Computer Security
[EN] securityvulns.ru no-pyccku


Related information

  Windows NT/2000/XP/2003 RPC buffer overflow

  [Full-Disclosure] EEYE: Microsoft DCOM RPC Memory Leak

  [Full-Disclosure] EEYE: Microsoft DCOM RPC Race Condition

  Microsoft Security Bulletin MS04-012

  [CORE-2003-12-05]  DCE RPC Vulnerabilities New Attack Vectors Analysis

From:MICROSOFT <secure_(at)_microsoft.com>
Date:17.07.2003
Subject:Microsoft Security Bulletin MS03-026: Buffer Overrun In RPC Interface Could Allow Code Execution(Q823980)

-----BEGIN PGP SIGNED MESSAGE-----

- - ---------------------------------------------------------------
Title:      Buffer Overrun In RPC Interface Could Allow Code
           Execution (823980)

Date:       16 July 2003
Software:   Microsoft(r) Windows (r) NT 4.0
           Microsoft Windows NT 4.0 Terminal Services Edition
           Microsoft Windows 2000
           Microsoft Windows XP
           Microsoft Windows Server 2003
Impact:     Run code of attacker's choice
Max Risk:   Critical
Bulletin:   MS03-026

Microsoft encourages customers to review the Security Bulletins
at:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
http://www.microsoft.com/security/security_bulletins/MS03-026.asp
- - ---------------------------------------------------------------

Issue:
======

Remote Procedure Call (RPC) is a protocol used by the Windows
operating system. RPC provides an inter-process communication
mechanism that allows a program running on one computer to
seamlessly execute code on a remote system. The protocol itself
is derived from the OSF (Open Software Foundation) RPC protocol,
but with the addition of some Microsoft specific extensions.

There is a vulnerability in the part of RPC that deals with
message exchange over TCP/IP. The failure results because of
incorrect handling of malformed messages. This particular
vulnerability affects a Distributed Component Object Model (DCOM)
interface with RPC, which listens on TCP/IP port 135. This
interface handles DCOM object activation requests sent by client
machines (such as Universal Naming Convention (UNC) paths) to the
server.

To exploit this vulnerability, an attacker would need to send a
specially formed request to the remote computer on port 135.


Mitigating factors:
====================

- To exploit this vulnerability, the attacker would require the
ability to send a specially crafted request to port 135 on the
remote machine. For intranet environments, this port would
normally be accessible, but for Internet connected machines, the
port 135 would normally be blocked by a firewall. In the case
where this port is not blocked, or in an intranet configuration,
the attacker would not require any additional privileges.

- Best practices recommend blocking all TCP/IP ports that are
not actually being used. For this reason, most machines attached
to the Internet should have port 135 blocked. RPC over TCP is not
intended to be used in hostile environments such as the internet.
More robust protocols such as RPC over HTTP are provided for
hostile environments.

Risk Rating:
============
Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read
the  Security Bulletins at
  
http://www.microsoft.com/technet/security/bulletin/ms03-026.asp
http://www.microsoft.com/security/security_bulletins/ms03-026.asp
  
  for information on obtaining this patch.


- - ---------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPxSXX40ZSRQxA/UrAQE6PwgAp5nlZkLDJPNc8QNb5AajGy3R2SpaRhw2
WxonBgaiNU2sJscIQwObdjH1NHHq5Jw3ptFja/LbI/LOUZkQi6dOqPQjsyfthQzC
vUvGw5Fr0x3Pe1OJcsSmH6pl5XBOSSCVXRb4grHUZaMABymZkTzvz0rKonhpWDjv
OGnP9CisSxEBXMTnCIsqP6T1eoENxriICB3pR5ZuKqSgd+Q/J7DV1aTLwYCIaxwR
4a+d/xufAQyDW5WEdKvHlfoyw/ZKDIqIsUsueX5HX+PTBa5VRcaLYKk7GbDnStyB
3+aktUF1z5C9LqG5zDcFGXWOPEmERTWKUZ06YBIieNbZwV75pjxEmQ==
=KrV/
-----END PGP SIGNATURE-----



*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product
Security Notification Service.  For more information on this service, please visit
http://www.microsoft.com/technet/security/notify.asp.

To verify the digital signature on this bulletin, please download our PGP key at
http://www.microsoft.com/technet/security/notify.asp.

To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft
Profile Center at http://register.microsoft.com/regsys/pic.asp

If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security
Notification Service via email as described below:
Reply to this message with the word UNSUBSCRIBE in the Subject line.

For security-related information about Microsoft products, please visit the Microsoft Security
Advisor web site at http://www.microsoft.com/security.

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod