Sources indicate that the remote code execution vulnerability (CAN-2003-0813) is difficult to perform by itself, but by utilizing the memory allocation vulnerability (CAN-2004-0116) an attacker can locate memory space in which to inject arbitrary code without overwriting multiple system objects.
The first vulnerability lies within the RPC DCOM structure, in the activation class functions within the RPCSS module. By initiating simultaneous parallel requests and then immediately terminating the connections, an attacker can cause a small amount of heap corruption within the svchost RPC process.
The second vulnerability lies within the RPCSS service host. An attacker can create a large request for the creation of an activation class object. The request creates an exception, which is handled by default exception handlers that fail to deallocate memory space. By repeating this request several times, an attacker can quickly consume large amounts of system resources, resulting in system instability and a DoS condition.
The third vulnerability is located in the CIS of IIS. On systems running IIS 5, or running IIS 6 operating in IIS 5 compatibility mode, an attacker can create a response to an RPC request that causes CIS to stop responding to future forwarded requests, resulting in a DoS condition until the affected IIS service can be restarted.
The fourth vulnerability is due to the way that object identities are created. By exploiting the weak object identifier creation scheme, an attacker can cause applications to open arbitrary network communication ports. This can be done to applications that were not designed for network communications. This does not allow the attacker to gain control of the affected machine, but by opening communications on arbitrary ports, an attacker may be able to bypass firewall restrictions to exploit other known vulnerabilities.