Topic: Microsoft Windows RPC DCOM Interface Heap Overflow Vulnerability

Release Date: 2003-09-11

CVE CAN ID : CAN-2003-0528

Affected system:
==============
- Microsoft Windows NT
- Microsoft Windows XP
- Microsoft Windows 2000
- Microsoft Windows 2003

Unaffected system:
================
- Microsoft Windows 98

Impact:
======

NSFOCUS Security Team has found a remote exploitable buffer overflow vulnerability in the RPC DCOM interface of Microsoft Windows system. By exploiting the vulnerability remote attackers could gain local system privilege.

Description:
==========

Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.

There is a buffer overflow vulnerability in Windows RPC Distributed Component Object Model (DCOM) interface handling. Windows DCOM implementation doesn't carry out any length check when handling a filename parameter. By passing an over-large parameter (several hundred bytes) attackers can cause a heap overflow and crash the RpcSS service. The carefully crafted data then can run arbitrary code on the system with Local System privilege. Attackers could take any action on the system, including installing programs, obtaining or deleting data, or creating new accounts with total privilege.

This vulnerability can be exploited on 135(TCP/UDP), 139, 445, 593 and other ports.

Note: This vulnerability is not the same one as described in MS03-026. The patch provided by MS03-026 (Q823980) can not fix the vulnerability.

Workaround:
===========
* Block at least the following ports at firewall:

135/UDP
137/UDP
138/UDP
445/UDP

135/TCP
139/TCP
445/TCP
593/TCP

Disable COM Internet Services (CIS) and RPC over HTTP.

* If you can not block the above ports for some reasons, you can temporarily
disable DCOM:

Open "Control Panel"-->"Management Tools"-->"Component Services"
Click on the "Component Services"-->"Computers"-->"My Computer" on the
"Console Root", right click "My Computer" to choose the "Properties"

Choose the "Default Properties " tab, clear "Enable Distributed COM on
this Computer" check box.

Click OK and exit "Component Services".

Note: Disabling DCOM might cause some applications to fail and system
abnormality. Some important system services might fail to start.
Therefore NSFOCUS doesn't recommend such a method. You can block ports
at firewall as mentioned above to ensure the system security.

Vendor Status:
============

2003.07.29 Informed the vendor
2003.07.30 Vendor confirmed the vulnerability
2003.09.10 Microsoft has issued a Security Bulletin(MS03-039) and the related patch.

Detailed Microsoft Security Bulletin is available at:

http://www.microsoft.com/technet/security/bulletin/ms03-039.asp

Additional Information:
==================

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2003-0528 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Candidates may change significantly before they become official CVE entries.

Credit:
=====

Yuan Renguang of NSFOCUS Security Team found the vulnerability.