Vulnerability Alert

Microsoft Windows RPC DCOM Multiple Vulnerabilities

 
Threat Type:
IntelliShield ID: 7536
Version: 2
First Published: 2004 April 13 23:15 GMT
Last Published: 2004 April 16 19:18 GMT
Port: 135, 137, 138, 139, 443, 445, 593, 80
CVE: CVE-2003-0807, CVE-2003-0813, CVE-2004-0116, CVE-2004-0124
Urgency: Possible use
Credibility: Confirmed
Severity: Moderate Damage
 
Version Summary:

US-CERT has released a Technical Cyber Security Alert and Vulnerability Notes that address the multiple RPC DCOM vulnerabilities.

 
 
Description

Microsoft Windows contains multiple vulnerabilities in the RPC DCOM service that could allow an attacker to execute arbitrary code on the system, create a denial of service (DoS) condition or redirect communications ports.

The first vulnerability (CAN-2003-0813) exists in the RPC runtime library.  A race condition exists within the DCOM interface, which an attacker could exploit by submitting multiple parallel requests and immediately closing the connection.  This causes arbitrary information to be written to memory and executed.  This vulnerability is similar to the issue detailed in IntelliShield Alert 6795.

The second vulnerability (CAN-2004-0116) is located within the RPCSS Service.  An attacker could exploit the vulnerability by submitting a malicious request to the RPC service, which could result in the overrunning of the allocated buffer.  This overflow is contained by RPC, but the memory is not deallocated.  By repeating this request an attacker can rapidly consume system resources, resulting in a DoS condition.

The third vulnerability (CAN-2003-0807) is located within the COM Internet Services (CIS).  If CIS is enabled, an attacker can exploit the vulnerability by creating a malicious response to forwarded messages that will cause CIS to stop responding to future messages, resulting in a DoS condition.

The fourth vulnerability (CAN-2004-0124) is due to the way that object identities are created on affected systems.  The vulnerability could allow an attacker to enable applications to open network communications through unexpected ports.

Updated software is available.

 
Warning Indicators

Systems running the following Windows products are vulnerable:

Windows NT Workstation 4.0 SP6a
Windows NT Server SP6a
Windows NT Terminal Services Edition SP6
Windows 2000 SP2, SP3, SP4
Windows XP SP1
Windows XP 64-Bit Edition
Windows XP 64-Bit Edition 2003
Windows Server 2003
Windows Server 2003 64-Bit Edition
Windows 98, 98SE
Windows Millennium Edition

 
IntelliShield Analysis

Disabling the RPC DCOM service can render some machines useless.  The method to remedy these issues is to apply the appropriate patch and to block all RPC communications ports from outside access.  The hacker community will likely take great interest in this vulnerability and work quickly to develop an exploit.

The CIS vulnerability can be mitigated by ensuring that RPC over HTTP has been disabled.  By default, CIS is disabled, but it could be inadvertently enabled if web applications utilizing this feature have been developed and deployed.  It is also important to note that IIS 6 running in native mode is not susceptible to this vulnerability; however, it is vulnerable when IIS 6 is running in IIS 5 compatibility mode.

These vulnerabilities are similar to the ones exploited by the Lovsan worm, as detailed in IntelliShield Alert 6477.  Organizations that experienced problems as a result of this worm and have not taken steps to improve their security can expect similar issues if a worm is developed exploiting these new vulnerabilities.

Hibernating laptops provided a vector for the Lovsan worm to penetrate networks and bypass virus walls, as did home systems connecting to enterprise networks via VPN.  Administrators are encouraged to monitor these attack vectors in the event that a worm exploiting these vulnerabilities surfaces.

Administrators are advised to apply the updates as soon as it is convenient, and immediately on machines that have outward-facing interfaces.

 
Vendor Announcements

Microsoft has released a security bulletin at the following link: MS04-012

US-CERT has released a Technical Cyber Security Alert at the following link: TA04-104A

US-CERT has released vulnerability notes at the following links: VU#698564 and VU#212892

 
Impact

A remote attacker could execute arbitrary code, create a denial of service condition or redirect communications ports.

 
Technical Information

Sources indicate that the remote code execution vulnerability (CAN-2003-0813) is difficult to exploit by itself, but by utilizing the memory allocation vulnerability (CAN-2004-0116) an attacker can locate memory space in which to inject arbitrary code without overwriting multiple system objects.

The first vulnerability lies within the RPC DCOM structure, in the activation class functions within the RPCSS module.  By initiating simultaneous parallel requests and then immediately terminating the connections, an attacker can cause a small amount of heap corruption within the svchost RPC process.

The second vulnerability lies within the RPCSS service host.  An attacker can create a large request for the creation of an activation class object.  The request creates an exception, which is handled by default exception handlers that fail to deallocate memory space.  By repeating this request several times, an attacker can quickly consume large amounts of system resources, resulting in system instability and a DoS condition.

The third vulnerability is located in the CIS of IIS.  On systems running IIS 5, or running IIS 6 operating in IIS 5 compatibility mode, an attacker can create a response to an RPC request that causes CIS to stop responding to future forwarded requests, resulting in a DoS condition until the affected IIS service can be restarted.

The fourth vulnerability is due to the way that object identities are created.  By exploiting the weak object identifier creation scheme, an attacker can cause applications to open arbitrary network communication ports.  This can be done to applications that were not designed for network communications.  This does not allow the attacker to gain control of the affected machine, but by opening communications on arbitrary ports, an attacker may be able to bypass firewall restrictions to exploit other known vulnerabilities.

 
Safeguards

Administrators are advised to apply the appropriate patches.

Administrators are advised to block external access to RPC DCOM ports 135, 137/udp, 138/udp, 445, 139/tcp, 593/tcp.

If possible, administrators are advised to disable CIS, as detailed in Microsoft Knowledge Base Article KB825819.

Administrators are advised to disable forwarding to DCOM, as detailed in Microsoft Knowledge Base Article KB826382.
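One way to check the port-blocking safeguard on an individual host, as an added example that is not part of this alert: the script parses constructed Windows-style `netstat -an` output and flags listeners on the alert's RPC/DCOM ports that are bound to an address reachable from the network (the alert lists 135 and 445 without a protocol, so both TCP and UDP are checked for them).

```python
"""Host exposure check for the RPC/DCOM ports named in this alert (added example)."""
import ipaddress

# Ports the Safeguards section says to block from outside access.
ADVISORY_PORTS = {
    135: ("tcp", "udp"),   # listed without protocol: check both
    137: ("udp",),
    138: ("udp",),
    139: ("tcp",),
    445: ("tcp", "udp"),   # listed without protocol: check both
    593: ("tcp",),
}

# Constructed sample shaped like `netstat -an` on Windows 2000/XP (not real data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:593          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    192.168.1.10:138       *:*
  UDP    127.0.0.1:445          *:*
"""


def parse_listeners(text):
    """Yield (proto, ip, port) for sockets that can accept inbound traffic."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank, or unrelated line
        proto = parts[0].lower()
        # UDP sockets carry no state; a TCP socket only matters if LISTENING.
        if proto == "tcp" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue
        ip, _, port = parts[1].rpartition(":")
        yield proto, ip.strip("[]"), int(port)


def exposed_advisory_ports(text):
    """Return sorted (proto, port, ip) for advisory ports bound to non-loopback addresses."""
    hits = set()
    for proto, ip, port in parse_listeners(text):
        if proto not in ADVISORY_PORTS.get(port, ()):
            continue  # not one of the ports this alert covers
        if ipaddress.ip_address(ip).is_loopback:
            continue  # loopback-only binds are unreachable from other hosts
        hits.add((proto, port, ip))
    return sorted(hits)
```

Run it against real `netstat -an` output to list the hosts that still need the perimeter block or the patch; port 3389 and the loopback-bound 593/udp 445 entries in the sample are correctly ignored.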

 
Patches/Software

Microsoft has released updates at the following links:

Windows NT Workstation 4.0 SP6a
Windows NT Server 4.0 SP6a
Windows NT Terminal Server Edition SP6
Windows 2000
Windows XP
Windows XP 64-Bit Edition
Windows XP 64-Bit Edition 2003
Windows Server 2003
Windows Server 2003 64-Bit Edition


Signatures
 
Cisco Intrusion Prevention System (IPS) 6.0
Signature ID   Signature Name                            Release   Latest Release Date
3330/0         Windows RPCSS Overflow 2                  S630      2012 Mar 07
3337/0         Windows RPC Race Condition Exploitation   S367      2008 Nov 11
5588/0         Windows DCOM Overflow                     S542      2011 Jan 25
5588/1         Windows DCOM Overflow                     S617      2012 Jan 13
5596/0         Windows SMB/RPC NoOp Sled                 S289      2007 Jun 05
 
Alert History
 

Version 1, April 13, 2004, 7:15 PM: Microsoft Windows contains multiple vulnerabilities in the RPC DCOM service that could allow a remote attacker to execute arbitrary code, create a denial of service condition, or redirect communications ports.  Patches are available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Microsoft, Inc.: Windows 2000 Advanced Server Base, SP1, SP2, SP3, SP4 | Datacenter Server Base, SP1, SP2, SP3, SP4 | Professional Base, SP1, SP2, SP3, SP4 | Server Base, SP1, SP2, SP3, SP4
Microsoft, Inc.: Windows 98 Original Release Base, SP1 | Second Edition Base | j Base
Microsoft, Inc.: Windows Me Original Release Base
Microsoft, Inc.: Windows NT Server 4.0 Base, SP1, SP2, SP3, SP4, SP5, SP6, SP6a
Microsoft, Inc.: Windows NT Server Enterprise Edition Original Release Base | 4.0 Base, SP1, SP2, SP3, SP4, SP5, SP6, SP6a
Microsoft, Inc.: Windows NT Terminal Server Original Release Base | 4.0 Base, SP1, SP2, SP3, SP4, SP5, SP6, SP6a
Microsoft, Inc.: Windows NT Workstation Original Release Base | 4.0 Base, SP1, SP2, SP3, SP4, SP5, SP6, SP6a
Microsoft, Inc.: Windows Server 2003 Datacenter Edition Base | Datacenter Edition, 64-bit (Itanium) Base | Enterprise Edition Base | Enterprise Edition, 64-bit (Itanium) Base | Standard Edition Base | Web Edition Base
Microsoft, Inc.: Windows XP Home Edition Base, SP1 | Professional Edition Base, SP1 | Professional Edition, 64-bit (Itanium) Base, 2003 (Itanium 2), SP1

Associated Products:
N/A



