particular instance as we have become aware of some activity on the internet that we believe increases the likelihood of the exploitation of this vulnerability." Rather unusual language for Microsoft.

But that is not all! In addition, the U.S. Department of Homeland Security (US DHS) Information Analysis and Infrastructure Protection (IAIP) National Cyber Security Division (NCSD) issued an update on July 30th, 2003 to their July 24th, 2003 advisory regarding this vulnerability, stating that several working exploits which provide full remote system-level access "to vulnerable computers" are in widespread distribution on the Internet. See http://www.nipc.gov/warnings/advisories/2003/Potential7302003.htm for more detail.

NACS NetPlanSec group strongly urges all Faculty, Staff and Students who use Microsoft Windows platforms (XP, 2000, NT 4.0, all versions) on any UC Irvine network (and that includes dialing in or VPN'ing in from home) to follow the directions for MS03-026/KB823980 to the letter. To verify you have this critical update already, or to install it, please visit Microsoft Knowledge Base Article 823980, aka MS03-026.

Local copies of the patch are available here: Windows NT, Windows 2000, Windows 2003 Server, Windows XP. These patches are only available to systems on the UCI network.

Any system which is compromised by worms exploiting this vulnerability will be disconnected from UCInet.

The following email from Last Stage of Delirium is a follow-up about this vulnerability, and shows that ports 135, 139, 445 and 593 can be used as attack vectors. It is as a result of this vulnerability that NACS has added port 593 to the list of ports blocked at the UCI campus network border.

---------------------- Begin Forwarded Message  -------------------------
Date: Tue, 22 Jul 2003 13:15:12 -0700
From: Last Stage of Delirium 
X-X-Sender: lsd@ix.put.poznan.pl
To: Todd Sabin <tsabin@razor.bindview.com>
cc: bugtraq@securityfocus.com, <secure@microsoft.com>
   <vulnwatch@vulnwatch.org>
In-Reply-To: <m3k7agsw47.fsf@jetcar.qnz.org>
Message-ID: <Pine.SGI.4.43.0307221311350.403459-100000@ix.put.poznan.pl>
Subject: [VulnWatch] Re: [LSD] Critical security vulnerability in Microsoft
         Operating Systems

Hello,

We confirm the existence of the following RPC attack vectors pointed out
by Todd Sabin with regard to the vulnerability described in MS03-026.
These are respectively:

- ncacn_np:\pipe\epmapper
- ncadg_ip_udp:135
- ncacn_ip_tcp:135
- ncacn_http:593

This means that at least:
- UDP port 135,
- TCP ports 135, 139, 445 and 593 can be used as remote attack vectors.

The possibility of using ncacn_http (and TCP port 80) for the purpose
of launching a remote attack depends on whether COM Internet Services
are enabled for DCOM on a Windows Server running IIS (as far as we know
they are not enabled by default).

Best Regards,
Members of LSD Research Group
http://lsd-pl.net


On Thu, 17 Jul 2003, Todd Sabin wrote:

>
> I think it's worth mentioning that Microsoft's advisory on this issue
> is incorrect in stating that the only attack vector is port 135.  The
> vulnerability lies in one of the RPC interfaces that the endpoint
> mapper/RPCSS services.  As such, it is accessible over any RPC
> protocol sequence that the endpoint mapper listens on.  That includes:
>
> o ncacn_ip_tcp :  TCP port 135
> o ncadg_ip_udp :  UDP port 135
> o ncacn_np     :  \pipe\epmapper, normally accessible via SMB null
>                   session on TCP ports 139 and 445
> o ncacn_http   : if active, listening on TCP port 593.
>
> Finally, if ncacn_http is active, and COM Internet Services is
> installed and enabled, which is NOT the default in any configuration
> I'm aware of, then you can also talk to the endpoint mapper over port
> 80.  Just to be clear, I think this is a very uncommon scenario, but
> the possibility does exist.
>
> So if you want to be completely safe, block UDP 135, TCP 135, 139, 445,
> and 593.  And make sure you don't have COM Internet Services running.
>
> --
> Todd Sabin                                       <tsabin@optonline.net>
> BindView RAZOR Team                         <tsabin@razor.bindview.com>
>
---------------------- End of Forwarded Message  ------------------------
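The mapping from RPC protocol sequences to border-block ports that Sabin and LSD spell out above, as an added example (this is not code from NACS, LSD or BindView). The `cis_enabled` flag models a server with COM Internet Services turned on, and the ACL line format is an illustrative placeholder, not any particular vendor's syntax.

```python
# Added example: derive the border block list for MS03-026 from the RPC
# protocol sequences named in the thread. Not code from the original page.
from typing import List, Set, Tuple

Rule = Tuple[str, int]  # (transport, port)

# Vectors LSD confirmed, in RPC string-binding form "<protseq>:<endpoint>".
CONFIRMED_VECTORS = [
    r"ncacn_np:\pipe\epmapper",
    "ncadg_ip_udp:135",
    "ncacn_ip_tcp:135",
    "ncacn_http:593",
]

# ncacn_np rides on SMB, so the named pipe is reachable over the SMB ports.
SMB_PORTS = (139, 445)


def vector_to_rules(vector: str, cis_enabled: bool = False) -> Set[Rule]:
    """Map one protocol sequence/endpoint to the transport ports it exposes.

    cis_enabled: COM Internet Services on (per the thread, also exposes TCP 80).
    """
    protseq, _, endpoint = vector.partition(":")
    if protseq == "ncacn_np":
        return {("tcp", p) for p in SMB_PORTS}
    if protseq == "ncadg_ip_udp":
        return {("udp", int(endpoint))}
    if protseq == "ncacn_ip_tcp":
        return {("tcp", int(endpoint))}
    if protseq == "ncacn_http":
        rules = {("tcp", int(endpoint))}
        if cis_enabled:
            rules.add(("tcp", 80))
        return rules
    raise ValueError(f"unknown protocol sequence: {protseq}")


def border_block_list(vectors=CONFIRMED_VECTORS, cis_enabled=False) -> List[Rule]:
    """Union of all ports to block at the network border, sorted for output."""
    rules: Set[Rule] = set()
    for v in vectors:
        rules |= vector_to_rules(v, cis_enabled)
    return sorted(rules)


def render_acl(rules: List[Rule]) -> List[str]:
    """Render rules as generic inbound deny lines (placeholder syntax)."""
    return [f"deny {t} any any eq {p}" for t, p in rules]


if __name__ == "__main__":
    print("\n".join(render_acl(border_block_list())))
```

With the default vectors the output is exactly the set NACS blocks at the campus border (UDP 135 and TCP 135, 139, 445, 593); TCP 80 appears only when `cis_enabled=True`.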




University of California, Irvine